ReplenishRadar's MCP server is designed with defense-in-depth. Every tool call passes through authentication, authorization, rate limiting, and audit logging before reaching inventory data.

Three frameworks govern this work:

1. Amazon BSA Agent Policy (March 2026) — binding for all features touching Amazon data
2. OWASP LLM Top 10 — security risks specific to AI agent integrations
3. Org-scoped RLS model — all queries are scoped to the authenticated organization

ReplenishRadar is registered as an Agent under Amazon's March 2026 Business Solutions Agreement.

• All MCP tool outputs are structured JSON — never raw text flowing into LLM prompts
• String fields are sanitized before returning in tool responses

• rr_create_purchase_order always creates draft status — enforced server-side
• No MCP tool can change order status from draft to sent without human approval
• Review URLs are included in write-action responses

• API keys are org-scoped; cross-org data access is impossible
• unit_cost fields are only returned for write-scope API keys
• PII is excluded from all MCP tool responses
• Internal IDs and debug fields are stripped

• Write tools require Scale+ tier and buyer role minimum
• No MCP tool can delete items, merge SKUs, send POs, or modify prices without approval
• Restrictions are enforced server-side; cannot be overridden by prompt engineering

• Suggested PO responses include as_of timestamp and confidence metadata
• PO creation responses include a review_url deep link
• Stale forecast data (>24 hours) is flagged with data_freshness: stale

• Keys are stored as sha256(key) — plaintext is shown once at creation
• Keys are prefixed rr_sk_live_ to enable automatic secret scanning in GitHub, GitLab, and CI systems

Read-only keys cannot be escalated to write scope by an agent.

• Keys can be revoked instantly from Settings > API Keys
• Revoked keys fail immediately on the next request (no caching)
• Admins can see all active keys and their last-used timestamp

If a key exceeds 200% of its hourly limit in a 5-minute window, it is automatically suspended for 60 minutes and an email alert is sent to the org owner.

Every MCP tool call is logged:

{
  "event": "mcp_tool_call",
  "org_id": "...",
  "api_key_id": "...",
  "tool": "rr_get_suggested_purchase_orders",
  "duration_ms": 143,
  "timestamp": "2026-03-08T14:32:01Z"
}

Write actions additionally log the full input and output for audit reconstruction.

Retention: 7 years. Logs are immutable — no update or delete operations.

MCP tool responses do not include:

• Internal user IDs or emails
• Raw Shopify/Amazon tokens or credentials
• Supabase row IDs that expose internal DB structure
• Debug fields or ML feature vectors
• Other organizations' data

• Agent audit logs containing IP addresses are subject to GDPR/CCPA deletion requests
• MCP tool responses do not contain end-customer PII
• ReplenishRadar's API Terms of Service prohibit using inventory data for training third-party AI models

If a compromised API key is detected:

1. Revoke the key immediately from Settings > API Keys
2. Review the audit log for all actions taken by the key
3. Review any draft POs created by the key — do not send them
4. If Amazon SP-API calls were triggered: review for policy violations
5. Notify the org owner via email within 24 hours