Version: MVP

MCP client

3 min read · Reference · Updated 2026-05-23

What you'll find here

The MCP-client metadata contract Craik uses for provider and tool routing across an MCP boundary — what it records, the route shape, and the audit boundary.

Metadata, not a secret store.

Craik MCP client configuration is metadata for routing. It does not grant runtime authority by itself.

What it records

craik.runtime.mcp_client.MCPClientConfig records:

Stable client id and name

Transport: stdio · http · sse.

Non-secret server/endpoint/command/config refs

Secret reference names

Policy envelope id: when the client is bound to a policy.

Grant · receipt · redaction requirements

Docs & non-secret metadata

| Transport | Requires | Notes |
|---|---|---|
| http · sse | endpoint_ref | Endpoint reference, never a raw URL with embedded secrets. |
| stdio | command_ref | Command reference for subprocess transport. |

No embedded credentials.

Endpoint and command refs are references or configured names — never raw credentials, bearer tokens, API keys, passwords, or secret query values.

Routes

MCPClientRoute links a client to either a provider route or a tool route.

Route id

Client id

Route kind: provider or tool.

Target reference: provider id or tool name.

Required capability

Grant + receipt required?

Routes are compatible only when they belong to the selected client and remain grant- and receipt-required.

Import/export

craik mcp client import --path ./mcp.json accepts either a Craik-shaped MCPClientConfig object or an external mcpServers object. Imported config is redacted before printing:

Command transport: command becomes command_ref; non-secret args become config_refs.

HTTP transport: url becomes endpoint_ref.

Environment secrets: secret-like env var names become secret_ref_names; values are not copied.

Metadata: secret-like metadata values are replaced before export.

craik mcp client export --path ./mcp.json emits redacted client metadata for review or migration evidence.
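
The import mapping described above, sketched as an added example (this is not Craik's own code). The output field names come from this page; the secret-like name pattern, the URL stripping in strip_url, and the sample mcpServers input are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed heuristic for "secret-like" names; the page does not define Craik's rule.
SECRET_LIKE = re.compile(r"token|secret|passw|api[_-]?key|auth|credential", re.I)

def strip_url(url):
    """Keep scheme, host, port and path; drop userinfo, query and fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, "", ""))

def redact_server(client_id, server):
    """Map one external mcpServers entry to redacted routing metadata."""
    out = {"client_id": client_id}
    if "command" in server:
        out.update(transport="stdio", command_ref=server["command"], config_refs=[])
        skip_value = False
        for arg in server.get("args", []):
            if skip_value:                    # value that followed a bare secret flag
                skip_value = False
            elif SECRET_LIKE.search(arg):     # "--token" or "--api-key=..."
                skip_value = arg.startswith("-") and "=" not in arg
            else:
                out["config_refs"].append(arg)
    elif "url" in server:
        out.update(transport="http", endpoint_ref=strip_url(server["url"]))
    else:
        raise ValueError(f"{client_id}: entry has neither command nor url")
    # Only the names of secret-like env vars are recorded, never their values.
    out["secret_ref_names"] = sorted(n for n in server.get("env", {}) if SECRET_LIKE.search(n))
    return out

def redact_import(doc):
    return [redact_server(cid, s) for cid, s in doc.get("mcpServers", {}).items()]

# Constructed sample input; every value below is fake.
SAMPLE = {"mcpServers": {
    "files": {"command": "npx",
              "args": ["-y", "example-mcp-server", "--token", "abc123", "--api-key=xyz"],
              "env": {"EXAMPLE_API_KEY": "sk-constructed", "LOG_LEVEL": "debug"}},
    "search": {"url": "https://user:pw@mcp.example.test:8443/sse?api_key=constructed"},
}}

if __name__ == "__main__":
    for row in redact_import(SAMPLE):
        print(row)
```

A name-based pattern cannot recognise a secret passed as a plain positional argument, so redacted output still needs review before it is shared as migration evidence.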

Audit boundary

Receipt-ready before dispatch.

Compatibility checks return route ids, required controls, and reasons for blocked routes so callers can write audit records through the normal receipt workflow. Raw endpoint secrets, bearer tokens, and credentials stay outside Craik configuration — referenced by name only.
