The rule:
tools/list is discovery. At least one real tools/call through MCP Boundary is runtime proof.
Current Evidence Summary
| Area | Status | What it means |
|---|---|---|
| Local Email Demo | verified local demo | Simulated read/draft/send-block flow. No provider or real email. |
| Gmail-like local stdio server | scoped runtime proof | Downstream-managed OAuth path proved read metadata, controlled draft, controlled send, and selected controlled label/archive/trash actions for configured candidates. |
| Taylor Google Workspace candidate | scoped candidate proof | Downstream-managed stdio OAuth path proved selected Gmail read/draft/send/trash-label actions. Not a full Workspace claim. |
| Official Gmail MCP endpoint | provider blocked | OAuth and tools/list worked, but real tool execution was blocked by provider permission. |
| Database examples | scoped smoke | Useful for read/write policy examples and state binding with synthetic data. |
| GitHub test repo | scoped smoke | Useful for selected repo/test-account behavior. Not full GitHub support. |
| Microsoft 365 / Outlook | setup dependent | Discovery/auth setup depends on Graph app setup, account type, tenant, and permissions. |
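The rule above and the "provider blocked" row can be checked mechanically. The following is an added example, not MCP Boundary's own code: it pairs JSON-RPC requests with responses and reports the strongest evidence a transcript supports. The one-message-per-line transcript format, the tool name, the error text and the returned labels are assumptions, and the transcript is assumed to have been recorded on the path through MCP Boundary.

```python
import json

# Constructed JSON-RPC 2.0 messages, one per line; not captured from a real
# server. The tool name and error text are hypothetical.
DISCOVERY = (
    '{"jsonrpc":"2.0","id":1,"method":"tools/list"}\n'
    '{"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"search_threads"}]}}\n'
)
CALL = ('{"jsonrpc":"2.0","id":2,"method":"tools/call",'
        '"params":{"name":"search_threads","arguments":{"query":"in:inbox"}}}\n')
BLOCKED = DISCOVERY + CALL + (
    '{"jsonrpc":"2.0","id":2,"error":{"code":-32000,"message":"permission denied"}}\n')
PROVED = DISCOVERY + CALL + (
    '{"jsonrpc":"2.0","id":2,"result":{"content":[{"type":"text","text":"0 threads"}],'
    '"isError":false}}\n')
TOOL_ERROR = DISCOVERY + CALL + (
    '{"jsonrpc":"2.0","id":2,"result":{"content":[],"isError":true}}\n')


def classify_evidence(transcript: str) -> str:
    """Return 'no evidence', 'discovery only', 'call blocked' or 'runtime proof'."""
    pending = {}  # request id -> method, so each response is judged by its request
    listed = call_ok = call_failed = False
    for line in transcript.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if "method" in msg and "id" in msg:  # a request
            pending[msg["id"]] = msg["method"]
            continue
        method = pending.pop(msg.get("id"), None)
        if method is None:  # notification or unmatched response
            continue
        # A JSON-RPC error or an MCP result flagged isError is not a success.
        failed = "error" in msg or bool((msg.get("result") or {}).get("isError"))
        if method == "tools/list" and not failed:
            listed = True
        elif method == "tools/call":
            call_failed = call_failed or failed
            call_ok = call_ok or not failed
    if call_ok:
        return "runtime proof"
    if call_failed:
        return "call blocked"
    return "discovery only" if listed else "no evidence"


if __name__ == "__main__":
    for name in ("DISCOVERY", "BLOCKED", "TOOL_ERROR", "PROVED"):
        print(name, "->", classify_evidence(globals()[name]))
```

A tools/call request with no matching response counts as nothing, so a transcript that only shows the request being sent still reads as discovery only.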
Safe Claims
Good:
MCP Boundary can run a configured local MCP server through a checked tool-call path.
Good:
A configured downstream-managed local Gmail-like MCP server has scoped read, draft, send, and selected label/archive/trash evidence.
Bad:
MCP Boundary supports Gmail.
Bad:
MCP Boundary makes email safe.
Not Claimed
MCP Boundary does not claim:
- production security
- DLP
- prompt-injection protection
- universal provider support
- safe-by-default sending or deletion
- full Google Workspace / Gmail / Outlook / GitHub / database support
- hosted multi-tenant gateway behavior
Use the full evidence document for details:
docs/publish/tested-servers-and-limits.md