Govern the headless body.
Headless does not mean ungoverned. Noodle Seed centralizes the runtime controls around every deployed app: identity, secrets, policy alpha, asset verification, release proof, tenant isolation, and scalar-safe audit events.
01Identity and groups
Current foundations include OAuth-protected deployments, owner-only access, and org-member access. Google Workspace group mapping, Entra, Okta, SAML/OIDC, and SCIM are private-preview or later identity lifecycle scope.
02Tenant isolation
Requests route by server identity and validate against the tenant artifact, connector catalog, policy context, and credential scope. Internal registry and group visibility must preserve that boundary for every customer tenant.
03Secrets and credentials
Service credentials stay out of specs, chats, logs, widget payloads, and runtime artifacts. They are stored encrypted and brokered to connectors at call time; delegated per-user credential brokering is the required plan for Workday, CRM, and user-scoped systems.
04Approval lifecycle
App deploys already carry tenant, environment, version, owner, and active deployment state. Tenant rollback can reactivate a stored target without changing the stable MCP endpoint. A full internal connector registry with lifecycle state, risk class, review cadence, and disablement is private-preview enterprise scope.
05Policy alpha
Policy assignment APIs and the noodle policy CLI can deny, suspend, quota, and rate-limit MCP requests before SDK dispatch. Active policy lookups are cached and invalidated on writes. Group-level governance and broader enterprise policy suites remain scoped work.
06Audit evidence
The platform emits scalar-safe events for deployment, rollback, policy denials, assets, and operator actions without request bodies, bearer tokens, signed URLs, or local absolute paths. Compliance exports are private-preview scope.
07Hosted assets
Packaged images are validated, uploaded through a keyless asset edge, re-hashed, re-sniffed, served from assets.noodleseed.dev, and kept separate from MCP/OAuth traffic.
08Release proof
Production deploys stamp the image with gitSha and buildTime, then fail unless the live service reports the expected commit through /v1/service/info.
09Private connectivity
The first pilot must choose a supported connectivity model: managed SaaS, customer-dedicated GCP, private GKE/GDC, customer-hosted runner, secure relay, or hybrid. Internal systems should fail closed if the selected path is unavailable.
10Threat model
Internal connectivity must account for prompt injection, tool poisoning, overbroad tools, data exfiltration, destructive actions, lateral movement, connector SSRF, credential misuse, and audit gaps before pilots expand.