Integration

MCP connector catalog

Two use modes, the access-rule schema, per-tool-type controls, and the GA connector catalog your tenant can enable.

10 min read

Every tool Verosek can run on your behalf, the access-rule schema that governs each call, and how you add connectors to your tenant.

TL;DR

Two use modes: the gateway runs tools for you during a chat completion, or an MCP client (Claude Desktop, Cursor, VS Code) talks to /mcp directly and gets the tools the virtual key is allowed to call.
Ten connectors ship GA today: databases, developer tools, observability, and SaaS.
Each (key, connection, tool) combination has an access config — operation allowlist, blocked resources, redaction rules, amount limits.
Connectors are enabled on your tenant through the onboarding engagement. New connectors are requested the same way.

Overview

Verosek exposes two surfaces where MCP tools are used.

LLM + tools — your application calls /v1/chat/completions (or the Anthropic / Gemini equivalent). If the LLM decides to call a tool, the gateway intercepts that call, applies the access rules for the requesting virtual key, runs the tool via the registered MCP connection, and feeds the result back into the LLM loop.

MCP-only — MCP-native clients (Claude Desktop, Cursor, VS Code) can connect directly to POST /mcp with Authorization: Bearer vsk_.... The gateway serves a JSON-RPC session. Methods implemented: initialize, tools/list, tools/call, ping.

Tool discovery uses the standard MCP tools/list JSON-RPC method on each backing server. The tools the gateway discovers on startup are cached per connection; the client sees only the tools the calling key has access rules for, with names namespaced as {connection_alias}__{tool_name}.

Two transports are supported:

stdio — the gateway runs the MCP server as a local subprocess. Used by the connectors in this catalog.
HTTP — remote MCP servers reachable over HTTPS.

Access-rule schema

For every (virtual key, connection, tool) triplet you want to allow, a rule is stored in tool_access_rules:

{
  "id": "rule_...",
  "key_id": "...",
  "connection_id": "conn_...",
  "tool_name": "query_database",
  "allowed": true,
  "access_config": {
    "type": "sql",
    "allowed_operations": ["SELECT"],
    "blocked_tables": ["admin_users", "audit_log"],
    "masked_columns": ["card_number"],
    "max_rows": 100,
    "read_only": true
  }
}

The admin API accepts key_ref (the non-secret vkr_... identifier) — not the plaintext virtual key.

Rule admin endpoints

Method	Path	Body / purpose
POST	`/api/v1/tool-access`	`ToolAccessRuleCreate` — `{ key_ref, connection_id, tool_name, allowed, access_config }`.
GET	`/api/v1/tool-access?key_ref=...` or `?connection_id=...`	List rules with filters.
PATCH	`/api/v1/tool-access/{rule_id}`	Update `allowed` or `access_config`.
DELETE	`/api/v1/tool-access/{rule_id}`	Revoke a rule.

`access_config.type` dispatch

The type field selects which enforcer runs against the tool call arguments. Every enforcer returns either allowed=True (possibly with modified_args) or allowed=False with a block_reason.

`type`	Enforcer	Supported arguments
`sql`	SQL	`sql` / `query` / `statement` string
`nosql`	MongoDB-style	`operation` / `method`, `collection`, `limit`
`keyvalue`	Redis-style	`command` or first word of `query`
`search`	Elasticsearch-style	`operation`, `index`, `size`
`filesystem`	Filesystem	tool name maps to read/write category; `path` / `file` / `directory`
`api`	Generic API	`repo` / `repository` / `project`, `channel`, `amount`, `api_key`

Per-tool-type control sets

Generated from the enforcer code — every option below is a key accepted by access_config.

SQL (`type: sql`)

Option	Type	Default	Behaviour
`allowed_operations`	list of strings	`["SELECT"]`	Only these operations pass. Violations BLOCK.
`read_only`	bool	`false`	If true, INSERT / UPDATE / DELETE / DROP / TRUNCATE / ALTER / CREATE / GRANT / REVOKE are BLOCKED regardless of `allowed_operations`.
`blocked_tables`	list of strings	`[]`	Queries touching any listed table are BLOCKED.
`masked_columns`	list of strings	`[]`	`SELECT *` against the query produces a modification warning. Column masking at result time is a future feature.
`max_rows`	int	(none)	If set and a SELECT lacks `LIMIT`, the gateway injects `LIMIT <max_rows>` and records the modification in the audit trace.

NoSQL (`type: nosql`)

Option	Type	Default	Behaviour
`allowed_operations`	list of strings	`["find", "aggregate", "count"]`	Anything else BLOCKED.
`read_only`	bool	`false`	Blocks write operations (`insert`, `update`, `delete`, `drop`, `create`, `insertOne`, `insertMany`, `updateOne`, `updateMany`, `deleteOne`, `deleteMany`, `dropCollection`).
`blocked_collections`	list of strings	`[]`	BLOCKED.
`max_results`	int	(none)	If set and no `limit` in args, injects `limit: <max_results>`.

Key-value (`type: keyvalue`)

Option	Type	Default	Behaviour
`allowed_commands`	list of strings	`["GET", "KEYS"]`	Anything else BLOCKED.
`read_only`	bool	`false`	Blocks write commands (`SET`, `DEL`, `HSET`, `LPUSH`, `RPUSH`, `EXPIRE`, `RENAME`, `FLUSHDB`, `FLUSHALL`, `HDEL`, `LREM`, `SREM`, `ZADD`, `ZREM`).
`blocked_key_patterns`	list of glob patterns	`[]`	Key matches (`*` wildcard) are BLOCKED.

Search (`type: search`)

Option	Type	Default	Behaviour
`allowed_operations`	list of strings	`["search"]`	Anything else BLOCKED.
`read_only`	bool	`false`	Blocks write operations (`index`, `delete`, `update`, `bulk`, `create_index`, `delete_index`).
`blocked_indices`	list of strings	`[]`	BLOCKED.
`max_results`	int	(none)	If set and no `size` in args, injects `size: <max_results>`.

Filesystem (`type: filesystem`)

Option	Type	Default	Behaviour
`allowed_operations`	list of strings	`["read_file", "list_directory"]`	Anything else BLOCKED.
`read_only`	bool	`false`	Blocks write tools (`write_file`, `create_directory`, `move_file`, `edit_file`).
`blocked_paths`	list of substrings / suffixes	`[]`	BLOCKED if tool arguments contain them.

API (`type: api`)

Option	Type	Default	Behaviour
`allowed_operations`	list of strings	`[]` (empty = all)	If set, tool names not in the list are BLOCKED.
`blocked_operations`	list of strings	`[]`	Tool names in the list are BLOCKED.
`read_only`	bool	`false`	Heuristic block on tool names containing `create`, `update`, `delete`, `remove`, `merge`, `close`, `push`, `post`, `send`, `write`, `edit`, `set`.
`blocked_repos` / `allowed_repos`	list of strings (glob)	`[]`	Applied when arguments include `repo` / `repository` / `project`.
`blocked_channels` / `allowed_channels`	list of strings	`[]`	Applied when arguments include `channel` / `channel_name`.
`max_amount_cents`	int	(none)	Applied when arguments include `amount` / `amount_cents`. Values above the limit are BLOCKED.
`test_mode_only`	bool	`false`	Blocks calls whose `api_key` argument does not begin with `sk_test_`.

Catalog

Ten connectors are wired up today. Each tile below describes the real connector definition in gateway/catalog/templates/*.yaml. To enable one on your tenant — or to ask for a connector not on this list — raise it during onboarding or contact info@verosek.com.

Databases

PostgreSQL

ID: postgres · Category: databases · Transport: stdio
Auth: connection URL credential (URI form).
Access-rule type: sql
Default allowed operations: SELECT · INSERT · UPDATE · DELETE · CREATE · DROP (selector); shipped default is SELECT only.
Access fields available: allowed_operations, blocked_tables, masked_columns, max_rows, read_only.
Typical tools: query, list tables, describe table (discovered via MCP tools/list).
Status: GA.

MySQL

ID: mysql · Category: databases · Transport: stdio
Auth: host / port / username / password / database credentials.
Access-rule type: sql (same schema as PostgreSQL).
Status: GA.

MongoDB

ID: mongodb · Category: databases · Transport: stdio
Auth: connection URI.
Access-rule type: nosql
Default allowed operations: find · aggregate · count · listCollections.
Access fields: allowed_operations, blocked_collections, max_results, read_only.
Status: GA.

Redis

ID: redis · Category: databases · Transport: stdio
Auth: Redis URL.
Access-rule type: keyvalue
Default allowed commands: GET, KEYS, HGET, LRANGE, EXISTS, TTL.
Access fields: allowed_commands, blocked_key_patterns, read_only.
Status: GA.

Developer tools

GitHub

ID: github · Category: developer_tools · Transport: stdio
Auth: personal access token.
Access-rule type: api
Default allowed operations: list_repos, get_repo, list_issues, get_file, search_code.
Access fields: allowed_operations, blocked_repos, allowed_repos (empty = all), read_only.
Status: GA.

GitLab

ID: gitlab · Category: developer_tools · Transport: stdio
Auth: personal access token + API base URL.
Access-rule type: api
Default allowed operations: list_projects, get_project, list_issues, get_file, search.
Access fields: allowed_operations, blocked_projects, read_only.
Status: GA.

Filesystem

ID: filesystem · Category: developer_tools · Transport: stdio
Auth: the MCP server is scoped to a single configured directory.
Access-rule type: filesystem
Default allowed operations: read_file, list_directory, search_files, get_file_info.
Access fields: allowed_operations, blocked_paths, read_only (defaults to true).
Status: GA.

Observability

Elasticsearch

ID: elasticsearch · Category: observability · Transport: stdio
Auth: ES URL + API key.
Access-rule type: search
Default allowed operations: search, get_mappings, list_indices.
Access fields: allowed_operations, blocked_indices, max_results, read_only.
Status: GA.

SaaS

Slack

ID: slack · Category: saas · Transport: stdio
Auth: bot user OAuth token + team ID.
Access-rule type: api
Default allowed operations: list_channels, read_channel, search_messages.
Access fields: allowed_operations, allowed_channels (empty = all), blocked_channels.
Status: GA.

Stripe

ID: stripe · Category: saas · Transport: stdio
Auth: Stripe API key.
Access-rule type: api
Default allowed operations: list_customers, get_customer, list_charges, list_invoices.
Access fields: allowed_operations, blocked_operations, max_amount_cents, test_mode_only.
Status: GA.

Requesting a connector not in this list

Any additional connector referenced on the marketing site is shipped on a per-tenant basis. Raise the request during onboarding or email info@verosek.com.

Status: on-roadmap — not wired in the current build. Do not publish as GA.

Adding a custom connector

Verosek supports stdio and HTTP MCP transports. To add a private MCP server (internal tool, custom integration) your Verosek engineer registers it against your tenant during onboarding — you provide the server binary or endpoint, and the access-rule type you want applied to its tool calls (one of sql, nosql, keyvalue, search, filesystem, api).

Onboarding-only

Handled during onboarding — not public. The registration flow, credential-injection templating, and tool-discovery plumbing live in the onboarding playbook.

Auto-reconnect

When the gateway process starts, every connection previously marked CONNECTED or CONNECTING is reconnected automatically. Failures are logged as mcp_connection_restore_failed but do not prevent other connections from starting.

Credential encryption

Connection credentials are encrypted at rest with AES-256-GCM before being written to the connections.config_encrypted column. Secrets are never returned in API responses — ConnectionResponse.credentials is explicitly absent from the schema.

What's next

Read Shield configuration for the Shield check catalog, how profiles layer on top of each other, and how to move checks from shadow mode to enforce once you're satisfied with the verdicts in the trace.

#TL;DR

#Overview

#Access-rule schema

#Rule admin endpoints

#access_config.type dispatch

#Per-tool-type control sets

#SQL (type: sql)

#NoSQL (type: nosql)

#Key-value (type: keyvalue)

#Search (type: search)

#Filesystem (type: filesystem)

#API (type: api)

#Catalog

#Databases