An MCP server is, in effect, a set of capabilities you hand to an AI assistant. Safeguard's exposes more than 650 tools — querying vulnerabilities and SBOMs, scanning packages, managing SCM integrations, checking compliance, and much more. That breadth is useful. It is also a governance problem: the more an assistant can do, the more carefully you want to decide what it should do, for each team.
We now gate every tool individually, per tenant.
One flag per tool
Each tool has its own feature flag, keyed mcp:tool:<tool_name>. When an assistant connects, the server resolves the set of tools enabled for that tenant and uses it for both halves of the protocol:
- Discovery (
tools/list) advertises only the enabled tools. - Execution (
tools/call) refuses any tool that isn't enabled for the tenant.
Both come from the same resolution, so the two can never disagree. An assistant is never shown a tool it can't run, and never able to run a tool it wasn't shown. That symmetry removes a whole category of confusing — and occasionally dangerous — mismatches.
Safe by default
A new workspace doesn't start with 650 tools switched on. It starts with a small, curated default set that covers the core onboarding loop:
- Add an SCM integration
- Scan a repository
- List projects, vulnerabilities, and findings
Everything else stays implemented and ready, but off, until an administrator turns it on for the tenant. Teams begin narrow and widen access deliberately, tool by tool, as they build confidence in each capability. In the admin console, that's a search box and a toggle.
The failure mode is the point
Any access-control system is defined less by its happy path than by what it does when something breaks. Ours is deliberately conservative: if the enabled-tool set can't be resolved — a transient outage, a timeout — the server falls back to the small default set rather than exposing anything wider.
An outage can never broaden what an assistant can do. Least privilege that evaporates the moment a dependency hiccups isn't least privilege; it's least privilege on a good day.
Stateless enforcement
The MCP server holds no database of its own. It resolves each tenant's enabled tools from Safeguard's authentication service at connection time, scoped to the tenant, organization, and product context. That keeps the server easy to reason about and easy to run, and it keeps the source of truth — which tools a tenant is entitled to — in one place.
Why it matters
Coding agents made the software supply chain mutable in real time. The controls around them have to be precise enough to trust and simple enough to audit. Per-tool flags give security teams a dial they can actually turn: default to almost nothing, enable exactly what a team has earned, and show the decision later. And when infrastructure misbehaves, the dial turns down, not up.