Skip to content

Consensus MCP runbook

backend-core registers Consensus as the consensus-mcp Agent Gateway target. Consensus is metered, so the integration has two separate controls:

  • Server-to-Consensus credential: akv:consensus-api||env:CONSENSUS_API_KEY.
  • Human/operator access to the MCP/ops surface: Cloudflare Access policy.

Quota

The current Consensus Pro account has 1000 MCP calls per month, anchored to 2026-05-31. The default registry metadata emits these non-secret FinOps fields in agent.invoke and agent.task.submit audit events:

  • finops_metered
  • finops_unit
  • finops_plan
  • monthly_call_cap
  • quota_start_date
  • monthly_period_start
  • monthly_calls_used

Set these env vars if the plan changes:

AGENT_GATEWAY_CONSENSUS_MONTHLY_CAP=1000
AGENT_GATEWAY_CONSENSUS_QUOTA_START=2026-05-31

Cloudflare Access policy

Protect any public or operator-facing MCP entrypoint with a Cloudflare Access application. The human allow policy should include only:

[email protected]

Recommended policy shape:

Application: mcp.untool.ai or the concrete MCP/operator hostname
Policy name: Allow Consensus Pro owner
Action: Allow
Include: Emails -> [email protected]
Session duration: short operational window, for example 8h

Do not use this human email policy as the backend service credential. backend-core should continue to call Consensus with the server-side bearer secret resolved from AGENT_GATEWAY_CONSENSUS_MCP_SECRET.

If this repo later owns Cloudflare Terraform, model the rule as a cloudflare_zero_trust_access_policy include-email condition attached to the MCP Access application.