MCP tools and safety
Use 18 management tools with exact permissions, Draft-first writes, concurrency checks, and scoped execution.
Tool listing is not execution authorization. Every call rechecks the target Backend and resource scopes against live effective access.
Tool permissions
All permissions in a row are required unless the row says “transition-specific.”
| Tool | Permission expression |
|---|---|
whoami |
None |
list_types, describe_type |
backend.read + model.read + content.read |
search_entries, get_entry, search_assets, get_asset |
content.read |
list_vocabularies |
vocabulary.read |
search_terms, get_term |
term.read |
create_entry |
content.create |
update_entry |
content.read + content.update |
change_status |
content.read + the transition-specific content.update, content.publish, or content.unpublish |
list_releases |
release.read |
create_release |
release.create |
add_to_release |
release.update + content.read + content.update |
validate_release |
release.update + content.read |
schedule_release |
release.update |
Scope dimensions follow each PermissionKey. Backend pinning and target scope are checked even after a tool was listed. schedule_release is listed with release.update, then execution also checks content.read for every target item.
Safe write sequence
- Call
whoami,list_types, anddescribe_type. - Read the current entry and version.
- Validate keys and values against the described model.
- Call
create_entryto create a Draft, orupdate_entrywithexpectedVersion. - On conflict, reread and decide whether to retry; never overwrite blindly.
- Reread the Draft before any explicit
change_statuscall.
change_status alone changes lifecycle. schedule_release stores a proposal for human activation; it does not schedule or execute the Release by itself.
Boundaries
The MCP surface does not provide entry deletion, upload, schema mutation, Component-field writes, semantic search, automatic Release activation, a generic dry-run flag, or rate metering. Component fields can be read but are not writable.
Management execution carries agent attribution and delegated user identity when available. Do not use that statement as a substitute for verifying the activity record required by your own workflow.