Overview
The model can supply ordinary business arguments such as invoice_id, ticket_id, order_id, reason, or requested action text. It must not supply the tenant, principal, approval identity, write credential, source id, allowed columns, or expected row version.
In local mode, trusted context can come from static_dev or environment providers. In Cloud-linked mode, trusted context comes from the scoped Cloud session and runner token.
If a model tries to pass tenant_id, principal, source_id, allowed_columns, row_version, expected_version, or approval_identity as ordinary arguments, the runner rejects the call.
Developer notes
- Treat all model arguments as untrusted.
- Bind tenant and principal from backend/session state.
- Record binding provenance in evidence and replay.
- Reject any model attempt to override trusted context.
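
The rejection rule and the developer notes above, sketched as an added example (not the runner's own code). The names bind_call, TrustedContext and TrustedContextOverride, the "cloud_session" provider label, and the nested, case-insensitive key check are assumptions that go beyond the flat argument check the page describes.

```python
# Added illustration; every name here is hypothetical, not the runner's API.
from dataclasses import dataclass

# Argument names the page says the model must never supply.
RESERVED = frozenset({
    "tenant_id", "principal", "source_id", "allowed_columns",
    "row_version", "expected_version", "approval_identity",
})

class TrustedContextOverride(Exception):
    """Raised when model arguments try to set trusted context."""

@dataclass(frozen=True)
class TrustedContext:
    tenant_id: str
    principal: str
    provider: str  # provenance: "static_dev", "environment" or "cloud_session" (constructed label)

def _reserved_paths(value, path=""):
    """Yield the path of every reserved key, including nested ones."""
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}" if path else str(key)
            # Normalise so "Tenant_ID" or " tenant_id" cannot slip through.
            if str(key).strip().lower() in RESERVED:
                yield here
            yield from _reserved_paths(child, here)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _reserved_paths(child, f"{path}[{i}]")

def bind_call(model_args: dict, ctx: TrustedContext) -> dict:
    """Reject override attempts, then bind trusted context from the backend."""
    hits = sorted(_reserved_paths(model_args))
    if hits:
        # Fail closed: never strip the field and continue silently.
        raise TrustedContextOverride(f"model supplied trusted fields: {hits}")
    return {
        "args": dict(model_args),        # untrusted business arguments
        "tenant_id": ctx.tenant_id,      # bound from session state
        "principal": ctx.principal,      # bound from session state
        "evidence": {                    # binding provenance for evidence and replay
            "binding_provider": ctx.provider,
            "bound_fields": ["tenant_id", "principal"],
        },
    }
```

Raising instead of dropping the offending key keeps the override attempt visible in logs and replay.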