Foundry MCP Tool Allowlist Draft (Phase 1 Recon)
Status: Draft
Owner: Zack + GM
Scope: foundry-vtt-mcp exposed via Cloudflare Tunnel + Access for ingestion by the existing Pathfinder stack (pathfinder-experience, P2E_Buddy, Quartz publish pipeline).
Purpose
Use this sheet during recon to classify every exposed MCP tool/resource before app integration.
Classification labels:
SAFE_READ— acceptable for party-facing app flows.SENSITIVE_READ— contains potentially spoiler/private content; requires filter/guard before use.PROHIBITED— write/mutate/admin or high spoiler risk; block in adapter.
Policy Defaults
- Default classification for unknown tools:
PROHIBITED. - Any write/update/delete/execute action:
PROHIBITED. - Journals/scenes/notes are
SENSITIVE_READuntil validated player-safe. - Allowlist is enforced at adapter layer (not only by client prompt).
Tool Inventory Table
Fill one row per MCP tool/resource discovered.
| Tool/Resource Name | Category | Method/Action | Data Returned | Spoiler Risk | Classification | Adapter Rule | Notes |
|---|---|---|---|---|---|---|---|
| example.getWorldInfo | metadata | read | world metadata | low | SAFE_READ | allow | baseline health |
| example.listActors | actors | read | actor list | medium | SENSITIVE_READ | allow+filter | filter hidden NPC flags |
| example.updateActor | actors | write | mutation | high | PROHIBITED | deny | mutate action |
Category suggestions:
- metadata
- actors
- combat/initiative
- scenes
- journals
- items/spells
- compendia
- admin/system
Spoiler risk suggestions:
- low / medium / high
Adapter rule suggestions:
- allow
- allow+filter
- deny
Candidate SAFE_READ Set (initial hypothesis)
These are candidates only — confirm exact names from your tool list.
- world/system metadata (read-only)
- encounter/initiative read
- player character state read (HP/conditions/resources)
Candidate PROHIBITED Set (initial hypothesis)
- any create/update/delete action
- permission/user/admin configuration actions
- arbitrary command/eval hooks (if any)
- GM-only journal/scenes access without explicit safe tagging
Adapter Enforcement Contract (Phase 1)
- Only tools marked
SAFE_READare callable by default. SENSITIVE_READrequires explicit code path + field redaction + source tag.PROHIBITEDalways denied with audit log.- Every response includes
source=foundry-live. - On policy mismatch, fail closed.
Recon Output Checklist
- Full tool list captured from MCP endpoint
- Every tool classified
- High-risk tools reviewed with GM
- Draft adapter allowlist generated from this file
- One spoiler red-team pass executed
Sign-off
GM sign-off (initial): ____________________ Date: __________
Zack sign-off (initial): __________________ Date: __________