Tool Permissions
Per-tool, per-agent, per-tenant permission scopes enforced by the MCP registry — the boundary between 'an agent can call X' and 'an agent will call X with these credentials'.
Tools without permission scopes are tools that any agent can call with full credentials. The registry is the layer that turns 'this tool exists' into 'this agent can call it with this scope on behalf of this principal'.
What it solves
Removes shared-credential anti-patterns. Lets least-privilege apply at the tool-call boundary, not just at the human IAM layer.
How we build it
Each MCP tool declares the scopes it requires. The registry maps agents and tenants to the scopes they hold. Tool invocations carry a scoped, time-limited token; the underlying API never sees a shared credential. Scope changes are logged; out-of-scope calls are rejected before they reach the API.
- Per-tool scope declaration
- Per-agent and per-tenant scope assignment
- Scoped, time-limited tokens at invocation
- Audit log on scope grant and revocation
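The flow described above, sketched as an added example (not the product's own code): a registry checks a tool's declared scopes against what the agent holds for a tenant, mints a short-lived token bound to that one tool, and records grants, revocations and rejections. The tool names, scope strings, signing key and HMAC token format are assumptions made for illustration.

```python
import hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"              # assumption: registry-held secret
TOOL_SCOPES = {"crm.read_contact": {"crm:read"},   # constructed per-tool declarations
               "crm.delete_contact": {"crm:read", "crm:delete"}}

class Registry:
    def __init__(self):
        self.grants = {}   # (agent, tenant) -> set of scopes held
        self.audit = []    # append-only (timestamp, event, agent, tenant, detail)

    def grant(self, agent, tenant, scope, now):
        self.grants.setdefault((agent, tenant), set()).add(scope)
        self.audit.append((now, "grant", agent, tenant, scope))

    def revoke(self, agent, tenant, scope, now):
        self.grants.get((agent, tenant), set()).discard(scope)
        self.audit.append((now, "revoke", agent, tenant, scope))

    def mint_token(self, agent, tenant, tool, now, ttl=60):
        """Return a token scoped to one tool call, or None if out of scope."""
        required = TOOL_SCOPES.get(tool)
        held = self.grants.get((agent, tenant), set())
        if required is None or not required <= held:
            # Rejected here, before anything reaches the underlying API.
            self.audit.append((now, "reject", agent, tenant, tool))
            return None
        body = json.dumps({"agent": agent, "tenant": tenant, "tool": tool,
                           "scopes": sorted(required), "exp": now + ttl}, sort_keys=True)
        sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def scopes_at(self, agent, tenant, when):
        """Replay the audit log to answer 'who had what scope when'."""
        held = set()
        for ts, event, a, t, detail in self.audit:
            if ts <= when and (a, t) == (agent, tenant):
                if event == "grant":
                    held.add(detail)
                elif event == "revoke":
                    held.discard(detail)
        return held

def verify_token(token, tool, now):
    """Tool-side check: signature valid, not expired, bound to this tool."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(body)
    return claims["tool"] == tool and now < claims["exp"]
```

Timestamps are passed in explicitly so the expiry and audit-replay behaviour can be exercised deterministically; a deployment would use an asymmetric signature so the verifier holds no minting key.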
What changes when it is in place
A compromised agent cannot do more than its scope allows. An audit query answers 'who had what scope when' as data, not as guesswork.