Data Points

Data Points of Every System

Complete catalog of resources and tools that an MCP-first system should provide per domain area, from system metadata to Admin & Security.

An MCP-first system describes its capabilities completely. This applies not only to the architecture or the risk model but to every domain entity the system knows. This catalog shows which resources and tools a modern system should provide per domain.

The base principle: every entity needs at minimum list, search, get, create, update, archive, audit, permissions, linked resources, and recommended next actions. delete is rare: it is either replaced by archive or treated as a critical action protected with step-up auth.


System Metadata

The foundation of every agent session. Every agent needs these resources and tools before it performs any domain action: What capabilities exist? What am I allowed to do? Which policies apply?

Resources

  • system.capabilities
  • system.current_user
  • system.current_tenant
  • system.permissions
  • system.audit_policy
  • system.risk_policy
  • system.available_workflows
  • system.health

Tools

  • system.describe_capability Low
  • system.request_confirmation Low
  • system.check_permission Low
  • system.get_audit_log Medium
  • system.explain_denial Low

User & Identity

User management, roles, sessions, and agent identities. Most write operations here are at minimum high; role changes and secret rotation are always critical.

Resources

  • users.list
  • users.get
  • users.current
  • roles.list
  • permissions.list
  • sessions.list
  • api_clients.list
  • agent_identities.list

Tools

  • users.invite High
  • users.update_role Critical
  • users.disable High
  • users.enable High
  • users.delete Critical
  • sessions.revoke High
  • api_clients.create High
  • api_clients.rotate_secret Critical
  • agent_identities.create High
  • agent_identities.disable High
  • permissions.grant Critical
  • password.read Forbidden for AI

Tenants

Tenant management for multi-tenant systems. Every access to tenant data must be tenant-bound. Exporting and archiving tenants are critical.

Resources

  • tenants.list
  • tenants.get
  • tenants.settings
  • tenants.members
  • tenants.audit_log

Tools

  • tenants.update_settings High
  • tenants.invite_member High
  • tenants.remove_member High
  • tenants.create_export Critical
  • tenants.archive Critical

Contacts / CRM

Contacts are the most frequent entry point for agents in sales and support. Communication histories and private notes may contain personal data under GDPR; AI access should be restricted depending on context and agent purpose.

Resources

  • contacts.list
  • contacts.search
  • contacts.get
  • contacts.timeline
  • contacts.communication_history
  • contacts.related_projects
  • contacts.tags

Tools

  • contacts.create Medium
  • contacts.update Medium
  • contacts.merge High
  • contacts.add_note Medium
  • contacts.add_tag Low
  • contacts.remove_tag Low
  • contacts.archive High
  • contacts.request_data_export Critical

Companies

Company and account master data with purchase profiles and communication history. Closely linked with contacts and projects.

Resources

  • companies.list
  • companies.search
  • companies.get
  • companies.contacts
  • companies.projects
  • companies.profile
  • companies.purchase_profile
  • companies.communication_history

Tools

  • companies.create Medium
  • companies.update Medium
  • companies.assign_contact Medium
  • companies.update_purchase_profile Medium
  • companies.add_note Medium
  • companies.archive High

Projects

Projects are the central context hub: they link contacts, files, activities, and recommended next actions. Agents make heavy use of project context; generate_summary and recommend_next_action are especially relevant for this.

Resources

  • projects.list
  • projects.search
  • projects.get
  • projects.status
  • projects.timeline
  • projects.files
  • projects.contacts
  • projects.exposes
  • projects.activities
  • projects.recommended_next_actions

Tools

  • projects.create Medium
  • projects.update Medium
  • projects.change_status High
  • projects.assign_contact Medium
  • projects.add_note Medium
  • projects.attach_file Medium
  • projects.generate_summary Low
  • projects.recommend_next_action Low
  • projects.archive High

Files

Files can be highly sensitive: contracts, personnel documents, financial records. Download links need expiry dates, tokens, and audit trails. Agents should not load file contents into context unchecked.

Resources

  • files.list
  • files.get_metadata
  • files.preview
  • files.permissions
  • files.related_entities

Tools

  • files.upload Medium
  • files.attach_to_project Medium
  • files.generate_download_link High
  • files.revoke_download_link High
  • files.rename Medium
  • files.move Medium
  • files.archive High

Email & Communication

Email is the highest-risk area for autonomous agents: external communication has external legal effect, can transmit personal data, and is irreversible. The policy is clear: agents may create drafts, not send.

Resources

  • emails.list
  • emails.get
  • emails.thread
  • emails.templates
  • emails.delivery_status
  • emails.engagement_status
  • communications.timeline

Tools

  • emails.create_draft Medium
  • emails.preview Low
  • emails.send Critical
  • emails.schedule_send Critical
  • emails.attach_file Medium
  • emails.generate_download_link High
  • emails.cancel_scheduled_send High
  • communications.add_note Medium

Calendar

Creating appointments is moderately risky. Inviting external parties or cancelling appointments affects other parties and is high.

Resources

  • calendar.events.list
  • calendar.events.get
  • calendar.availability
  • calendar.connected_accounts

Tools

  • calendar.create_event Medium
  • calendar.update_event Medium
  • calendar.cancel_event High
  • calendar.invite_contact High
  • calendar.find_free_slot Low

Reminders & Tasks

Reminders and tasks are the safest autonomous actions in the system. They produce no external effects and are easily reversible. Agents can create and manage them without confirmation.

Resources

  • reminders.list
  • reminders.get
  • tasks.list
  • tasks.get
  • tasks.assigned_to_me

Tools

  • reminders.create Low
  • reminders.update Low
  • reminders.complete Low
  • reminders.cancel Low
  • tasks.create Low
  • tasks.assign Medium
  • tasks.update_status Low
  • tasks.complete Low

Reports & Analytics

Reports and exports can contain sensitive personal data. The classification depends not on the tool itself but on the content: anonymized aggregates are medium, exports with personal data are critical.

Resources

  • reports.available
  • reports.get
  • analytics.kpis
  • analytics.activity_summary
  • analytics.risk_summary

Tools

  • reports.generate Medium
  • reports.schedule Medium
  • reports.export_anonymized Medium
  • reports.export_personal_data Critical
  • analytics.explain_metric Low
  • analytics.compare_periods Low

Billing

Almost all billing write operations are critical. AI may at most read, explain, or prepare here, never act autonomously. Payment execution is one of the hardest boundaries in the system.

Resources

  • billing.plan
  • billing.invoices
  • billing.payment_methods
  • billing.usage

Tools

  • billing.download_invoice Low
  • billing.change_plan Critical
  • billing.update_payment_method Critical
  • billing.cancel_subscription Critical
  • payment.execute Critical

Admin & Security

Security functions are the most sensitive layer of the system. Many of them are not only critical but completely forbidden for AI. Audit logs, session management, and API key rotation must never be autonomously modified by an agent.

Resources

  • security.settings
  • security.audit_log
  • security.active_sessions
  • security.api_keys
  • security.connected_clients
  • security.risk_events

Tools

  • security.export_audit_log Critical
  • security.revoke_session Critical
  • security.disable_client Critical
  • security.rotate_api_key Critical
  • security.update_policy Critical
  • secrets.rotate Critical
  • raw_access_token.read Forbidden for AI
  • private_key.read Forbidden for AI
  • full_database_export Forbidden for AI