Skip to main content

General

MCP Server Administration

Deploy and operate Proxus MCP Server with production endpoint controls, role-based access, guarded telemetry, rate limits, and audit verification.

This guide is for administrators who enable, secure, and operate Proxus MCP Server. It covers the production boundary around AI-agent access; the agent integration guide covers how a user connects and runs workflows.

Administration Outcome

A production-ready MCP deployment should provide all of the following:

  • One approved HTTPS endpoint for MCP traffic
  • Authentication bound to the current MCP transport session
  • Proxus role, object, and field permissions enforced on every protected call
  • Administrator-only guarded telemetry analysis
  • No direct database credentials or control-system sessions exposed to agents
  • Bounded queries, rate limits, session limits, and audited operations
  • Structured, secrets-free errors that tell an agent how to recover safely

Production Rollout Checklist

  1. Prepare HTTPS Publish the Proxus Hub behind a trusted HTTPS endpoint. Confirm certificate validity, proxy forwarding, and the final public origin before enabling remote clients.
  2. Pin the server origin Set the canonical MCP server origin in the MCP section of the Configuration Reference. Do not rely on a request-supplied host outside loopback development.
  3. Choose discovery exposure Decide whether anonymous clients can see tools plus a secrets-free overview, tools only, or no discovery beyond the protocol handshake and authentication helpers.
  4. Prepare roles Create or review Proxus users and roles. Grant only the entity, object, field, log, and UNS scopes required for each workflow.
  5. Prepare telemetry access Configure a dedicated read-only telemetry account and bounded resource limits. Keep unrestricted or shared production credentials disabled.
  6. Choose the write posture Start read-only. Enable only the specific mutation methods required by an approved business workflow; keep delete and bulk operations independently blocked unless explicitly needed.
  7. Set operational limits Configure per-user request limits, graph/telemetry-specific limits, concurrent sessions, session lifetime, and optional IP restrictions.
  8. Enable audit operations Confirm authentication, authorization failures, tool calls, guarded queries, and approved mutations are visible through the intended audit and support workflow.
  9. Run the acceptance matrix Validate anonymous, restricted-user, administrative, invalid-argument, logout, and stale-client behavior before exposing the endpoint to production agents.

Connection and Origin Boundary

MCP clients connect to one Streamable HTTP endpoint:

https://your-proxus.example/mcp

Production deployments must use an administrator-configured canonical origin. Additional Proxus endpoints or browser origins are explicit exceptions, not automatic trust derived from the incoming Host header.

The origin policy rejects:

  • A different host supplied by an agent or tool argument
  • Browser requests from an unapproved Origin
  • Origin values containing credentials, paths, queries, or fragments
  • Silent fallback from a production endpoint to a development destination

Use TLS Certificates and the MCP section of the Configuration Reference together when preparing the endpoint.

Anonymous Discovery Policy

Choose the smallest discovery mode that still supports your clients:

ModeAnonymous behaviorRecommended use
Tools and overviewTool contracts and a secrets-free bootstrap overview are visible; data calls still require loginDefault for general MCP compatibility
Tools onlyTool contracts are visible; overview, resource, and prompt discovery are reducedRestricted environments where clients can route from tool schemas
DisabledUnknown or disabled discovery modes fail closed; only protocol and authentication bootstrap remainsHighly controlled deployments with preconfigured clients

Tool visibility never grants data access. Every protected call is authorized again at execution time.

Identity and Permission Model

MCP does not create a parallel permission system. The authenticated Proxus user and existing role permissions remain the authority.

SurfaceRequired authorization
Protocol handshake, tool discovery, authentication helpersAnonymous bootstrap policy
Entity schema and recordsAuthenticated user plus visible entity and field scope
Current device healthAuthenticated user plus visible Device scope
Operational GraphAuthenticated user; graph snapshot is isolated to that security scope
Operational logsExplicit log permission plus visible gateway scope
Raw metadata and guarded telemetry SQLAdministrative Proxus role
MutationsAuthenticated user, allowed server method, entity/object/field permission, and explicit human intent

Administrative users can legitimately see the whole configured estate. They cannot prove that negative role isolation works. Acceptance testing therefore needs a restricted account with one known in-scope object and one known out-of-scope object.

UNS and device scope

Where a workflow uses UNS-scoped data, explicit deny takes precedence over allow and path matching follows segment boundaries. Do not grant a broad parent path merely to make one agent test pass. Use UNS Topic Permissions to define and review the scope.

Session and Downstream Identity

The normal stateful flow is:

MCP transport session
  -> authenticated Proxus business session
  -> current Proxus user and role scope
  -> protected tool and downstream request

Inbound HTTP authorization or general cookie headers do not replace the authenticated MCP business session when a protected tool calls another Proxus endpoint. Tool arguments cannot provide a different password or redirect the session to another host.

A protocol-bound login intentionally does not require a compatibility cookie or a business session identifier in subsequent tool arguments. Compatibility state is used only for clients that cannot preserve the protocol session. Logout invalidates the bound business session; the next protected call must be rejected until the user authenticates again.

Telemetry Security and Resource Limits

Guarded telemetry analysis is administrator-only and read-only. Configure a dedicated account with read access only to the required telemetry and log tables. Do not silently fall back to a broad production database account.

Set finite limits for:

  • Rows and bytes read
  • Result rows and result bytes
  • Query execution time
  • Memory use and worker threads
  • Per-user telemetry request rate

The server also validates the query structure. Writes, unrelated databases or tables, external sources, table functions, multiple statements, and attempts to escape the approved telemetry surface are rejected.

Resource-limit errors are expected safety outcomes. An agent should aggregate earlier, narrow device and key scopes, or split independent scopes; it must not ask the administrator to weaken production limits for one analysis.

Read-Only and Controlled-Write Profiles

  • Read operations only
  • Administrative telemetry enabled only for named administrators
  • Delete and bulk operations blocked
  • Explicit IP restrictions where the deployment network permits them
  • Conservative request and session limits
  • Audit logging enabled

Controlled-write profile

Enable controlled writes only when a defined business workflow requires them. Keep these conditions together:

  • The human explicitly requests the exact change
  • The agent reads the current target first
  • The method is enabled by server policy
  • The Proxus user can write that object and every changed field
  • The request carries a truthful change intent and minimal body
  • The agent reads the target again and reports the verified result

Do not expose direct OT setpoint or control-system sessions through MCP. Approved business-data changes are not a reason to open a control path.

Audit and Monitoring

Review MCP operations alongside normal platform audit and system diagnostics.

Monitor at least:

  • Successful and failed authentication
  • Session conflicts and expired sessions
  • Authorization denials by user and tool family
  • Origin and endpoint rejections
  • Rate-limit and query-resource-limit events
  • Guarded telemetry query outcomes
  • Mutations, change intent, target, and verification result
  • Repeated invalid arguments or suspicious destination attempts

Audit output must not include passwords, session identifiers, tokens, cookies, database credentials, function code, connection parameters, notification secrets, or raw dashboard SQL.

See Audit Logs and System Logs for the platform-wide operational model.

Acceptance Matrix

Run this matrix from a fresh MCP transport after every server upgrade or security-policy change.

TestExpected result
Anonymous protected tool callJSON-RPC authentication-required error; no operational data
Tool discoveryCurrent catalog; retired tools absent
Restricted user, in-scope objectAuthorized data only
Restricted user, known out-of-scope objectNo data leak; indistinguishable missing/not-visible boundary where applicable
Administrative telemetry queryGuarded read succeeds within configured limits
Query against an unrelated system tableRejected before execution
Missing graph oid or invalid directionRecoverable tool_arguments_invalid result
Fake inbound authorization or cookie headerCannot replace the protocol-bound Proxus identity
Logout followed by protected callAuthentication required
Agent-supplied destinationRejected by endpoint policy
Configuration unchanged during observation windowNo new periodic edge polling or reconciliation traffic

Record the server version, test account type, time, and high-level result. Never paste credentials, session identifiers, or raw tokens into the report.

Upgrade and Tool Catalog Behavior

An MCP business login and the client’s tool catalog have separate lifecycles.

  • Login or logout changes the Proxus business session.
  • It does not force a client to discard a cached tool list.
  • Proxus sends the standard tool-list change notification after initialization.
  • A client that still shows a retired tool must fully reconnect the MCP transport and refresh discovery.

Test upgrades from a new transport. Do not use a successful login as proof that the client loaded the current tool catalog.

Troubleshooting

The agent sees tools but calls are denied

This is expected when discovery is visible but the current transport has not authenticated. Call auth_whoami, then let the human provide the intended Proxus account.

An administrative test cannot prove access denial

Use a restricted test account and known in-scope/out-of-scope objects. A missing random identifier tests only not-found behavior.

A telemetry query reaches a resource limit

Keep the requested time window when possible, remove unused columns, aggregate earlier, and split independent device or key scopes. Do not repeat the unchanged query.

The client still exposes an old tool

Close the MCP transport, create a new connection, and refresh tools/list. Repeating auth_login is not a catalog refresh.

Browser-origin requests are rejected

Verify the browser’s exact scheme, host, and port against the administrator-approved origin. Do not add wildcard origins to bypass the check.