MCP Server
The KAVACH MCP server is a stateless transport adapter over the REST control plane. Each tool validates input, calls exactly one REST endpoint, maps the response, and translates errors.
Overview
Kavach exposes a Model Context Protocol server as a stateless transport adapter over the existing REST control plane. The MCP server does not own governance rules, persistence, provider behavior, or orchestration semantics. Each tool validates input, calls exactly one REST endpoint, maps the REST response, and translates REST errors into tool errors.
- 01validate tool envelope
The tool validates its schema, request identity and controlled-write context.
- 02open audit record
A durable MCP audit entry is created before any REST work begins.
- 03delegate one REST operation
The stateless adapter calls exactly one canonical control-plane endpoint.
- 04commit result or error
The same audit record receives the outcome, correlation data and duration.
governed outcome
AUDITED
One tool call · one REST boundary · durable execution evidence
MCP Interfaces
Kavach offers three MCP interfaces. They expose the same canonical tool registry, but serve different client environments. Choose the interface your client already understands rather than adding an unnecessary proxy.
Local MCP
MCP over stdio
For an AI desktop client that starts Kavach as a local child process.
Remote MCP
Streamable HTTP
For an MCP-aware remote client connecting to an authenticated HTTP endpoint.
HTTP & OpenAPI
MCPO
For conventional HTTP clients, generated OpenAPI tooling, and Swagger UI.
Multi-Organization Context
Control-plane tools accept a required context object containing organization_id and, for project operations, project_id. Actor identity is resolved by the server and is not accepted as an impersonation argument. Discovery and administration tools include organization.*, project.*, membership.*, role_assignment.*, authorization.permissions, and context.current.
MCPO & REST Proxy
MCPO is the OpenAPI proxy used to expose MCP tools as ordinary HTTP endpoints. It provides Swagger UI and REST compatibility for clients that cannot connect directly to a stdio MCP server. MCPO does not replace Kavach authorization; every proxied call still reaches the REST control plane with an authenticated service identity.
./scripts/mcp/start-mcp.sh
# Open the generated API surface
open http://127.0.0.1:8001/docsFor setup, authentication, and client-specific guidance, see the MCPO OpenAPI guide.
Authentication
The MCP server uses the Keycloak kavach-mcp confidential client with client credentials. The short-lived token is refreshed before expiry. The service-account actor is discovered during startup and written to .env.mcp.generated; developers should not manually hard-code the actor ID in a fresh setup.
A valid token is not sufficient by itself. Grant the service account the required organization/project roles in Studio under Organization → Access; tenant membership and permission checks apply to every tool.
Tool Groups
Provider Tools
provider.list— list available evaluation providers
Registry Tools
registry.list_prompts,registry.get_promptregistry.list_models,registry.get_modelregistry.list_datasets,registry.get_dataset
Evaluation Tools
evaluation.history,evaluation.latestevaluation.get,evaluation.metricsevaluation.submit_async
Experiment Tools
experiment.list,experiment.getexperiment.candidates,experiment.runsexperiment.compare_candidates,experiment.leaderboardexperiment.createexperiment.add_candidate,experiment.run_async
Governance Tools
governance.compare,governance.driftgovernance.report,governance.summarize_experimentgovernance.explain_candidate,governance.compare_candidatesgovernance.investigate_execution,governance.investigate_jobgovernance.investigate_evaluation,governance.investigate_auditgovernance.explain_drift,governance.summarize_driftgovernance.generate_experiment_report,governance.generate_evaluation_reportgovernance.generate_drift_report,governance.generate_investigation_report
Governance Decision Tools
governance_decision.evaluate,governance_decision.getgovernance_decision.list,governance_decision.evidencegovernance_decision.lineage,governance_decision.explain
Job Tools
job.list,job.statusjob.cancel,job.retry
Ontology Graph Tools
ontology_graph.get_entity,ontology_graph.get_relationshipontology_graph.get_relationships,ontology_graph.neighbourhoodontology_graph.upstream,ontology_graph.downstreamontology_graph.find_paths
MCP Audit Tools
mcp_audit.list,mcp_audit.getmcp_audit.find_by_request,mcp_audit.find_by_correlation
Write Envelope
Controlled write tools share this required envelope:
{
"request_id": "...",
"idempotency_key": "...",
"requested_by": "...",
"actor_type": "HUMAN | AGENT | SERVICE",
"reason": "...",
"dry_run": false,
"metadata": {}
}Optional correlation fields include correlation_id, agent_name, agent_session_id, client_name, and client_version.
Dry Run
When dry_run is true, MCP validates the envelope and tool-specific schema, records the MCP audit entry, and returns a validation result without calling REST or creating a job. Business validation remains in REST/application services for non-dry-run requests.
MCP Execution Audit
Controlled write tools record MCP execution audit entries before calling REST and update the same durable audit row after completion. Audit records include request/correlation IDs, actor metadata, tool name, operation details, canonical request hash, safe request summary, dry-run status, job ID, result reference, error details, and duration.
Full request payloads are not blindly stored. Sensitive fields such as provider_config, API keys, tokens, passwords, and secrets are redacted from the audit summary.
Settings Tools
settings.listandsettings.get— expose effective typed configurationsettings.categories— list the registry navigation modelsettings.validate— validate a proposed value without persistencesettings.update— write a mutable runtime value
Runtime Boundary
AI Assistant → MCP Tool → REST Client → Kavach REST Control Plane → Application Services
MCP handlers must not import repositories, provider SDKs, domain construction logic, or worker operations. Controlled writes return job references whenever they submit execution work.
