Architecture 2026-03-06

The MCP Gateway

How iddio applies its classify-enforce-audit pipeline to Model Context Protocol tool calls. Protocol translation, fail-closed classification, and policy-filtered tool discovery.

MCP Meets Zero-Trust

The Model Context Protocol (MCP) gives AI agents a standard way to discover and invoke tools. An agent can call kubernetes_get_pods, ssh_run_command, or terraform_plan through a uniform JSON-RPC interface. But MCP itself has no concept of access control, risk classification, or audit logging.

Iddio acts as an MCP gateway — a policy-enforced intermediary that applies the same classify-enforce-audit pipeline to MCP tool calls as it does to Kubernetes API requests, SSH connections, and CLI commands.

Protocol Translation

The MCP classifier doesn’t classify tool calls from scratch. It translates them back into the native protocol they represent, then delegates to the existing protocol classifier.

When an agent calls kubernetes_get_secret, the classifier translates the tool name and arguments into an HTTP method and Kubernetes API path — GET /api/v1/namespaces/prod/secrets/db-creds — and hands it to the Kubernetes classifier. That classifier already knows GET on secrets is T3 (sensitive).

func (c *MCPClassifier) Classify(toolName string, args map[string]any) Classification {
    if strings.HasPrefix(toolName, "kubernetes_") {
        return c.classifyKubernetes(toolName, args)
    }
    if strings.HasPrefix(toolName, "ssh_") {
        return c.classifySSH(toolName, args)
    }
    // ... other protocols

    // Unknown tools — fail closed at T4
    return Classification{Tier: TierBreakGlass, Resource: toolName, Protocol: "mcp"}
}

Unknown tools that don’t match any protocol prefix are assigned T4 (break-glass) by default. This is fail-closed by design.

Policy-Filtered Tool Discovery

When an agent sends tools/list, iddio classifies every registered tool and evaluates each against the calling agent’s policy. Tools that policy would deny are stripped from the response — the agent never sees them.

This is defense in depth: even if an agent calls a hidden tool directly, the tools/call handler runs the same classify-then-enforce pipeline and denies it. But filtering at discovery saves the agent from wasting tokens on operations it can’t perform.
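
An added example, not iddio's own code, in which tools/list filtering and tools/call enforcement share one decision function, so a tool hidden at discovery is still denied when called directly. The Policy type, the MaxTier model, the T1/T2 tiers and the tool-to-tier table are assumptions; only T3 for secret reads and T4 for unknown tools come from the post.

```go
package main

import "fmt"

// T3/T4 are the post's tiers; T1, T2 and MaxTier are assumptions for this example.
type Tier int

const T1, T2, T3, T4 Tier = 1, 2, 3, 4

// Policy is hypothetical: the agent may use tools at or below MaxTier.
type Policy struct{ MaxTier Tier }

// known is a constructed stand-in for the protocol classifiers.
var known = map[string]Tier{"kubernetes_get_pods": T1, "kubernetes_get_secret": T3}

// classify returns the tool's tier; unknown tools fail closed at T4.
func classify(tool string) Tier {
	if tier, ok := known[tool]; ok {
		return tier
	}
	return T4
}

// allowed is the one decision shared by discovery and invocation.
func allowed(p Policy, tool string) bool { return classify(tool) <= p.MaxTier }

// ListTools answers tools/list with policy-denied tools stripped out.
func ListTools(p Policy, registered []string) []string {
	visible := []string{}
	for _, t := range registered {
		if allowed(p, t) {
			visible = append(visible, t)
		}
	}
	return visible
}

// CallTool answers tools/call; it re-checks, so hidden tools stay denied.
func CallTool(p Policy, tool string) error {
	if !allowed(p, tool) {
		return fmt.Errorf("denied by policy: %s (T%d)", tool, classify(tool))
	}
	return nil // a real gateway would forward the call here
}

func main() {
	p := Policy{MaxTier: T2} // constructed agent policy and catalog
	catalog := []string{"kubernetes_get_pods", "kubernetes_get_secret", "custom_tool"}
	fmt.Println(ListTools(p, catalog), CallTool(p, "kubernetes_get_secret"))
}
```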

Progressive Disclosure

For large tool catalogs, iddio supports progressive disclosure. Instead of listing all tools upfront, the initial tools/list response contains only meta-tools:

  • iddio_list_categories — lists available tool categories
  • iddio_describe_tools — reveals tools in a specific category

This reduces token usage for agents that only need a subset of available tools.

Step-Up Authentication

When a tool call receives an Escalate decision from policy, the server returns a JSON-RPC error with code -32001 and includes an approval_url:

{
  "jsonrpc": "2.0",
  "id": 1,
  "error": {
    "code": -32001,
    "message": "approval required",
    "data": {
      "scope_required": "mcp:tools:write",
      "approval_url": "https://server.example.com/approvals/abc-123"
    }
  }
}

For desktop app users, this appears as a native approval dialog. Server-side approvals block until the operator responds.

Upstream Aggregation

Iddio proxies to external MCP servers. Register upstream servers, and iddio discovers their tools, merges them into a single catalog with configurable prefixes, and applies policy enforcement to forwarded calls:

mcp:
  upstreams:
    - name: internal-db
      url: https://db-mcp.internal:8443/mcp
      transport: streamable-http
      tools_prefix: db

    - name: monitoring
      url: https://grafana-mcp.internal:8443/mcp
      transport: streamable-http
      tools_prefix: grafana

Transports

Two transports are supported:

  • Stdio — JSON-RPC over stdin/stdout for local development
  • Streamable HTTP — JSON-RPC over HTTP POST for server deployments

Both support the full MCP protocol including tools/list, tools/call, and notification streams.

Audit Fields

MCP tool calls add three fields to audit events:

Field            Description
mcp_tool         The tool name (e.g., kubernetes_get_pods)
mcp_upstream     The upstream server that handled the call
mcp_session_id   The MCP session ID for the connection

These integrate into the same hash-chained audit log as all other protocols.
