Connection Manager
Downstream MCP server lifecycle, schema merging, and delegation
The Connection Manager handles the lifecycle of downstream MCP server connections, merges their tool schemas into a unified namespace, and supports cross-organization agent delegation.
How It Works
ConnectionManager (connection_manager.py)
The ConnectionManager manages stdio connections to downstream MCP servers:
- Spawn — Starts a child process for each registered downstream server
- Track — Monitors connection health and restarts on failure
- Teardown — Gracefully shuts down connections when the workspace is deactivated
Each downstream connection is represented by a DownstreamConnection dataclass with:
- Server name and command
- Process handle and transport
- Health status and last heartbeat
SchemaMerger (schema_merger.py)
The SchemaMerger aggregates tool lists from multiple downstream servers and prefixes names to prevent collisions:
Features:
- Namespace prefixing — Each tool gets a server_name.tool_name prefix
- Description sanitization — Tool descriptions are sanitized to prevent injection (_sanitize_tool_description())
- Input schema sanitization — Input schemas are validated and cleaned (_sanitize_input_schema())
- TTL cache — Merged schema is cached for 5 minutes to meet NFR-AEG-01 latency targets
Delegation (delegation.py)
Cross-organization agent delegation for the agentic web:
- Signing — Delegation tokens are cryptographically signed
- Rate limiting — Per-delegator rate limits prevent abuse
- Inbound handling — Validates incoming delegation tokens from partner organizations
- Outbound handling — Signs and sends delegation requests to partner organizations
Delegation supports glob-based tool pattern matching (e.g., delegate access to salesforce.read_* but not salesforce.delete_*).
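As an added illustration (not the project's own code) of the two mechanisms above, namespace prefixing in the SchemaMerger and fnmatch-based tool patterns in delegation: the sanitizer here is a stand-in that strips control characters and truncates, since the rules of the real _sanitize_tool_description() are not documented on this page, and MAX_DESCRIPTION_LEN is an assumed value.

```python
# Added illustration (not the project's own code): a minimal schema merger
# that prefixes tool names as "server.tool", strips control characters from
# descriptions, and checks delegated tool access with fnmatch glob patterns.
import fnmatch
import re
from typing import Dict, List

MAX_DESCRIPTION_LEN = 500  # assumed limit; not specified by the docs
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def sanitize_description(text: str) -> str:
    """Strip control characters and truncate. Stand-in for the gateway's
    _sanitize_tool_description(), whose exact rules are not documented."""
    return _CONTROL_CHARS.sub("", text)[:MAX_DESCRIPTION_LEN]

def merge_schemas(server_tools: Dict[str, List[dict]]) -> List[dict]:
    """Merge tool lists from several downstream servers into one namespace."""
    merged = []
    for server_name, tools in server_tools.items():
        for tool in tools:
            merged.append({
                "name": f"{server_name}.{tool['name']}",
                "description": sanitize_description(tool.get("description", "")),
                "inputSchema": tool.get("inputSchema", {"type": "object"}),
            })
    return merged

def delegation_allows(allowed_patterns: List[str], tool_name: str) -> bool:
    """Glob check on the prefixed name; fnmatchcase keeps matching
    case-sensitive on every platform."""
    return any(fnmatch.fnmatchcase(tool_name, p) for p in allowed_patterns)

# Constructed sample input: two downstream servers, one description carrying
# a NUL byte that the sanitizer removes.
SAMPLE = {
    "salesforce": [
        {"name": "read_account", "description": "Read an account"},
        {"name": "delete_account", "description": "Delete\x00 an account"},
    ],
    "jira": [{"name": "create_issue", "description": "Create an issue"}],
}

if __name__ == "__main__":
    for tool in merge_schemas(SAMPLE):
        ok = delegation_allows(["salesforce.read_*"], tool["name"])
        print(f"{tool['name']:<26} delegated={ok}")
```

With the pattern salesforce.read_*, only salesforce.read_account is delegated; salesforce.delete_account and jira.create_issue are refused.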
Architecture
Configuration
Downstream connections are registered via the REST API:
Connection credentials are encrypted at rest using Fernet encryption (crypto.py).
Technical Details
- Schema merger sanitization prevents downstream servers from injecting malicious content into tool descriptions
- The 5-minute TTL cache balances freshness against latency requirements
- Delegation uses fnmatch for tool pattern matching, consistent with policy engine patterns
- Connection health is monitored via heartbeats; unhealthy connections trigger automatic restart
- escalation_notifier.py sends notifications when actions require human approval
- identity_adapter.py and external_identity_verifier.py integrate with external IAM/NHI systems for agent identity resolution