Kaiza MCP Server

README.md•41.4 KiB

# ATLAS-GATE-MCP ## Enterprise Model Context Protocol Security Gateway with MCP-Only Sandbox Enforcement [![CI Status](https://github.com/dylanmarriner/ATLAS-GATE-MCP-server/workflows/CI/badge.svg)](https://github.com/dylanmarriner/ATLAS-GATE-MCP-server/actions) [![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg)](https://opensource.org/licenses/ISC) [![Node.js Version](https://img.shields.io/badge/node-%3E%3D18.0.0-brightgreen.svg)](https://nodejs.org/) [![Version](https://img.shields.io/badge/version-2.0.0-blue.svg)](https://github.com/dylanmarriner/ATLAS-GATE-MCP-server) [![Security Score](https://img.shields.io/badge/security-A-brightgreen.svg)](./SECURITY.md) ## High-Level Overview ATLAS-GATE-MCP is a production-grade Model Context Protocol (MCP) server that implements enterprise-grade security governance, process-level sandbox enforcement, and comprehensive audit trails for AI agent operations. The system transforms unconstrained AI agents into governed execution authorities through a multi-layered security architecture that enforces zero-trust principles, plan-based authorization, and immutable audit logging. The system addresses the fundamental security challenge of allowing AI agents to interact with critical systems while maintaining enterprise-grade security posture, compliance requirements, and operational visibility. ATLAS-GATE-MCP serves as a security gateway that mediates all AI agent interactions with development environments, enforcing strict governance policies while providing the flexibility required for modern AI-assisted development workflows. ATLAS-GATE-MCP operates as an MCP server/gateway in modern AI infrastructure, sitting between AI models/clients and target systems (filesystems, databases, APIs, development tools). It is designed for enterprise environments where security, auditability, and compliance are non-negotiable requirements. ## MCP Fundamentals The Model Context Protocol (MCP) is a standardized protocol for enabling AI models to securely interact with external systems, tools, and data sources. MCP provides a structured framework for AI agent operations that addresses the limitations of traditional integration approaches. ### Core Concepts and Terminology - **MCP Server**: A process that exposes capabilities to AI models through standardized interfaces. ATLAS-GATE-MCP is an MCP server. - **Tools**: Executable functions that AI models can invoke. Tools have defined schemas, parameters, and return values. Examples include file operations, API calls, database queries. - **Resources**: Read-only data sources that AI models can access. Resources represent static or dynamic data like configuration files, documentation, or system state. - **Prompts**: Reusable prompt templates that guide AI model behavior for specific tasks or contexts. - **Transport Layer**: Communication mechanism between AI models and MCP servers, typically JSON-RPC 2.0 over stdio or HTTP. - **Session**: A bounded interaction context between an AI model and MCP server with associated state and permissions. ### Design Philosophy MCP exists to solve fundamental architectural problems in AI agent integration: 1. **Security Isolation**: Prevents AI models from having unrestricted system access 2. **Standardization**: Provides consistent interfaces across different AI models and tools 3. **Governance**: Enables policy enforcement and audit trails for AI operations 4. **Composability**: Allows tools and capabilities to be combined safely 5. **Observability**: Provides visibility into AI agent operations and decision-making Compared to traditional APIs, MCP offers: - **Schema Validation**: All tool inputs/outputs are validated against defined schemas - **Capability Discovery**: AI models can discover available capabilities dynamically - **Security Boundaries**: Built-in authentication, authorization, and audit mechanisms - **State Management**: Proper session handling and state isolation - **Error Handling**: Structured error responses with appropriate context Compared to plugin-based systems, MCP provides: - **Protocol Standardization**: Consistent interface across different implementations - **Security Model**: Built-in security considerations rather than afterthought - **Transport Independence**: Multiple communication patterns supported - **AI-First Design**: Designed specifically for AI model interaction patterns ## Atlas-Gate Architecture ATLAS-GATE-MCP implements MCP through a multi-layered security architecture with strict separation of concerns and comprehensive enforcement mechanisms. ### Core Components - **MCP Server Core** (`server.js`): Central request handling, tool registration, and session management. Implements JSON-RPC 2.0 transport, input normalization, and request routing. - **Dual-Role System**: Two distinct operational modes with different security boundaries: - **Windsurf Role**: Execution and mutation capabilities with full audit logging - **Antigravity Role**: Read-only analysis and planning capabilities - **Tool Registry**: 17 specialized tools covering file operations, plan management, audit logging, and attestation services. Each tool implements comprehensive validation and enforcement. - **Governance Engine**: Multi-layer policy enforcement including: - Input validation with Zod schemas - Plan-based authorization checking - Static analysis for forbidden patterns - Content integrity verification - Audit trail generation - **Security Layers**: - Process-level sandbox enforcement - MCP-only operation restrictions - Session-based isolation - Cryptographic audit trails - Role-based access control ### Trust and Authorization Boundaries - **Trust Boundary 1**: Process isolation through MCP sandbox prevents direct system access - **Trust Boundary 2**: Role separation ensures read-only operations cannot mutate data - **Trust Boundary 3**: Plan authorization requires explicit approval for operations - **Trust Boundary 4**: Content validation prevents injection of malicious code - **Trust Boundary 5**: Audit logging provides non-repudiation and traceability ### Component Security Responsibilities - **Server Core**: Request validation, session management, transport security - **Tool Handlers**: Input validation, business logic enforcement, audit generation - **Governance Engine**: Policy enforcement, content analysis, authorization checking - **Audit System**: Immutable logging, tamper detection, compliance reporting - **Sandbox Layer**: Process isolation, resource restriction, capability limiting ## Architecture Diagram ```text ┌─────────────────────────────────────────────────────────────────────────────────┐ │ AI Models / Clients │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ Claude │ │ Windsurf │ │ Antigravity│ │ Custom LLM │ │ │ │ Desktop │ │ IDE │ │ Analysis │ │ Integration │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │ └─────────────────────────────────────────────────────────────────────────────────┘ │ JSON-RPC 2.0 over stdio/HTTP │ ┌─────────────────────────────────────────────────────────────────────────────────┐ │ ATLAS-GATE-MCP SERVER │ │ ┌─────────────────────────────────────────────────────────────────────────────┐ │ │ │ MCP Transport Layer │ │ │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ │ │ Request │ │ Session │ │ Response │ │ Error │ │ │ │ │ │ Normalizer │ │ Management │ │ Formatting │ │ Handling │ │ │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────────────┘ │ │ │ │ ┌─────────────────────────────────────────────────────────────────────────────┐ │ │ │ Security & Governance Layer │ │ │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ │ │ Input │ │ Plan │ │ Content │ │ Audit │ │ │ │ │ │ Validation │ │ Authority │ │ Analysis │ │ Logging │ │ │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────────────┘ │ │ │ │ ┌─────────────────────────────────────────────────────────────────────────────┐ │ │ │ Tool Registry │ │ │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ │ │ File Ops │ │ Plan Mgmt │ │ Audit │ │ Attestation │ │ │ │ │ │ (read/write)│ │ (list/lint) │ │ (log/replay)│ │ (gen/verify)│ │ │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────────────┘ │ │ ┌─────────────────────────────────────────────────────────────────────────────┐ │ │ │ Role-Based Access │ │ │ │ ┌─────────────┐ ┌─────────────┐ │ │ │ │ │ Windsurf │ │ Antigravity│ │ │ │ │ │ (Execution) │ │ (Read-Only) │ │ │ │ │ └─────────────┘ └─────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────────────────────────────┘ │ MCP Protocol Interface │ ┌─────────────────────────────────────────────────────────────────────────────────┐ │ Backing Services & Systems │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │ Filesystem │ │ Plans Store │ │ Audit Log │ │ Database │ │ │ │ (Read/Write)│ │ (Authority) │ │ (Immutable) │ │ (Optional) │ │ │ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ │ └─────────────────────────────────────────────────────────────────────────────────┘ Security Boundaries: ─────────────────────────────────────────────────────────────────────────────────── 1. Process Sandbox: MCP-only execution, no direct system access 2. Role Separation: Windsurf (write) vs Antigravity (read-only) 3. Plan Authority: Operations require approved plan references 4. Content Validation: Static analysis prevents malicious code injection 5. Audit Trail: Immutable logging provides non-repudiation ``` ## How Atlas-Gate Works (Step-by-Step) ### Initialization and Startup 1. **Process Launch**: Server starts as either Windsurf or Antigravity role based on entry point 2. **Sandbox Activation**: Process-level restrictions are applied via `lockdownProcess()` and `freezeGlobalObjects()` 3. **Self-Audit**: Server analyzes its own code for governance violations before accepting connections 4. **Session Generation**: Cryptographic `SESSION_ID` is generated for audit trail correlation 5. **Transport Binding**: JSON-RPC 2.0 server binds to stdio transport for MCP communication 6. **Tool Registration**: All available tools are registered with their Zod schemas and handlers 7. **Capability Discovery**: Server publishes available capabilities to connecting clients ### Configuration and Capability Registration 1. **Role Determination**: Server capabilities are filtered based on role (Windsurf vs Antigravity) 2. **Tool Schema Definition**: Each tool defines input/output schemas using Zod for validation 3. **Permission Mapping**: Tools are mapped to required permissions and authorization levels 4. **Plan Discovery**: Available plans are scanned and cached for authorization checking 5. **Audit Configuration**: Audit logging parameters and retention policies are established ### Server Lifecycle and Request Handling 1. **Connection Acceptance**: New JSON-RPC connections are accepted and authenticated 2. **Session Initialization**: `begin_session` must be called to establish workspace context 3. **Request Reception**: JSON-RPC 2.0 requests are received via stdio transport 4. **Input Normalization**: Raw inputs are normalized to structured objects 5. **Schema Validation**: Request parameters are validated against tool schemas 6. **Authorization Checking**: Plan-based authorization is verified before execution 7. **Content Analysis**: Static analysis scans for forbidden patterns and security violations 8. **Execution**: Business logic is executed with comprehensive error handling 9. **Audit Logging**: All operations are logged with full context and cryptographic signatures 10. **Response Generation**: Structured responses are formatted and returned ### Model Discovery and Invocation of MCP Capabilities 1. **Capability Enumeration**: AI models can list available tools and their schemas 2. **Tool Selection**: Models select appropriate tools based on task requirements 3. **Parameter Preparation**: Input parameters are prepared according to tool schemas 4. **Plan Reference**: Operations must reference an approved plan for authorization 5. **Invocation**: Tools are invoked via JSON-RPC 2.0 method calls 6. **Result Processing**: Responses are parsed and integrated into model reasoning 7. **Error Handling**: Structured error responses guide model recovery strategies ### Request/Response Flow 1. **Request Reception**: JSON-RPC 2.0 call received with method, parameters, and request ID 2. **Method Resolution**: Appropriate tool handler is selected based on method name 3. **Parameter Extraction**: Parameters are extracted and type-validated 4. **Context Establishment**: Session context and workspace state are resolved 5. **Authorization Verification**: Plan-based authorization is checked and validated 6. **Pre-execution Validation**: Input sanitization and security scanning occur 7. **Business Logic Execution**: Core tool functionality is executed with error handling 8. **Post-execution Processing**: Results are formatted and audit entries are created 9. **Response Construction**: JSON-RPC 2.0 response is built with result or error 10. **Transmission**: Response is transmitted via stdio transport to client ### State Handling and Isolation 1. **Session Isolation**: Each session maintains independent state and permissions 2. **Workspace Binding**: Operations are bound to specific workspace directories 3. **Plan Context**: Authorization context is maintained throughout request lifecycle 4. **Audit Correlation**: All operations are correlated via session and request IDs 5. **Stateless Design**: Server does not maintain persistent state between requests 6. **Immutable Audit**: Audit log provides the only persistent state management ### Permission Evaluation and Enforcement 1. **Role-Based Access**: Windsurf role allows mutations, Antigravity role is read-only 2. **Plan Authorization**: Operations must reference valid, approved plans 3. **Capability Scoping**: Tools have scoped permissions based on their function 4. **Content Restrictions**: Static analysis prevents unauthorized code patterns 5. **Resource Limits**: Filesystem access is limited to authorized directories 6. **Audit Requirements**: All operations must pass audit logging requirements 7. **Failure Modes**: Security violations result in immediate operation termination ## Security and Permission Model ATLAS-GATE-MCP implements a comprehensive, defense-in-depth security model designed for enterprise environments where security, compliance, and auditability are paramount. ### Authentication Assumptions ATLAS-GATE-MCP operates under a zero-trust security model with the following authentication assumptions: **Transport Security**: Communication occurs over controlled stdio transport or authenticated HTTP channels. The protocol assumes the transport layer provides basic authentication and integrity protection. **Session Authentication**: Sessions are established via `begin_session` with workspace binding and cryptographic session identifiers. Session state is maintained server-side with proper isolation. **Plan-Based Authentication**: Operations are authenticated against approved plans stored in the governance repository. Plans serve as capability tokens that authorize specific operations within defined scopes. **Bootstrap Authentication**: Initial system setup requires bootstrap secret authentication for creating the first governance plans. This secret is single-use and destroyed after initial configuration. ### Authorization and Permission Boundaries The authorization model implements multiple, overlapping permission boundaries: **Role-Based Authorization**: - **Windsurf Role**: Full execution capabilities including file writes, plan creation, and system modifications - **Antigravity Role**: Read-only capabilities including file reads, plan inspection, and analysis operations - **Role Separation**: Strict enforcement prevents privilege escalation between roles **Plan-Based Authorization**: - **Plan Reference**: All operations must reference an approved plan ID - **Scope Validation**: Operations are validated against plan-defined scopes and constraints - **Hash Verification**: Plan integrity is verified via cryptographic hashes - **Temporal Validity**: Plans may include temporal constraints and expiration **Capability-Based Authorization**: - **Tool Scoping**: Each tool has defined capabilities and required permissions - **Parameter Validation**: Tool parameters are validated against schemas and security policies - **Resource Access**: Filesystem and resource access is limited to authorized paths - **Operation Constraints**: Specific operations may have additional constraints (e.g., file size limits) ### Access Control Mechanisms **MCP-Only Enforcement**: - Process sandbox prevents direct system access - All operations must go through MCP tool interfaces - Filesystem access is mediated through authorized tools only - Network access is blocked by default with explicit allowances **Content Security**: - Static analysis prevents injection of malicious code patterns - Stub detection prevents deployment of incomplete or placeholder code - Policy enforcement blocks prohibited constructs and practices - Content integrity verification ensures file consistency **Audit and Compliance**: - Comprehensive audit logging captures all operations with full context - Cryptographic signatures ensure audit log integrity - Tamper detection mechanisms prevent audit log manipulation - Compliance reporting supports regulatory requirements ### Data Exposure and Capability Escalation Prevention **Data Isolation**: - Session-based isolation prevents cross-session data leakage - Workspace binding limits operations to authorized directories - Path traversal protection prevents unauthorized file access - Content filtering prevents sensitive data exposure in responses **Capability Escalation Prevention**: - Role separation prevents read-to-write privilege escalation - Plan authorization prevents unauthorized capability acquisition - Tool scoping limits operations to defined boundaries - Static analysis prevents privilege escalation through code injection **Least Privilege Enforcement**: - Default-deny security posture with explicit authorization - Minimal required permissions for each operation - Time-limited authorization tokens where applicable - Revocation capabilities for compromised sessions or plans ### Design Principles **Zero Trust**: Never trust, always verify. All operations require explicit authorization regardless of source. **Fail-Secure**: Security violations result in operation termination rather than risky fallbacks. **Defense in Depth**: Multiple, overlapping security controls ensure no single point of failure. **Audit by Design**: All operations are auditable by design with comprehensive logging and integrity protection. **Least Privilege**: Operations are granted minimal necessary permissions with scoped access. **Transparency**: Security decisions are logged and auditable with clear reasoning and evidence. ## MCP Capabilities in Atlas-Gate ATLAS-GATE-MCP implements comprehensive MCP primitives with enterprise-grade security extensions. ### Supported MCP Primitives **Tools**: 17 specialized tools covering core operations: - **File Operations**: `read_file`, `write_file` with comprehensive validation - **Plan Management**: `list_plans`, `lint_plan`, `bootstrap_tool` for governance - **Audit Operations**: `read_audit_log`, `replay_execution`, `verify_workspace_integrity` - **Attestation**: `generate_attestation_bundle`, `verify_attestation_bundle`, `export_attestation_bundle` - **Session Management**: `begin_session`, `read_prompt` for session initialization **Resources**: Read-only access to system state and configuration: - **Plan Resources**: Approved governance plans and their metadata - **Audit Resources**: Historical audit logs and compliance data - **Configuration Resources**: System configuration and security policies - **Documentation Resources**: System documentation and operational guides **Prompts**: Reusable prompt templates for common operations: - **Planning Prompts**: Templates for creating and validating governance plans - **Analysis Prompts**: Templates for security analysis and compliance checking - **Operational Prompts**: Templates for common operational tasks ### Security Extensions **Enhanced Validation**: All inputs undergo comprehensive security validation beyond standard MCP schema validation: - Static analysis for security patterns - Content integrity verification - Policy compliance checking - Threat pattern detection **Audit Integration**: All operations are integrated with the audit system: - Pre-execution audit logging - Post-execution result capture - Cryptographic signature generation - Tamper-evident storage **Authorization Extensions**: Plan-based authorization extends standard MCP capabilities: - Capability token management - Scope-based access control - Temporal authorization constraints - Revocation and renewal mechanisms ### Extensibility and Interoperability **Tool Registration**: New tools can be registered with comprehensive security validation: - Schema definition and validation - Security policy integration - Audit logging integration - Authorization mapping **Protocol Compatibility**: Full MCP protocol compliance ensures interoperability: - Standard JSON-RPC 2.0 transport - Compliant tool and resource definitions - Standard error handling and response formats - Capability discovery mechanisms **Integration Points**: Well-defined interfaces for system integration: - Authentication provider interfaces - Authorization system hooks - Audit log consumers - Monitoring and alerting endpoints ### Differentiation from Other MCP Servers **Enterprise Security Focus**: Unlike development-focused MCP servers, ATLAS-GATE-MCP prioritizes security, compliance, and auditability over flexibility. **Governance Integration**: Built-in plan-based governance system provides structured authorization lacking in standard MCP implementations. **Comprehensive Auditing**: Immutable, cryptographically-signed audit trails exceed standard MCP logging capabilities. **Process Isolation**: MCP-only sandbox enforcement provides stronger isolation than typical MCP server implementations. **Static Analysis Integration**: Real-time code analysis and security scanning are unique capabilities not found in standard MCP servers. ## Usage Overview ### Primary Use Cases **Enterprise AI Development**: Secure AI-assisted development in regulated environments where code quality, security, and compliance are mandatory. **Compliance-Driven Development**: Development workflows requiring comprehensive audit trails, change approval, and regulatory compliance documentation. **High-Security Environments**: Development of security-critical systems where code injection, privilege escalation, and data leakage must be prevented. **Multi-Tenant Development**: Shared development environments where strict isolation and auditability between teams and projects are required. **Governed AI Operations**: Organizations requiring structured approval processes for AI-assisted operations with clear accountability and traceability. ### Typical Deployment Scenarios **Development Gateway**: ATLAS-GATE-MCP deployed as a gateway between AI development tools and code repositories, enforcing governance policies and maintaining audit trails. **Compliance Enforcement**: Integration with compliance systems to ensure all AI-assisted development meets regulatory requirements and organizational policies. **Security Monitoring**: Integration with security operations centers to monitor AI agent activities and detect potential security violations. **Audit and Forensics**: Providing comprehensive audit trails for incident response, forensic analysis, and compliance reporting. ### Target Users **Platform Engineers**: Responsible for maintaining secure development infrastructure and ensuring compliance with organizational policies. **Security Engineers**: Focused on preventing security vulnerabilities, maintaining audit trails, and ensuring secure AI operations. **Compliance Officers**: Ensuring development activities meet regulatory requirements and organizational standards. **Development Teams**: Using AI assistance while maintaining security, quality, and compliance standards. **DevOps Engineers**: Integrating AI-assisted development into CI/CD pipelines with proper governance and monitoring. ### When to Use Atlas-Gate **Use Atlas-Gate when**: - Enterprise-grade security is non-negotiable - Comprehensive audit trails are required - Regulatory compliance must be maintained - Multiple teams share development resources - AI assistance is needed but must be tightly controlled - Code quality and security standards must be enforced - Change approval processes are required **Consider alternatives when**: - Development speed is the primary concern over security - Simple, single-developer projects without compliance requirements - Experimental development where flexibility is more important than governance - Organizations without established security and compliance frameworks ## How Atlas-Gate Compares to Alternatives ### Traditional REST/GraphQL APIs **Security Model**: - **REST/GraphQL**: Typically rely on network-level security (TLS, API keys) with application-level authorization - **Atlas-Gate**: Multi-layer security with process isolation, content validation, and comprehensive audit trails **State Management**: - **REST/GraphQL**: Often stateless or require explicit session management - **Atlas-Gate**: Built-in session management with cryptographic isolation and audit correlation **Schema Validation**: - **REST/GraphQL**: Schema validation varies by implementation; often optional - **Atlas-Gate**: Mandatory schema validation with Zod and additional security scanning **AI Integration**: - **REST/GraphQL**: Not designed for AI model interaction patterns - **Atlas-Gate**: Specifically designed for AI model interaction with appropriate error handling and response formats **Compliance**: - **REST/GraphQL**: Audit logging must be implemented manually - **Atlas-Gate**: Comprehensive, immutable audit trails built into the protocol ### Plugin-based LLM Systems **Security Boundaries**: - **Plugin Systems**: Often rely on plugin developer security practices; vulnerabilities can affect entire system - **Atlas-Gate**: Process-level isolation prevents plugin vulnerabilities from affecting system security **Update Mechanisms**: - **Plugin Systems**: Dynamic loading can introduce security risks and version conflicts - **Atlas-Gate**: Static tool registration with comprehensive validation prevents runtime security issues **Authorization**: - **Plugin Systems**: Authorization varies by plugin implementation - **Atlas-Gate**: Consistent, plan-based authorization across all capabilities **Audit Trail**: - **Plugin Systems**: Audit logging is inconsistent across plugins - **Atlas-Gate**: Uniform, comprehensive audit trail for all operations ### Agent Frameworks with Embedded Tools **Tool Isolation**: - **Agent Frameworks**: Tools often run in same process as agent, increasing attack surface - **Atlas-Gate**: Process isolation and sandbox enforcement provide stronger security boundaries **Governance**: - **Agent Frameworks**: Governance varies by implementation; often lacks enterprise-grade controls - **Atlas-Gate**: Built-in governance system with plan-based authorization and compliance features **Scalability**: - **Agent Frameworks**: Often designed for single-agent scenarios - **Atlas-Gate**: Designed for multi-agent, multi-session enterprise environments **Compliance**: - **Agent Frameworks**: Compliance features vary; often inadequate for regulated environments - **Atlas-Gate**: Enterprise-grade compliance features with comprehensive audit trails ### Other MCP Servers **Security Focus**: - **Other MCP Servers**: Often prioritize flexibility and ease of use over security - **Atlas-Gate**: Security-first design with comprehensive enforcement mechanisms **Governance Integration**: - **Other MCP Servers**: Limited or no governance capabilities - **Atlas-Gate**: Built-in plan-based governance system with approval workflows **Audit Capabilities**: - **Other MCP Servers**: Basic logging capabilities - **Atlas-Gate**: Comprehensive, cryptographically-signed audit trails with tamper detection **Enterprise Features**: - **Other MCP Servers**: Often designed for development or experimental use - **Atlas-Gate**: Designed specifically for enterprise production environments ## Design Decisions and Tradeoffs ### Key Architectural Choices **MCP-Only Sandbox Enforcement**: - **Decision**: Restrict all operations to MCP protocol interfaces - **Rationale**: Prevents direct system access and ensures all operations are auditable - **Tradeoff**: Reduced flexibility for significantly improved security posture **Plan-Based Authorization**: - **Decision**: Require all operations to reference approved governance plans - **Rationale**: Provides structured authorization and change approval processes - **Tradeoff**: Additional complexity for improved governance and compliance **Static Analysis Integration**: - **Decision**: Scan all content for security patterns before execution - **Rationale**: Prevents injection of malicious code and policy violations - **Tradeoff**: Performance overhead for enhanced security assurance **Immutable Audit Trails**: - **Decision**: Maintain cryptographically-signed, tamper-evident audit logs - **Rationale**: Provides non-repudiation and compliance support - **Tradeoff**: Storage overhead and complexity for audit integrity ### Constraints and Limitations **Performance Considerations**: - Static analysis and content validation add latency to operations - Comprehensive audit logging generates significant data volume - Process isolation introduces communication overhead **Scalability Limitations**: - Single-server architecture limits horizontal scaling - Session state management constrains concurrent operations - File-based audit storage has performance implications **Operational Complexity**: - Plan governance requires administrative overhead - Security configuration requires specialized knowledge - Audit management and retention policies add operational burden **Flexibility Constraints**: - Strict security policies limit certain development patterns - Plan-based authorization can slow rapid iteration - MCP-only restriction prevents direct system integration ### Non-Goals **General-Purpose Server**: ATLAS-GATE-MCP is not designed to replace general-purpose application servers or API gateways. **Development Speed Optimization**: The system prioritizes security and compliance over development velocity. **Multi-Protocol Support**: Focus on MCP protocol rather than supporting multiple integration protocols. **Real-time Performance**: Not optimized for high-frequency, low-latency operations typical of trading systems or real-time analytics. **Dynamic Configuration**: Runtime reconfiguration is limited to maintain security guarantees. ## Future Directions / Roadmap ### Plausible Future Enhancements **Distributed Architecture**: Multi-server deployment with load balancing and horizontal scaling capabilities. **Database Integration**: Support for external databases for audit storage and session management. **Advanced Authentication**: Integration with enterprise authentication systems (LDAP, SAML, OAuth2). **Policy Engine**: Rule-based policy engine for more sophisticated authorization decisions. **Performance Optimization**: Caching mechanisms and optimized static analysis for improved performance. **Monitoring Integration**: Enhanced monitoring and alerting integration with enterprise observability platforms. **Compliance Automation**: Automated compliance reporting and regulatory requirement mapping. ### Areas of Exploration **Machine Learning Integration**: ML-based anomaly detection for security threat identification. **Advanced Threat Protection**: Integration with threat intelligence feeds and automated response capabilities. **Cross-Platform Support**: Support for additional operating systems and deployment environments. **Protocol Extensions**: Extensions to MCP protocol for enhanced security and governance features. **Community Ecosystem**: Development of additional tools and integrations by the community. **Enterprise Features**: Additional enterprise-specific features like role-based administration and advanced reporting. ### Long-Term Direction **Standardization Leadership**: Active participation in MCP protocol standardization and security best practices development. **Ecosystem Development**: Growth of a partner ecosystem for integrations and complementary tools. **Compliance Expansion**: Support for additional regulatory frameworks and compliance requirements. **Security Innovation**: Continued innovation in AI security and governance mechanisms. **Performance Evolution**: Ongoing performance optimization while maintaining security guarantees. ## Glossary **MCP (Model Context Protocol)**: Standardized protocol for AI model interaction with external systems, tools, and data sources. **Atlas-Gate**: Enterprise MCP server implementing security governance, sandbox enforcement, and comprehensive audit trails. **Windsurf Role**: Atlas-Gate operational mode with execution and mutation capabilities, including file writes and system modifications. **Antigravity Role**: Atlas-Gate operational mode with read-only capabilities for analysis and planning operations. **Plan**: Governance document that defines authorization scopes, constraints, and approval requirements for operations. **Tool**: Executable function exposed through MCP interface with defined schemas and security policies. **Resource**: Read-only data source accessible through MCP interface with proper authorization. **Session**: Bounded interaction context between AI model and Atlas-Gate server with associated state and permissions. **Audit Trail**: Comprehensive, immutable log of all operations with cryptographic integrity protection. **Sandbox**: Process-level isolation mechanism that restricts operations to MCP protocol interfaces only. **Static Analysis**: Automated code scanning for security patterns, policy violations, and prohibited constructs. **Stub Detection**: Identification of incomplete, placeholder, or non-production code patterns. **Authorization**: Process of verifying that operations are permitted based on roles, plans, and security policies. **Governance**: System of rules, policies, and procedures for controlling and monitoring AI agent operations. **Compliance**: Adherence to regulatory requirements, organizational policies, and industry standards. **Zero Trust**: Security model that assumes no implicit trust and requires verification for all operations. **Least Privilege**: Security principle of granting minimal necessary permissions for required operations. **Non-repudiation**: Assurance that operations cannot be denied by their performers, typically through audit trails. **Tamper-evident**: Property that unauthorized modifications to data or systems can be detected. **Capability Token**: Authorization credential that grants specific permissions within defined scopes. **Content Integrity**: Assurance that content has not been altered in unauthorized ways. **Policy Enforcement**: Automated application of security policies and governance rules. **Transport Layer**: Communication mechanism between AI models and MCP servers, typically JSON-RPC 2.0. **Schema Validation**: Verification that input data conforms to defined structure and type requirements. **Session Isolation**: Separation of state and permissions between different concurrent sessions. **Workspace Binding**: Association of operations with specific workspace directories for security and organization. **Cryptographic Signature**: Digital signature used to verify authenticity and integrity of audit entries. **Threat Pattern**: Recognized pattern of malicious or unauthorized activity that security systems should detect. **Enterprise Grade**: Security and reliability standards suitable for large organizational deployment. **Production Ready**: System state appropriate for live operational use with proper security, monitoring, and support.

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dylanmarriner/MCP-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

README.md•41.4 KiB