Skip to content

MCP Tools

The MCP server exposes 14 tools over the Model Context Protocol. DEVI uses them. So can Claude Desktop, Cursor, or any MCP-compatible agent you point at it.

The 14 Tools

Tools are grouped into three categories based on risk level.

Read Tools

Safe: No Confirmation Required

These tools query the live graph and return data. No side effects.

query_graph

Query the Universal Graph by provider, resource type, or waste flag.

{
  "provider": "aws",
  "resource_type": "ec2:instance",
  "waste_only": true,
  "limit": 50
}

Returns: Array of matching nodes with CRN, cost, tags, phase, and risk score.

get_financial_ledger

Get the current waste count and projected monthly savings.

{}

Returns: { "waste_count": 47, "projected_savings_usd": 12840.50 }

get_taxonomy_schema

Get the full list of CEL environment variables available in policy expressions.

Returns: All variables (id, kind, cost, tags, traits, intent, target_location, resource) with their types and descriptions.

simulate_policy

Dry-run a CEL expression against the live graph without persisting the rule.

{
  "condition": "cost > 500.0 && provider == 'aws'",
  "target_kinds": ["ec2:instance"]
}

Returns: Matching nodes, violation count, and enforcement preview.

get_resource_provenance

Get the Git blame data for a Terraform-managed resource: who created it, which file, which line.

{
  "crn": "crn:devi:aws:us-east-1:ec2:instance:123456789012:i-0abc123"
}

Returns: { "commit": "abc1234f", "author": "[email protected]", "file": "infra/ec2.tf", "line": 47 }

run_oracle_simulation

Run the HMM Viterbi spot instance termination prediction for a resource.

{
  "crn": "crn:devi:aws:us-east-1:ec2:spot:123:sir-0abc",
  "availability_zone": "us-east-1a"
}

Returns: Termination probability, predicted termination window, and confidence score.

Action Tools

Require User Confirmation

These tools trigger state changes in the running daemon.

request_quarantine

Submit a quarantine request for a resource. Goes through the full s.a.u safety pipeline: reversibility check, blast radius guardrail, CEL policy evaluation: before isolating.

{
  "crn": "crn:devi:aws:us-east-1:ec2:instance:123:i-0abc123",
  "reason": "Idle for 45 days, no traffic observed"
}

update_configuration

Hot-reload a configuration value without restarting the daemon.

{
  "path": "daemon.scan_interval",
  "value": "10m"
}

Values are applied immediately. The typed UpdateConfigPayload schema prevents arbitrary key injection.

install_plugin

Download, verify (SHA-256 checksum), and hot-load a plugin from the registry.

{
  "name": "aws",
  "version": "latest"
}

The plugin binary is verified against its manifest checksum before being loaded. Zero-downtime hot-load via HotLoadPlugin().

force_state_sync

Trigger an immediate Swarm reconciliation scan outside the normal interval.

{}

Agentic Tools

Always Require Explicit User Confirmation

These tools can write files, compile code, or persist policies. DEVI always presents a confirmation prompt before executing any agentic tool: no autonomous action.

generate_plugin

Generate Go source code for a new CloudSlash plugin from a natural language description.

{
  "provider_name": "digitalocean",
  "description": "Scan Droplets, Volumes, and Load Balancers for waste"
}

Returns the generated Go source code for review. The code is shown before any file is written.

build_plugin

Compile a generated plugin binary using go build.

{
  "source_path": "~/.cloudslash/generated/cloudslash-plugin-digitalocean/"
}

Requires user confirmation. Output binary is placed in ~/.cloudslash/plugins/.

save_policy

Write a CEL policy to a .cel.yaml file in the policies directory.

{
  "filename": "cost-guardrails",
  "rules": [...]
}

Requires user confirmation. File is written to ~/.cloudslash/policies/cost-guardrails/rules.yaml and immediately hot-reloaded.

write_file

Write arbitrary content to a file, sandboxed within ~/.cloudslash/.

{
  "path": "~/.cloudslash/reports/custom-report.md",
  "content": "..."
}

Requires user confirmation. Path traversal outside ~/.cloudslash/ is rejected.

Security Model

  • Read tools: no confirmation, no side effects, safe to call any time
  • Action tools: confirmation prompted, side effects on daemon state
  • Agentic tools: always confirmation, sandboxed file access, no network access outside declared APIs
  • The deterministic classifier never calls an LLM for routing decisions: zero latency, zero cost per query
  • All tool arguments are validated against typed schemas before execution

Connecting

External AI Tools

The MCP server is embedded in the daemon and shares its Unix socket. External tools that support MCP can connect to it.

External MCP Integration

Configuration for connecting Claude Desktop, Cursor, or custom MCP clients is dependent on each tool's specific MCP client setup. The CloudSlash MCP server endpoint is accessible through the running daemon.