gw.wardin.ai/mcp/servers/<name>, and every tools/call is governed (agent identity → tool allowlist), forwarded to the upstream, and written to the tamper-evident receipt chain with its real upstream outcome.
This works with any MCP client that speaks remote HTTP transport — Claude Code, Cursor, or your own agent.
1. Turn on agentic governance
In Console → Organization → Agentic Governance, set the tenant’s mode:- permissive — tool calls are metered and signed; only an explicit
tool_allowlistdenies. A good first step. - enforced — a covering
tool_allowlistand a registeredX-Wardin-Agent-Idare required (fail-closed).
/mcp/servers/<name> returns 404.
2. Connect the upstream server
In Console → MCP / Agents → MCP servers, connect the server you want to route:- Name — the
<name>in the proxy URL (e.g.deepwiki). - URL — the remote MCP endpoint (e.g.
https://mcp.deepwiki.com/mcp). - Transport —
http. - Credential —
none, a bearer token, or an API-key header. It’s encrypted at rest and never returned.
The proxy forwards to remote HTTP MCP servers with a public address. A dial that resolves to a loopback or private/link-local address is refused — this is an SSRF safeguard, so a local
stdio MCP server or an internal host can’t be reached through the hosted gateway.3. Point your MCP client at Wardin
The proxy URL ishttps://gw.wardin.ai/mcp/servers/<name>, authenticated with a virtual key. For Claude Code:
initialize and tools/list calls are forwarded transparently, so the handshake and tool discovery work as they would against the upstream directly (the proxy is POST-only and doesn’t consume server-initiated SSE streams). Only a tools/call is governed.
What gets governed and recorded
For eachtools/call the proxy:
- resolves the caller’s agent identity and checks the
tool_allowlist; - on allow, forwards to the upstream with the stored credential and relays the response, recording a signed
UPSTREAM: PASS/FAILcheck from the real outcome; - on deny, returns a JSON-RPC error (the MCP-native shape) without reaching the upstream, and still writes a
FAILreceipt.
X-Wardin-Session-Id), and Console → MCP / Agents shows a per-server LAST CALL badge with the most recent forwarded outcome. The receipts appear in the same chain as your model-call receipts — verify them with the offline verifier.
Restricting which tools an agent may call
Author atool_allowlist policy in Console → Policies — globs against the tool name:
tool_allowlist policy exists; in enforced mode a tool must match a covering allowlist or it’s blocked. Either way the denial is a signed TOOL_ALLOWLIST: FAIL check.
tools/list is forwarded whole, not filtered to the allowlist — an agent may see a tool it cannot invoke. The invocation is still blocked and recorded. Filtering discovery to the allowlist is a roadmap item.