Home / Client Stories / Goal Navigator / MCP in Production
Solution Story · MCP & Agent Governance

Agents that know your data

A coach that doesn't know your goals is a chatbot. The interesting question is how an AI agent gets access to real product data — without getting the keys to everything. In Goal Navigator, the answer is an MCP server built into the product, with governance designed in before the first tool call.

The problem

Every product will face this question in the next two years

AI agents are only as useful as the data they can reach. But "give the agent database access" is how security incidents are born, and "paste everything into the prompt" doesn't scale past a demo. The industry's answer is MCP — a protocol where products expose specific, governed tools that agents may call. We wanted to run that answer in production ourselves before recommending it to clients. So we did.

The agent doesn't get your database. It gets a menu — short, read-only at first, and every order is logged.
Least privilege, applied to AI
What we built

A governed front door for agents

The MCP server lives inside the ASP.NET application itself — same codebase, same deployment, same security review as the rest of the product.

MATE coach agent "What's my mission today?" → needs facts MCP · HTTPS The gate per-agent API key timing-safe comparison scoped to /mcp only unknown key → 401 every call audited: which agent, which tool The menu (allowlist) get_goal_status get_recent_activity read-only · GUID identity only write actions arrive later, one by one Product data read through the same query service the dashboard uses
The agent asks; the gate checks; the menu limits; the audit log remembers. That's the whole trick — and it's enough.

One key per agent

The coach's key isn't the welcome agent's key. Compromise or misbehavior is isolated and revocable per agent.

Explicit tool allowlist

The server registers exactly the tools intended — nothing is exposed by reflection or accident.

GUID-only identity

Tools accept opaque user GUIDs, never emails or names — the agent can't fish for identities.

Read first, write later

Phase A is read-only. Write actions (like adjusting a mission's scope) arrive individually, each with its own review.

Same logic as the UI

Tools read through the same query service the dashboard uses — the agent sees exactly what the user sees, never a privileged side channel.

Testable without the agent

The endpoint validates with standard MCP tooling (inspector, curl for the 401 path) before any agent connects — infrastructure first, magic second.

The pattern is portable

Nothing here is specific to goals. Orders, invoices, credentials, work orders — any product in this library could expose governed tools the same way. That's the point.

Why it matters

The next integration standard, already in our muscle memory

2
read-only tools in Phase A — small by design
1
API key per agent, revocable independently
100%
of tool calls audited — agent, tool, and when
401
what anyone without a key gets
When your clients' agents need to reach your clients' data, the question won't be whether to use MCP — it'll be whether your partner has run it in production. We have.
Practice on your own product; deliver on theirs