You are exposing internal systems to an AI assistant through a remote MCP server that several employees use. Threat-model it. How do you authenticate and authorize callers, how do you keep tool inputs from being abused (injection, over-broad queries), and how do you prevent a confused-deputy problem where the server uses its own privileges on behalf of a request it should not honor? Cover both a malicious user and an indirect prompt injection arriving through tool-fetched content.