Edison Watch

Configuring Servers

Manage MCP servers and tool availability.

Admins control which MCP servers and tools are available to the organization.

Adding a Server

Option 1: Marketplace

  1. Click Browse Marketplace.
  2. Select a server and click Add.

Option 2: Custom Server

  1. Click Add Custom.
  2. Manual: Enter the name, command (e.g., uvx, npx), and arguments.
  3. JSON: Paste a configuration in VS Code or standard MCP format.

Template Variables

Use {VARIABLE_NAME} in arguments or environment variables. These can be configured globally by admins or individually by each user.
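A pre-flight check for a pasted configuration, as an added example (not Edison Watch's own code): it accepts either JSON layout, lists the template variables a server needs, refuses to render while any is unset, and produces a redacted copy for logs. The variable-name pattern, the function names, the `***` redaction and the sample values are assumptions made for illustration.

```python
import json
import re

# Assumption: variable names are upper-case letters, digits and underscores.
TEMPLATE = re.compile(r"\{([A-Z][A-Z0-9_]*)\}")

def load_servers(text):
    """Accept the standard MCP ("mcpServers") or VS Code ("servers") layout."""
    doc = json.loads(text)
    servers = doc.get("mcpServers") or doc.get("servers")
    if not isinstance(servers, dict):
        raise ValueError("expected a top-level 'mcpServers' or 'servers' object")
    return servers

def required_variables(server):
    # Only arguments and environment values are scanned for {VARIABLE_NAME}.
    fields = list(server.get("args", [])) + list(server.get("env", {}).values())
    return sorted({name for f in fields for name in TEMPLATE.findall(f)})

def render(server, values, redact=False):
    """Substitute variables; fail closed if one is unset. redact=True is log-safe."""
    missing = [v for v in required_variables(server) if v not in values]
    if missing:
        raise KeyError(f"unset template variables: {missing}")

    def sub(text):
        return TEMPLATE.sub(lambda m: "***" if redact else values[m.group(1)], text)

    out = dict(server)
    out["args"] = [sub(a) for a in server.get("args", [])]
    out["env"] = {k: sub(v) for k, v in server.get("env", {}).items()}
    return out

# Constructed sample in standard MCP format; the env entry is invented for the demo.
SAMPLE = """
{"mcpServers": {"github": {
  "command": "npx",
  "args": ["-y", "mcp-remote", "https://api.githubcopilot.com/mcp/",
           "--header", "Authorization: Bearer {GITHUB_TOKEN}"],
  "env": {"LOG_LEVEL": "{LOG_LEVEL}"}
}}}
"""

if __name__ == "__main__":
    github = load_servers(SAMPLE)["github"]
    print(required_variables(github))
    print(render(github, {"GITHUB_TOKEN": "constructed", "LOG_LEVEL": "info"}, redact=True))
```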

Server Management

Overview

View the server's command, status, and detected capabilities (tools, resources, prompts).


Status Toggles

  • Enable/Disable: Turn servers on or off globally.
  • Validate: Test the configuration. Edison Watch will attempt to start the server and discover its tools.
  • Reinitialize: Restart all servers to apply configuration changes.

Tool Configuration

In the Tools tab, classify each tool:

  • Enabled: Allow or block usage.
  • Security Flags: Mark as Write Operation, Private Data, or Untrusted Data.
  • ACL: Set the data sensitivity level.

Supply-Chain Security

Edison Watch automatically pins dependencies for servers that use package runners like npx or uvx. This prevents supply-chain attacks that rely on a changed or newly published package version, because exact package versions are locked.

How Pinning Works

When a server is first mounted:

  1. Edison Watch resolves the full dependency tree (including transitive dependencies)
  2. Creates a lockfile (e.g., package-lock.json for npm, uv.lock for Python)
  3. Stores the lockfile securely in the database
  4. Creates an ephemeral runtime environment from the locked dependencies

On subsequent mounts, the server uses the cached lockfile, ensuring identical dependency versions every time.

Pinning Status

In the server overview, you'll see:

  • Pinned badge: Shows the package version that's locked (e.g., @modelcontextprotocol/[email protected])
  • Pinned on [date]: When the dependencies were last locked

Clear Pin

Use the Clear Pin button to:

  • Force re-pinning after updating a server's package version
  • Resolve issues if a server misbehaves due to a corrupted pin
  • Update dependencies when a new version is available

After clearing, the server will re-pin on the next mount. This may take 30-60 seconds on first run.

You can also clear all pins at once using the Clear All Pins button in the server list sidebar.

First Run: Servers using npx or uvx will take longer to start on first mount while dependencies are being pinned. This is a one-time process.

Interface Locking

Edison Watch monitors the interface (tools, prompts, and resources) that each MCP server exposes. This detects unexpected changes that could indicate a compromised or misconfigured server.

How Interface Locking Works

When a server is first mounted:

  1. Edison Watch discovers all tools, prompts, and resources the server exposes
  2. Records the complete metadata (names, descriptions, schemas) for each element
  3. Computes a cryptographic hash of this metadata
  4. Stores the "interface lock" in the database

On subsequent mounts, Edison Watch compares the current interface against the stored lock. Any differences are flagged as interface drift.

Types of Drift Detected

  • New elements: A tool, prompt, or resource appears that wasn't there before
  • Removed elements: A previously-seen element is missing
  • Modified metadata: A description or schema has changed

Interface Drift Warning: When drift is detected, Edison Watch logs a warning and fires a security event. This helps you catch malicious updates or accidental misconfigurations.
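The lock-and-compare cycle described above, as an added example rather than Edison Watch's implementation: metadata is serialized to canonical JSON, hashed with SHA-256, and a later interface is classified into the three drift types. The lock layout, function names, the choice of SHA-256 and the sample server are assumptions.

```python
import hashlib
import json

KINDS = ("tools", "prompts", "resources")

def digest(obj):
    # Canonical JSON (sorted keys, fixed separators) so key order cannot alter the hash.
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def make_lock(interface):
    """Hash each element's full metadata, then hash the whole set."""
    elements = {}
    for kind in KINDS:
        for el in interface.get(kind, []):
            # Resources are keyed by URI when present; tools and prompts by name.
            key = el.get("uri") or el["name"]
            elements[f"{kind}:{key}"] = digest(el)
    return {"elements": elements, "hash": digest(elements)}

def detect_drift(lock, interface):
    """Compare the current interface against a stored lock."""
    old, new = lock["elements"], make_lock(interface)["elements"]
    return {
        "new": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

# Constructed sample: the interface at first mount and at a later mount.
SCHEMA = {"type": "object", "properties": {"path": {"type": "string"}}}
BASELINE = {
    "tools": [{"name": "read_file", "description": "Read a file from the allowed directory.", "inputSchema": SCHEMA}],
    "prompts": [{"name": "summarize", "description": "Summarize a file."}],
    "resources": [{"uri": "file:///notes", "name": "notes"}],
}
DRIFTED = {
    "tools": [
        {"name": "read_file", "description": "Read any file on the host.", "inputSchema": SCHEMA},
        {"name": "delete_file", "description": "Delete a file.", "inputSchema": SCHEMA},
    ],
    "prompts": [],
    "resources": [{"name": "notes", "uri": "file:///notes"}],  # same data, keys reordered
}

if __name__ == "__main__":
    print(detect_drift(make_lock(BASELINE), DRIFTED))
```

The reordered resource is not reported because canonical serialization makes the hash independent of key order, while a one-line description change on `read_file` is.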

Disabling Interface Locking

Interface locking is enabled by default for all servers. In some cases, you may want to disable it:

  • Development servers that change frequently
  • Servers with dynamically-generated tool lists
  • Testing environments where drift is expected

To disable interface locking for a server:

# Via API
PUT /api/server/{server_name}/interface-locking
Content-Type: application/json
Authorization: Bearer <admin_api_key>
 
{"enabled": false}

Admin Only: Only administrators can enable or disable interface locking. This setting is per-server and persists across restarts.

Example Configurations

GitHub Integration

{
  "command": "npx",
  "args": [
    "-y",
    "mcp-remote",
    "https://api.githubcopilot.com/mcp/",
    "--header",
    "Authorization: Bearer {GITHUB_TOKEN}"
  ]
}

PostgreSQL Database

{
  "command": "npx",
  "args": [
    "-y",
    "@modelcontextprotocol/server-postgres",
    "postgresql://localhost/mydb"
  ]
}

Zapier Automations

{
  "command": "npx",
  "args": [
    "-y",
    "mcp-remote",
    "https://mcp.zapier.com/api/mcp/s/{ZAPIER_ACCESS_TOKEN}/mcp"
  ]
}

Local Filesystem

{
  "command": "uvx",
  "args": ["mcp-server-filesystem", "/path/to/dir"]
}

Active Sessions: Reinitializing servers may briefly interrupt active AI sessions.