Ascend Gateway V5 — Declared Tool Manifest
This file is the source of truth for which MCP tools are allowed to exist.
Check
scripts/checks/04-simple.ts compares the files in src/tools/*.ts against this table. Any drift is a deploy-blocking failure at the pre-deploy gate. Adding a tool means editing both places in the same commit.
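A minimal version of the comparison this gate performs, as an added example rather than the project's own scripts/checks/04-simple.ts. It takes the manifest text and a file listing as in-memory inputs; the function names, the sample rows and the debug-proxy file are assumptions made for illustration.

```typescript
// Added example, not the project's scripts/checks/04-simple.ts; names are hypothetical.
interface Drift { undeclared: string[]; missing: string[]; duplicates: string[] }

// Split a row on unescaped pipes only, so a "\|" inside a cell does not shift columns.
function splitRow(line: string): string[] {
  const cells: string[] = [];
  let cur = "";
  for (let i = 0; i < line.length; i++) {
    const ch = line.charAt(i);
    if (ch === "\\" && line.charAt(i + 1) === "|") { cur += "|"; i++; }
    else if (ch === "|") { cells.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  cells.push(cur.trim());
  return cells;
}

// First column of each data row; the header and |---| separator rows are skipped.
function declaredTools(manifest: string): string[] {
  const names: string[] = [];
  for (const raw of manifest.split("\n")) {
    if (raw.trim().charAt(0) !== "|") continue;
    const name = splitRow(raw.trim())[1] || "";
    if (name !== "" && name !== "Tool" && !/^:?-+:?$/.test(name)) names.push(name);
  }
  return names;
}

// Exact, case-sensitive match: "Claude.ts" does not satisfy a "claude" row.
function checkDrift(manifest: string, files: string[]): Drift {
  const declared = declaredTools(manifest);
  const onDisk = files
    .filter((f) => /^src\/tools\/[^\/]+\.ts$/.test(f))
    .map((f) => f.slice("src/tools/".length, -".ts".length));
  return {
    undeclared: onDisk.filter((n) => declared.indexOf(n) === -1),
    missing: declared.filter((n) => onDisk.indexOf(n) === -1),
    duplicates: declared.filter((n, i) => declared.indexOf(n) !== i),
  };
}

// Constructed sample inputs (not the real manifest or repository listing).
const SAMPLE_MANIFEST = `| Tool | Kind | Purpose | Write ops? |
|---|---|---|---|
| discover | platform | Lists connected providers | read |
| claude | curated | action: invoke\\|batch | read + write |
| agent-state | platform | Tenant-scoped KV | read + write |`;
const SAMPLE_FILES = ["src/tools/discover.ts", "src/tools/claude.ts", "src/tools/debug-proxy.ts"];
console.log(JSON.stringify(checkDrift(SAMPLE_MANIFEST, SAMPLE_FILES)));
```

A gate built on this fails the deploy when any of the three arrays is non-empty: an undeclared file is a tool that exists without review, and a missing file is a manifest row that documents a capability the gateway does not actually ship.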
Allowed Tools
| Tool | Kind | Purpose | Write ops? |
|---|---|---|---|
| google-ads | curated | GAQL queries — campaigns, ads, metrics, keywords | read |
| google-ads-mutate | curated | Google Ads write ops — create/update/remove campaigns, ad groups, keywords, budgets | write |
| aws-bedrock | curated | AWS Bedrock LLM invoke (Claude, Nova) via InvokeModel — IAM-bound, SigV4 auth, extended thinking, prompt caching, guardrail pass-through | read |
| aws-bedrock-converse | curated | AWS Bedrock Converse API — unified cross-model interface with native tool use, multimodal content blocks (image, document, cachePoint), guardrail body injection, performance config, additional_model_request_fields for model-specific params | read |
| aws-nova-canvas | curated | Amazon Nova Canvas image generation (us-east-1 only) — 6 task types: TEXT_IMAGE, COLOR_GUIDED_GENERATION, IMAGE_VARIATION, INPAINTING, OUTPAINTING, BACKGROUND_REMOVAL; outputs to R2 by default, inline base64 on request | write |
| aws-ses | curated | SES transactional email send | send |
| aws-textract | curated | Textract document analysis (tables, forms, signatures) | read |
| discover | platform | Lists connected providers + endpoints for the tenant | read |
| call-api | platform | Generic authenticated proxy for any registered provider | any |
| batch | platform | Parallel execution of up to 10 API calls | any |
| agent-state | platform | Tenant-scoped KV persistence for AI agent context | read + write |
| claude | curated | Unified Anthropic API tool — action: invoke\|batch\|files\|agents. Messages API (effort, thinking, structured outputs, citations, fast mode, server tools, advisor, prompt caching, compaction), Batches (50% discount, 300K output, 10K requests), Files (upload/list/get/delete), Managed Agents (create/manage sessions). Consolidated 2026-04-23. | read + write |
| llm-invoke | curated | Tier-aware economy LLM invoker (ADR-027). tier="bulk" (default) → Workers AI + Qwen3-30B via binding call, zero egress, $0.051/$0.34 per 1M. tier="standard" → DeepSeek V4-Flash. tier="frontier" → caller sets provider+model explicitly. Legacy aliases auto-map (deepseek-chat→V4-Flash, deepseek-reasoner→V4-Pro). AI Gateway routing via CF_AI_GATEWAY_WORKERS_AI_SLUG. Providers: workers_ai \| deepseek \| openrouter \| groq \| cerebras \| gemini. 50–300× cheaper than Sonnet on matched workloads. | read |
| context-query | platform | Semantic + structural query over the Ascend Context Plane (ADR-016). Returns facts with source quotes and authority tiers. Proxies to ascend-context-worker over Service Binding; returns CONTEXT_PLANE_UNAVAILABLE when binding is absent. | read |
| context-explain | platform | Provenance lookup — given (subject, predicate) returns the chain of sources, timestamps, and authority tiers that back (or contradict) a claim in the Context Plane (ADR-016). Same Service Binding + graceful-degradation pattern as context-query. | read |
| web-fetch | platform | Public-web reader — fetches an https:// URL through the gateway’s unrestricted CF egress and returns either raw bytes or clean markdown via Jina Reader (r.jina.ai). No tenant token injected. Use case: MCP clients in egress-restricted sandboxes (Claude Code on the web) that need to read competitor sites, partner docs, or any unauth public URL. 30s timeout, no retries, output truncated to max_chars. | read |
| ai-invoke | platform | Smart LLM router — one tool, automatic provider selection. Routing: needs_web=true / intent=search → Gemini 2.5 Flash + Google Search grounding; context_tokens > 180k / intent=doc → Gemini 2.5 Pro; quality=economy / intent=bulk → DeepSeek; quality=premium → Claude Opus 4.7; default → Claude Sonnet 4.6. Use ai_invoke instead of hand-picking a model. | read |
| submit-feedback | platform | Agent-to-platform feedback channel (ADR-036 Decision 2). Calling agents (Claude Code, Cursor, ChatGPT, Codex, Hermes) post structured feedback when blocked or when capabilities are missing. V5 cannot see calling-agent chat — this tool is the direct line to the platform team. Persists to D1 agent_feedback; Mishaal triages weekly via GET /admin/feedback. Ramp pattern: “Designing for Agents” (Apr 2026). | write |
| browser | platform | Headless Chromium screenshot via CF Browser Rendering binding ([browser] binding = "BROWSER"). Captures JS-rendered pages as base64 PNG/JPEG. Use-cases: competitor monitoring, visual page analysis, ad creative capture, UI verification. Unlike web-fetch (stripped text), returns the full rendered visual including CSS, images, and JS-driven content. SSRF-blocked (RFC-1918, loopback, link-local, CGNAT), HTTPS-only, 30s timeout, 50 000px full-page cap. Returns CONFIG_MISSING when binding absent (local dev). | read |
Architecture (ADR-042, 2026-05-07): 3 always-on platform tools statically registered (call_api, discover_apis, batch_execute). All curated tools indexed in Vectorize namespace capability_index and retrieved semantically at runtime (≤20 per LLM context). Catalog unbounded — no hard ceiling. Adding a tool requires a docs/tools/<slug>.md entry + TOOLS.md row + scripts/embed-tool-catalog.ts re-run.
Category definitions:
- curated — provider-specific tools with hand-crafted schemas and input validation (e.g. google-ads, hubspot, claude). Each one wraps a specific SaaS API.
- platform — gateway-level tools that are not tied to a single provider: generic proxy (call-api), discovery (discover), parallelism (batch), tenant state (agent-state), and the Context Plane face (context-query, context-explain). Previously split into “meta” (call-api/discover/batch) vs “platform” (agent-state); collapsed 2026-04-24 (closed row 18 of docs/tech-debt-register.md) — the distinction was a judgment call with no runtime meaning. search-knowledge removed 2026-05-17 (ADR-054 P2 — client-knowledge Vectorize deleted).
Expansion Rules
- Every new tool must appear in this table in the same commit that adds src/tools/{name}.ts.
- Filename → table row: the first column must exactly match the filename (without .ts).
- Doc file is mandatory: every curated tool must have docs/tools/{name}.md listing every action it supports (check 14).
- Strict schemas: every tool must use server.registerTool() with inputSchema: z.object({...}).strict() (check 08).
- Tenant context: every tool must derive tenancy from ctx.tenantId, never from an input parameter (check 03).
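The strict-schema and tenant-context rules can both be gated statically. The following is an added sketch of such a source lint, not the project's check 08 or check 03; it is a text heuristic rather than an AST pass, and the function names, the list of tenant key spellings and the two sample tool sources are assumptions.

```typescript
// Added example: heuristic lint, not the project's check 08 / check 03; names are hypothetical.
interface Finding { rule: "strict-schema" | "tenant-from-input"; detail: string }

// Index of the ")" matching the "(" at `open`, or -1. Heuristic: parentheses
// inside string literals or comments are counted too.
function matchParen(src: string, open: number): number {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    const ch = src.charAt(i);
    if (ch === "(") depth++;
    else if (ch === ")" && --depth === 0) return i;
  }
  return -1;
}

function lintToolSource(src: string): Finding[] {
  const findings: Finding[] = [];
  const marker = /inputSchema\s*:\s*z\.object\(/g;
  let m: RegExpExecArray | null;
  let seen = 0;
  while ((m = marker.exec(src)) !== null) {
    seen++;
    const open = m.index + m[0].length - 1;
    const close = matchParen(src, open);
    // Unknown keys must be rejected, so .strict() has to follow the closing paren.
    if (close === -1 || !/^\s*\.strict\(\)/.test(src.slice(close + 1)))
      findings.push({ rule: "strict-schema", detail: "z.object(...) without .strict()" });
    // Tenancy must come from ctx.tenantId, so no tenant key may be caller-supplied.
    const body = close === -1 ? "" : src.slice(open + 1, close);
    const key = /\b(tenantId|tenant_id|tenant)\s*:/.exec(body);
    if (key) findings.push({ rule: "tenant-from-input", detail: "input key " + key[1] });
  }
  if (seen === 0) findings.push({ rule: "strict-schema", detail: "no inputSchema: z.object(...) found" });
  return findings;
}

// Constructed tool sources (not from the project).
const GOOD_TOOL = `server.registerTool("report", {
  inputSchema: z.object({ customerId: z.string(), query: z.string() }).strict(),
}, async (input, ctx) => run(ctx.tenantId, input));`;
const BAD_TOOL = `server.registerTool("report", {
  inputSchema: z.object({ tenantId: z.string(), query: z.string() }),
}, async (input) => run(input.tenantId, input));`;
console.log(JSON.stringify({ good: lintToolSource(GOOD_TOOL), bad: lintToolSource(BAD_TOOL) }));
```

The two rules reinforce each other: without .strict() a caller can pass extra keys that a handler might later read, and a tenant key in the input schema lets one tenant name another's data.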
Historical Note
The v1 spec said “10 MCP tools maximum”. V5 grew to 22 as AWS, Gamma, CRM writes, batch execution, agent state, ad platform integrations (Microsoft Ads, LinkedIn Ads), and Microsoft Calendar (Point Field Partners) landed. Each addition was a conscious trade-off between coverage and complexity.
What NOT To Add
- Provider-specific tools that are 90% overlap with call-api — use the meta tool instead.
- Tools that wrap a single endpoint — promote the provider to a curated tool only if multiple endpoints share a complex auth or parameter pattern.
- Read-only variants of existing tools — extend the existing tool with an action parameter.