Core
MCP Boundary - A local check layer that sits between your agent and a chosen MCP server, so concrete tool calls can be made visible, limited, blocked, reviewed, and recorded before they reach the server.
Downstream MCP server - The MCP server you already wanted to use. MCP Boundary starts or connects to it and checks calls in front of it.
Profile - One saved setup that protects one downstream MCP server. You can add several profiles (for example gmail, github, postgres); they are not merged into one shared tool list.
Transparent mode - A low-friction default that exposes discovered tools as requestable unless policy says otherwise. Calls still go through the checked runtime path; it is not a passthrough or Core bypass.
Dashboard And Setup
Dashboard - The localhost setup, visibility, and local review surface. It shows profiles, discovered tools, policy, Agent Config, activity, and pending approvals. With an operator token it can approve or reject pending local approval items, but it does not run or retry tool calls.
Agent Config (Protected config) - The replacement MCP client entry the dashboard generates after import. You paste it back into your MCP client in place of the original direct server entry.
Dashboard edit token - A local token required for setup import, Load tools, Save policy, and configured approval actions. It is printed when the dashboard starts. It is not a provider secret or password.
Operator token - The technical name for the same local token. The terminal prints it as dashboard_operator_token; the current UI calls it the Dashboard edit token and uses that value for protected local dashboard actions. It is not a provider secret.
Activity - The record of calls that passed through MCP Boundary, including blocked, failed, unknown, pending-approval, and completed outcomes.
tools/list vs tools/call - tools/list is discovery (what tools exist). tools/call is a real invocation. Only a tools/call through MCP Boundary is runtime proof that a path works.
Rule Fields
Client-visible tool name - The tool name exposed to the agent. It is client-safe and may use underscores instead of dots, for example email-demo_email_send_email.
Downstream tool name - The native tool name from the downstream MCP server. Policies use this value in downstream_tool_name, for example email.send_email.
Exposure - Whether the agent can see a tool: visible, dashboard_only, or hidden.
Handling mode - How a visible tool is executed: generic_guarded (the normal mode), profile_guarded, or unsupported. Only generic_guarded executes in the package runtime path.
Policy input mode - What happens when a tool is requested: allow, block, or review_required.
Human approval - The local review_required flow. The first call stops before execution and creates a pending approval. After approval, the agent must retry with top-level approval_retry metadata. See the concrete retry shape in the FAQ.
Argument rules - Top-level input restrictions such as allowed_values, denied_values, max_chars, max_items, and items_allowed_values.
Result limits - A cap on how much data a call may return (max_result_bytes).
Runtime limits - Caps on how often a tool may be called, such as max_tool_call_count and max_session_call_count.
Binding And State
Scope binding - Requiring an action to target exactly the resource that was read or confirmed, using stable IDs such as message_id, issue_number, or customer_id rather than text like a subject line.
Stale-state binding - Requiring that a write run only if the relevant state still matches what was read, using fields such as version, etag, or head_sha.
Observation rule - A read rule that records selected bounded facts from a result for a short time, so a later write can refer to them.
State binding - A write rule that requires a reference to a prior observation before the call is treated as normal work.
State hash - A value that represents the observed state of a resource; a write can require it to still match before running.
Credentials
Downstream-managed OAuth - An auth model where the downstream MCP server owns the provider login and token files; MCP Boundary owns the execution boundary and does not expose provider tokens to the agent config.
Credential profile - A narrower path for servers designed to use MCP Boundary credential storage. On Linux it depends on an OS keyring backend and may report credential_store_unavailable in minimal or headless environments.