MCP Sidecar Deployment Topology

Reference architecture for sovereign MCP server deployment. Three deployment models โ€” subprocess, sidecar, and federated. Ring-based isolation. Defence-in-depth network policy. Zero-trust mTLS between MCPs.

3
Deployment Models
3
Trust Rings
30
MCPs In Production
0
Network Central Broker

1. Overview

The MCP Sidecar Deployment Topology defines how the 30 live DEFONEOS MCP servers are deployed, networked, and isolated. The architecture supports three deployment models โ€” SUBPROCESS, SIDECAR, and FEDERATED โ€” and applies ring-based isolation plus zero-trust mTLS across all MCP-to-MCP and MCP-to-agent traffic.

Sovereignty invariant: MCPs run on DEFONEOS hardware (MacBook M-series MLX runtime + Oracle UK-South region). Zero calls to Anthropic-hosted MCP, OpenAI-hosted MCP, or any US-jurisdiction MCP routing service. The MCP gateway is local code, SIGIL-audited.

2. Three Deployment Models

2.1 SUBPROCESS Model

MCP runs as a child process spawned by the agent runtime. Used for lightweight, high-trust MCPs that need direct lifecycle control.

PropertyValue
LifecycleSpawned by agent, killed on agent exit
IPCstdin/stdout JSON-RPC (model context protocol)
IsolationOS process + Ring0-namespace seccomp
Use casesRing0 MCPs (sigil-ledger, sovereign-secrets-keystore, bft-vote)
Examplesigil-mcp --subprocess --ring Ring0

2.2 SIDECAR Model

MCP runs as a separate OS process, co-located on the same host as the agent. Communicates over localhost HTTP/2 with mTLS.

PropertyValue
Lifecyclesystemd/launchd managed, restarts on crash
IPClocalhost:port HTTP/2 + mTLS (Ed25519 cert)
IsolationOS process + macOS sandbox-exec / Linux namespaces
Use casesRing1 MCPs (sentinel-hub, os-opendata, companies-house, aisstream)
Examplesentinel-hub-mcp --port 8201 --ring Ring1

2.3 FEDERATED Model

MCP runs on a remote host, accessed over the DEFONEOS federation protocol. Used for cross-region or cross-trust-ring deployments.

PropertyValue
LifecycleRemote systemd, federation manifest-controlled
IPCHTTPS + mTLS + federation-discovery attestation
IsolationRing2-only network policy, firewall ring enforcement
Use casesRing2 MCPs (gdelt-news, openaq-air, public data sources)
Examplegdelt-news-mcp --federation --ring Ring2 --manifest <URL>

3. Ring-Based Network Isolation

3.1 Firewall Rules

Each trust ring is bound to a distinct network policy zone. Cross-ring traffic must traverse a BFT-witnessed mediation gateway (Ring0-only).

RingAllowed DestinationsBlocked DestinationsMediation
Ring0 (sovereign)localhost, Oracle UK-South BFT gateway, sovereign secrets keystoreAll US-jurisdiction cloud, public internetNone โ€” direct
Ring1 (defence)Ring0 MCPs, MOD-accredited APIs, NATO-AUKUS federation endpointsRing2 civil MCPsRing0 mediation gateway
Ring2 (civil)Ring0 read-only MCPs, public APIs (gdelt, openaq, ons)Ring1 defence MCPsRing0 mediation gateway

3.2 mTLS Certificate Hierarchy

All MCP-to-MCP and MCP-to-agent traffic uses mutual TLS with Ed25519 certificates signed by the DEFONEOS internal CA. No public CA. No Let's Encrypt. No US-jurisdiction CA.

DEFONEOS Internal CA (root) โ”œโ”€โ”€ Ring0 Issuing CA (signs Ring0 MCP certs) โ”œโ”€โ”€ Ring1 Issuing CA (signs Ring1 MCP certs) โ””โ”€โ”€ Ring2 Issuing CA (signs Ring2 MCP certs) Certificate properties: - signature_algorithm: Ed25519 - validity: 90 days (auto-rotated) - revocation: CRL on SIGIL ledger, OCSP responder at localhost:8300 - SAN: ed25519:<pubkey-fingerprint>

4. Reference Topology

4.1 Production Architecture

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ DEFONEOS MacBook (M4 Pro, 48GB) โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ SOV3 Agent Runtime (MLX) โ”‚ โ”‚ โ”‚ โ”‚ โ””โ”€โ–บ Ring0 MCPs (subprocess) โ”‚ โ”‚ โ”‚ โ”‚ โ€ข sigil-ledger-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ€ข sovereign-secrets-keystore-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ€ข bft-vote-mcp โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ โ”‚ mTLS localhost โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ MCP Sidecar Manager (launchd) โ”‚ โ”‚ โ”‚ โ”‚ โ”œโ”€โ–บ Ring1 MCPs (localhost ports 8201-8215) โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ€ข sentinel-hub-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ€ข os-opendata-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ€ข companies-house-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ€ข aisstream-maritime-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ€ข rtsp-camera-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ€ข mqtt-bridge-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ”‚ โ€ข defoneos-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ””โ”€โ–บ Ring2 MCPs (localhost ports 8301-8315) โ”‚ โ”‚ โ”‚ โ”‚ โ€ข gdelt-news-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ€ข openaq-air-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ€ข ons-statistics-mcp โ”‚ โ”‚ โ”‚ โ”‚ โ€ข data-gov-uk-mcp โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ WireGuard tunnel (DEFONEOS sovereign mesh) โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ Oracle UK-South (Always Free tier, 4 ARM cores) โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ BFT Council Gateway โ”‚ โ”‚ โ”‚ โ”‚ โ€ข 33-agent PBFT consensus โ”‚ โ”‚ โ”‚ โ”‚ โ€ข Ring0 mediation gateway โ”‚ โ”‚ โ”‚ โ”‚ โ€ข Cross-ring policy enforcer โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

4.2 Port Allocation

Port RangeServiceRing
8100-8199Ring0 subprocess MCPs (stdin/stdout)Ring0
8200-8299Ring1 sidecar MCPsRing1
8300-8399Ring2 sidecar MCPs + OCSP responderRing2
8400-8499Federated MCPs (HTTPS gateway)Ring2
9000-9099DEFONEOS internal services (BFT, SIGIL, attestation)Ring0

5. Health Checks & Auto-Recovery

5.1 Liveness Probes

Each MCP exposes a /health endpoint over its IPC channel. Probes run every 15 seconds.

GET /health โ†’ 200 OK { "mcp": "sentinel-hub-mcp", "version": "1.2.3", "ring": "Ring1", "uptime_seconds": 86342, "last_successful_request": "2026-07-15T05:29:47Z", "attestation_state": "ACTIVE", "sigil_receipts_emitted": 14823, "memory_mb": 184, "cpu_percent": 12.4 }

5.2 Auto-Recovery Rules

ConditionActionSIGIL Event
Health probe fails 3x in 60sRestart (max 3 attempts in 5 min)mcp_restart
Restart attempts exceed 3 in 5 minQuarantine, alert owner, BFT vote to re-admitmcp_quarantine
Attestation state โ†’ SUSPENDEDImmediate stop, SIGIL emission, BFT reviewmcp_suspended
Memory > 1GB or CPU > 80% for 5 minWarning, throttlemcp_throttle
Red-line violationImmediate kill + key revocation + SIGIL red-line alertmcp_red_line_violation

6. Cross-Walk & Compliance

StandardCoverage
NCSC CAF C1 (Network)Ring-based firewall policy + mTLS + WireGuard
NCSC CAF C2 (Service Protection)Health probes + auto-recovery + attestation state
NCSC CAF C4 (Identity & Access)Ed25519 certs + Ring0 mediation + revocation
NIST SP 800-204D (Microservices Security)mTLS everywhere + namespace isolation + zero-trust
JSP 440 Ch7 (Defence AI Deployment)Ring-based isolation + defence-in-depth + audit trail
EU AI Act Art 15 (Cybersecurity)Resilience to circumvention + red-line defence
Topology status (tick 106): 30 MCPs deployed across 3 rings. 7 Ring0 / 11 Ring1 / 12 Ring2. Zero-trust mTLS on all 156 MCP-to-MCP and MCP-to-agent connections. BFT mediation gateway enforces cross-ring policy. Auto-recovery with SIGIL audit trail. Compliance: NCSC CAF C1/C2/C4, NIST SP 800-204D, JSP 440 Ch7, EU AI Act Art 15.