Access tier · MCP gateway
MCP gateway / agent-client interface
The northbound interface where RecoSearch presents itself to an AI assistant. It speaks the Model Context Protocol (MCP) — the open standard AI clients like Claude and ChatGPT already use — and exposes a small set of governed, named tools (e.g. ask-a-business-question, list-metrics, run-verified-query) rather than raw database access. Every tool call is authenticated to a caller identity, permission-checked, and returns a proof-carrying, cited answer or a structured refusal.
Why it is in the architecture
RecoSearch's whole value proposition — proof-carrying, cited, governed answers — only matters if an AI assistant can actually reach it without bypassing it. The Access tier is the chokepoint: if the assistant can also reach the database directly, governance is theater. MCP is the right transport because it is the standard the target clients already speak ("build once, integrate everywhere"), so RecoSearch needs zero bespoke client work to be usable from Claude, Cursor, VS Code, or ChatGPT. Exposing governed *tools* (verbs) instead of a SQL endpoint keeps interpretation, permissioning, and citation on RecoSearch's side of the boundary, which is exactly where the trust guarantees live.
Company precedents
Snowflake (Cortex / Horizon Context) — Exposes governed Semantic Views over MCP so any external AI agent — explicitly Claude, Cursor, or any MCP-compatible framework — can consume them 'with governance enforced at the source.' MCP is positioned as one activation surface alongside Cortex Analyst, treating the protocol as the agent-facing front door to governed definitions.
Snowflake (Cortex Analyst) — Ships an API-first, 'convenient REST API' that turns natural-language questions into governed answers without the caller writing SQL, and fully integrates Snowflake RBAC so generated/executed SQL adheres to established access controls — i.e. the agent-facing endpoint enforces governance at the source rather than handing out a DB connection. Cortex Agents wraps this as the tool-calling orchestration layer.
Microsoft (Fabric data agent) — Provides a conversational agent over governed semantic models where data access runs under the caller's Microsoft Entra ID identity and workspace/data permissions — the agent reads schemas and runs SQL/DAX/KQL only if the user has access, honors Purview policies and sensitivity labels, and 'simply retrieves and processes structured data' (no exfiltration of raw DB credentials to the model).
Alternatives rejected
Bespoke REST/GraphQL API as the only agent interface → A custom REST surface forces every AI client to be taught RecoSearch's endpoints, auth, and schemas individually — losing MCP's 'build once, integrate everywhere' leverage across Claude, ChatGPT, Cursor, and VS Code (scraped/docs/modelcontextprotocol.io-docs-getting-started-intro.md). Vendors that lead with REST (Cortex Analyst) still bolt MCP on top precisely to reach 'any MCP-compatible framework' (scraped/open-interoperable-agent-ready-122d8a2d67c2.md). RecoSearch keeps an internal REST/contract layer but leads with MCP as the agent-facing transport.
Direct database access (hand the agent a connection string / full DB credentials) → This is the failure mode the sources explicitly indict: 'hardcoded credentials, full database access, zero audit trail, and prayer' (scraped/universal-agent-connector-mcp-ontology-production-ready-ai-infrastructure-0b4e35f22942.md). It moves interpretation, permissioning, and citation to the model's side of the boundary, which destroys RecoSearch's proof-carrying/governed guarantees. The Universal Agent Connector and Fabric data agent both replace this with identity-bound, permission-checked, audited tool access (scraped/github/cloudbadal007-universal-agent-connector.md; scraped/docs/learn.microsoft.com-en-us-fabric-data-science-how-to-create-data-agent.md).
Text-to-SQL exposed as the primary tool (let the agent generate arbitrary SQL the gateway runs) → The 'semantic-layer-is-dead' thesis warns that raw SQL generation makes the agent a 'translator' guessing at meaning, when what is needed is interpretation: agents must call meanings expressed as functions/protocols, not tables (scraped/the-semantic-layer-is-dead-now-its-an-api-for-ai-agents-f91d48a0c74a.md). RecoSearch exposes governed question/metric tools so interpretation stays server-side; any internal SQL is constrained by the semantic/metric layer, not free-form from the model.
Depends on
Identity & authentication (caller identity binding)
Authorization / policy engine (permission + access-control checks)
Semantic / metric layer (the governed verbs and definitions the tools expose)
Audit & observability log (records every tool call)
Feeds
AI assistant / MCP client (Claude, ChatGPT, Cursor, VS Code)
Refusal & error contract (structured denials returned to the caller)
Proof / citation envelope (cited, evidence-bearing answers returned over the protocol)
Encapsulates
MCP server runtime / transport
Tool registry & schema definitions (named governed verbs)
Request authentication & API-key/identity validation at the edge
Per-call permission gate / SHACL-style delegation guard
Rate limiting & per-agent quotas
Tool-call audit emission
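How the encapsulated pieces compose on a single tool call, as an added sketch that is not RecoSearch's code and does not use an MCP SDK: edge authentication, registry lookup, per-call permission gate, argument check, per-caller quota, then a cited answer or a structured refusal, with an audit record either way. The key, caller, grants, refusal codes and handler outputs are constructed stand-ins; only the tool names come from the description above.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed sample state; every name and value here is hypothetical.
KEY_DIGESTS = {hashlib.sha256(b"demo-analyst-key").hexdigest(): "analyst@example.com"}
GRANTS = {"analyst@example.com": {"list-metrics", "run-verified-query"}}
# Tool registry: name -> (required argument names, handler returning (answer, citations)).
# Handlers stand in for the semantic/metric layer; there is no raw-SQL verb to call.
TOOLS = {
    "list-metrics": ((), lambda a: (["revenue", "churn"], ["metric-catalog"])),
    "run-verified-query": (("query_id",), lambda a: (42, ["verified-query:" + a["query_id"]])),
    "ask-a-business-question": (("question",), lambda a: ("n/a", ["semantic-layer"])),
}
RATE_LIMIT, WINDOW_S = 3, 60.0       # per-caller quota: 3 allowed calls per 60 s
AUDIT_LOG = []                       # one record per call, allowed or refused
RECENT_CALLS = defaultdict(deque)    # caller -> timestamps of allowed calls

def authenticate(api_key):
    # Keys are stored as SHA-256 digests; an unknown key maps to no identity.
    return KEY_DIGESTS.get(hashlib.sha256(api_key.encode()).hexdigest())

def decide(caller, tool, args, now):
    """Return a refusal code, or None if the call may proceed."""
    if caller is None:
        return "unauthenticated"
    if tool not in TOOLS:
        return "unknown_tool"
    if tool not in GRANTS.get(caller, set()):
        return "forbidden"
    if any(name not in args for name in TOOLS[tool][0]):
        return "invalid_arguments"
    window = RECENT_CALLS[caller]
    while window and now - window[0] >= WINDOW_S:
        window.popleft()             # drop calls that left the sliding window
    if len(window) >= RATE_LIMIT:
        return "rate_limited"
    window.append(now)
    return None

def handle_tool_call(api_key, tool, args, now=None):
    """Authenticate, gate, execute and audit one tool call."""
    now = time.time() if now is None else now
    caller = authenticate(api_key)
    code = decide(caller, tool, args, now)
    result = {"status": "refused", "code": code}
    if code is None:
        answer, citations = TOOLS[tool][1](args)
        result = {"status": "ok", "answer": answer, "citations": citations}
    AUDIT_LOG.append({"ts": now, "caller": caller, "tool": tool, "outcome": code or "ok"})
    return result
```

Refused calls are audited but do not consume quota, so a caller probing for tools it lacks still leaves a trail without locking out its legitimate calls.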
Evidence sources (6)
open-interoperable-agent-ready-122d8a2d67c2
docs.snowflake.com-en-user-guide-snowflake-cortex-cortex-analyst
learn.microsoft.com-en-us-fabric-data-science-how-to-create-data-agent
modelcontextprotocol.io-docs-getting-started-intro
cloudbadal007-universal-agent-connector
cloudbadal007-agentic-mesh-security