Skip to main content
Glama
dschnurbusch

mattergate

by dschnurbusch

Mattergate

A self-hostable MCP permissions gateway for legal-tech systems.

The goal is simple: connect legal apps once, then expose only the MCP tools each team member should actually use. Mattergate is not a data lake. It is a thin policy and audit layer over vendor APIs.

Current status

This is a scaffold. It includes:

  • TypeScript npm workspace project

  • Policy engine with job-title presets and deny precedence

  • Connector SDK with a mock legal connector

  • MCP gateway core that filters visible tools and enforces permissions on invocation

  • Minimal HTTP server and CLI placeholders

  • Lightweight admin UI scaffold

  • Public landing page app for the open-source project

  • Research and planning docs

Real Lawmatics/Filevine/Clio/MyCase/etc. connectors come later.

Related MCP server: MCPGate

Why this exists

Legal-tech APIs are inconsistent. Some vendors enforce the authenticated user's in-app permissions. Others expose broad account-level API access, weak scopes, service-account access, or docs that are silent. Lawmatics is the clearest reason to build a policy gateway: its public OAuth docs state that it does not support scopes and authorization grants full CRUD access to the account.

Quick start

npm install
npm run verify
npm run dev:server

In another shell:

curl http://127.0.0.1:4317/health
curl -H 'x-legal-mcp-user-id: demo-paralegal' http://127.0.0.1:4317/tools

Admin UI scaffold:

npm run dev:admin

Public landing page:

npm run dev:landing

Repository layout

apps/
  server/     Minimal HTTP gateway API scaffold
  cli/        Local stdio/CLI scaffold
  admin/      Lightweight admin UI scaffold
  landing/    Public open-source project landing page
packages/
  core/       Shared domain types, errors, audit helpers, external-content labels
  policy/     RBAC/ABAC evaluator and job-title presets
  connectors/ Connector SDK and mock legal connector
  mcp/        Tool filtering and policy-enforced invocation core
docs/
  architecture.md
  connector-development.md
  deployment.md
  policy-model.md
  project-plan.md
  project-tracker.md
  research/   Ignored local research markdown files

Security posture

  • Bring-your-own vendor OAuth app/client credentials. Do not ship shared client secrets.

  • Encrypt OAuth refresh tokens, API keys, and vendor client secrets before any real connector work.

  • Hide tools a user cannot invoke, but also enforce permission checks on every invocation.

  • Default writes to dry-run where possible.

  • Label external vendor content as untrusted data.

  • Audit metadata, not raw legal content.

License

MIT.

A
license - permissive license
-
quality - not tested
B
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dschnurbusch/mattergate'

If you have feedback or need assistance with the MCP directory API, please join our Discord server