MCP Tools
The Tentacular MCP server exposes tools via the Model Context Protocol. These tools are used by the tntc CLI and can be called directly by AI agents.
Enclave Management
Section titled “Enclave Management”| Tool | Description |
|---|---|
enclave_provision | Provision a new enclave (namespace + quota + policies + exoskeleton services) with owner and optional initial members |
enclave_info | Get enclave details including ownership, membership, quota, and exoskeleton service status |
enclave_list | List accessible enclaves, optionally filtered by caller email |
enclave_sync | Update enclave membership, status (freeze/unfreeze), or transfer ownership |
enclave_deprovision | Permanently delete an enclave and all its resources (irreversible) |
Workflow Lifecycle
Section titled “Workflow Lifecycle”| Tool | Description |
|---|---|
wf_apply | Apply workflow manifests to the cluster. The exoskeleton intercepts this to run registrars, enrich contracts, and inject credentials. |
wf_remove | Remove a workflow’s K8s resources. When cleanup is enabled, also runs unregistrars. |
wf_list | List all tentacular-managed workflows in a namespace |
wf_status | Get deployment status (replicas, conditions, image) |
wf_describe | Detailed workflow description including pods and events |
wf_run | Trigger a deployed workflow via HTTP POST to /run |
wf_restart | Restart a workflow deployment (rolling restart) |
wf_logs | Get pod logs (snapshot, not streaming) |
wf_pods | List pods for a workflow |
wf_events | Get recent events for a workflow’s resources |
wf_jobs | List jobs associated with a workflow |
Workflow Health
Section titled “Workflow Health”| Tool | Description |
|---|---|
wf_health | Health check for a single workflow (Green/Amber/Red classification) |
wf_health_ns | Health check for all workflows in a namespace |
Cluster Operations
Section titled “Cluster Operations”| Tool | Description |
|---|---|
cluster_preflight | Preflight validation: MCP connectivity, namespace creation, RuntimeClass, NetworkPolicy |
cluster_profile | Cluster capability snapshot: K8s version, CNI, storage, gVisor, extensions, exoskeleton service inventory (host, port, protocol, availability), and OIDC auth configuration |
health_cluster_summary | Overall cluster health summary |
health_nodes | Node health and resource usage |
health_ns_usage | Namespace resource usage |
Security Audit
Section titled “Security Audit”| Tool | Description |
|---|---|
audit_rbac | Verify service account has minimal permissions |
audit_netpol | Verify NetworkPolicy matches contract |
audit_psa | Verify Pod Security Admission labels |
Authorization is enforced only when OIDC authentication is active. Bearer-token requests bypass authorization entirely. Enclave permissions are managed through enclave_sync. Tentacle permissions are managed through enclave_sync (enclave-level) and deployment annotations (tentacle-level).
Module Proxy
Section titled “Module Proxy”| Tool | Description |
|---|---|
proxy_status | Check ESM module proxy status and cached modules |
Tool Groups
Section titled “Tool Groups”Tools are organized into functional groups:
- Enclave —
enclave_provision,enclave_info,enclave_list,enclave_sync,enclave_deprovision(5 tools) - Workflow Lifecycle —
wf_apply,wf_remove,wf_list,wf_status,wf_describe,wf_run,wf_restart,wf_logs,wf_pods,wf_events,wf_jobs(11 tools) - Workflow Health —
wf_health,wf_health_ns(2 tools) - Cluster —
cluster_preflight,cluster_profile(2 tools) - Health —
health_cluster_summary,health_nodes,health_ns_usage(3 tools) - Audit —
audit_rbac,audit_netpol,audit_psa(3 tools) - Module Proxy —
proxy_status(1 tool)
Authentication
Section titled “Authentication”All MCP tools require authentication. The server supports dual auth:
- OIDC tokens — from Keycloak/Google SSO, tried first
- Bearer tokens — fallback, always accepted
Tools that modify state (deploy, undeploy, credential operations) record deployer provenance when OIDC authentication is used.
Authorization
Section titled “Authorization”When OIDC authentication is active, the MCP server enforces POSIX-like permissions on both namespaces and tentacles. Namespaces act as directories and tentacles as files — both layers must pass for an operation to succeed. Each has an owner, group, and mode that control who can read (list/status), write (deploy/update/remove), or execute (run/restart) it. Bearer-token requests bypass authorization entirely.
See the Authorization guide for details on the permission model, annotation schema, and configuration.
See MCP Server Setup for installation and authentication details.