MCP tools
External tool servers behind the same compliance gate, with per-key deny-by-default grants.
Register external MCP tool servers (HTTP, SSE, or stdio) in the Console with residency tags; auth secrets are sealed in the credential vault and never echoed back.
Every tool call clears the same gate as a chat completion: Inspect (data protection on the arguments), Route (residency on the server), Seal (audit chain), Meter (rate and budget). Tool grants are per-key and deny-by-default. Sluis also answers POST /v1/mcp as an MCP server itself, exposing exactly the tools the calling key is granted.
# list the tools this key is granted (deny-by-default) curl https://api.sluis.ai/v1/mcp \ -H "Authorization: Bearer $SLUIS_KEY" \ -d '{ "jsonrpc": "2.0", "id": 1, "method": "tools/list" }' # every tools/call clears Inspect → Route → Seal → Meter