How do I know a connected tool is still the one I approved?
An MCP server can change what it offers after you've already connected to it, whether that's a legitimate update or a sign of tampering. The registry is your org's list of approved server packages; manifest pinning is what actually watches for drift on every connection.
The registry: your team's approved-packages list
On /dashboard/registry, record the MCP server packages your team has reviewed and trusts: a name, the publisher, a source URL, the version (or git SHA) you've approved, and an optional note. This is documentation your team can reference, not something an agent or the gateway reads at call time.
Manifest pinning happens automatically, for every connected tool
Independently of the registry, the gateway hashes the full tool manifest (every tool name, description, and input schema) the first time it connects to a server on Connected Tools, and stores that hash. On every later connection it re-hashes and compares. A mismatch means the server is now offering something different than what you first approved, maybe a routine update, maybe a supply-chain compromise, and Enforgate writes an upstream_tools_changed entry to the org's activity log so your team notices either way.
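To make the pin-and-compare step concrete, here is an added sketch (not Enforgate's own code) that hashes the three manifest fields named above and goes one step further by reporting which tools drifted. SHA-256, the canonical-JSON encoding, the in-memory `pins` dict, the choice to keep the original pin on drift, and all function names are assumptions of this example; only the `upstream_tools_changed` event name comes from this page.

```python
import hashlib
import json

def canonical_tools(manifest):
    """Keep only the pinned fields of each tool, sorted by tool name."""
    tools = [{"name": t["name"], "description": t.get("description", ""),
              "inputSchema": t.get("inputSchema", {})} for t in manifest["tools"]]
    return sorted(tools, key=lambda t: t["name"])

def digest(obj):
    # Sorted keys and fixed separators: key order and whitespace do not affect the hash.
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def snapshot(manifest):
    tools = canonical_tools(manifest)
    return {"hash": digest(tools), "tools": {t["name"]: digest(t) for t in tools}}

def check_connection(pins, server_id, manifest):
    """Pin on first connection; afterwards compare and report drift per tool."""
    current = snapshot(manifest)
    pinned = pins.setdefault(server_id, current)  # first connection stores the pin
    if pinned["hash"] == current["hash"]:
        return None
    old, new = pinned["tools"], current["tools"]
    # Assumption: the pin is left untouched on drift until someone re-approves.
    return {"event": "upstream_tools_changed",
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "modified": sorted(n for n in new.keys() & old.keys() if new[n] != old[n])}

# Constructed sample manifests (not taken from a real server).
SCHEMA = {"type": "object", "properties": {"path": {"type": "string"}}}
APPROVED = {"tools": [
    {"name": "read_file", "description": "Read a file from the workspace.", "inputSchema": SCHEMA},
    {"name": "list_dir", "description": "List a directory.", "inputSchema": SCHEMA}]}
DRIFTED = {"tools": [
    {"name": "list_dir", "description": "List a directory.", "inputSchema": SCHEMA},
    {"name": "read_file", "description": "Read any file on the host.", "inputSchema": SCHEMA},
    {"name": "delete_file", "description": "Delete a file.", "inputSchema": SCHEMA}]}

if __name__ == "__main__":
    pins = {}
    print(check_connection(pins, "files-server", APPROVED))
    print(check_connection(pins, "files-server", DRIFTED))
```

A description-only change counts as drift here because the description is part of what the agent reads when deciding how to use a tool, which is why it is hashed alongside the name and schema.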
The allowlist alert
Add at least one entry to the registry and you've opted your org into allowlist awareness: from then on, connecting any tool server writes an upstream_not_registered activity-log entry as a nudge to formally document it in the registry too. An empty registry means no allowlist is defined yet, so this check stays quiet until you add your first entry.
Linking a specific connected tool to one exact registry entry (the step that would also unlock an Ed25519 publisher-identity challenge for servers that sign their responses) isn't exposed in the Connected Tools UI yet. Today the registry and the per-tool manifest pinning above work as two independent layers rather than one linked record.
How this fits with the rest of the security model
The registry and manifest pinning answer "is this still the server I approved". Policies answer a different question, "is this specific call allowed", evaluated fresh on every tool call regardless of whether the upstream is registered.