// MCP TOOL REFERENCE

FLEET TOOLS

39 tools from the Fleet MCP Server, categorised by risk level.

View the Fleet policy →
// ALL 39 FLEET TOOLS
READ 20 tools
Read fleet_secrets_drift Detect drift between vault (encrypted, survives reboot) and runtime (/run/fleet-secrets/, lost on reboot). Read fleet_audit_guidelines Look up Apple App Store Review Guidelines via greenlight. action Read fleet_audit_status Show the most recent App Store audit results from cache without re-running a scan. Read fleet_deps_app Dependency findings for a specific app Read fleet_deps_status Dependency health summary from cache — outdated packages, CVEs, EOL warnings, Docker image updates Read fleet_egress_snapshot Snapshot the current outbound TCP flows for an app and report which destinations are NOT in the configured ... Read fleet_git_pr_list List pull requests for an app Read fleet_git_status Git state for one or all apps: branch, clean/dirty, onboard status Read fleet_logs DEPRECATED — prefer fleet_logs_recent (token-conservative defaults) or fleet_logs_summary. Get recent conta... Read fleet_logs_recent Get recent log lines for an app, filtered to a level and bounded in size. Defaults are SMALL (50 lines, las... Read fleet_logs_search Bounded grep across recent container logs. Returns matching lines with 0 lines of context, capped at max_re... Read fleet_logs_status Per-container log driver, current size, and policy applied. Use to check which apps need fleet logs setup. Read fleet_logs_summary Cheap aggregate: counts of log lines by level + the top 10 distinct error/warning messages over a window. U... Read fleet_nginx_list List all nginx site configs Read fleet_secrets_get Get a single decrypted secret value from the vault. Read fleet_secrets_list List managed secrets for an app (masked values). Shows vault contents — use fleet_secrets_drift to check if... Read fleet_secrets_status Show vault initialisation state, sealed/unsealed, counts. The vault is the encrypted source of truth that s... Read fleet_secrets_validate Validate compose secrets match vault. Returns missing/extra secrets per app. This checks that docker-compos... Read fleet_testflight_builds List an app Read fleet_testflight_doctor Check TestFlight publishing readiness for an app: GitHub CLI availability, the
WRITE 14 tools
Write fleet_deps_fix Create a PR with dependency updates for an app (dry-run by default) Write fleet_audit_ignore Suppress a confirmed greenlight false positive from future audits. The finding is Write fleet_secrets_seal Seal runtime secrets back to the encrypted vault. Write fleet_deps_config Get or set dependency monitoring configuration Write fleet_deps_ignore Add an ignore rule for a dependency finding Write fleet_git_branch Create a feature branch from develop (or other base) and push it Write fleet_git_commit Stage tracked file changes and commit Write fleet_git_onboard Onboard an app to GitHub: create repo, push code, protect branches Write fleet_git_pr_create Create a pull request on GitHub Write fleet_git_release Create a release PR from develop to main Write fleet_nginx_add Create an nginx config for a domain Write fleet_register Register a new app in the fleet registry Write fleet_secrets_restore Restore vault from backup (.bak file). Write fleet_secrets_set Set a single secret key/value for an app.
EXECUTE 5 tools
Execute fleet_audit_run Run an App Store compliance audit on a mobile app project via greenlight preflight. Execute fleet_deploy Deploy an app: build and restart Execute fleet_secrets_unseal Decrypt vault to /run/fleet-secrets/. WARNING: This overwrites any runtime changes that were not sealed bac... Execute fleet_deps_scan Run a fresh dependency scan across all registered apps Execute fleet_git_push Push current branch to origin

Route Fleet through PolicyLayer and every one of its 39 tools is checked against your policy before it runs.

CHECK YOUR STACK →

See every tool, the dangerous ones, and the token cost across your stack.

// FAQ
How many tools does the Fleet MCP server have? +

The Fleet MCP server exposes 39 tools across 3 categories: Read, Write, Execute.

How do I enforce policies on Fleet tools? +

Route the Fleet server through the PolicyLayer gateway. Define allow, deny, or approval rules per tool in the dashboard; they are enforced on every call before it reaches the server.

What risk categories do Fleet tools fall into? +

Fleet tools are categorised as Read (20), Write (14), Execute (5). Each category has a recommended default policy.

Enforce policy on every Fleet tool call.

Start from Fleet, add the rest of your stack, and see everything your agents can call. Then put policy on all of it.

CHECK YOUR STACK →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.