KB-159E

GPT Review — Phase 2A MCP Audit Path B Directive — 2026-05-13

Revision 1

Verdict

Accept Phase 2A MCP audit results. Choose Path B in principle: add read-only mode to existing AgentData MCP, then expose only read tools for ChatGPT Developer Mode.

Accepted findings

  • Existing AgentData MCP /mcp is functional end-to-end.
  • MCP schema gpt-agent-data-2026-05-12.1 responds correctly.
  • Read tools pass: search_knowledge, list_documents, get_document, batch_read.
  • Destructive/write/admin tools were not called.
  • There is no current env-driven readonly/allowlist mode.
  • Directly exposing existing /mcp would expose delete_document and move_document to ChatGPT, which is not allowed for Phase 1.

Decision

Path A is rejected for Phase 1. Path C is held as fallback. Path B is selected, but implementation must be designed as a separate read-only surface or strict runtime allowlist, not a fragile UI-only expectation.

Required next phase

Phase 2B-Design-Patch only. Do not deploy yet.

Design requirements:

  1. Add an explicit read-only mode for MCP tools.
  2. Allowed tools for GPT Phase 1:
    • search_knowledge
    • list_documents
    • get_document
    • get_document_for_rewrite
    • batch_read
  3. Disallowed tools must not appear in tools/list and must be rejected in tools/call even if called by name:
    • upload_document
    • update_document
    • patch_document
    • delete_document
    • move_document
    • ingest_document
  4. Prefer a separate public-facing route/environment for GPT readonly MCP, for example /gpt-mcp/<secret>/mcp, with nginx injecting X-API-Key to upstream.
  5. Existing internal MCP behavior for Claude/Codex/ops must not be broken.
  6. No public route deploy and no ChatGPT connector until patch design and tests are reviewed.
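
One way to meet design requirements 1 to 3, shown as an added example that is not AgentData's own code: a deny-by-default guard that filters tools/list and rejects tools/call before the request reaches the existing handler. The MCP_READONLY variable, the guard and fake_upstream names, and the dict-in/dict-out JSON-RPC handler shape are assumptions made for illustration.

```python
import os

# Allowlist from design requirement 2; any tool not named here is denied by default.
READONLY_TOOLS = frozenset({
    "search_knowledge", "list_documents", "get_document",
    "get_document_for_rewrite", "batch_read",
})
# Tools named in requirement 3, used only by the constructed upstream below.
WRITE_TOOLS = ["upload_document", "update_document", "patch_document",
               "delete_document", "move_document", "ingest_document"]

def readonly_enabled(env=os.environ):
    # MCP_READONLY is a hypothetical variable name, not an existing AgentData setting.
    return env.get("MCP_READONLY", "").strip().lower() in {"1", "true", "yes"}

def _error(req_id, message):
    # -32602 is JSON-RPC "invalid params"; a blocked tool looks the same as a missing one.
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32602, "message": message}}

def guard(upstream, readonly):
    """Wrap a JSON-RPC handler (dict -> dict) with read-only enforcement."""
    if not readonly:
        return upstream  # internal Claude/Codex/ops surface keeps its current behavior
    def handler(request):
        method, params = request.get("method"), request.get("params")
        if method == "tools/call":
            name = params.get("name") if isinstance(params, dict) else None
            # Exact-match check; the upstream handler never sees a blocked call.
            if not isinstance(name, str) or name not in READONLY_TOOLS:
                return _error(request.get("id"), "Unknown tool")
            return upstream(request)
        response = upstream(request)
        if method == "tools/list" and "result" in response:
            # Hide every tool that is not allowlisted, including ones added later.
            tools = response["result"].get("tools", [])
            visible = [t for t in tools if t.get("name") in READONLY_TOOLS]
            response = {**response, "result": {**response["result"], "tools": visible}}
        return response
    return handler

def fake_upstream(request):
    # Constructed stand-in for the existing /mcp handler: lists and "runs" every tool.
    if request["method"] == "tools/list":
        names = sorted(READONLY_TOOLS) + WRITE_TOOLS
        result = {"tools": [{"name": n} for n in names]}
    else:
        result = {"called": request["params"]["name"]}
    return {"jsonrpc": "2.0", "id": request.get("id"), "result": result}
```

Because the check is an allowlist rather than a denylist, a write tool added to the upstream later stays hidden and uncallable on the read-only surface until it is explicitly listed.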

Status

APPROVE Path B direction. HOLD deploy. Request Opus/Agent to prepare Phase 2B patch design and test plan.