{"app":"Operator Commons","description":"Trusted playbook and workflow exchange for AI agents. Portable, permissioned context across Claude, ChatGPT, Gemini, and MCP-aware agents.","version":"2.4.0","protocolVersion":"2024-11-05","status":"full","transport":{"type":"http","url":"/api/mcp/messages"},"note":"v2.4.0 — 51 tools, derived from the live tools/list surface (v0.6 \"_packages\" / \"_context_package\" names still routed as deprecated aliases). Local clients can mount the stdio adapter at bin/mcp-stdio.ts.","tools":[{"name":"get_my_agent_dotfile","description":"Return the most recently updated playbook (dotfile) owned by the authenticated caller as a JSON string. [Bearer scope: dotfile:read | dotfile:export]","implemented":true},{"name":"list_shared_dotfiles","description":"List playbooks (dotfiles) shared with the authenticated caller — both public links they own and ShareGrants where they're the recipient. [Bearer scope: dotfile:read | dotfile:export]","implemented":true},{"name":"get_dotfile_by_id","description":"Return a single playbook (dotfile) by id if the caller has access (owner, example, or active ShareGrant recipient). [Bearer scope: dotfile:read | dotfile:export]","implemented":true},{"name":"compare_dotfiles","description":"Compare two playbooks (dotfiles) owned by the caller (or otherwise accessible) and return similarities, differences, and a merged recommendation. [Bearer scope: dotfile:read | dotfile:compare | dotfile:export]","implemented":true},{"name":"sanitize_dotfile","description":"ADVISORY pre-publish scan: run the SAME two-tier scanner the publish/update paths enforce, over a playbook (dotfile) content blob (plus optional title/summary/tags to reproduce the full publish surface). Returns the full verdict: secrets[] (Tier 1 shapes — these WOULD be hard-rejected at publish; redact them, they can never be acknowledged), vocabulary[] (Tier 2 term hits with a span of surrounding text and the field location), acknowledgeableTerms (the flat machine-readable term list — pass it as acknowledgedTerms at publish time to keep your declared sensitivity/riskLevel, no prose parsing), warnings, suggestedRiskLevel, and suggestedSensitivity. This tool never rejects — it reports exactly what publishing would decide. For snapshot ITEM arrays, use dryRun: true on publish_setup_snapshot / update_setup_snapshot / import_setup_scan instead. [Anonymous-callable]","implemented":true},{"name":"publish_workflow_recipe","description":"Append a single workflow recipe to one of the caller's playbooks. The recipe is appended atomically and a new DotfileVersion is created. Upserts by name: re-publishing an identical recipe with no sensitivity/acknowledgedTerms is an idempotent no-op (unchanged: true, no new version) — when either field IS passed, the write still runs so the re-declaration/acknowledgment rules apply (recipeUnchanged: true); a same-name recipe with different content is rejected unless mode: \"replace\" is passed, which overwrites it in place. Targeting: pass dotfileId explicitly (find ids via list_shared_dotfiles or get_my_agent_dotfile); when omitted, it defaults to your only playbook if you own exactly one — owning several returns a multiple-playbooks error listing their ids and titles. Tier 2 vocabulary hits can be acknowledged via acknowledgedTerms to publish at the declared sensitivity (preview terms via sanitize_dotfile); acknowledgments MERGE by term on this append operation, so terms already recorded on the playbook stay acknowledged without re-sending them. privacyWarnings are DELTA-SCOPED: they cover only the recipe in THIS call (untouched recipes never re-warn), and unacknowledged hits also come back structured as acknowledgeable ([{itemName, terms}]) — echo the terms into acknowledgedTerms, no prose parsing; enforcement (Tier 1 hard-reject, the stored sensitivity) still considers the whole document. Pass sensitivity to re-declare the playbook's level (applied — even downward — when every current Tier 2 match is acknowledged). Use remove_workflow_recipe to clean up recipes you no longer want. [Bearer scope: dotfile:write | dotfile:publish]","implemented":true},{"name":"remove_workflow_recipe","description":"Remove workflow recipe(s) by exact name from one of the CALLER'S OWN playbooks — the cleanup counterpart of publish_workflow_recipe. Pass `name` (one exact name) or `names` (several exact names, removed in ONE version write); exactly one of the two is required. The updated content is re-validated and a new DotfileVersion is written, so removal is recoverable via version history (unlike delete_dotfile). If several recipes share a given name, ALL of them are removed and the response says how many. Owner-gated: an unknown or not-owned playbook removes nothing and discloses nothing. Targeting matches publish_workflow_recipe: omitting dotfileId only works when you own exactly one playbook; owning several returns a multiple-playbooks error listing their ids and titles. Recorded acknowledgments merge by term: acks still covering the remaining content stay valid, acks for terms the removed recipe carried are dropped, and an optional sensitivity re-declares the level (applied when every remaining Tier 2 match is acknowledged). A removal adds no content, so it returns NO privacyWarnings about the surviving recipes — only a refused sensitivity re-declaration still warns, naming the uncovered terms. [Bearer scope: dotfile:write]","implemented":true},{"name":"delete_dotfile","description":"Authenticated caller's agent: PERMANENTLY DELETE one of the CALLER'S OWN playbooks (dotfiles) by id — versions and share grants cascade, and existing share links stop working. Deletion requires its own opt-in bearer scope, deliberately separate from the write scope. Owner-gated: a playbook you don't own deletes nothing and discloses nothing. Irreversible — there is no undo or archive. Find ids via get_my_agent_dotfile or list_shared_dotfiles. [Bearer scope: dotfile:manage]","implemented":true},{"name":"update_dotfile_metadata","description":"Authenticated caller's agent: rename, re-describe, or re-scope one of the CALLER'S OWN playbooks (dotfiles) without touching its content — updates title, summary, tags, and/or visibility only. At least one of title/summary/tags/visibility is required. Visibility \"public\" enforces a sensitivity ceiling: it is refused (naming the conflict) unless the playbook's stored sensitivity is public, low, or internal — re-declare a lower sensitivity via update_playbook_section first, or pick trusted/team. Metadata-only: never bumps the version or writes a DotfileVersion row; use publish_workflow_recipe or the web editor for content changes. Owner-gated: a playbook you don't own updates nothing and discloses nothing. [Bearer scope: dotfile:write]","implemented":true},{"name":"update_operator_profile","description":"Authenticated caller's agent: update the CALLER'S OWN public operator profile — bio (the public focus line consumers read first; surfaces as profile_summary.focus and on /operators/<handle>) and/or display name. At least one of name/bio is required; an empty string clears the field. Values are normalized (NFKC + zero-width strip) with hard caps (name 100 / bio 500 characters — over-cap values are rejected with the cap named, never silently truncated). The same two-tier scan as every write path runs: Tier 1 secret shapes hard-reject naming detector + field; Tier 2 vocabulary hits warn-and-store (the profile is a public surface with no per-item sensitivity — the save proceeds, warnings name each term; pass matched terms in acknowledgedTerms to acknowledge them). Returns the stored handle/name/bio plus any privacyWarnings. Owner-only by construction: this tool always writes the caller's own profile. [Bearer scope: profile:write]","implemented":true},{"name":"create_playbook","description":"Authenticated caller's agent: CREATE a brand-new playbook from a full content document — the MCP counterpart of the /create web editor. content must satisfy the canonical playbook schema (self-discover it via get_playbook_schema; dry-run first via validate_playbook). The same two-tier privacy scan as every write path is enforced: Tier 1 secret shapes hard-reject (never acknowledgeable); Tier 2 vocabulary hits floor sensitivity at \"confidential\" unless each matched term is listed in acknowledgedTerms. Returns the new playbook's id, slug, and version 1.0.0. Edit sections later via update_playbook_section; manage recipes via publish_workflow_recipe. [Bearer scope: dotfile:write]","implemented":true},{"name":"update_playbook_section","description":"Authenticated caller's agent: edit ONE content section of one of the CALLER'S OWN playbooks. section is one of profile, communicationStyle, workPatterns, toolStack, agentInstructions, privacyBoundaries, sharingPreferences, exportNotes — workflowRecipes is deliberately NOT patchable here (use publish_workflow_recipe / remove_workflow_recipe). mode 'replace' (default) sets the section to value; 'merge' deep-merges objects and unions string arrays (scalars: incoming wins). The WHOLE patched document is re-validated and re-scanned, and a new DotfileVersion is written. Optimistic concurrency: baseVersion must equal the playbook's currentVersion (from get_dotfile_by_id or a prior write result) or the call fails with a version-conflict error naming the current version — re-read and retry. Owner-gated: a playbook you don't own updates nothing and discloses nothing. The metadata summary is never touched (use update_dotfile_metadata). Find ids via list_shared_dotfiles or get_my_agent_dotfile. [Bearer scope: dotfile:write]","implemented":true},{"name":"get_playbook_schema","description":"Public, anonymous: self-discovery for playbook authoring. Returns the canonical playbook JSON Schema (generated live from the same zod schema every write path enforces — never a hand-maintained copy), the list of patchable sections (workflowRecipes marked recipe-tools-only), a minimal valid example document, the baseVersion optimistic-concurrency contract, and the supported patch modes. [Anonymous-callable]","implemented":true},{"name":"validate_playbook","description":"ADVISORY dry-run that runs the EXACT planning engine the writes execute, without persisting anything. Two shapes: create-shaped {content, title?, summary?, tags?, sensitivity?, acknowledgedTerms?} mirrors create_playbook; patch-shaped {dotfileId, section, value, mode?, baseVersion?, sensitivity?, acknowledgedTerms?} mirrors update_playbook_section — in the patch shape, sensitivity is a RE-DECLARATION of the stored level (applied, even downward, only when acknowledgedTerms covers every current Tier 2 match). Requires an authenticated owner for the patch shape; foreign ids disclose nothing. Returns {valid, mode, errors (zod flattened), verdict (full two-tier scan), wouldReject (Tier 1 present — the write WOULD hard-reject), wouldStore {sensitivity, acknowledgmentsRecorded}, redeclaration? {requested, applied, uncoveredTerms}, versionConflict?}. [Anonymous-callable]","implemented":true},{"name":"get_operator_public_profile","description":"Public, anonymous: return an operator's public profile + hosted-delegate availability status by handle. Reads no private content. [Anonymous-callable]","implemented":true},{"name":"get_capability_card","description":"Public, anonymous: return an operator's CapabilityCard — what their hosted delegate can disclose, public/trusted/never-share scopes, hosted vs local-bridge availability. [Anonymous-callable]","implemented":true},{"name":"search_commons_directory","description":"Public, anonymous: list/search public IndexedAgentPacks in the Operator Commons Directory. Supports free-text query (matches displayName/summary/tags) and offset paging (hasMore in the result signals further pages). Sponsored packs sort earlier but carry a visible sponsorLabel — sponsorship NEVER alters risk or verifiedPublisher. [Anonymous-callable]","implemented":true},{"name":"list_operator_agentpacks","description":"Public for visibility=public; team/unlisted gated. Returns indexed AgentPacks published by the given operator handle. [Anonymous-callable]","implemented":true},{"name":"request_setup_share","description":"Authenticated caller: send a SetupShareRequest to a target operator. Auto-evaluated against target's SharingPolicy; may return an immediate grant or stay pending for manual review. Never-share scopes are denied at creation. [Bearer scope: setup_share:request]","implemented":true},{"name":"get_setup_share_status","description":"Authenticated caller (requester or target): return current status + decisionReason of a SetupShareRequest by id. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"list_active_setup_grants","description":"Authenticated caller: list active SetupShareGrants where caller is either owner or requesting party. [Bearer scope: setup_share:grants:list]","implemented":true},{"name":"get_sanitized_setup_summary","description":"Grant-gated. Returns the operator's latest shareable SetupSnapshot as a sanitized summary (no raw content, no secrets, no env values). [Bearer scope: sanitized_setup_summary]","implemented":true},{"name":"get_setup_snapshot","description":"Grant-gated. Returns a full SetupSnapshot + items if the grant's allowedSnapshotIds permits. [Bearer scope: setup_snapshot:read]","implemented":true},{"name":"get_agentpack_manifest","description":"Grant-gated. Returns an IndexedAgentPack's full manifest if the grant's allowedPackIds permits. [Bearer scope: agentpack:export]","implemented":true},{"name":"compare_agent_setups","description":"Grant-gated. Deterministic comparison of the requester's declared summary vs the target's sanitized snapshot; returns missing/present/stronger buckets plus requesterSummarySource ('request' | 'inline' | 'none') and requesterSummaryItemCount. Pass requesterSetupSummary inline (your own item list: {items:[{platform,itemType,name,summary}]}) to override the one stored on the originating request; when the source is 'none', every snapshot item reads as missing. [Bearer scope: setup:compare]","implemented":true},{"name":"generate_install_plan","description":"Grant-gated. Returns a ready-to-run `agentpack install <sourceRef> --target <platform> --profile <profile>` command for your operator to run in their terminal. Relay the command as-is: the open-source AgentPack CLI performs the install on the operator's machine; Commons only produces the plan. (There is no `commons install` command.) [Bearer scope: install:plan]","implemented":true},{"name":"explain_permissions","description":"Public, anonymous: human-readable explanation of a scope name's effects, what data it discloses, and what's never disclosed. [Anonymous-callable]","implemented":true},{"name":"explain_risk","description":"Public, anonymous: human-readable explanation of a riskLevel (low/medium/high/critical) — what an operator should consider before installing a pack at this level. [Anonymous-callable]","implemented":true},{"name":"revoke_setup_share","description":"Authenticated (grant owner only): revoke a SetupShareGrant. Idempotent — already-revoked grants return a structured error. [Bearer scope: setup_share:revoke]","implemented":true},{"name":"share_with_friend","description":"Authenticated caller's agent: OFFER your own SetupSnapshot to a friend (recipientHandle). Inverts the ask direction — initiator is the owner, recipient consents to receive. Recipient sees the offer in their inbox and approves/declines. Never-share scopes filtered before persistence. [Bearer scope: setup_share:request]","implemented":true},{"name":"recommend_to_friend","description":"Authenticated caller's agent: RECOMMEND specific snapshot items to a friend's agent. Option A (low-friction) — your agent's act of recommending implicitly consents to send; the request immediately ships with a pinned grant so the recipient's agent can one-click adopt. Use this when you've identified specific items in your setup the recipient would benefit from. Use kind='they_should_adopt' to push items from your setup; 'they_should_add' to suggest items you noticed they're missing. [Bearer scope: setup_share:request]","implemented":true},{"name":"ask_friends_agent","description":"Authenticated caller's agent: ASK a friend (targetHandle) for setup-share access — natural-language wrapper around request_setup_share with conversational framing. Use when you (the caller's agent) want to query another operator's setup and don't have an existing grant. Optionally pass requesterSetupSummary (your own sanitized item list) so later comparisons have a baseline — compare_agent_setups can also accept the summary inline at compare time. [Bearer scope: setup_share:request]","implemented":true},{"name":"get_my_inbox","description":"Authenticated caller's agent: aggregate every pending agent-to-agent collaboration item addressed to caller — incoming asks, offers, recommendations, plus the caller's outgoing items still awaiting the other side. One round-trip; no need to poll list_setup_share_requests + list_active_setup_grants separately. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"approve_request","description":"Authenticated decider's agent: APPROVE a pending SetupShareRequest in ONE tap. For an ask the OWNER (target) decides; for an offer the CONSUMER (recipient) decides — the service enforces who may act and rejects the wrong party. Issues the grant inline. Use decision='approve_limited' with limitedScopes to narrow what's granted. Not-found and not-your-decision collapse to one ambiguous error. [Bearer scope: setup_share:request]","implemented":true},{"name":"deny_request","description":"Authenticated decider's agent: DENY/decline a pending SetupShareRequest in ONE tap. For an ask the OWNER decides; for an offer the CONSUMER declines — the service enforces who may act. Not-found and not-your-decision collapse to one ambiguous error. [Bearer scope: setup_share:request]","implemented":true},{"name":"adopt_recommendation","description":"Authenticated recipient's agent: ADOPT a recommendation addressed to you in ONE tap. Records the consumer-side adopt signal (the owner's grant is already active) and notifies the initiator. Only the recipient may adopt; not-found and not-your-recommendation collapse to one ambiguous error. Next safe step after adopting: call list_active_setup_grants to find the grant pinned to this recommendation, then get_agentpack_manifest or generate_install_plan against it. The plan ends in an `agentpack install …` command your operator runs in their own terminal — the AgentPack CLI does the installing; Commons never executes installs itself. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"decline_recommendation","description":"Authenticated recipient's agent: DECLINE a recommendation addressed to you in ONE tap. Records the consumer-side decline signal and notifies the initiator. Only the recipient may decline; not-found and not-your-recommendation collapse to one ambiguous error. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"list_my_snapshots","description":"Authenticated caller's agent: list the CALLER'S OWN SetupSnapshots (id, label, createdAt, item count) so the agent can self-discover which snapshot to recommend or share. Caller-scoped: only your own rows are ever returned. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"list_my_agentpacks","description":"Authenticated caller's agent: list the CALLER'S OWN IndexedAgentPacks (id, label, createdAt, atom count). Caller-scoped: only packs you own are returned. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"list_notifications","description":"Authenticated caller's agent: list the caller's own notifications (newest first). Each carries id, type, title, body, entityType/entityId, readAt, createdAt. Use unreadOnly=true to poll only what's new. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"mark_notification_read","description":"Authenticated caller's agent: mark ONE of the caller's own notifications read by id. Scoped to (id, caller) — you can never flip another user's notification. Idempotent; returns whether a row was marked. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"send_invite","description":"Authenticated caller's agent: mint a single-use, TTL-bounded invite. Returns the code and a shareable /welcome?invite_code=… URL. When the friend claims it, an accepted TrustRelationship connects you both. Optionally bind it to an invitedEmail and attach a note. [Bearer scope: setup_share:request]","implemented":true},{"name":"list_friends","description":"Authenticated caller's agent: list the caller's accepted friends (mutual TrustRelationships). Each carries the friend's handle, name, relationship status, trustLevel, and since (when the edge was created). Blocked pairs are excluded — a block always dominates a stale accepted row. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"publish_setup_snapshot","description":"Authenticated caller's agent: PUBLISH a sanitized SetupSnapshot of the caller's own setup. Call get_setup_snapshot_guide FIRST — a complete snapshot spans the FULL item-type vocabulary (instructions, rules, skills, hooks, commands, subagents, MCP servers, plugins, workflows, context packs, templates, evals, dotfile fragments, adapter outputs) across EVERY platform the operator uses; a handful of items is an under-capture, not a snapshot. Items must carry sanitized data only — NEVER raw file contents, secrets, env values, tokens, or local absolute paths — and a server-side two-tier privacy scan is enforced at publish: Tier 1 secret shapes (API keys, private keys, JWTs, card/SSN formats, ...) hard-reject naming detector + location (acknowledgments can NEVER override Tier 1); Tier 2 vocabulary hits raise the item's riskLevel unless each matched term is listed in that item's acknowledgedTerms (acknowledgment recorded with term, timestamp, token id for operator review). Tier 2 findings come back BOTH as prose privacyWarnings AND as a structured acknowledgeable field ([{itemName, terms}]) — echo each entry's terms into that item's acknowledgedTerms, no prose parsing. PRE-FLIGHT with dryRun: true to run the full scan + coverage WITHOUT writing (no snapshot, no revision, no audit entry) and iterate to zero warnings before the first real publish. Risk aggregates are recomputed server-side from the FINAL stored item levels. The response includes a coverage report (captured vs missing item types) — review it and fill gaps via update_setup_snapshot. The snapshot stays owner-only until a SetupShareGrant exposes it; check /me or list_my_snapshots. [Bearer scope: setup_snapshot:publish]","implemented":true},{"name":"unpublish_setup_snapshot","description":"Authenticated caller's agent: PERMANENTLY DELETE one of the CALLER'S OWN SetupSnapshots by id (items cascade). Owner-gated: a snapshot you don't own deletes nothing and discloses nothing. Irreversible — there is no undo or archive; re-publish via publish_setup_snapshot if needed. Find ids via list_my_snapshots. [Bearer scope: setup_snapshot:publish]","implemented":true},{"name":"unpublish_agentpack","description":"Authenticated caller's agent: PERMANENTLY DELETE one of the CALLER'S OWN IndexedAgentPacks by id, removing it from the Commons directory (endorsements cascade). Owner-gated: a pack you don't own deletes nothing and discloses nothing. This only removes the directory listing — it never touches anyone's installed copy (installs live with the AgentPack CLI, outside Commons). Irreversible. Find ids via list_my_agentpacks. [Bearer scope: agentpack:unpublish]","implemented":true},{"name":"update_setup_snapshot","description":"Authenticated caller's agent: UPDATE one of the CALLER'S OWN SetupSnapshots in place — REPLACES title, summary, and items wholesale (a full replace, not a merge: omitted items are removed). The snapshot id stays stable and revision increments, so existing SetupShareGrants pinned to this id keep working — prefer this over unpublish + re-publish. Use it to close coverage gaps: get_setup_snapshot_guide lists the full item-type vocabulary and capture checklist a complete snapshot should span across every platform the operator uses, and each write's coverage report shows what's still missing. visibility and source are NOT changeable here. Items carry the exact same sanitization contract and two-tier privacy scan as publish_setup_snapshot: Tier 1 secret shapes hard-reject naming detector + location (the previous revision stays fully intact); Tier 2 vocabulary hits raise the item's riskLevel unless each matched term is listed in that item's acknowledgedTerms — findings come back both as prose privacyWarnings and as a structured acknowledgeable field ([{itemName, terms}]) to echo back, no prose parsing. PRE-FLIGHT with dryRun: true to run the full scan + coverage WITHOUT writing (no revision bump, no audit entry) so acknowledge round-trips never burn revisions. Risk aggregates are recomputed server-side from the FINAL stored item levels. Owner-gated: a snapshot you don't own updates nothing and discloses nothing. Find ids via list_my_snapshots; read the current revision via get_my_setup_snapshot. [Bearer scope: setup_snapshot:publish]","implemented":true},{"name":"get_my_setup_snapshot","description":"Authenticated caller's agent: read ONE of the CALLER'S OWN SetupSnapshots by id, in full — title, summary, visibility, source, revision, createdAt, updatedAt, and every item (name, summary, platform, itemType, riskLevel, sanitizedContent, permissions, exportable, recorded acknowledgments). Owner self-read: NO grant is required, and only your own snapshots resolve — a snapshot you don't own returns the same note as a nonexistent id. For reading a snapshot SOMEONE ELSE shared with you, use get_setup_snapshot with the grantId from list_active_setup_grants instead. Find your ids via list_my_snapshots; use this before update_setup_snapshot to see the current items and revision. [Bearer scope: setup_share:status:read]","implemented":true},{"name":"import_setup_scan","description":"Authenticated caller's agent: IMPORT a machine-generated setup scan (CLI scan / manifest-style JSON), mapping each scan atom to a SetupSnapshot item. A complete scan covers the full item-type vocabulary across every platform the operator uses — get_setup_snapshot_guide lists the vocabulary and capture checklist, and the response's coverage report shows what the scan missed. Creates a new snapshot with source \"cli_scan\" — or, when snapshotId names a snapshot the CALLER OWNS, updates it in place via the same path as update_setup_snapshot (id stable, revision increments, grants keep working); a snapshotId you don't own refuses without disclosing anything and NEVER falls back to creating. Boundary rejections happen BEFORE any scan: local absolute paths (/home/..., C:\\..., file://, ~/) in any text field reject naming the offending field, and the payload is strict, so unknown atom keys (raw file dumps under content/raw/rawContent/...) reject outright. Atoms then pass the same two-tier privacy scan as publish_setup_snapshot (Tier 1 secret shapes hard-reject; Tier 2 vocabulary hits raise riskLevel unless acknowledged per atom — findings come back both as prose privacyWarnings and as a structured acknowledgeable field to echo into each atom's acknowledgedTerms). PRE-FLIGHT with dryRun: true to run the boundary checks + full scan + coverage WITHOUT importing (no snapshot, no revision, no audit entry). The snapshot stays owner-only until a SetupShareGrant exposes it. [Bearer scope: setup_snapshot:publish]","implemented":true},{"name":"get_setup_snapshot_guide","description":"Public, anonymous: self-discovery for setup-snapshot publishing — call this BEFORE publish_setup_snapshot / update_setup_snapshot / import_setup_scan. Returns the full item-type vocabulary with a description + concrete example per type (derived live from the same zod enum every snapshot write enforces), the platform vocabulary (a multi-agent operator should capture EACH platform's config), an ordered captureChecklist of where a coding agent's setup actually lives (global + project instruction layers, memory repos, skills, plugins, hooks, commands, subagents, MCP server configs, settings, dotfiles, sibling-agent configs), and the recommended workflow (enumerate → sanitize_dotfile → publish/update → review coverage → fill gaps). [Anonymous-callable]","implemented":true},{"name":"whoami","description":"Returns your authenticated identity, token metadata, granted scopes, and the tools this token can call. Authenticated callers only; bearer callers also get their AgentToken's label/createdAt/expiresAt/lastUsedAt (never the token secret). [No bearer scope required]","implemented":true}]}