MCP Server Integration
Build Model Context Protocol (MCP) servers with enterprise governance using ASCEND's authorization center. This integration ensures every tool invocation is evaluated against your policies.
Status
Integration Status: Available
Package: @ascend-ai/mcp-server (Node.js) / ascend-ai-sdk (Python)
Architecture
┌──────────────┐ ┌──────────────────┐ ┌──────────────┐
│ MCP Client │────►│ Your MCP Server │────►│ ASCEND API │
│ (Claude, │ │ (Governance │ │ (Policy │
│ etc.) │◄────│ Gateway) │◄────│ Engine) │
└──────────────┘ └──────────────────┘ └──────────────┘
Installation
npm install @ascend-ai/mcp-server
Quick Start
1. Initialize the Governed MCP Server
import { AscendMCPServer, FailMode } from '@ascend-ai/mcp-server';
const server = new AscendMCPServer({
apiKey: process.env.ASCEND_API_KEY,
agentId: 'mcp-enterprise-tools',
agentName: 'Enterprise Tools Server',
apiUrl: 'https://pilot.owkai.app',
failMode: FailMode.CLOSED
});
2. Register Governed Tools
// Each tool call is automatically evaluated against ASCEND policies
server.addTool({
name: 'query_database',
description: 'Execute SQL queries on the database',
inputSchema: {
type: 'object',
properties: {
query: { type: 'string', description: 'SQL query' },
database: {
type: 'string',
enum: ['production', 'staging', 'development']
}
},
required: ['query', 'database']
},
handler: async (args) => {
// Tool execution happens only if ASCEND approves
return await executeQuery(args.query, args.database);
}
});
server.addTool({
name: 'write_file',
description: 'Write content to a file',
inputSchema: {
type: 'object',
properties: {
path: { type: 'string' },
content: { type: 'string' }
},
required: ['path', 'content']
},
handler: async (args) => {
return await writeFile(args.path, args.content);
}
});
3. Start the Server
// Start over stdio (for Claude Desktop)
await server.start();
Claude Desktop Configuration
Add to claude_desktop_config.json:
{
"mcpServers": {
"enterprise-tools": {
"command": "npx",
"args": ["@ascend-ai/mcp-server", "--config", "/path/to/config.json"],
"env": {
"ASCEND_API_KEY": "owkai_your_key_here"
}
}
}
}
Or run your own server script:
{
"mcpServers": {
"enterprise-tools": {
"command": "node",
"args": ["/path/to/your/server.js"],
"env": {
"ASCEND_API_KEY": "owkai_your_key_here"
}
}
}
}
SDK v2.1.0 Decorator Pattern (Python)
The ascend-ai-sdk v2.1.0 provides decorators for wrapping MCP tool handlers with governance:
import os
from ascend import AscendClient
from ascend.mcp import mcp_governance, high_risk_action
# Initialize client
ascend = AscendClient(
api_key=os.getenv("ASCEND_API_KEY"),
agent_id="mcp-server-001"
)
@mcp_governance(
ascend,
action_type="database.query",
resource="analytics_db"
)
async def query_analytics(sql: str) -> dict:
"""Query with automatic governance"""
return await execute_query(sql)
@high_risk_action(
ascend,
action_type="database.delete",
resource="production_db"
)
async def delete_records(table: str, where_clause: str) -> dict:
"""Delete with required approval"""
return await execute_delete(table, where_clause)
Governance Flow
When a tool is invoked, the @ascend-ai/mcp-server package:
- Intercepts the tool call before execution
- Evaluates the action against ASCEND policies (risk scoring, policy matching)
- Decides: ALLOW, DENY, or REQUIRE_APPROVAL
- Executes the tool handler only if approved
- Logs the action result to the immutable audit trail
If the decision is REQUIRE_APPROVAL, the server polls for human approval with jittered backoff before proceeding or timing out.
Risk Levels by Operation
| Operation | Namespace | Verb | Risk Level | Approval Required |
|---|---|---|---|---|
| SELECT query | database | read | LOW (15-30) | No |
| INSERT/UPDATE | database | write | MEDIUM (40-60) | Conditional |
| DELETE query | database | delete | HIGH (70-85) | Yes |
| Read file | filesystem | read | LOW (20) | No |
| Write file | filesystem | write | MEDIUM (50) | Conditional |
| Shell command | system | execute | HIGH (80-95) | Yes |
Security Features (v1.1.0)
The @ascend-ai/mcp-server package includes banking-grade security:
| Feature | Description |
|---|---|
| API Key Masking | Keys are never logged in plaintext — shows owkai_****xyz |
| TLS Enforcement | Rejects http:// URLs for non-localhost connections |
| Retry with Jitter | Transient errors retry with exponential backoff + random jitter |
| Input Validation | Validates agentId, agentName, and toolName before API calls |
| Risk Score Stripping | Internal risk_score fields are never leaked to tool metadata |
Security Best Practices
1. Environment Variables
# Never hardcode API keys
export ASCEND_API_KEY="owkai_your_key_here"
2. Tool Allowlisting
const ALLOWED_TOOLS = new Set(['query_database', 'read_file']);
const BLOCKED_TOOLS = new Set(['execute_command', 'delete_all']);
// Only register approved tools
if (BLOCKED_TOOLS.has(toolName)) {
throw new Error('Tool blocked by server policy');
}
3. Localhost Only
// Only listen on localhost for security
server.start({ host: '127.0.0.1', port: 3000 });
Troubleshooting
Connection Issues
# Test ASCEND connectivity
curl -H "Authorization: Bearer $ASCEND_API_KEY" \
https://pilot.owkai.app/health
Tool Not Responding
// Enable debug logging
import { createLogger } from '@ascend-ai/mcp-server';
const logger = createLogger({ level: 'debug' });
Approval Timeout
The server polls with jittered intervals. To increase the timeout:
const server = new AscendMCPServer({
apiKey: process.env.ASCEND_API_KEY,
agentId: 'mcp-server-001',
agentName: 'Enterprise Tools',
approvalTimeout: 600, // 10 minutes
pollInterval: 5000 // 5 seconds
});
Next Steps
- LangChain Integration - LangChain with governance
- Custom Agents - Python SDK usage
- Boto3 Wrapper - AWS SDK governance
Last Updated: 2026-03-29