MCP, canonical projection.
Vadyl exposes Model Context Protocol as a peer projection — never a second authority. tools/list filters by ProjectCapabilityGrant. tools/call dispatches through the same IApiOperationDispatcher that handles REST, SDK, GraphQL, gRPC, and CLI. JSON-RPC 2.0. RFC 9728 OAuth resource metadata. Anti-pattern #46 codified: there is no MCP-only path.
The same authority that runs REST, runs MCP.
tools/list as projection
Returns the tools the caller's capability grants permit. No tool is exposed by side door — every tool you see corresponds to an authorized canonical operation.
tools/call through canonical dispatcher
IApiOperationDispatcher is the same authority REST controllers, SDK clients, gRPC services, and the CLI all dispatch through. MCP gets no privileged shortcut.
JSON-RPC 2.0 + RFC 9728
Standards-conformant transport. OAuth resource metadata advertised at the canonical /.well-known location. Token validation through the foundational auth kernel.
Capability grant filtered
ProjectCapabilityGrant decides what an MCP client can see and call. Same grants that govern REST, SDK, agent dispatch — one authority, one decision model.
Audit and explain
Every tools/call flows through canonical observability and explainability. The audit trail tells you what was called. The explainer tells you why it was permitted.
Agent-native
Vadyl agents consume MCP servers as ordinary capability surfaces. External MCP-compatible clients (Claude, Cursor, IDE plugins) consume Vadyl projects through the canonical projection.
As REST, SDK, CLI, gRPC
No side-door exposure
RFC 9728 OAuth metadata
Anti-pattern #46 absolute
MCP without a second authority.
Expose your project to MCP-aware clients. Capability grants govern visibility. Canonical dispatcher governs invocation. Audit and explainability hold for every call.