Daily build note · April 27, 2026

MCP Control Plane for Small Teams

A lightweight hosted/self-hostable governance and audit layer for Model Context Protocol (MCP) servers, targeting indie developers and small engineering teams (2-10 engineers).

AI Tools · Focused local MVP built · Live public demo

What shipped

This build delivers a focused local MVP of the MCP Control Plane concept:

  • a Go JSON-RPC proxy at POST /rpc
  • a demo upstream MCP server for local testing
  • an admin API for login, metrics, event listing, policies, and live tailing
  • a policy engine with immediate allow/deny enforcement by tool name
  • redaction of fields containing key, token, password, or secret
  • a Next.js dashboard with login, overview cards, calls-by-tool chart, session list, recent event table, and policy management
  • a Go mcpctl CLI for logs, live tailing, and policy CRUD
  • a smoke script and a compose file for local startup
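
A stdlib-only sketch of the two enforcement steps listed above, tool-name allow/deny and field-name redaction, applied to one tools/call request. This is an added example, not the project's code: the names audit and redact, the "[REDACTED]" placeholder, case-insensitive matching, and the sample request are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Field-name substrings from the build note; case-insensitive matching is an assumption.
var sensitive = []string{"key", "token", "password", "secret"}

// redact masks, in the decoded copy only, every value whose field name contains a substring.
func redact(v any) any {
	switch t := v.(type) {
	case map[string]any:
		for k, val := range t {
			t[k] = redact(val) // recurse first so nested objects are covered
			for _, s := range sensitive {
				if strings.Contains(strings.ToLower(k), s) {
					t[k] = "[REDACTED]" // placeholder string is an assumption
				}
			}
		}
	case []any:
		for i, val := range t {
			t[i] = redact(val)
		}
	}
	return v
}

// audit (hypothetical name) returns the tool, the allow/deny decision and the loggable arguments.
func audit(raw []byte, denied map[string]bool) (tool string, allowed bool, logged string, err error) {
	var req struct {
		Params struct {
			Name      string         `json:"name"`
			Arguments map[string]any `json:"arguments"`
		} `json:"params"`
	}
	if err = json.Unmarshal(raw, &req); err != nil {
		return "", false, "", err // fail closed; a JSON-RPC batch (array) lands here too
	}
	b, err := json.Marshal(redact(req.Params.Arguments))
	return req.Params.Name, err == nil && !denied[req.Params.Name], string(b), err
}

func main() { // constructed sample request
	fmt.Println(audit([]byte(`{"method":"tools/call","params":{"name":"shell.exec","arguments":{"api_key":"abc"}}}`), map[string]bool{"shell.exec": true}))
}
```

Substring matching on field names over-redacts harmless fields such as monkey (it contains "key") and does not catch a secret embedded in the value of an innocuously named field, so the event log should still be treated as sensitive.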

Architecture

  • Proxy and CLI are stdlib-only Go binaries to keep the backend inspectable and easy to run without third-party packages.
  • The admin API and proxy live in the same Go process so the dashboard and CLI talk to the exact same source of truth that the proxy writes.
  • Event persistence is a local append-only JSONL log loaded into memory on boot, then updated asynchronously through a buffered channel for low write-path complexity.
  • The dashboard is a separate Next.js app using server-rendered fetches against the Go admin API plus a small client auto-refresh component.
  • Dashboard auth uses a minimal HMAC JWT issued by the Go API and stored in an HTTP-only cookie by Next route handlers.

Trimmed scope

  • Replaced SQLite with a file-backed JSONL event store for this pass.
  • Did not implement multi-user auth, billing, retention windows, or hosted-mode concerns.
  • Limited policy evaluation to tool-name matching.
  • Kept dashboard updates on short polling instead of implementing a live browser stream.
  • Used a demo upstream instead of integrating a real external MCP server during the build.

Limitations

  • JSON-RPC batch requests are not supported.
  • The proxy does not inspect or mutate response bodies beyond checking whether an upstream JSON-RPC error exists.
  • Free-tier enforcement is modeled as “single upstream only” using the X-MCP-Upstream header for simulation.
  • Cost estimation, alerting, and anomaly detection are not included.
  • The dashboard depends on npm install, so it was scaffolded but not fully executed in this environment.

Verification

Available verification path:

  • bash scripts/smoke.sh
  • go test ./... inside proxy/
  • go run ./cmd/mcpctl logs --limit 10 inside cli/

Build-time verification in this environment was partial:

  • confirmed Node and npm are available
  • confirmed dashboard/package.json is valid JSON
  • could not execute Go builds or Go tests here because the go toolchain is not installed in this workspace runtime

Suggested next steps

  1. Swap the JSONL store for SQLite while keeping the current store interface stable.
  2. Add batch JSON-RPC handling and better upstream compatibility coverage.
  3. Extend policies to support agent/session conditions and time windows.
  4. Add dashboard-side streaming for live timelines without polling.
  5. Add per-tool cost heuristics and simple anomaly alerts.