Hosted MCP Readiness Pack
Why this page exists. SecurityRecipes already ships a credible open corpus and local read-only MCP server. The next enterprise gap is hosted MCP: tenant isolation, private evidence ingestion, protected-resource authorization, receipt integrity, SOC evidence, metering, and operational readiness.
SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. The long-term product is not just documentation. It is a hosted secure context and MCP control plane that lets agent hosts ask safer questions, call tools with bounded authority, and produce evidence that security, GRC, and reviewers can inspect.
The Hosted MCP Readiness Pack makes that path concrete. It names the controls that are already reference-ready, the controls that need design-partner runtime evidence, and the controls that block production hosted claims until a tenant-safe service exists.
What was added
data/assurance/hosted-mcp-readiness-profile.json- source profile for hosted MCP positioning, current source references, source-pack dependencies, stages, controls, rollout gates, reviewer evidence, vendorization, risks, and next 90 days.data/evidence/hosted-mcp-readiness-pack.json- generated pack with 14 source packs, 5 rollout stages, 21 readiness controls, 7 gates, 5 reviewer evidence items, and 7 hosted-product risks.recipes_hosted_mcp_readiness_pack- MCP tool for the full pack, one readiness stage, control, rollout gate, reviewer evidence item, risk, or implementation-status view.
Product decision
The generated artifact currently reports:
| Field | Value |
|---|---|
contract_status |
hosted_mcp_readiness_contract_ready |
product_readiness_decision |
hold_for_hosted_runtime_implementation |
production_ready |
false |
source_pack_ready_count |
14 |
control_count |
21 |
hosted_runtime_required_count |
18 |
That is intentional. The open reference layer is credible, but a production hosted MCP service must still prove tenant isolation, private evidence ingestion, protected-resource authorization, receipt integrity, operational controls, metering, and customer proof.
Readiness stages
| Stage | Meaning |
|---|---|
| Open reference MCP server | Public read-only site and generated packs are ready for reference use. |
| Design partner private context pilot | One scoped tenant binds private context, redacted telemetry, proof metrics, and reviewer outcomes. |
| Protected hosted MCP gateway | Hosted MCP enforces resource indicators, audience validation, scope challenge, no token passthrough, connector isolation, and tool-surface drift controls. |
| Assurance and operations | Receipts, SOC detection, incident containment, retention/deletion, SLO, and recovery controls become inspectable. |
| Operational packaging and trust readiness | Metering, plan boundaries, renewal metrics, support model, and hosted-ready-proof proof become explicit. |
Controls that matter most
The pack intentionally focuses on high-leverage enterprise controls:
- Tenant-bound context index - private context cannot cross tenant, package, egress, retention, or receipt boundaries.
- Protected-resource authorization - hosted MCP calls require resource indicators, token audience validation, issuer checks, session binding, scope state, and explicit pre-execution decisions.
- No token passthrough - the service kills sessions on token reuse, wrong audience, secret capture, or cross-tenant credential signals.
- Connector runtime isolation - hosted connectors need namespace, sandbox, egress, promotion, and rollback boundaries.
- Tool-surface drift monitoring - tool descriptions, schemas, annotations, and capability flags cannot silently expand authority.
- Metadata-first telemetry - customer proof uses traces, hashes, decisions, and redacted summaries instead of raw prompts, secrets, or private code.
- Signed or verifiable run receipts - every governed run needs tamper-evident proof linking identity, context, MCP authorization, egress, approvals, verifier output, and closure.
- Metering and entitlement - the hosted-ready proof path is usage of tenant-bound context packages, governed MCP decisions, connector namespaces, trust-center exports, and proof retention.
Rollout gates
| Gate | Decision |
|---|---|
| Tenant isolation gate | Deny private context until tenant, egress, retention, and deletion controls pass. |
| Protected-resource authorization gate | Hold hosted MCP until resource, audience, issuer, session, scope, and token checks pass. |
| Connector promotion gate | Hold connector promotion until isolation, tool-surface drift, and elicitation checks pass. |
| Telemetry redaction gate | Hold customer proof until telemetry is useful without leaking sensitive data. |
| Receipt integrity gate | Hold trust review claims until receipts are tamper-evident or externally verifiable. |
| Operations gate | Hold enterprise rollout until incident, support, SLO, recovery, and disablement paths are tested. |
| Trust gate | Hold the trust story until usage meters, renewal metrics, and a budget-owned hosted-ready proof path exist. |
Why it is review-ready
This pack turns the trusted-source vision into diligence artifacts an reviewer can inspect:
- It separates the open reference moat from the future hosted service.
- It names the runtime controls that must exist before private customer context is allowed.
- It maps MCP authorization, connector drift, source freshness, telemetry, SOC detection, receipts, and trust-center exports into one hosted roadmap.
- It treats no-token-passthrough, step-up authorization, egress holds, and kill decisions as trusted-source value.
- It defines usage meters and plan boundaries before adoption proof is claimed.
The resulting story is more credible: open knowledge creates distribution and trust; hosted MCP turns that knowledge into enforceable context; customer proof and metering create the trust value.
MCP examples
Inspect the full hosted MCP readiness pack:
recipes_hosted_mcp_readiness_pack()
Inspect one readiness control:
recipes_hosted_mcp_readiness_pack(control_id="protected-resource-authorization")
Inspect one rollout gate:
recipes_hosted_mcp_readiness_pack(gate_id="receipt-integrity-gate")
Find all controls that still need hosted runtime implementation:
recipes_hosted_mcp_readiness_pack(status="hosted_runtime_required")
Find reviewer evidence for the reviewer trust story:
recipes_hosted_mcp_readiness_pack(buyer_evidence_id="reviewer-adoption proof-proof")
Industry alignment
The profile is grounded in current primary sources:
- MCP basic specification for protocol layers, lifecycle, resources, prompts, tools, client features, and utilities.
- MCP Authorization for protected-resource metadata, resource indicators, token audience binding, scope minimization, step-up authorization, PKCE, and no token passthrough.
- MCP Elicitation for form-mode and URL-mode interaction boundaries.
- OpenTelemetry MCP semantic conventions for MCP spans, sessions, methods, transports, errors, and duration metrics.
- OWASP Top 10 for Agentic Applications and OWASP MCP Top 10 for agentic and MCP-specific threat classes.
- CSA AI Controls Matrix and CSA capabilities-based risk assessment for enterprise AI assurance and consequence-driven agentic risk.
- NIST AI Agent Standards Initiative and NIST CAISI agent security RFI for secure, interoperable agent infrastructure and deployment measurement.
- CISA AI Data Security and CISA Deploying AI Systems Securely for data security, integrity, monitoring, detection, response, and secure AI deployment.