Your company is a typed callable substrate.
Every signed Capability is also an MCP tool. Claude Desktop, Cursor, Claude Code — any MCP client — can list your org’s catalog and call Capabilities directly. Same dispatcher, same signed receipts, same audit. Your AI infrastructure stops being trapped inside one UI.
Hard rule: destructive Capabilities are never exposed through Mode G
Side-effecting actions (sending email, posting to Slack, writing to external systems) require a human-in-the-loop gate, which lives in /ask’s Slack-magic-link flow. External MCP callers are read-and-compute; they cannot mutate external systems regardless of their key permissions.
tools/list — what Claude Desktop sees
- grounded llm
validate-business-reasonv1Given a free-text business reason for an expense, return whether it describes a clear business purpose, its category, and a one-sentence rationale.
1 input fields·readOnly=true·idempotent=false - composed
evaluate-business-expensev1End-to-end expense pre-approval: validates the business reason, then runs the tier-based pre-approval limit check. Returns both verdicts.
5 input fields·readOnly=true·idempotent=false - deterministic
compute-travel-expense-pre-approvalv1Given an expense amount and the employee's tier, return whether it's within the tier's pre-approval limit, the limit itself, and a one-sentence rationale.
4 input fields·readOnly=true·idempotent=true - deterministic
compute-customer-health-scorev1Blend MRR, support-ticket density, product-usage delta, and renewal proximity into a 0–100 health score with a verdict label (healthy / watch / at-risk).
4 input fields·readOnly=true·idempotent=true - deterministic
categorize-expense-accountv1Map an expense category + amount to the correct general-ledger account code. Used by the close pipeline to route expense rows into the chart of accounts.
2 input fields·readOnly=true·idempotent=true - deterministic
check-budget-variancev1Compare actual spend to budget for a given line item; return variance amount, percent, and whether it crosses the materiality threshold (10%).
3 input fields·readOnly=true·idempotent=true - grounded llm
interpret-data-handling-policy-clausev1Given a scenario involving customer data (storage, transit, deletion, third-party access), apply the signed data-handling policy and return a structured verdict: allowed / not_allowed / requires_dpo_review, with a citation back to the policy clause.
3 input fields·readOnly=true·idempotent=false - deterministic
check-pto-balancev1Compute available paid-time-off days for an employee given their accrual rate, used days, and start date. Returns days available + the next accrual date.
4 input fields·readOnly=true·idempotent=true - deterministic
lookup-crm-pipeline-summaryv1Snapshot of the active sales pipeline: target ARR for the quarter, closed-won, weighted pipeline, forecast vs target, gap, plus top open deals and at-risk deals. Used at every QBR and weekly forecast call.
2 input fields·readOnly=true·idempotent=true - deterministic
lookup-customer-statusv1Quick read of a customer's current MRR, plan tier, contract end date, primary contact, recent activity flag, and renewal status. The starting point for any customer-specific question.
1 input fields·readOnly=true·idempotent=true - composed
onboard-new-hire-checklistv1Composed Capability that runs the deterministic Day-1 onboarding checks for a new hire: laptop assignment, GL account categorization for IT spend, and PTO baseline. Returns a single checklist artifact.
4 input fields·readOnly=true·idempotent=false - human in loop
collect-time-off-requestv1Capture a time-off request from an employee via a structured form. The agent invokes this Capability; if any required field is missing, a form is rendered inline in the chat for the user to fill, and the agent re-invokes once submitted.
4 input fields·readOnly=true·idempotent=false - grounded llm
summarize-renewal-riskv1Given a customer's recent activity narrative, classify renewal risk (low / medium / high) and produce a 2-sentence rationale grounded in the input. Used in QBRs.
2 input fields·readOnly=true·idempotent=false
Wire Claude Desktop / Cursor in 5 lines
{
"mcpServers": {
"ctrlai-demo-acme": {
"url": "https://ctrlai.com/api/mcp/demo-acme",
"headers": {
"Authorization": "Bearer ctrlai_pk_..."
}
}
}
}Cursor uses ~/.cursor/mcp.json with the same shape. API keys are minted from /settings with the mcp:read_only permission.
Or skip the client and curl it
# tools/list — what tools the org exposes
curl -X POST https://ctrlai.com/api/mcp/demo-acme \
-H "Authorization: Bearer ctrlai_pk_..." \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
# tools/call — invoke a Capability
curl -X POST https://ctrlai.com/api/mcp/demo-acme \
-H "Authorization: Bearer ctrlai_pk_..." \
-H "Content-Type: application/json" \
-d '{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "compute-customer-health-score",
"arguments": {
"customerId": "ACME-INC",
"mrr": 4900,
"contractRenewalDate": "2026-06-19",
"lastQbrAt": "2026-02-10",
"productUsageScore": 78,
"supportTicketsLast90d": 1,
"championStillEngaged": true
}
}
}'
# Returns the structured output + _meta with ctrlai.invocationId,
# ctrlai.receiptId, ctrlai.trustLevel, ctrlai.durationMs.
# Same audit row as if the agent had invoked through /ask.Audit unification
Every tools/call through the MCP endpoint runs the same invokeCapability() dispatcher as the internal agent. Same audit row, same signed receipt, same trust-level computation, same Goal-criterion auto-eval, same trigger fan-out. The MCP skin is a different doorway, not a different runtime.
/.well-known/ctrlai/receipt-keys endpoint publishes the Ed25519 verification key as JWKS. Receipts verify offline against it.