mcp-governance-auto
Install: claude install-skill osrt91/ulak.os
# MCP Governance Auto — allowlist drift detection + reconciliation
## Goal
Keep `docs/governance/mcp-governance.md` (the authoritative allowlist) in sync with `.mcp.json` (runtime config) and the `permissions.allow` list in `settings.local.json` (operator scope). Detect drift early and propose reconciliation; never auto-apply.
## When to use
- `/ulak-director komple` Phase 2: audits the MCP surface for governance drift
- Quarterly governance review
- Before adding a new MCP (the paper trail is generated from this skill)
- Incident response: post-compromise check that no MCP was silently added
## Inputs
```yaml
governance_doc: "docs/governance/mcp-governance.md"
runtime_config: ".mcp.json"
operator_scope: ".claude/settings.local.json"
report_path: "reports/current/mcp-reconciliation.md"
```
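A read-only sketch of the three-way comparison described under Goal, added here as an example and not the skill's own code. It also reports allowlist entries with no runtime server and allow entries with no runtime server, which goes beyond the drift kinds the page names. Assumptions: the governance doc lists one `- name (tier, ...)` bullet per MCP, `.mcp.json` keeps servers under `mcpServers`, and all function names, finding labels and sample values are constructed.

```python
import json
import re

# Constructed sample inputs; the governance-doc bullet format is an assumption.
GOVERNANCE_MD = """## Allowlist
- github (T2, rotation: 90d)
- context7 (T1, rotation: 180d)
- sentry (T2, rotation: 90d)
"""
MCP_JSON = '{"mcpServers": {"github": {}, "context7": {}, "linear": {}}}'
SETTINGS_JSON = ('{"permissions": {"allow": '
                 '["mcp__github__*", "mcp__linear__*", "mcp__jira__*", "Bash(ls:*)"]}}')


def declared(md_text):
    """MCP names from '- name (tier, ...)' bullets (assumed doc format)."""
    return set(re.findall(r"^- ([\w.-]+) \(", md_text, re.MULTILINE))


def runtime(json_text):
    """Server names configured under mcpServers in .mcp.json."""
    return set(json.loads(json_text).get("mcpServers", {}))


def operator_scope(json_text):
    """Server names referenced by mcp__<server>__<tool> allow entries."""
    allow = json.loads(json_text).get("permissions", {}).get("allow", [])
    hits = (re.match(r"mcp__(.+?)(?:__.*)?$", entry) for entry in allow)
    return {m.group(1) for m in hits if m}


def find_drift(md_text, mcp_json, settings_json):
    """Return sorted (kind, server) findings; read-only, nothing is applied."""
    gov, run, scope = declared(md_text), runtime(mcp_json), operator_scope(settings_json)
    findings = [("undeclared_in_runtime", s) for s in run - gov]
    findings += [("declared_not_in_runtime", s) for s in gov - run]
    findings += [("allow_without_governance", s) for s in scope - gov]
    findings += [("allow_without_runtime", s) for s in scope - run]
    return sorted(findings)


if __name__ == "__main__":
    for kind, server in find_drift(GOVERNANCE_MD, MCP_JSON, SETTINGS_JSON):
        print(f"{kind}: {server}")
```

A non-empty result is a prompt for a reviewed governance change or a config removal; the script writes to none of the three files.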
## Outputs
### `reports/current/mcp-reconciliation.md`
Structured reconciliation:
```markdown
# MCP Governance Reconciliation — 2026-NN-NN
## Allowlist-declared MCPs (governance/mcp-governance.md)
- github (T2, rotation: 90d, last_rotated: 2026-NN)
- context7 (T1, rotation: 180d)
- ...
## Runtime MCPs (.mcp.json)
- github ✓ matches allowlist
- context7 ✓
- linear ✗ NOT in allowlist
## Operator-scope allow entries (settings.local.json)
- mcp__github__* ✓ matches runtime
- mcp__linear__* ✗ runtime-only; missing governance entry
## Drift
| Kind | Detail | Action |
|---|---|---|
| **Undeclared MCP in runtime** | linear not in mcp-governance.md | Propose governance entry OR remove from .mcp.json |
| **