Tool Catalog
Managing and securing MCP tools
The Tool Catalog is GNETiX's central registry of all tools available across your MCP servers. It provides visibility into what tools exist, who can use them, and a full audit trail of every invocation.
Syncing Tools
When you add or update an MCP server, you need to sync its tools into the catalog. Syncing connects to the live MCP server, pulls all tool definitions (name, description, input schema), and stores them in the database.
To sync:
- Navigate to MCP Servers in the portal
- Select the server
- Click Sync Tools
GNETiX compares the live tools with the catalog and adds new tools, updates changed descriptions/schemas, and marks removed tools as inactive.
Tools in the catalog are what the Director sees. If a tool exists on the MCP server but has not been synced, the Director cannot discover or call it.
Tag-Based Access Control
GNETiX uses a tag-based RBAC system to control which users can invoke which tools. The model is simple:
- Create tags (e.g., network, kubernetes, read-only, senior-engineer)
- Assign tags to tools -- each tool can have one or more tags
- Assign tags to users -- each user can have one or more tags
- A user can invoke a tool only if they share at least one tag with that tool
Example
| Entity | Tags |
|---|---|
| Tool: show_interface_status | network |
| Tool: restart_pod | kubernetes, senior-engineer |
| User: Alice | network, kubernetes |
| User: Bob | network |
- Alice can call show_interface_status (shares network) and restart_pod (shares kubernetes)
- Bob can call show_interface_status (shares network) but not restart_pod (no matching tag)
Tag Groups
Tags can be organized into tag groups for easier management. For example, a "Department" group might contain network, security, and cloud tags. Groups are purely organizational -- the access control logic operates on individual tags.
Default Deny Mode
By default, untagged tools are callable by any authenticated user. For stricter security, enable tools_default_deny mode at the org level:
- Default deny OFF (default): Untagged tools are available to all users
- Default deny ON: Untagged tools are blocked. Every tool must have at least one tag, and users must have a matching tag to call it
Enabling default deny will immediately block access to any untagged tools. Make sure all tools are properly tagged before turning this on.
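The tag rule and the effect of switching on tools_default_deny can be checked before the change is made. The following is an added Python example that models the rule as described on this page; it is not GNETiX code. The first two tools and both users come from the example table, get_weather is a hypothetical untagged tool, and all function names are assumptions for illustration.

```python
# Added illustration: models the tag rule described on this page; not GNETiX code.
# Constructed data: two tools and both users are from the page's example table;
# get_weather is a hypothetical untagged tool.
TOOLS = {
    "show_interface_status": {"network"},
    "restart_pod": {"kubernetes", "senior-engineer"},
    "get_weather": set(),
}
USERS = {
    "Alice": {"network", "kubernetes"},
    "Bob": {"network"},
}


def can_invoke(user_tags, tool_tags, default_deny):
    """A shared tag is required; untagged tools are open to every
    authenticated user unless default deny is on."""
    if not tool_tags:
        return not default_deny
    return bool(user_tags & tool_tags)


def callable_tools(users, tools, default_deny):
    """Map each user to the sorted list of tools they may invoke."""
    return {
        user: sorted(name for name, tags in tools.items()
                     if can_invoke(user_tags, tags, default_deny))
        for user, user_tags in users.items()
    }


def default_deny_impact(users, tools):
    """Report what changes when tools_default_deny is switched on."""
    before = callable_tools(users, tools, default_deny=False)
    after = callable_tools(users, tools, default_deny=True)
    return {
        # Tools that need a tag before the switch is flipped.
        "untagged_tools": sorted(n for n, tags in tools.items() if not tags),
        # Per-user list of tools that stop being callable.
        "lost_access": {u: sorted(set(before[u]) - set(after[u]))
                        for u in users if before[u] != after[u]},
        # Tools that no user can call once default deny is on.
        "unreachable_after": sorted(
            n for n in tools if not any(n in after[u] for u in users)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(default_deny_impact(USERS, TOOLS), indent=2))
```

An empty untagged_tools list means enabling default deny changes nothing for current users; a tagged tool appearing in unreachable_after means no user holds any of its tags.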
Audit Log
Every tool invocation is logged with:
| Field | Description |
|---|---|
| Timestamp | When the tool was called |
| User | Who triggered the request (directly or via chat) |
| Tool | The tool name and MCP server |
| Input | The parameters passed to the tool |
| Output | The tool's response (or error) |
| Latency | How long the invocation took |
| Trace ID | Link to the Pipeline Monitor trace |
Access the audit log from MCP Servers > Audit Log in the portal, or query it via the API at /api/tool-logs.
The audit log is essential for compliance, debugging, and understanding how the AI is interacting with your infrastructure.