Parent: #7681 (5.12 Team data and packages)
Tool file: forge/ee/lib/mcp/tools/devices.js (extend)
Read tools for the remote instance (device) resource. Filed in devices.js alongside the existing device tools, following the one-file-per-resource convention (a tool lives in the file for the noun it is about, regardless of the URL's first path segment). The team-data and package tools that previously sat under this issue now live with the team resource in teams.js.
readOnlyHint: true.
| Tool |
Endpoint |
Scope |
Annotation |
platform_get_remote_instance_audit_log |
GET /devices/:deviceId/audit-log |
device:audit-log |
read |
platform_export_remote_instance_audit_log |
GET /devices/:deviceId/audit-log/export |
device:audit-log |
read |
platform_get_remote_instance_history |
GET /devices/:deviceId/history |
project:history |
read |
platform_list_remote_instance_http_tokens |
GET /devices/:deviceId/httpTokens |
device:edit |
read |
platform_list_team_provisioning_tokens |
GET /teams/:teamId/devices/provisioning |
team:device:provisioning-token:list |
read |
Design notes:
- Device history reuses the
project:history scope (there is no device-specific history scope). It is plan-gated on feature key projectHistory, which defaults to enabled; a disabled team returns a 404 regardless of the caller's permissions, so the tool surfaces a clear "feature not enabled for this team" message rather than a bare not-found.
- The HTTP-token list uses
device:edit on devices. It is still a read for MCP purposes: annotate readOnlyHint: true and allow-list accordingly.
platform_list_team_provisioning_tokens describes device provisioning, so it is filed with the device tools. The summary view omits the token secret (unlike the create route), so it is safe to expose read-only.
Scopes to allow-list (IMPLICIT_TOKEN_SCOPES['user:expert-mcp']) and access-tag (#7445):
device:audit-log (read), project:history (read), team:device:provisioning-token:list (read). device:edit is already present from the shipped device tools.
Tests:
- Read tools allowed for read-only PAT.
- Feature-disabled team returns the descriptive gate error for device history.
- Provisioning-token list never surfaces the token secret.
Parent: #7681 (5.12 Team data and packages)
Tool file:
forge/ee/lib/mcp/tools/devices.js(extend)Read tools for the remote instance (device) resource. Filed in
devices.jsalongside the existing device tools, following the one-file-per-resource convention (a tool lives in the file for the noun it is about, regardless of the URL's first path segment). The team-data and package tools that previously sat under this issue now live with the team resource inteams.js.readOnlyHint: true.platform_get_remote_instance_audit_logGET /devices/:deviceId/audit-logdevice:audit-logplatform_export_remote_instance_audit_logGET /devices/:deviceId/audit-log/exportdevice:audit-logplatform_get_remote_instance_historyGET /devices/:deviceId/historyproject:historyplatform_list_remote_instance_http_tokensGET /devices/:deviceId/httpTokensdevice:editplatform_list_team_provisioning_tokensGET /teams/:teamId/devices/provisioningteam:device:provisioning-token:listDesign notes:
project:historyscope (there is no device-specific history scope). It is plan-gated on feature keyprojectHistory, which defaults to enabled; a disabled team returns a 404 regardless of the caller's permissions, so the tool surfaces a clear "feature not enabled for this team" message rather than a bare not-found.device:editon devices. It is still a read for MCP purposes: annotatereadOnlyHint: trueand allow-list accordingly.platform_list_team_provisioning_tokensdescribes device provisioning, so it is filed with the device tools. The summary view omits the token secret (unlike the create route), so it is safe to expose read-only.Scopes to allow-list (
IMPLICIT_TOKEN_SCOPES['user:expert-mcp']) and access-tag (#7445):device:audit-log(read),project:history(read),team:device:provisioning-token:list(read).device:editis already present from the shipped device tools.Tests: