← Selected work

Flagship infrastructure · Public v3.1.1

Local model access needed a control plane.

LMCP scopes which local clients can reach which servers, enforces tool policy at the data path, and gives the operator a visible place to inspect and manage the system.

  • Built
  • Tested
  • Boundary
Policy path · simplifiedLocal threat model
ClientAgent runtimeauthenticated identity
allowlist
Control planeLMCProute · enforce · record
tool policy
ServerMCP toolsbounded capability
append-only eventsAudit
permitted path enforced boundary observable event

The problem

Connectivity was easy. Legible authority was not.

Once several clients and local MCP servers share a machine, direct connections become difficult to reason about. Access policy lives in scattered configuration, tool exposure becomes coarse, and the operator has no single view of what is allowed or what occurred.

LMCP treats that as a control-plane problem rather than another convenience proxy. Client identity, server access, tool policy, live events, registry management, and operator UI belong to one inspectable system.

The correction

A configured boundary is not an enforced boundary.

01Policy existed

Per-server tool rules were configurable and visible.

02Review followed the data

Independent inspection found that configuration was not sufficient proof of enforcement.

03The path changed

Enforcement moved into the actual request flow and gained regression coverage.

The useful story is not that the first design was secure. It is that review exposed the gap between declared policy and runtime behavior—and the system was corrected around the evidence.

What shipped

An operator surface, not a black box.

Per-client accessExplicit server allowlists tied to authenticated local clients.
Per-server policyTool rules enforced where requests cross the control plane.
Audit and live eventsAppend-oriented records and an observable operational stream.
Registry managementAuthenticated operator control over the local server registry.
No-build UIA management surface that remains simple to run and inspect.
Cross-platform CIWindows and Linux coverage across Python 3.10 through 3.13.

Claim boundary

What this does not claim.

LMCP is designed for a local operating context. Tokens remain plaintext, management authority is intentionally powerful, and local audit files are not a tamper-proof security ledger. Those constraints are part of the case study, not footnotes to hide.