Access

Create principal

Create policy

Create tool permission

Policies

Select a principal to view or create policies.

Tool permissions

Select a policy to inspect current tool permissions.

Tool catalog

Tap a tool to prefill the permission form with a governed target.

add_system_note

systems � Append an operational note to a system.

write

approve_deployment

deployments � Approve a pending deployment.

write

assign_system_responsibility

systems � Assign an owner or operator to a system.

write

create_container

systems � Add a container record to a system.

write

create_service_endpoint

systems � Add a service endpoint to a container.

write

create_system

systems � Create a new system inventory record.

write

create_wiki_commit_job

knowledge � Create a commit/push job for pending wiki edits.

write

execute_wiki_commit_job

knowledge � Execute a pending wiki commit job immediately.

write

get_control_room_overview

control-room � Fetch the current Control Room overview snapshot.

read

get_deployment

deployments � Fetch a single deployment record.

read

get_system_detail

systems � Read the full inventory record for a system.

read

get_wiki_commit_job

knowledge � Read the status of a wiki commit job.

read

hetzner.costs.recalculate

costs � Force a Hetzner cost recalculation for the selected scope.

write

hetzner.costs.resources.list

costs � List estimated Hetzner cost line items by resource.

read

hetzner.costs.summary

costs � Read the current estimated Hetzner 30-day cost summary.

read

hetzner.costs.trend

costs � Read the daily Hetzner cost trend series.

read

hetzner.pricing_map.import

costs � Import or replace the active Hetzner pricing map.

write

hetzner.provision_network_security

operations � Create or repair the managed Hetzner private network, subnet, firewall, and generated GitHub Actions secrets for an environment.

write

host.agent.end

operations � End an active host repair session.

write

host.agent.exec

operations � Execute an approved host repair command within an active session.

write

host.agent.logs

operations � Read bounded service, container, or file logs within an active host repair session.

write

host.agent.start

operations � Start an ephemeral host repair session for a specific environment.

write

index_repository

sources � Index repository content for search and knowledge discovery.

write

knowledge.add_to_wiki

knowledge � Create an intake draft under /drafts and prepare ranked merge targets.

write

knowledge.draft_intake.get

knowledge � Read a wiki draft intake record.

read

knowledge.draft_merge.accept

knowledge � Accept a draft merge preview and write a new revision to the target page.

write

knowledge.draft_merge.preview

knowledge � Generate a reviewable merge preview for a selected target page.

write

knowledge.draft_merge.reject

knowledge � Reject a draft merge preview without modifying the target page.

write

knowledge.draft_suggestions.list

knowledge � List ranked target-page suggestions for a draft intake.

read

knowledge.draft_target.select

knowledge � Select a target page for a wiki draft intake.

write

knowledge.tree.list

knowledge � List the wiki hierarchy for manual target selection.

read

list_repositories

sources � List tracked repository mirrors and sync/index status.

read

list_service_deployments

deployments � List recent deployments for a service.

read

list_systems

systems � List active systems in the Control Room inventory.

read

list_wiki_commit_jobs

knowledge � List recent wiki commit jobs for a repository.

read

migrations.discovery.start

migrations � Start a discovery run for a migration project.

write

migrations.execution.cutover

migrations � Request or perform migration cutover after required validation gates pass.

write

migrations.execution.get

migrations � Read a migration execution with step and validation state.

read

migrations.execution.rollback

migrations � Request or perform rollback for a migration execution.

write

migrations.execution.start

migrations � Start a governed migration execution from an approved migration plan.

write

migrations.execution.validate

migrations � Run or refresh validation gates for a migration execution.

write

migrations.get

migrations � Read a migration project and its target profile.

read

migrations.list

migrations � List migration projects and their current states.

read

migrations.plan.generate

migrations � Generate a migration plan with validation and rollback checkpoints.

write

migrations.plan.get

migrations � Read a generated migration plan with ordered steps and environment mappings.

read

read_wiki_document

knowledge � Read a wiki or markdown document from a mirrored repository.

read

refresh_ghcr_credentials

operations � Refresh REGISTRY_URL and REGISTRY_USERNAME for a GitHub environment. GHCR deployments use the GitHub Actions GITHUB_TOKEN.

write

reject_deployment

deployments � Reject a pending deployment.

write

request_deployment_approval

deployments � Create an approval request for a deployment.

write

request_rollback

deployments � Request a rollback to an earlier deployment.

write

search_docs

knowledge � Search indexed markdown and code content across configured repositories.

read

sync_repository

sources � Run repository synchronization against origin.

write

systems.windows.image_build_runs.create

systems � Trigger a new Windows golden image build run.

write

systems.windows.image_build_runs.get

systems � Get a Windows image build run.

read

systems.windows.image_families.create

systems � Create a Windows golden image family for Hetzner automation.

write

systems.windows.image_families.list

systems � List Windows golden image families through the image catalog.

read

systems.windows.image_versions.approve

systems � Approve a Windows image version for deployment.

write

systems.windows.image_versions.deprecate

systems � Deprecate a Windows image version.

write

systems.windows.image_versions.get

systems � Get a Windows image version with build lineage and linked servers.

read

systems.windows.image_versions.list

systems � List Windows image versions with approval and lifecycle state.

read

systems.windows.image_versions.reject

systems � Reject a Windows image version.

write

systems.windows.image_versions.set_default

systems � Mark an approved Windows image version as the default deployment image.

write

systems.windows.servers.deploy

systems � Deploy a managed Windows server from an approved image.

write

systems.windows.servers.get

systems � Get a managed Windows server with provisioning details.

read

systems.windows.servers.list

systems � List managed Windows servers deployed from golden images.

read

update_markdown_document

knowledge � Update markdown content in a controlled wiki repository.

write

update_system

systems � Update an existing system inventory record.

write

wiki.add_diary_entry

knowledge � Append to the Developer diary, creating the day page when needed.

write

wiki.append_note

knowledge � Append a timestamped note to an existing wiki page and create a revision.

write

wiki.register_repository

sources � Register a Git repository and one or more mirror profiles for mirrored wiki content.

write

wiki.search

knowledge � Search wiki pages with unified ranking across native, seeded, and mirrored content, including source labels and optional filters.

read

wiki.sync_repository

sources � Sync a registered repository and refresh mirrored wiki pages and search results.

write

windows.vm.create

systems � Create a disposable Windows VM and return a one-time Administrator password.

write

windows.vm.delete

systems � Delete a disposable Windows VM instance.

write

windows.vm.list

systems � List disposable Windows VM instances.

read

windows.vm.recreate

systems � Recreate a disposable Windows VM with a new one-time Administrator password.

write