Glossary
Control plane — the system of record (:8080). Owns the registry, policy, approvals, credentials, audit config, and identity/RBAC, and serves the admin API.
Data plane — the runtime (:8081). Enforces policy, brokers credentials, and routes MCP calls on every request. Holds no standalone authority.
Projection — the versioned, compiled configuration the control plane hands to data planes. An approval takes effect only once projected.
Actor — the normalized identity of a caller (subject, agent, service account, workload) plus its surface, tenant, and environment.
Client surface — where a request entered (e.g. an external chat vs. an internal tool). Policy can decide differently per surface.
Tenant / environment — the gateway’s scope boundary. Tenant and environment describe the gateway, not upstream capabilities.
Catalog‑lite — the policy‑filtered list of capabilities a caller is allowed to discover. Unauthorized tools are absent, not hidden behind a lock.
Credential broker — the component that resolves an upstream credential at the edge under a credential mode, without exposing the secret.
Credential mode — how a call authenticates upstream: none, service_account, user_delegated, agent_scoped, or workload_mapped.
Manifest — the declaration of an MCP server or agent (transport, tools, owner, scope) submitted to the registry.
Snapshot — an immutable, approved version of a registry record. Audit events tie back to the exact snapshot that served a call.
Reason code — a stable machine identifier for a denial or error, safe to log and automate against.
Cedar — the policy language/engine MCP Gateway uses for default‑deny authorization.
API‑to‑MCP adapter — converts selected, approved REST operations into gateway‑hosted MCP tools.
Connector — a governed outbound egress path to a private network or region.