MCP Server Production-Readiness Checklist (Ops + Security) Use this to review any MCP server before it’s allowed to touch real systems (tickets, code, billing, customer data). 1) Identity and Access - Define the execution identity model: user-scoped, service-scoped, or hybrid. Default to user-scoped. - Map every tool call to an attributable human identity (who initiated it) plus a technical principal (what executed it). - Implement least privilege per tool: separate scopes for read vs write; separate credentials for high-impact actions. - Prefer short-lived credentials where possible; rotate long-lived secrets; document rotation owners. 2) Tool Contract and Validation - Write explicit schemas for tool inputs and outputs. Reject unknown fields. - Validate parameters server-side (types, ranges, enums). Never rely on prompt instructions for safety. - Make side-effecting tools idempotent (idempotency keys) and safe to retry. - Separate “preview” from “apply”: provide dry-run or diff outputs for risky operations. 3) Policy and Approvals - Deny-by-default for destructive actions (delete, refund, disable, deploy). - Add explicit confirmation flags for sensitive actions and require a human approval step for the highest-impact ones. - Maintain allow-lists for writable fields (e.g., which CRM fields can be changed). - Add guardrails against cross-tenant or cross-customer access in multi-tenant systems. 4) Logging, Tracing, and Redaction - Log every tool call with: timestamp, actor, tool name, parameters (redacted), outcome, and correlation ID. - Store logs with an access policy and retention policy aligned to your compliance needs. - Capture references to retrieved context (document IDs/URLs) so incidents are explainable. 5) Rate Limits and Blast-Radius Controls - Rate-limit per user and per tool. Add concurrency caps for expensive or dangerous tools. - Add circuit breakers for upstream outages and safe fallbacks (fail closed for sensitive actions). - Add quotas for write actions to prevent runaway automation. 6) Change Management - Version tool schemas and document backwards compatibility. - Use staged rollout (canary) for tool behavior changes. - Provide deprecation windows and monitoring for clients still using older tool versions. 7) Security Testing - Test prompt-injection pathways using untrusted inputs (emails, web pages, tickets) that try to trigger tool calls. - Verify the tool refuses actions outside policy even if the model requests them. - Conduct a permissions review: prove the agent cannot escalate privileges through tool combinations. Exit Criteria - You can answer: who did what, using which permission, based on what retrieved context, with what approval. - You can disable the server (or specific tools) quickly without taking down unrelated systems. - You can reproduce and explain a bad action from logs alone.