MCP client lifecycle, multi-server management, and Qdrant tool registry.
zeph-mcp implements the Model Context Protocol
client for Zeph. It manages connections to multiple MCP servers simultaneously,
discovers and registers their tools, and executes tool calls with a layered security
pipeline.
§Architecture
```text
McpManager ──► McpClient (one per server, via rmcp)
│                └── ToolListChangedHandler (refresh notifications)
│
├── PolicyEnforcer (allowlists, denylists, rate limiting)
├── DefaultMcpProber (pre-connect resource/prompt injection scan)
├── TrustScoreStore (per-server persistent score with decay)
├── EmbeddingAnomalyGuard (post-call drift detection)
└── sanitize_tools() (always-on prompt injection scrubbing)

McpToolExecutor ──► McpManager::call_tool()
                    implements ToolExecutor for zeph-tools dispatch

McpToolRegistry ──► Qdrant (vector search for tool discovery)
SemanticToolIndex ──► in-memory cosine similarity (fast, no Qdrant)
```
§Transport types
Servers are connected via three transport types (see McpTransport):
- Stdio — spawns a child process; suitable for local MCP servers (e.g. npx, uvx).
- Http — streamable HTTP with optional static headers.
- OAuth — OAuth 2.1 authenticated HTTP; performs a browser-based authorization flow.
§Security pipeline
Every tool definition goes through the following checks before reaching the agent:
- Command allowlist (security.rs) — Stdio server commands must be on the allowlist.
- SSRF validation — HTTP URLs are resolved and blocked if they point to private/reserved IPs.
- Pre-connect probing (prober.rs) — scans resources/list and prompts/list for injection patterns; updates the persistent trust score.
- Attestation (attestation.rs) — compares the actual tool set against the operator's expected_tools list and detects schema drift between connections.
- Sanitization (sanitize.rs) — scrubs tool name, description, and input_schema for prompt injection patterns; always on, cannot be disabled.
- Data-flow policy (policy.rs) — blocks high-sensitivity tools on untrusted servers.
- Embedding anomaly guard (embedding_guard.rs) — post-call drift detection.
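The attestation step above (expected_tools comparison plus schema drift between connections) as an added, dependency-free example; this is not zeph-mcp's own code, and `ToolDef`, `Attestation`, `fingerprint` and `attest` are hypothetical stand-ins for the crate's ToolFingerprint, AttestationResult and attest_tools, whose internals are not reproduced here. The tool definitions in `main` are constructed sample input.

```rust
// Added example, not zeph-mcp's own code: a small model of the attestation step.
// `ToolDef`, `Attestation`, `fingerprint` and `attest` are hypothetical stand-ins
// for the crate's attestation module (ToolFingerprint, AttestationResult,
// attest_tools); the crate's real fingerprint format is not reproduced here.
use std::collections::hash_map::DefaultHasher;
use std::collections::{BTreeMap, BTreeSet};
use std::hash::{Hash, Hasher};

#[derive(Debug, Clone)]
pub struct ToolDef { pub name: String, pub description: String, pub input_schema: String }

/// Digest over everything the model will see for a tool, so a changed
/// description or schema between connections changes the fingerprint.
/// DefaultHasher is stable within one build and fine for a demo; a persisted
/// store would use a cryptographic hash such as SHA-256 instead.
pub fn fingerprint(tool: &ToolDef) -> u64 {
    let mut h = DefaultHasher::new();
    tool.name.hash(&mut h);
    tool.description.hash(&mut h);
    tool.input_schema.hash(&mut h);
    h.finish()
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct Attestation {
    pub missing: Vec<String>,    // pinned by the operator, not advertised by the server
    pub unexpected: Vec<String>, // advertised by the server, not in expected_tools
    pub drifted: Vec<String>,    // same name as last connection, different fingerprint
}

impl Attestation {
    pub fn is_clean(&self) -> bool {
        self.missing.is_empty() && self.unexpected.is_empty() && self.drifted.is_empty()
    }
}

/// Compares the live tool set against the operator's expected list and the
/// fingerprints recorded at the previous connection; returns the updated
/// fingerprint map to persist for next time. An empty `expected` list means
/// the operator has not pinned the tool set, so only drift is reported.
pub fn attest(
    tools: &[ToolDef],
    expected: &[&str],
    previous: &BTreeMap<String, u64>,
) -> (Attestation, BTreeMap<String, u64>) {
    let current: BTreeMap<String, u64> =
        tools.iter().map(|t| (t.name.clone(), fingerprint(t))).collect();
    let mut result = Attestation::default();
    if !expected.is_empty() {
        let want: BTreeSet<&str> = expected.iter().copied().collect();
        result.missing = want.iter()
            .filter(|n| !current.contains_key(**n))
            .map(|n| (*n).to_owned())
            .collect();
        result.unexpected = current.keys()
            .filter(|n| !want.contains(n.as_str()))
            .cloned()
            .collect();
    }
    // Drift: a tool seen last time whose fingerprint no longer matches.
    result.drifted = current.iter()
        .filter(|(name, fp)| previous.get(*name).is_some_and(|old| old != *fp))
        .map(|(name, _)| name.clone())
        .collect();
    (result, current)
}

fn main() {
    // Constructed sample: the server advertises one tool, the operator pinned two.
    let tool = ToolDef {
        name: "read_file".to_owned(),
        description: "Read a file".to_owned(),
        input_schema: r#"{"type":"object"}"#.to_owned(),
    };
    let (result, fps) = attest(&[tool], &["read_file", "list_dir"], &BTreeMap::new());
    println!("missing={:?} fingerprints={:?}", result.missing, fps);
}
```

The returned map is what a client persists between sessions: on the next connection it is passed back as `previous`, which is how a silently rewritten description or schema (the tool looks the same to the operator, but the model now reads different text) surfaces as `drifted` rather than being accepted.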
§Trust levels
Each server is assigned a McpTrustLevel:
- Trusted — SSRF skip, all tools exposed (operator-controlled servers).
- Untrusted (default) — SSRF enforced; tools shown with a warning when allowlist is absent.
- Sandboxed — strict mode; only allowlisted tools exposed; elicitation disabled.
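The command allowlist and SSRF validation from the security pipeline, together with the trust-level rules above, as one added example. This is not zeph-mcp's own code: `TrustLevel`, `Transport`, `Server`, `Rejection`, `precheck_server` and `expose_tools` are hypothetical stand-ins for the crate's McpTrustLevel, McpTransport and ServerEntry, the `resolve` parameter replaces real DNS so the example runs offline, and the assumption that an explicit tool allowlist is honoured at every trust level is the example's own. The address ranges it blocks are the standard private/reserved ranges rather than the crate's exact list.

```rust
// Added example, not zeph-mcp's own code: a dependency-free model of the Stdio
// command allowlist, the SSRF check on HTTP URLs, and trust-level tool exposure.
// `TrustLevel`, `Transport`, `Server`, `Rejection`, `precheck_server` and
// `expose_tools` are hypothetical stand-ins for the crate's McpTrustLevel,
// McpTransport and ServerEntry, whose internals are not reproduced here.
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum TrustLevel { Trusted, Untrusted, Sandboxed }

pub enum Transport { Stdio { command: String }, Http { url: String } }

pub struct Server { pub transport: Transport, pub trust: TrustLevel, pub tool_allowlist: Option<Vec<String>> }

#[derive(Debug, PartialEq, Eq)]
pub enum Rejection { CommandNotAllowlisted(String), BadHost(String), PrivateOrReservedIp(IpAddr) }

/// Addresses the client must refuse to contact: RFC 1918, loopback, link-local
/// (which covers cloud metadata endpoints), shared address space, documentation
/// ranges, multicast, and their IPv6 counterparts.
pub fn is_private_or_reserved(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => reserved_v4(v4),
        // An IPv4-mapped address such as ::ffff:10.0.0.1 is judged by its IPv4 part.
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map_or_else(|| reserved_v6(v6), reserved_v4),
    }
}

fn reserved_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_private() || ip.is_loopback() || ip.is_link_local() || ip.is_unspecified()
        || ip.is_broadcast() || ip.is_documentation()
        || (o[0] == 100 && (o[1] & 0xC0) == 64) // 100.64.0.0/10 shared address space
        || o[0] >= 224 // 224.0.0.0/3: multicast and reserved
}

fn reserved_v6(ip: Ipv6Addr) -> bool {
    let s0 = ip.segments()[0];
    ip.is_loopback() || ip.is_unspecified()
        || (s0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s0 & 0xffc0) == 0xfe80 // fe80::/10 link local
        || (s0 & 0xff00) == 0xff00 // ff00::/8 multicast
}

/// Host part of a URL without a URL crate: drops scheme, userinfo, port, path,
/// and the brackets around an IPv6 literal.
fn host_of(url: &str) -> Option<String> {
    let authority = url.split_once("://")?.1.split(['/', '?', '#']).next()?;
    let host_port = authority.rsplit('@').next()?;
    match host_port.strip_prefix('[') {
        Some(v6) => v6.split(']').next().map(str::to_owned),
        None => host_port.split(':').next().map(str::to_owned),
    }
}

/// Pre-connect gate. `resolve` stands in for DNS so the example runs offline;
/// every address a name resolves to must pass, not only the first one.
pub fn precheck_server(
    server: &Server,
    command_allowlist: &[&str],
    resolve: impl Fn(&str) -> Vec<IpAddr>,
) -> Result<(), Rejection> {
    match &server.transport {
        Transport::Stdio { command } if command_allowlist.contains(&command.as_str()) => Ok(()),
        Transport::Stdio { command } => Err(Rejection::CommandNotAllowlisted(command.clone())),
        // Trusted servers are operator-controlled, so the SSRF check is skipped.
        Transport::Http { .. } if server.trust == TrustLevel::Trusted => Ok(()),
        Transport::Http { url } => {
            let host = host_of(url).ok_or_else(|| Rejection::BadHost(url.clone()))?;
            let ips = host.parse::<IpAddr>().map_or_else(|_| resolve(&host), |ip| vec![ip]);
            if ips.is_empty() {
                return Err(Rejection::BadHost(host));
            }
            match ips.into_iter().find(|ip| is_private_or_reserved(*ip)) {
                Some(bad) => Err(Rejection::PrivateOrReservedIp(bad)),
                None => Ok(()),
            }
        }
    }
}

/// Tools the agent sees, paired with whether they carry a warning. Assumption:
/// an explicit allowlist is honoured at every trust level.
pub fn expose_tools(server: &Server, tools: &[&str]) -> Vec<(String, bool)> {
    let all = |warn: bool| -> Vec<(String, bool)> { tools.iter().map(|t| ((*t).to_owned(), warn)).collect() };
    match (&server.tool_allowlist, server.trust) {
        (Some(allow), _) => tools.iter()
            .filter(|t| allow.iter().any(|a| a.as_str() == **t))
            .map(|t| ((*t).to_owned(), false)).collect(),
        (None, TrustLevel::Sandboxed) => Vec::new(), // strict: nothing without an allowlist
        (None, TrustLevel::Trusted) => all(false),
        (None, TrustLevel::Untrusted) => all(true),
    }
}

fn main() {
    // Constructed sample: an untrusted HTTP server pointing at a link-local address.
    let server = Server {
        transport: Transport::Http { url: "http://169.254.169.254/".to_owned() },
        trust: TrustLevel::Untrusted,
        tool_allowlist: None,
    };
    // No real DNS here: names resolve to nothing, so only IP literals are judged.
    println!("{:?}", precheck_server(&server, &["npx", "uvx"], |_: &str| Vec::new()));
}
```

Two details matter in practice: the check runs on the resolved addresses rather than on the hostname string, and it rejects if any resolved address is private, so a name that resolves to one public and one internal address is not let through on the strength of the first answer. IPv4-mapped IPv6 literals are unwrapped before classification for the same reason.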
§Examples
Connect to an stdio MCP server and call a tool:
```rust
use std::collections::HashMap;
use std::sync::Arc;
use std::time::Duration;
use zeph_mcp::{McpManager, McpTransport, ServerEntry, McpTrustLevel};
use zeph_mcp::policy::PolicyEnforcer;

// `connect_all` is async, so this runs inside an async runtime (rustdoc hides the wrapper).
async fn connect_and_list() {
    // One stdio server: spawn the reference filesystem server via npx.
    let server = ServerEntry {
        id: "filesystem".to_owned(),
        transport: McpTransport::Stdio {
            command: "npx".to_owned(),
            args: vec!["-y".to_owned(), "@modelcontextprotocol/server-filesystem".to_owned()],
            env: HashMap::new(),
        },
        timeout: Duration::from_secs(30),
        trust_level: McpTrustLevel::Untrusted,
        tool_allowlist: None,
        expected_tools: vec![],
        roots: vec![],
        tool_metadata: HashMap::new(),
        elicitation_enabled: false,
        elicitation_timeout_secs: 120,
        env_isolation: false,
    };
    // The second argument is the Stdio command allowlist; `npx` matches the server's command.
    let manager = McpManager::new(
        vec![server],
        vec!["npx".to_owned()],
        PolicyEnforcer::new(vec![]),
    );
    let (tools, _outcomes) = manager.connect_all().await;
    println!("Connected {} tools", tools.len());
}
```
§Re-exports
- pub use attestation::AttestationResult;
- pub use attestation::ServerTrustBoundary;
- pub use attestation::ToolFingerprint;
- pub use attestation::attest_tools;
- pub use caller::McpCaller;
- pub use client::OAuthConnectResult;
- pub use client::OAuthPending;
- pub use client::ToolRefreshEvent;
- pub use elicitation::ElicitationEvent;
- pub use embedding_guard::EmbeddingAnomalyGuard;
- pub use embedding_guard::EmbeddingGuardEvent;
- pub use embedding_guard::EmbeddingGuardResult;
- pub use error::McpError;
- pub use error::McpErrorCode;
- pub use executor::McpToolExecutor;
- pub use manager::McpManager;
- pub use manager::McpTransport;
- pub use manager::McpTrustLevel;
- pub use manager::ServerConnectOutcome;
- pub use manager::ServerEntry;
- pub use policy::DataFlowViolation;
- pub use policy::McpPolicy;
- pub use policy::PolicyEnforcer;
- pub use policy::PolicyViolation;
- pub use policy::RateLimit;
- pub use policy::check_data_flow;
- pub use prober::DefaultMcpProber;
- pub use prober::ProbeResult;
- pub use prompt::format_mcp_tools_prompt;
- pub use pruning::PruningCache;
- pub use pruning::PruningError;
- pub use pruning::PruningParams;
- pub use pruning::content_hash;
- pub use pruning::prune_tools;
- pub use pruning::prune_tools_cached;
- pub use pruning::tool_list_hash;
- pub use registry::McpToolRegistry;
- pub use sanitize::SanitizeResult;
- pub use semantic_index::DiscoveryParams;
- pub use semantic_index::SemanticIndexError;
- pub use semantic_index::SemanticToolIndex;
- pub use semantic_index::ToolDiscoveryStrategy;
- pub use tool::CapabilityClass;
- pub use tool::DataSensitivity;
- pub use tool::McpTool;
- pub use tool::ToolSecurityMeta;
- pub use tool::infer_security_meta;
- pub use trust_score::ServerTrustScore;
- pub use trust_score::TrustScoreStore;
§Modules
- attestation — Tool attestation and schema drift detection.
- caller — McpCaller trait: minimal async interface over McpManager.
- client
- elicitation — MCP elicitation event type.
- embedding_guard — Async embedding-based anomaly detection for MCP tool outputs.
- error
- executor
- manager
- oauth — OAuth 2.1 callback listener used by McpTransport::OAuth connections.
- policy — MCP declarative policy layer.
- prober — Pre-invocation MCP server probing using protocol-level read-only operations.
- prompt — Formats available MCP tools as an XML prompt block for the LLM system prompt.
- pruning — Dynamic MCP tool pruning for context optimization (#2204).
- registry — Qdrant-backed semantic tool registry for MCP tool discovery.
- sanitize — Sanitization of MCP tool definitions to prevent prompt injection.
- security
- semantic_index — In-memory embedding index for MCP tool selection (#2321).
- tool
- trust_score