Skip to content
AM

The MCP tool catalog

The canonical MCP tool catalog is apps/ai-coo-cf/src/tools/catalog.ts. It defines the tools exposed by the Cloudflare Worker runtime. Files under apps/ai-coo/ are compatibility and local-development code, not the source for production discovery.

Catalog shape

Each normalized ToolDefinition contains:

FieldMeaning
nameCanonical inblack_* tool name
descriptionAgent-facing capability description
tierRisk tier: T1, T2, T3, or T4
pillaraccounting, commerce, cx, portal, reporting, or studio
kindread, write, or simulate
schemaZod input shape used for validation and MCP input-schema generation
outputSchemaStructured output contract
errorCodesDeclared INBLACK_* errors for the tool
paginationcursor or none
provenancerequired for writes; not_applicable otherwise
surfacesPublic/internal exposure
visibilityFeature, entitlement, GL-layer, role, permission, and persona requirements
simulatedBy / simulatesLinks a write to its generated preview tool
deterministicReplay and canonicalization metadata

The catalog contains metadata and schemas. Execution is handled by the MCP router and its delegates; a handler is not embedded in each catalog entry.

Risk tiers

TierCatalog meaningRuntime behavior
T1Read-only, report, search, or simulationExecutes without a pending action
T2Low-risk writeUsually executes immediately; guardrail scoring can escalate it to review
T3Mutating writeCreates a pending action before execution
T4Destructive actionInternal-only in discovery; curated tools are hard-blocked and other allowed tools require destructive approval

Studio API-key rotation and revocation are also approval-required even though their catalog tier is T2.

Generated simulate tools

Every normalized write has a generated inblack_simulate_* twin. The simulate tool is kind: "simulate", tier: "T1", and links back through simulates; the write links forward through simulatedBy.

The complete unfiltered catalog currently contains 440 tools: 128 reads, 155 writes, and 157 simulations. Runtime results can be smaller because manifests and tools/list are filtered for the surface, tenant policy, and principal.

Visibility

Visibility is not encoded as fictional tier-name arrays on each tool. The Worker combines catalog metadata with the tenant’s current agent policy and principal:

  1. Surface exposure
  2. AI assistant enabled state
  3. Effective risk tier and destructive-action policy
  4. AI COO scope
  5. Enabled pillar
  6. Required features
  7. Minimum GL layer
  8. Required entitlements
  9. Allowed roles
  10. Required permissions
  11. Allowed personas

A tool that fails a gate is omitted from discovery. Tenant-scoped policy resolution fails closed when the Worker cannot verify the tenant’s AI policy.

See Pillars, tiers, and tool visibility for the full model.

Manifest contract

The public machine-readable catalog is:

GET https://ai-coo.inblack.app/mcp/manifest
Authorization: Bearer <zitadel-access-token>
X-Tenant-ID: <tenant-id>

The response identifies the canonical catalog and runtime contract:

{
"schema_version": "2026-05-01",
"canonical_catalog": "apps/ai-coo-cf/src/tools/catalog.ts",
"surface": "public",
"endpoint_path": "/mcp",
"transport": "mcp_streamable_http",
"auth": "zitadel_bearer",
"visibility_schema_version": "2026-05-01",
"tool_count": 0,
"counts_by_kind": { "read": 0, "write": 0, "simulate": 0 },
"counts_by_pillar": {
"accounting": 0,
"commerce": 0,
"cx": 0,
"portal": 0,
"reporting": 0,
"studio": 0
},
"tools": []
}

Each manifest tool entry exposes metadata and sorted input_schema_keys, not the full Zod or output schema. Use MCP tools/list for the protocol-level tool definitions.

The internal manifest is at /internal/mcp/manifest. It uses service_token_or_internal_scope auth and includes internal-surface definitions, including T4 entries, subject to policy filtering.

Catalog checks

From inblack-userguide/docs, run:

Terminal window
pnpm check:mcp

This checks the generated catalog and all generated pillar reference pages against the current platform source.