Problem
When a Langflow agent calls an MCP tool, there's no framework-level hook to verify the server's trustworthiness before execution. This creates a gap where malicious or misconfigured MCP servers can execute arbitrary operations without any trust validation.
Related: #9118 covers tool approval, but that's user-initiated. This proposal adds a programmable middleware layer for automated trust checks.
Proposal
Add a configurable middleware/hook point that runs before any MCP tool execution:
```python
# Example: pluggable trust verification
from typing import Protocol

# TrustResult, Flow and MyCustomVerifier are placeholders for the proposed API
class TrustVerifier(Protocol):
    async def verify(self, server_uri: str) -> TrustResult: ...

# Users bring their own verification backend
flow = Flow(
    trust_verifier=MyCustomVerifier()  # Pluggable
)
```
The hook should:
- Run before any MCP tool call is dispatched
- Receive the server URI, tool name, and parameters
- Return allow/deny/warn with optional metadata
- Be opt-in with zero overhead when not configured
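As an added example (not Langflow code, and not part of the proposal above), the sketch below shows one way the four requirements could fit together: a `TrustVerifier` protocol that receives the server URI, tool name and parameters bundled in a `ToolCall`, a `TrustResult` carrying allow/deny/warn plus metadata, a `dispatch_tool` wrapper that skips the hook entirely when no verifier is configured, and a local allowlist policy standing in for whatever backend a user would plug in. The names `TrustDecision`, `ToolCall`, `dispatch_tool`, `AllowlistVerifier` and the example hostnames are assumptions made for illustration.

```python
# Added example, not Langflow's code. TrustDecision, TrustResult, ToolCall,
# dispatch_tool and AllowlistVerifier are illustrative names, not Langflow APIs.
import asyncio
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Awaitable, Callable, Optional, Protocol
from urllib.parse import urlparse


class TrustDecision(str, Enum):
    ALLOW = "allow"
    DENY = "deny"
    WARN = "warn"


@dataclass(frozen=True)
class TrustResult:
    decision: TrustDecision
    reason: str = ""
    metadata: dict[str, Any] = field(default_factory=dict)


@dataclass(frozen=True)
class ToolCall:
    # Everything the hook is supposed to receive before dispatch.
    server_uri: str
    tool_name: str
    params: dict[str, Any]


class TrustVerifier(Protocol):
    async def verify(self, call: ToolCall) -> TrustResult: ...


class ToolCallDenied(Exception):
    pass


class AllowlistVerifier:
    """Local policy backend: allow known hosts, warn on plaintext transport,
    deny everything else. Stands in for an external trust-scoring service."""

    def __init__(self, allowed_hosts: set[str]) -> None:
        self.allowed_hosts = allowed_hosts

    async def verify(self, call: ToolCall) -> TrustResult:
        parsed = urlparse(call.server_uri)
        if parsed.hostname not in self.allowed_hosts:
            return TrustResult(TrustDecision.DENY, f"server {parsed.hostname!r} not in allowlist")
        if parsed.scheme != "https":
            return TrustResult(TrustDecision.WARN, "plaintext transport", {"scheme": parsed.scheme})
        return TrustResult(TrustDecision.ALLOW)


Executor = Callable[[ToolCall], Awaitable[Any]]


async def dispatch_tool(call: ToolCall, execute: Executor,
                        verifier: Optional[TrustVerifier] = None,
                        warnings: Optional[list[str]] = None) -> Any:
    """Run the trust hook (if configured) before the tool executes."""
    if verifier is None:
        return await execute(call)  # opt-in: no verifier means no extra work
    result = await verifier.verify(call)
    if result.decision is TrustDecision.DENY:
        raise ToolCallDenied(f"{call.tool_name}@{call.server_uri}: {result.reason}")
    if result.decision is TrustDecision.WARN and warnings is not None:
        warnings.append(f"{call.server_uri}: {result.reason} {result.metadata}")
    return await execute(call)


async def fake_execute(call: ToolCall) -> str:
    # Stand-in for the real MCP client; only echoes what would have been sent.
    return f"ran {call.tool_name} on {call.server_uri} with {call.params}"


def run_demo() -> dict[str, Any]:
    """Exercise the allow, warn, deny and not-configured paths."""
    verifier = AllowlistVerifier({"tools.example.internal"})  # constructed sample policy
    warnings: list[str] = []
    calls = {  # constructed sample calls
        "allowed": ToolCall("https://tools.example.internal/mcp", "search", {"q": "x"}),
        "plaintext": ToolCall("http://tools.example.internal/mcp", "search", {"q": "x"}),
        "unknown": ToolCall("https://unregistered.example.net/mcp", "search", {"q": "x"}),
    }
    outcomes: dict[str, Any] = {}

    async def main() -> None:
        for name, call in calls.items():
            try:
                outcomes[name] = await dispatch_tool(call, fake_execute, verifier, warnings)
            except ToolCallDenied as exc:
                outcomes[name] = f"denied: {exc}"
        # Hook not configured: the unknown server is reached without any check.
        outcomes["no_verifier"] = await dispatch_tool(calls["unknown"], fake_execute)

    asyncio.run(main())
    outcomes["warnings"] = warnings
    return outcomes


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Running the module prints the four outcomes: the allowlisted HTTPS server runs, the plaintext one runs with a warning recorded, the unregistered host is refused before `fake_execute` is ever reached, and the same unregistered call goes straight through when no verifier is configured, which is exactly the gap the proposal describes.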
Benefits
- Framework-agnostic: Users choose their own verification backend (local policy, external API, OWASP-aligned checks)
- Opt-in: Doesn't break existing workflows
- Extensible: Works with any trust scoring service or local policy engine
- Security: Addresses OWASP MCP Top 10 risks around unverified server trust
References