Working notes from shipping agent systems into regulated environments. Each piece is a pattern I've watched succeed or fail in production.
Five architecture decisions the wizard quietly assumes you've made — identity (API key vs. OBO), DLP zone, generative orchestration, Streamable transport, tenant scoping — plus the threat model that isn't in the docs.
A five-layer architecture distilled from shipping three agent systems in regulated environments — identity, credential broker, scoped tools, policy gating, audit. Skip a layer and the review fails.
An MCP server is a security boundary, not a convenience layer. Six rules that keep tool surfaces narrow enough to defend without making them too narrow to use.