Flocks speaks MCP (Model Context Protocol) on the agent-facing side. Every tool an agent calls — local shell, git, HTTP, or remote MCP server — flows through the gateway’s tool fabric, which is capability-scoped to the active grant.

What this buys you

  • One audit row per tool call, regardless of whether the tool was local or remote.
  • No tool-level secret sharing. A tool that needs an API key gets it through the grant, not from the agent’s process env.
  • Tenant-safe routing. A grant scoped to flocks.builtin.shell can’t reach flocks.builtin.git even if the agent asks for it.

Built-in tools

| Tool | What it does |
| --- | --- |
| flocks.builtin.shell | Run a shell command in the agent’s run dir. |
| flocks.builtin.git | Read-only git operations on a workspace. |
| flocks.builtin.http | Outbound HTTP, scoped by allowlist. |

External MCP servers can be registered and exposed under their own namespace; see the tool reference for the wire format.
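
The following is an added example, not Flocks code or its API. It models the scoping behaviour described above: each call is checked against the active grant's tool list, an audit row is written, and the credential comes from the grant. The `Grant` and `Gateway` classes, the audit-row fields, and the choice to record denied calls are assumptions made for illustration.

```python
# Added illustration: a model of capability-scoped dispatch, not Flocks code.
# Grant, Gateway, and the audit-row fields are hypothetical names.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    tenant: str
    tools: frozenset                             # exact tool names this grant may call
    secrets: dict = field(default_factory=dict)  # tool name -> credential


class Gateway:
    def __init__(self, handlers):
        self.handlers = handlers   # tool name -> callable(args, secret)
        self.audit = []            # one row per call (assumption: denied calls too)

    def call(self, grant, tool, args):
        # Exact-match check: prefix matching would let "flocks.builtin.shell"
        # also authorize a tool named "flocks.builtin.shell2".
        allowed = tool in grant.tools and tool in self.handlers
        self.audit.append({"tenant": grant.tenant, "tool": tool, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"grant does not cover {tool}")
        # The credential comes from the grant, never from os.environ.
        return self.handlers[tool](args, grant.secrets.get(tool))


def demo():
    handlers = {
        "flocks.builtin.shell": lambda args, secret: f"ran {args['cmd']}",
        "flocks.builtin.git": lambda args, secret: "git log output",
        "flocks.builtin.http": lambda args, secret: f"auth={'set' if secret else 'none'}",
    }
    gw = Gateway(handlers)
    # Constructed grant: shell and http only, with a constructed API key for http.
    grant = Grant("tenant-a",
                  frozenset({"flocks.builtin.shell", "flocks.builtin.http"}),
                  {"flocks.builtin.http": "constructed-api-key"})
    results = [gw.call(grant, "flocks.builtin.shell", {"cmd": "ls"}),
               gw.call(grant, "flocks.builtin.http", {"url": "https://example.test"})]
    try:
        gw.call(grant, "flocks.builtin.git", {"op": "log"})  # outside the grant
    except PermissionError as exc:
        results.append(str(exc))
    return results, gw.audit


if __name__ == "__main__":
    print(demo())
```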