MCP Tools
The DPU tool surface is intentionally small. It groups operations by domain rather than exposing storage internals directly. Here, MCP stands for Model Context Protocol.
Why The Tool Surface Is Grouped
Explorer needs stable operations such as “list visible secrets” or “update this confidential object”. It does not need direct read/write access to DPU storage files. The tool surface therefore reflects the domain model: identity, secrets, confidential objects, comments, and permission checks.
Tool Groups
| Group | Tools |
|---|---|
| Identity and roots | dpu_whoami, dpu_workspace_roots |
| Secrets | dpu_secret_list, dpu_secret_get, dpu_secret_put, dpu_secret_delete, dpu_secret_grant, dpu_secret_revoke |
| Confidential objects | dpu_confidential_list, dpu_confidential_get, dpu_confidential_create, dpu_confidential_update, dpu_confidential_delete |
| Comments | dpu_confidential_comment_add, dpu_confidential_comment_delete |
| Permission checks | dpu_access_check, dpu_confidential_grant, dpu_confidential_revoke |
Input And Response Behavior
tools/dpu_tool.mjs normalizes the MCP envelope, reads the verified metadata.invocation grant, validates required strings and enum-like values, and only then dispatches into the domain layer. Tool responses are actor-filtered. For example, a caller may see a secret record in a list without seeing its plaintext value unless the resolved role allows read.
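The validate-then-dispatch order and the actor filtering described above, as an added example that is not the code in tools/dpu_tool.mjs. The role names (viewer, reader), the envelope fields tool, arguments and actor, the action argument of dpu_access_check, and the in-memory store are assumptions, and the invocation grant is assumed to be already verified.

```javascript
// Added illustration, not the code in tools/dpu_tool.mjs. Role names, the
// envelope fields (tool, arguments, actor) and the store layout are assumptions.
const ROLE_RANK = { none: 0, viewer: 1, reader: 2 };
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Per-tool input spec: required strings and enum-like values.
const TOOLS = {
  dpu_secret_list: { required: [], enums: {} },
  dpu_secret_get: { required: ["name"], enums: {} },
  dpu_access_check: { required: ["name"], enums: { action: ["list", "read"] } },
};

// Constructed sample state: each secret carries a per-actor role map.
const SECRETS = [
  { name: "db-password", value: "constructed-value-1", roles: { alice: "reader", bob: "viewer" } },
  { name: "api-token", value: "constructed-value-2", roles: { alice: "viewer" } },
];

function roleOf(secret, actor) {
  const role = own(secret.roles, actor) ? secret.roles[actor] : "none";
  return own(ROLE_RANK, role) ? role : "none"; // unknown role names fail closed
}
// Actor-filtered view: null when invisible, plaintext only for "reader".
function viewFor(secret, actor) {
  const role = roleOf(secret, actor);
  if (ROLE_RANK[role] < ROLE_RANK.viewer) return null;
  const view = { name: secret.name, role };
  if (ROLE_RANK[role] >= ROLE_RANK.reader) view.value = secret.value;
  return view;
}

function handleTool(envelope) {
  const tool = envelope?.tool;
  const args = envelope?.arguments ?? {};
  const actor = envelope?.metadata?.invocation?.actor; // grant assumed verified upstream
  if (typeof actor !== "string" || actor === "") return { ok: false, error: "missing_invocation" };
  if (typeof tool !== "string" || !own(TOOLS, tool)) return { ok: false, error: "unknown_tool" };
  const badStr = TOOLS[tool].required.find((k) => typeof args[k] !== "string" || args[k].trim() === "");
  if (badStr) return { ok: false, error: `invalid_${badStr}` };
  const badEnum = Object.entries(TOOLS[tool].enums).find(([k, allowed]) => !allowed.includes(args[k]));
  if (badEnum) return { ok: false, error: `invalid_${badEnum[0]}` };
  // Validation passed: only now touch the domain data.
  if (tool === "dpu_secret_list") return { ok: true, secrets: SECRETS.map((s) => viewFor(s, actor)).filter(Boolean) };
  const found = SECRETS.find((s) => s.name === args.name);
  const view = found ? viewFor(found, actor) : null;
  if (tool === "dpu_access_check") return { ok: true, allowed: view !== null && (args.action === "list" || own(view, "value")) };
  // Absent and invisible secrets give the same error, so existence is not leaked.
  return view ? { ok: true, secret: view } : { ok: false, error: "not_found" };
}
```

In this example a viewer gets the record without a value field at all, and a secret the caller cannot see is indistinguishable from one that does not exist.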
Execution Constraints
mcp-config.json sets maxParallelTasks to 1. Mutating operations are also serialized through the DPU file lock. This does not turn DPU into a database, but it does prevent competing writers from updating the state files and permissions manifest concurrently.
For delegated Git/DPU calls, DPU verifies the caller assertion signature, audience, replay token, request hash, and delegated user token audience before authorizing the requested secret operation. The router relays the signed artifacts, but DPU remains the final policy authority.
Audit collection starts disabled and is enabled explicitly through dpu_audit_config_set. Once enabled, DPU appends JSONL records for audited secret and confidential mutations.