MCP Tools
ArmorClaude's MCP tools for intent plan registration, policy reading, and trust operations
MCP Tools
ArmorClaude exposes 5 MCP tools through the armorclaude-policy MCP server. These are available to Claude during a session - Claude uses them to register plans, read policy, and perform trust operations.
MCP tools are used by Claude (the LLM), not by the user directly. Users manage policy through /armor commands. There is intentionally no policy_update MCP tool - policy mutation is human-only.
policy_read
Read the current policy state.
Input:
| Parameter | Type | Required | Description |
|---|---|---|---|
id | string | No | Specific statement ID to read |
Without id: Returns the full policy state (version, policy JSON, history).
With id: Returns a single policy statement by its ID.
Example output:
{
"version": 3,
"policy": {
"schemaVersion": "armor.policy.v1",
"kind": "PolicyProfile",
"defaults": { "decision": "deny" },
"statements": [
{ "id": "stmt_1", "effect": "permit", "action": { "type": "tool", "eq": "Read" } }
]
}
}register_intent_plan
Declare the tools Claude intends to use for the current task. ArmorClaude requires this before any other tool call - without a registered plan, all tool calls are blocked.
Input:
| Parameter | Type | Required | Description |
|---|---|---|---|
goal | string | Yes | One-line summary of what the plan accomplishes |
steps | array or JSON string | Yes | Ordered list of tool calls |
plan | object or JSON string | No | Alternative: pass the whole plan as one object |
Each step in the steps array:
| Field | Type | Required | Description |
|---|---|---|---|
action | string | Yes | Tool name (e.g., Read, Edit, Bash, mcp__server__tool) |
description | string | No | Why this step is needed |
metadata.inputs | object | No | Expected tool parameters for enforcement |
Example input:
{
"goal": "Read and summarize README.md",
"steps": [
{
"action": "Read",
"description": "Read the README file",
"metadata": { "inputs": { "file_path": "/project/README.md" } }
}
]
}What happens when called:
- The plan is validated against the intent plan schema
- If an API key is configured, the plan is sent to the ArmorIQ backend for a signed JWT intent token
- The plan and token are stored locally as a pending plan file
- The next
PreToolUsehook consumes the pending plan and enforces it
Example output:
Intent registered: 2 steps. Token valid 3600s.trust_revoke
Revoke the currently active intent token. Use when the plan has gone wrong or needs to be stopped immediately.
Input:
| Parameter | Type | Required | Description |
|---|---|---|---|
reason | string | Yes | Why this revocation is happening |
cascade | boolean | No | If true, also revoke child tokens (subtree delegations) |
What happens when called:
- The active session's intent token is located
- A revocation delta is signed and broadcast to the ArmorIQ backend
- Within ~55ms, every enforcement point (PEP) in the fleet refuses the token
- The revocation is recorded in the runtime state's trust operation log
Example output:
Token revoked. trustId=tr_abc123 (2 descendants cascaded)trust_reanchor
Re-anchor to an updated plan without revoking the current token. Use when the plan needs to change mid-session (e.g., additional tools needed).
Input:
| Parameter | Type | Required | Description |
|---|---|---|---|
updatedPlan | object | Yes | The revised plan (same schema as register_intent_plan) |
reason | string | No | Why the plan changed - surfaces in the audit timeline |
What happens when called:
- The updated plan is validated
- A delta
δ(h_P → h'_P)is signed, linking the old plan hash to the new one - The working token is re-minted so subsequent tool calls succeed against the new plan
- The tamper-evident lineage is preserved in the IAP audit log
Example output:
ReAnchor recorded. trustId=tr_def456 delta(a1b2c3d4e5f6 → 7890abcd1234)trust_delegate
Issue a subtree-bounded child token with a Merkle inclusion proof. Used for multi-agent scenarios where a sub-agent needs authority over part of the plan.
Input:
| Parameter | Type | Required | Description |
|---|---|---|---|
delegatePublicKey | string | Yes | Public key of the sub-agent |
subtreePath | string | Yes | Plan subtree path (e.g., /steps/[1]) |
validitySeconds | number | No | Override the default validity period |
targetAgent | string | No | Human-readable label for the sub-agent |
What happens when called:
- A child token is minted, scoped to the specified subtree path
- A Merkle inclusion proof is generated, proving the subtree is part of the parent plan
- The sub-agent receives authority confined to the named subtree
- The delegation is recorded in the trust operation log
Example output:
Delegation issued. trustId=tr_ghi789 subtreePath=/steps/[1] (delegationId=del_xyz)Whitelisted Tools
These tools are never blocked by ArmorClaude's intent enforcement (they are needed for the system to function):
register_intent_plan- Claude needs this to declare planspolicy_read- Policy reading (read-only, no mutation)trust_revoke/trust_reanchor/trust_delegate- Trust operationsExitPlanMode- Plan mode approvalToolSearch/TodoWrite/ListMcpResourcesTool- Claude Code internals with no side effects
Verifying MCP Server Connection
Check that the ArmorClaude MCP server is connected:
claude mcp list | grep armorclaudeExpected output:
plugin:armorclaude:armorclaude-policy: ... ✓ Connected