Google MCP control (OS9 gated)
Workspace: Aweb / command-private

Plan Google MCP access before any credential, OAuth, or tool call exists.

The operator surface binds official Google-managed MCP inventory to Mission Contracts, approval gates, and receipts. It creates access plans and approval evidence only; Google runtime stays behind MCP Warehouse policy.

Private route

This shell inherits authenticated page-route posture and is not exposed as a public marketing surface.

Bounded authority

Runner registration and connector mutation stay blocked; signed Mission approval issuing, sandbox eval summaries, cost visibility, and operator sandbox interrupts are live.

Manual API gate

Published /api/v2/os9 fleets, runners, approvals, and mission contracts use route-level auth and explicit OpenAPI registration; broader OS9 APIs remain closed.

Official servers: 52

Verified from Google source updated 2026-06-01.

Read-only runtime: 34

Registered slices expose L0/L1 tools only.

Catalog only: 18

Official servers still blocked from runtime.

Mission contract: Ready

google_mcp_provider_access gates are compiled.

Risk tiers: 5

Read, sensitive read, candidate, side effect, privileged.

Direct access: 0

Maestro and Prometheus do not receive Google credentials.

Governance boundary

Access planning uses official provider IDs, OS9 Mission Contract gates, and public-safe scope/IAM summaries. The flow never returns Google tokens or starts OAuth.

Default deny
/api/os9/google-mcp/access-request/plan
/api/os9/google-mcp/workspace-oauth/preflight
/api/os9/google-mcp/workspace-oauth/subject-binding/evaluate
/api/os9/google-mcp/workspace-oauth/revocation/evaluate
/api/os9/google-mcp/workspace-oauth/runtime-review/readiness
/api/os9/google-mcp/workspace-oauth/evaluations
/api/os9/google-mcp/cloud-iam/credential-binding/evaluate
/api/os9/google-mcp/cloud-iam/credential-binding/evaluations
/api/v2/integrations/google-mcp/access-request
/api/v2/os9/approvals
No direct Google MCP execution
Generic fan-out blocked

Public docs stay at /docs/google-mcp; this operator route is the authenticated planning lane.

Promotion blocker matrix

Public-safe evidence digest for official Google MCP providers that are not runtime-enabled. It exposes evidence IDs and counts only.

18 blocked
Runtime enabled: 0
Workspace OAuth: 5
Reviewed non-exec: 11
Disabled policy: 2
Credential contracts: 16; Adapter registration: 16; Mission gates: 16; Boundary tests: 16; Policy-blocked credentials: 2

google.cloud.app_lifecycle_manager (reviewed_non_executable)
read_only_candidate, partial_observed, 40 observed tools, 9 blockers

Required evidence: resources_prompts_snapshot, adapter_registration, credential_contract, sanitizer_coverage, policy_allowlist, mission_contract_gate, receipt_and_audit, boundary_tests; blocked evidence: none

google.cloud.bigquery_migration (reviewed_non_executable)
inventory_only, partial_observed, 5 observed tools, 9 blockers

Required evidence: resources_prompts_snapshot, adapter_registration, credential_contract, sanitizer_coverage, policy_allowlist, mission_contract_gate, receipt_and_audit, boundary_tests; blocked evidence: none

google.cloud.customer_experience_agent_studio (reviewed_non_executable)
inventory_only, partial_observed, 60 observed tools, 10 blockers

Required evidence: resources_prompts_snapshot, adapter_registration, credential_contract, regional_binding, sanitizer_coverage, policy_allowlist, mission_contract_gate, receipt_and_audit, boundary_tests; blocked evidence: none

google.cloud.trace (reviewed_non_executable)
inventory_only, partial_observed, 2 observed tools, 9 blockers

Required evidence: resources_prompts_snapshot, adapter_registration, credential_contract, sanitizer_coverage, policy_allowlist, mission_contract_gate, receipt_and_audit, boundary_tests; blocked evidence: none

google.cloud.database_insights (reviewed_non_executable)
inventory_only, partial_observed, 2 observed tools, 9 blockers

Required evidence: resources_prompts_snapshot, adapter_registration, credential_contract, sanitizer_coverage, policy_allowlist, mission_contract_gate, receipt_and_audit, boundary_tests; blocked evidence: none

google.cloud.error_reporting (reviewed_non_executable)
inventory_only, partial_observed, 1 observed tool, 9 blockers

Required evidence: resources_prompts_snapshot, adapter_registration, credential_contract, sanitizer_coverage, policy_allowlist, mission_contract_gate, receipt_and_audit, boundary_tests; blocked evidence: none

google.cloud.filestore (reviewed_non_executable)
inventory_only, partial_observed, 8 observed tools, 9 blockers

Required evidence: resources_prompts_snapshot, adapter_registration, credential_contract, sanitizer_coverage, policy_allowlist, mission_contract_gate, receipt_and_audit, boundary_tests; blocked evidence: none

google.cloud.security_operations (reviewed_non_executable)
inventory_only, partial_observed, 68 observed tools, 10 blockers

Required evidence: resources_prompts_snapshot, adapter_registration, credential_contract, regional_binding, sanitizer_coverage, policy_allowlist, mission_contract_gate, receipt_and_audit, boundary_tests; blocked evidence: none

This matrix deliberately omits raw tool-policy rows, classifier internals, credentials, OAuth subjects, project identifiers, approval tokens, and invocation authority.

Promotion workbench

Actionable evidence checklist for catalog-only providers. Each row points to existing OS9 evidence lanes or package gates and grants no runtime authority.

No promote
18 providers; Runtime promotion: blocked; Checklist mapped: yes; Execution effect: none

google.android.management (disabled_by_policy)
0 required, 8 blocked, Promote: no

resources/list and prompts/list review: Capture resources/list and prompts/list state and review any exposed resource or prompt surface. Lane package_manifest; routes package gate.

MCP Warehouse adapter registration: Add a reviewed adapter binding whose endpoint and tools match the official inventory and genome snapshot. Lane warehouse_registry; routes package gate.

Credential and auth contract: Attach the provider-specific credential boundary evidence before any runtime credential can load. Lane manual_high_risk_review; routes package gate.

Output sanitizer coverage: Land sanitizer tests for the provider output shape before runtime promotion. Lane test_gate; routes package gate.

google.payments_wallet.pay_wallet (disabled_by_policy)
0 required, 8 blocked, Promote: no

resources/list and prompts/list review: Capture resources/list and prompts/list state and review any exposed resource or prompt surface. Lane package_manifest; routes package gate.

MCP Warehouse adapter registration: Add a reviewed adapter binding whose endpoint and tools match the official inventory and genome snapshot. Lane warehouse_registry; routes package gate.

Credential and auth contract: Attach the provider-specific credential boundary evidence before any runtime credential can load. Lane manual_high_risk_review; routes package gate.

Output sanitizer coverage: Land sanitizer tests for the provider output shape before runtime promotion. Lane test_gate; routes package gate.

google.stitch (reviewed_non_executable)
8 required, 0 blocked, Promote: no

resources/list and prompts/list review: Capture resources/list and prompts/list state and review any exposed resource or prompt surface. Lane package_manifest; routes package gate.

MCP Warehouse adapter registration: Add a reviewed adapter binding whose endpoint and tools match the official inventory and genome snapshot. Lane warehouse_registry; routes package gate.

Credential and auth contract: Attach the provider-specific credential boundary evidence before any runtime credential can load. Lane manual_high_risk_review; routes package gate.

Output sanitizer coverage: Land sanitizer tests for the provider output shape before runtime promotion. Lane test_gate; routes package gate.

google.ai.agent_search (reviewed_non_executable)
8 required, 0 blocked, Promote: no

resources/list and prompts/list review: Capture resources/list and prompts/list state and review any exposed resource or prompt surface. Lane package_manifest; routes package gate.

MCP Warehouse adapter registration: Add a reviewed adapter binding whose endpoint and tools match the official inventory and genome snapshot. Lane warehouse_registry; routes package gate.

Credential and auth contract: Complete Cloud IAM credential-boundary evidence with project, principal, API, MCP service, and least-privilege role review. Lane cloud_iam_evidence_ledger; routes /api/os9/google-mcp/cloud-iam/credential-binding/evaluate, /api/os9/google-mcp/cloud-iam/credential-binding/evaluations.

Output sanitizer coverage: Land sanitizer tests for the provider output shape before runtime promotion. Lane test_gate; routes package gate.

google.cloud.app_lifecycle_manager (reviewed_non_executable)
8 required, 0 blocked, Promote: no

resources/list and prompts/list review: Capture resources/list and prompts/list state and review any exposed resource or prompt surface. Lane package_manifest; routes package gate.

MCP Warehouse adapter registration: Add a reviewed adapter binding whose endpoint and tools match the official inventory and genome snapshot. Lane warehouse_registry; routes package gate.

Credential and auth contract: Complete Cloud IAM credential-boundary evidence with project, principal, API, MCP service, and least-privilege role review. Lane cloud_iam_evidence_ledger; routes /api/os9/google-mcp/cloud-iam/credential-binding/evaluate, /api/os9/google-mcp/cloud-iam/credential-binding/evaluations.

Output sanitizer coverage: Land sanitizer tests for the provider output shape before runtime promotion. Lane test_gate; routes package gate.

API projection: /api/os9/google-mcp/promotion/workbench. It returns checklist metadata, ledger query routes, and safety invariants only; it cannot issue approvals, load credentials, call Google MCP, or promote runtime.

Promotion evidence status

Live read-only snapshot of the evidence ledgers for one catalog-only provider. Evidence states are observability data only; they do not authorize runtime promotion.

Provider: google.workspace.gmail
Satisfied: 0
Missing: 0
Repository gates: 0
Policy blocked: 0
Ledger unavailable: 0
Read-only queries: pending; No evidence mutation: pending; Ledger routes: review; State grants authority: review
Dry-run state: pending
Remaining blockers: 0
Receipt preview: pending
Receipt decision: pending
Dry-run only: pending; Receipt preview: pending; Persisted: review; Runtime promotion: review
PR checklist: 0
Files: 0
Commands: 0
Checklist authority: review
Evidence package: pending
Review steps: 0
Package digest: pending
Package authority: review
Content addressed: pending; Approval evidence: review; Signature key loaded: review; Hash covers sources: pending
Warehouse review: pending
Candidate tools: 0
Canonical eligible: no
Review authority: review
Package trusted for runtime: review; Canonical state: pending; Unsafe callable tools: 0; Runtime grant: review

This panel reads /api/os9/google-mcp/promotion/workbench, /api/os9/google-mcp/promotion/dry-run, /api/os9/google-mcp/promotion/pr-checklist, /api/os9/google-mcp/promotion/evidence-package, and /api/os9/google-mcp/promotion/warehouse-review with no-store caching. It cannot start OAuth, load credentials, issue approvals, call Google MCP, persist review artifacts, or promote runtime.

Workspace OAuth boundary

Workspace MCP is visible for planning, but Gmail, Drive, Calendar, Chat, and People stay blocked until user OAuth subject binding and credential-boundary receipts are attached to an OS9 contract.

Runtime: 0
5 Workspace MCP servers
Evidence: evidence_lanes_ready_runtime_blocked
5 L1 candidates
30 L2+ blocked tools
Subject binding: aweb.google-workspace-mcp-oauth-subject-binding.v1
Revocation receipts: required
Runtime review requires prior revoked binding
Submitted eval booleans: recomputed
Runtime lanes disabled: 7

The access planner returns Workspace MCP services and recommended scopes, but does not start OAuth, store credentials, or make catalog-only Workspace tools callable. The preflight route returns a subject-binding draft and revocation plan only; the evaluation routes accept hash-only subject, revocation, and runtime-review readiness evidence and still keep runtime disabled.

Cloud IAM boundary

Google Cloud MCP runtime requires hash-only project and principal evidence before credentials can load.

Receipt required
40 Cloud IAM providers
Status: evidence_review_available_runtime_gated
Schema: aweb.google-cloud-mcp-iam-credential-binding.v1
Receipt: aweb.google-cloud-mcp-iam-credential-receipt.v1
Runtime identity modes: 3
Disabled lanes: 8

The Cloud IAM evaluation route records accepted credential-boundary evidence only. The read-only runtime still requires the receipt hash, OS9 approval, Warehouse policy, sanitizer, and runtime receipts; it cannot grant IAM or enable APIs.

Planning-only L1 candidates

These candidates remain non-executable until the Workspace OAuth subject contract and provider-specific runtime tests are complete.

No execution
Drive: get_file_metadata, list_recent_files, search_files
Gmail: list_labels
Calendar: list_calendars
Chat: none
People API: none

Access planner

Select official Google MCP servers and request a bounded OS9 risk tier.


Official provider scope

Provider options come from the verified Google MCP catalog.

Request body

No OAuth URL, approval token, credential, or Google tool result is produced here.

Developer Knowledge API / L0: Safe metadata/read-only public docs
{
  "provider_ids": [
    "google.developer.developer_knowledge"
  ],
  "risk_tier": "read_only",
  "mission_contract_id": "mission_contract_d1b1006685640fcfb675",
  "reason": "Review Google MCP access through OS9."
}
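As an added example that is not part of this page or of the OS9 project's code, the following shows how a default-deny planner validates a request body like the one above; the catalog slice and tier ceilings, the risk-tier identifiers, the contract-ID pattern and the result shape are all assumptions made for illustration.

```python
# Added example, not OS9 project code: default-deny validation for an access
# planner request. Catalog ceilings, tier identifiers, the contract ID pattern
# and the result shape are assumptions; provider IDs and the body are from the page.
import re

# Risk tiers, lowest to highest; identifiers assumed from the page's five names.
RISK_TIERS = ["read_only", "sensitive_read", "candidate", "side_effect", "privileged"]
# Constructed catalog slice: provider ID -> highest tier a plan may request
# (None = disabled_by_policy). IDs are from the page; ceilings are assumed.
CATALOG = {
    "google.developer.developer_knowledge": "read_only",
    "google.workspace.gmail": "sensitive_read",
    "google.android.management": None,
}
# Assumed shape of an OS9 mission contract ID (matches the page's sample).
CONTRACT_RE = re.compile(r"^mission_contract_[0-9a-f]{20}$")
# A plan must never carry these: planning is not authentication or approval.
FORBIDDEN_KEYS = {"access_token", "refresh_token", "oauth_url", "credential", "approval_token"}
# The request body shown on the page.
SAMPLE_REQUEST = {
    "provider_ids": ["google.developer.developer_knowledge"],
    "risk_tier": "read_only",
    "mission_contract_id": "mission_contract_d1b1006685640fcfb675",
    "reason": "Review Google MCP access through OS9.",
}


def plan_access(req: dict) -> dict:
    """Return a plan dict with 'decision' of 'planned' or 'denied' and the
    list of denial reasons; any unmet condition denies the whole request."""
    denials = []
    providers = req.get("provider_ids") or []
    tier = req.get("risk_tier")
    if not providers:
        denials.append("no provider_ids")
    if tier not in RISK_TIERS:
        denials.append(f"unknown risk_tier {tier!r}")
    if not CONTRACT_RE.match(str(req.get("mission_contract_id", ""))):
        denials.append("mission_contract_id malformed")
    for pid in providers:
        if pid not in CATALOG:
            denials.append(f"{pid}: not in official catalog")
        elif CATALOG[pid] is None:
            denials.append(f"{pid}: disabled_by_policy")
        elif tier in RISK_TIERS and RISK_TIERS.index(tier) > RISK_TIERS.index(CATALOG[pid]):
            denials.append(f"{pid}: {tier} exceeds ceiling {CATALOG[pid]}")
    plan = {"decision": "denied" if denials else "planned", "denials": denials,
            "provider_ids": providers, "risk_tier": tier, "runtime_enabled": False}
    assert not FORBIDDEN_KEYS & plan.keys()  # invariant: no credential material in a plan
    return plan
```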

Approval package

Signed approval evidence can be issued only after OS9 validates the contract, gate, and capability.

Create a plan before issuing OS9 approval evidence.

Workspace OAuth evidence ledger

Hash-only subject, revocation, runtime-readiness, and promotion-review receipts for Workspace MCP.

Ledger: unavailable
Accepted: 0
Rejected: 0
Latest receipt: none

Cloud IAM evidence ledger

Accepted hash-only credential-boundary receipts available for Google Cloud MCP runtime attachment.

Ledger: unavailable
Accepted: 0
Rejected: 0
Latest receipt: none

Runtime ledger

Governed read-only Google MCP attempts with receipt hashes and sanitizer evidence.

Ledger: unavailable
Completed: 0
Blocked: 0
Failed: 0