# pabloMCP — full tool catalogue > 203 tools across 4 risk classes (READ 113, DRAFT 3, COMMIT 80, DANGEROUS 7). Endpoint: https://pablomcp.com/mcp. See https://pablomcp.com/llms.txt for the connection flow. Each tool's full JSON Schema is available via the MCP `tools/list` method or by calling `GET https://pablomcp.com/tools`. ## READ (113) - `admob_account_list` — List AdMob publisher accounts on the connected personal Google account. Returns publisher ID (pub-XXXXXXXX) needed by all other admob_* tools as the account path. - `admob_ad_unit_list` — List ad units (banner/interstitial/rewarded/native) under an AdMob account. Returns ad unit IDs needed by the mobile SDK to request ads. Requires account_path from admob_account_list. - `admob_app_list` — List apps registered under an AdMob account. Returns app IDs (ca-app-pub-...~...) needed for mobile SDK initialization. Requires account_path from admob_account_list (e.g. 'accounts/pub-12345'). - `admob_docs` — Return AdMob API reference: base URL, auth model, and docs index. Read this before admob_request. READ. - `admob_network_report` — Run an AdMob network report: earnings, impressions, clicks, eCPM. Group by date/country/app/ad_unit/format. Use for revenue dashboards or troubleshooting fill rate. Requires account_path and date range. - `agent_key_list` — List agent API keys for the current workspace. Raw tokens are never returned; only metadata, status, and hash previews. READ. - `anthropic_docs` — Return Anthropic API reference: base URL, auth model, version header, and docs index. Read this before anthropic_request. READ. - `approval_get` — Read a single approval request, including the stored tool arguments. READ. - `approval_list` — List approval requests for the current workspace. Use this to show pending risky actions before deciding. READ. - `audit_read` — Read recent COMMIT/DRAFT/DANGEROUS tool calls from the MCP audit log. Use to answer questions like 'what did you do for me yesterday' or to verify an earlier change actually went through. Optionally filter by tool name or tool_class. - `auth_pairing_status` — Inspect a pending agent-first pairing request. This does not reveal the email code. READ. - `auth_session_status` — Inspect the current session bound to this bearer token — whether it's active, when it expires, minutes remaining. Also reports whether TOTP is configured at all. READ. - `cloudbet_balance` — Retrieve Cloudbet sportsbook account balance for a given currency. Use when checking how much USDC (or other crypto) is available before placing a bet. - `cloudbet_bets` — List currently active (unsettled, in-play or pending) Cloudbet bets. Use to see what's currently riding; for finished bets use cloudbet_history instead. - `cloudbet_docs` — Return Cloudbet Sports API reference: base URL, auth model, and docs index. Read this before cloudbet_request to discover what's possible. READ. - `cloudbet_events` — List upcoming Cloudbet events for a sport (or specific competition). Use this first to discover event_ids and market_urls before calling cloudbet_odds or placing a bet. - `cloudbet_history` — List settled (won/lost/voided) historical Cloudbet bets. Use for P&L analysis or recent results; for unsettled bets use cloudbet_bets. - `cloudbet_odds` — Fetch live Cloudbet odds and markets for a single event. Requires event_id — discover IDs via cloudbet_events first. - `cloudflare_access_app_list` — List Cloudflare Access (Zero Trust) applications for an account. Use to audit which subdomains are gated by Access policies. Requires account_id. - `cloudflare_account_list` — List Cloudflare accounts the configured API token can access. Returns each account's id (use as account_id for cloudflare_registrar_* tools) and name. Run this first if CLOUDFLARE_ACCOUNT_ID env var is not set. READ. - `cloudflare_dns_list` — List DNS records for a Cloudflare-hosted zone. Use this (NOT vercel_dns_list) when the domain's nameservers point to Cloudflare. Requires zone_id from cloudflare_zone_list. - `cloudflare_docs` — Return Cloudflare API reference: base URL, auth model, account-scoped path conventions, and the official OpenAPI index. Read this before cloudflare_request to discover what's possible. READ. - `cloudflare_registrar_check` — Check real-time domain availability + pricing via Cloudflare Registrar (authoritative — queries the registry directly). Returns pricing.registration_cost / renewal_cost (USD/yr typically) for each domain. Use to compare Cloudflare rates against Dreamscape/GoDaddy before transferring or registering. Up to 20 domains per call. READ. - `cloudflare_registrar_get` — Get details for a single Cloudflare Registrar domain — including the transfer_in object (status fields like enter_auth_code, unlock_domain, accept_foa, approve_transfer). Use to monitor an in-progress inbound transfer or audit lock/auto-renew/privacy state. READ. - `cloudflare_registrar_list` — List domains registered with Cloudflare Registrar. Returns id, expiry, locked, transfer-in status, and registry status codes for each domain. Use to inventory Cloudflare-registered domains. Requires account_id (or CLOUDFLARE_ACCOUNT_ID env). READ. - `cloudflare_tunnel_list` — List Cloudflare Tunnels (cloudflared) for an account, including connection status. Use to inspect existing tunnels before configuring new origin routes. Requires account_id. - `cloudflare_zone_list` — List Cloudflare zones (domains) the account manages, including their zone IDs and nameservers. Use first to discover the zone_id needed by cloudflare_dns_list / cloudflare_dns_add / cloudflare_dns_delete. - `connector_list` — List pabloMCP connectors, connection status, required credentials, and available tools. Use during agent-accessible onboarding to see what is ready or missing. READ. - `connector_status` — Inspect one connector by id, including required credentials and the tools it exposes. READ. - `domain_check` — Check whether one or more domain names are available to register through Dreamscape. Use before domain_register to confirm availability and pricing eligibility. Requires an array of fully-qualified domain names. - `domain_list` — List domains held in the Dreamscape reseller account, with expiry dates and status. Use to inventory owned domains or look up a domain's expiry/status before transfer/renewal operations. - `domain_transfer_check` — Check whether a domain (held at another registrar) is eligible to transfer into Dreamscape using its EPP/auth key. Use before domain_transfer_start to validate the auth key and see renewal/pricing. Requires domain and auth_key. - `dreamscape_docs` — Return Dreamscape SOAP API reference info: docs URL, production/test WSDL & endpoints, key operation notes, and transfer-flow gotchas. Use when you need to recall operation names (DomainCreate vs DomainRegister) or the auth-in-header convention before calling another dreamscape_/domain_ tool. - `elevenlabs_docs` — Return ElevenLabs API reference: base URL, auth model, and docs index. Read this before elevenlabs_request. READ. - `ga_account_list` — List Google Analytics 4 accounts on the connected personal Google account. Use first to discover account IDs needed by ga_property_list and ga_property_create. - `ga_docs` — Return GA4 Admin + Data API reference: base URLs, auth model, and docs index. Read this before ga_request. READ. - `ga_property_list` — List GA4 properties under an account. Returns property IDs (use as property_id in ga_report / ga_realtime — strip 'properties/' prefix). Requires account from ga_account_list (format: 'accounts/12345'). - `ga_realtime` — Run a GA4 realtime report: active users in the last 30 minutes by country/page/source. Use to verify tracking is firing after deploy or to spot live traffic spikes. - `ga_report` — Run a GA4 report: pick metrics (sessions, activeUsers, screenPageViews, etc.) and dimensions (date, pagePath, source, country, etc.) over a date range. Use for traffic dashboards, top-pages reports, source attribution. Requires property_id (numeric, from ga_property_list — drop 'properties/' prefix). - `gdocs_read` — Read the full plain-text body of a Google Doc by document ID. Use for Google Docs specifically; for arbitrary Drive files (Sheets, text files, binaries) use gdrive_read. - `gdrive_list` — List files in Google Drive (impersonating GOOGLE_IMPERSONATE_USER, default pablo@popasite.com), optionally filtered by a Drive query or folder. Use to find file IDs before gdrive_read or gdocs_read. Distinct from notion_search (Notion) and gmail tools. - `gdrive_read` — Read or export a Google Drive file by ID. Returns plain-text content for Google Docs/Sheets and text/JSON files; metadata only for binary types. For full structured Doc content use gdocs_read. Requires file_id (find via gdrive_list). - `github_docs` — Return GitHub REST API reference: base URL, auth model, API version, and the official docs index. Read this before github_request to discover what's possible. READ. - `github_issue_list` — List issues (excluding pull requests) for a GitHub repository, filterable by state and labels. Use for issues only — for PRs use github_pr_list. Requires owner and repo. - `github_pr_list` — List pull requests for a GitHub repository, filterable by state. Use specifically for PRs; for plain issues use github_issue_list. Requires owner and repo. - `github_repo_list` — List GitHub repositories for the authenticated user, or for a given user/org if `owner` is set. Use to look up repo names before github_issue_list / github_pr_list / vercel_deploy. - `godaddy_authcode_get` — Fetch the transfer-out auth code (EPP code / .nz UDAI) for a GoDaddy domain — required to start an outbound transfer. Uses GET /v1/domains/{domain}?includes=authCode (the documented path; no separate /transferAuthCode endpoint exists). Domain must be unlocked first via godaddy_set_lock. NOTE: For .nz TLDs the value returned IS the registry UDAI, but it is only accepted by the receiving registrar AFTER the GoDaddy dashboard 'Request UDAI / Transfer Out' action has been clicked once — that action releases the UDAI to the .nz registry. Until then receiving registrars reject it as 'Incorrect AuthKey'. For .com/.org/etc the API code works immediately. READ. - `godaddy_dns_list` — List DNS records for a GoDaddy-hosted domain. Use to audit current DNS before adding/changing records. Returns all record types unless filtered. READ. - `godaddy_docs` — Return GoDaddy API reference: base URL, auth model, and the official docs index. Read this before godaddy_request to discover what's possible. READ. - `godaddy_domain_get` — Get full details for a single GoDaddy domain. Pass includes:['authCode'] to retrieve the transfer-out auth code / .nz UDAI in the same call (this is the documented way per swagger_domains.json — there's no separate /transferAuthCode endpoint). Other supported includes: 'contacts', 'nameServers'. Use before transferring out or changing nameservers. READ. - `godaddy_domain_list` — List domains in the GoDaddy account with status, expiry, and auto-renew flag. Use to inventory GoDaddy-registered domains before deciding where DNS or transfers should happen. READ. - `google_ads_campaigns` — List all Google Ads campaigns with status, budget, and performance. READ. - `google_ads_docs` — Return Google Ads API reference: base URL, auth model, customer scoping, and docs index. Read this before google_ads_request to discover what's possible. READ. - `google_ads_stats` — Get Google Ads performance stats for a date range. READ. - `google_alias_list` — List Google Workspace email aliases attached to a user (default pablo@popasite.com) via the Admin Directory API. Use to audit which alias addresses already exist before google_alias_add. - `gsc_docs` — Return Google Search Console + Indexing API reference: base URLs, auth model, and docs index. Read this before gsc_request. READ. - `gsc_search_analytics` — Query Search Console performance data: clicks, impressions, CTR, position. Group by query/page/country/device/date. Use to see which queries drive traffic, find page-level CTR issues, or track ranking changes. Requires site_url, start_date, end_date. - `gsc_site_list` — List Search Console verified properties on the connected personal Google account. Returns siteUrl (use as site_url in other gsc_* tools) and permission level. Run first to discover which properties exist. - `gsc_url_inspect` — Inspect a single URL's Search Console index status: when last crawled, indexing verdict, mobile usability, structured data findings. Use when debugging why a specific URL isn't ranking or appearing in search. - `gtm_account_list` — List GTM accounts on the connected personal Google account. Run first to discover account paths needed by gtm_container_list. - `gtm_container_list` — List GTM containers under an account. Returns the container public ID (GTM-XXXX) needed for the GTM snippet on a site. Requires account_path from gtm_account_list (e.g. 'accounts/12345'). - `gtm_docs` — Return Google Tag Manager API reference: base URL, auth model, and docs index. Read this before gtm_request. READ. - `gtm_tag_list` — List tags inside a GTM container's workspace (defaults to the default workspace). Use to audit which tags are firing on a site. Requires workspace_path (e.g. 'accounts/X/containers/Y/workspaces/Z'). - `health_check` — Probe every configured external service (Dreamscape, Vercel, GitHub, Google, Stripe, Resend, Cloudflare, Neon, Notion) and report which credentials are present and which APIs answer. Use first when something seems broken or after env var changes. - `neon_database_list` — List databases inside a Neon project branch (defaults to the primary branch). Use to find database names before neon_sql. Requires project_id from neon_project_list. - `neon_docs` — Return Neon API reference: base URL, auth model, and docs index. Read this before neon_request to discover what's possible. READ. - `neon_project_list` — List Neon Postgres projects on the account, with project IDs and regions. Use first to discover the project_id needed by neon_database_list / neon_database_create / neon_sql. - `notion_database_query` — Query rows in a Notion database, optionally with a Notion filter object and sorts array. Use to read structured data; for free-text discovery use notion_search. Requires database_id. - `notion_docs` — Return Notion API reference: base URL, auth model, version header, and docs index. Read this before notion_request to discover what's possible. READ. - `notion_page_read` — Read a Notion page's properties plus the first 100 child blocks (raw block JSON). Use to inspect a page's content; for querying database rows use notion_database_query. Requires page_id from notion_search. - `notion_search` — Search Notion (only items shared with the integration) by title across pages and databases. Use first to find the page_id or database_id needed by other Notion tools. Distinct from gdrive_list (Drive). - `openai_docs` — Return OpenAI API reference: base URL, auth model, and docs index. Read this before openai_request. READ. - `policy_get` — Read the current workspace safety mode. Modes: relaxed, balanced, locked_down. READ. - `polymarket_balance` — Retrieve Polymarket on-chain USDC.e balance (Polygon) plus CLOB collateral balance for the configured proxy wallet. Use to verify funds before polymarket_order. - `polymarket_docs` — Return Polymarket API reference: base URLs (Gamma + CLOB), auth model, signing notes, and docs index. No generic passthrough — order placement requires EIP-712 signing handled in-process by @polymarket/clob-client. Use the curated tools for writes. READ. - `polymarket_markets` — Search Polymarket events and their markets via the public Gamma API. Use to discover token_ids (needed by polymarket_orderbook / polymarket_order). Filter with `query` (title), `tag` (e.g. tennis/politics/crypto), and `active`. - `polymarket_orderbook` — Fetch the live CLOB order book (top bids/asks, spread, midpoint) for a Polymarket outcome token. Use to check current pricing before polymarket_order_preview / polymarket_order. Requires token_id (find via polymarket_markets). - `polymarket_positions` — List currently open Polymarket CLOB orders for the configured wallet via L2-authenticated CLOB API. Use to inspect resting orders before placing new ones; for past fills use polymarket_trades. - `polymarket_trade_allowed` — Check whether the configured Polymarket execution path is reachable before placing orders. If TT_EXECUTOR_URL is configured, checks the TT executor bridge health; otherwise checks local MCP CLOB client setup. READ. - `polymarket_trades` — List recent Polymarket trade fills for the wallet via the authenticated CLOB API. Use for fill history / P&L; for resting orders use polymarket_positions. - `resend_docs` — Return Resend API reference: base URL, auth model, and docs index. Read this before resend_request to discover what's possible. READ. - `secrets_get` — Return the value of an env var (e.g. ELEVENLABS_API_KEY, OPENAI_API_KEY) so other agents can use it without touching the Vercel dashboard. Every fetch is audit-logged. Use secrets_list to discover available names. - `secrets_list` — List the names of every env var currently set on pablo-mcp (values are NOT returned). Use to discover what secrets_get can return. READ. - `stripe_balance` — Retrieve the current Stripe account balance — `available` (already paid out / spendable) and `pending` (awaiting clearing). Use to check working capital across currencies. - `stripe_charges_list` — List recent Stripe charges (most recent first), with amount, status, and customer ID. Use to investigate recent payments or find a charge ID for stripe_refund. - `stripe_customer_list` — List recent Stripe customers, optionally filtered by email. Use to look up a customer ID before deeper Stripe operations or to confirm an account exists. - `supabase_docs` — Return Supabase Management API reference: base URL, auth model, and docs index. Read this before supabase_request to discover what's possible. READ. - `supabase_org_list` — List Supabase organizations the access token can see. Use first to discover the organization_id (slug) needed by supabase_project_create. - `supabase_project_keys` — Fetch the anon and service_role API keys for a Supabase project. Anon key is safe for client-side use; service_role bypasses RLS and must stay server-side. Requires project_ref from supabase_project_list. - `supabase_project_list` — List Supabase projects on the account, with project ref, region, and status. Use first to discover the project_ref needed by supabase_sql / supabase_project_keys / supabase_project_pause. - `supabase_storage_bucket_list` — List Storage buckets in a Supabase project. Buckets are namespaces for files; each can be public or private. Requires project_ref from supabase_project_list. - `telegram_docs` — Return Telegram Bot API reference: base URL, auth model, key methods, and the official method index. Read this before telegram_request to discover what's possible. READ. - `telegram_get_me` — Verify the configured Telegram bot token is valid — returns the bot's id, username, and capabilities. Use as a health probe. READ. - `twilio_balance` — Get Twilio account balance (USD by default). Use to check credit before sending SMS or making calls. Returns balance as a string + currency. Slight lag — not real-time. READ. - `twilio_calls_list` — List recent Twilio voice calls. Filter by `to`, `from`, `status`, or start-time range. Direction (`inbound`/`outbound-api`/`outbound-dial`) is in each row, not a query filter. READ. - `twilio_docs` — Return Twilio REST API reference: base URL, auth pattern, key endpoint paths and their doc URLs. Read this before calling twilio_request to discover what's possible beyond the curated tools. READ. - `twilio_messages_list` — List recent Twilio SMS/MMS messages, sorted by date_sent desc. Filter by `to`, `from`, or date. Use to audit delivery or search for a specific message. READ. - `twilio_numbers_search` — Search Twilio's inventory for available phone numbers to buy. Specify ISO `country` (e.g. NZ, US, AU) and `type` (Local/Mobile/TollFree). Optional filters: area_code, contains (digits or glob like 555*), sms_enabled, voice_enabled. Use before twilio_number_buy. READ. - `twilio_phone_numbers_list` — List Twilio phone numbers owned by the account, with capabilities (voice/sms/mms) and webhook URLs. Use to find a `from` number for twilio_message_send. READ. - `vapi_assistant_get` — Get a single Vapi assistant by id, including model, voice, transcriber, firstMessage, and all plan fields. Use to inspect or copy an existing assistant config. READ. - `vapi_assistant_list` — List Vapi assistants in the account. Returns id, name, model/voice config, createdAt. Use to find an assistantId for vapi_call_create. READ. - `vapi_call_get` — Get a single Vapi call by id — includes the artifact object (transcript, recordingUrl, stereoRecordingUrl, messages, logUrl), analysis, and monitor URLs. Transcript/recording only populate after status='ended'. READ. - `vapi_call_list` — List recent Vapi calls. Filter by `assistantId` or `phoneNumberId`. Each row has id, type, status, endedReason, cost, and timing. For transcript/recording, fetch the row via vapi_call_get. READ. - `vapi_docs` — Return Vapi REST API reference: base URL, auth pattern, key endpoint paths and doc URLs. Read this before vapi_request to discover what's possible beyond the curated tools. READ. - `vapi_phone_number_list` — List Vapi phone numbers (paginated). Each row's `provider` field discriminates Vapi-native / Twilio-BYO / Vonage / Telnyx. Use to find a phoneNumberId for vapi_call_create. READ. - `vault_get` — Fetch a single project-scoped secret from the vault by (project, name) and return its decrypted value. Use this when you need an API key for any project — pass project='ecostore' (or whatever namespace), name='NETSUITE_API_KEY' style. Every fetch is audit-logged. Discover available secrets with vault_list. Add new ones with vault_set. READ. - `vault_list` — List secrets stored in the vault. Pass `project` to scope to one namespace (e.g. 'ecostore'), or omit to see every project. Returns {project, name, updated_at} tuples — values are NEVER returned (use vault_get for that). Call this first when you don't know what key names exist for a project. READ. - `vercel_dns_list` — List DNS records for a Vercel-managed domain. Use this (NOT cloudflare_dns_list) when the domain's nameservers point to Vercel. Find available domains via vercel_domain_list. - `vercel_docs` — Return Vercel API reference: base URL, auth model, team scoping rules, and the official docs index. Read this before vercel_request to discover what's possible. READ. - `vercel_domain_list` — List domains registered or managed in Vercel, with verification/configuration status. Use to confirm whether DNS for a given domain is on Vercel (and so vercel_dns_* tools apply) vs Cloudflare or elsewhere. - `vercel_project_list` — List Vercel projects on the team (scoped by VERCEL_TEAM_ID env var). Use first to discover the project name/ID needed by vercel_deploy or vercel_env_set. - `workspace_status` — Inspect the current pabloMCP workspace and caller context. This is the agent-accessible starting point for onboarding and diagnostics. READ. - `xai_docs` — Return xAI (Grok) API reference: base URL, auth model, and docs index. The REST surface is OpenAI-compatible. Read this before xai_request. READ. ## DRAFT (3) - `cloudbet_bet_preview` — Preview a Cloudbet bet without placing it — computes estimated payout/profit and fetches the current live odds for sanity-check. Use before cloudbet_bet to confirm the market is still trading at your price. Requires event_id, market_url, price, stake. - `cloudbet_multi_preview` — Preview a Cloudbet multi/parlay without placing it — computes combined odds, estimated payout/profit, and returns the exact selections for cloudbet_multi_bet. Use before cloudbet_multi_bet. - `polymarket_order_preview` — Preview a Polymarket CLOB limit order without placing it — returns estimated shares and the current best bid/ask for sanity-check. Use before polymarket_order. Requires token_id, side, price (0.01-0.99), size (USDC). ## COMMIT (80) - `admob_request` — Generic AdMob API passthrough — call ANY endpoint at admob.googleapis.com/v1. POST :generate are read-style and treated as READ; other POST/PATCH/PUT=COMMIT, GET=READ, DELETE=DANGEROUS. - `agent_key_create` — Create a named agent API key for this workspace. The raw token is returned once; store it in the target agent/client. This is the public pabloMCP replacement for one global MCP_API_KEY while preserving the simple paste-a-key UX. Preview unless confirm:true. COMMIT. - `agent_key_revoke` — Revoke a named agent API key by id. Existing TOTP sessions for that key stop mattering because bearer auth will fail first. Preview unless confirm:true. COMMIT. - `anthropic_request` — Generic Anthropic API passthrough — call ANY endpoint at api.anthropic.com/v1. POST /messages and /complete are inference and treated as READ. Other POST/PATCH/PUT=COMMIT, GET=READ, DELETE=DANGEROUS. - `approval_decide` — Approve or reject a pending approval request. Approval does not execute by itself; call approval_execute after approval. Preview unless confirm:true. COMMIT. - `approval_execute` — Execute an approved approval request by replaying the stored tool call once. This bypasses the policy approval gate but still runs the tool's own schema, preview, confirm, and safety logic. COMMIT. - `approval_respond` — One-call approval response for agents. If the human approves, this records approval and immediately executes the stored tool call. If rejected, it records rejection and does not execute. Use this as the simple in-band approval path. COMMIT. - `auth_handshake` — Open or refresh a 60-minute session by providing the current 6-digit code from your TOTP authenticator app. Required before any other HTTP tool call once TOTP is configured. Idle for 60 min ⇒ session expires and you must handshake again. The session is tied to the bearer token used on this request. COMMIT. - `auth_logout` — Close the current session immediately. The next non-auth call from this bearer will require a fresh handshake. Useful before stepping away from a shared machine. COMMIT. - `auth_pairing_complete` — Complete agent-first pairing. Requires the emailed magic code and the current TOTP code. On success, creates a named revocable agent key and opens its first 60-minute session. The raw token is returned once. COMMIT. - `auth_pairing_start` — Start agent-first pabloMCP pairing without an existing agent key. The user gives their email, pabloMCP emails a short magic code, then the agent calls auth_pairing_complete with that email code plus the user's TOTP code. COMMIT. - `auth_setup_totp` — Bootstrap TOTP second-factor on this server. Generates a new TOTP secret, stores it encrypted in the vault, and returns the otpauth:// URL to scan with Google Authenticator / 1Password / Authy. Once set, every HTTP tools/call requires a fresh 6-digit code via auth_handshake. SETUP IS LOCAL-ONLY: must be called over stdio (local Claude Code), or over HTTP with an already-valid session (rotation). This prevents a leaked bearer alone from claiming the TOTP slot. Refuses to overwrite an existing secret unless `replace:true` is passed. COMMIT. - `cloudbet_bet` — Place a straight (single) bet on a Cloudbet market for real money. Requires event_id, market_url, price, stake, currency, and confirm:true to actually submit; otherwise returns a preview. Use cloudbet_bet_preview first to sanity-check. - `cloudbet_multi_bet` — Place a Cloudbet multi/parlay for real money. Requires selections, stake, currency, and confirm:true. Smartly retries Cloudbet PRICE_ABOVE_MARKET stale-price rejects with returned reofferPrice(s), like Tennis Trader does. - `cloudbet_request` — Generic Cloudbet Sports API passthrough — call ANY endpoint at sports-api.cloudbet.com. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `cloudflare_dns_add` — Add a DNS record to a Cloudflare-hosted zone. Use (NOT vercel_dns_add) when the domain's DNS is on Cloudflare — e.g. adding a subdomain, pointing an A record at an IP, or adding MX/TXT records. Requires zone_id, type, name, content; preview unless confirm:true. - `cloudflare_registrar_set_auto_renew` — Enable or disable auto-renewal for a domain registered with Cloudflare Registrar. Setting true authorizes Cloudflare to charge the default payment method up to 30 days before expiry. Uses the new PATCH /registrations/{domain} endpoint (the deprecated PUT /domains/{domain} also worked but should not be used for new code). Preview unless confirm:true. COMMIT. - `cloudflare_registrar_update` — Update a Cloudflare Registrar domain — toggle locked or privacy. Uses the deprecated PUT /domains/{domain} endpoint (only API path for locked/privacy as of writing; Cloudflare has not announced a replacement). For auto_renew use cloudflare_registrar_set_auto_renew instead. Preview unless confirm:true. COMMIT. - `cloudflare_request` — Generic Cloudflare API passthrough — call ANY endpoint at api.cloudflare.com/client/v4. Path goes in `path` (e.g. '/zones' or '/accounts/{account_id}/...'). GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `connector_credential_set` — Store or update a declared connector credential in the encrypted vault. Use during agent-accessible onboarding after connector_status shows a required or optional key is missing. Preview unless confirm:true. COMMIT. - `domain_register` — Register (purchase) an available domain through Dreamscape via the DomainCreate SOAP op — actually charges the reseller account. Requires registrant/admin/billing/tech ContactIdentifiers from dreamscape_contact_create, and confirm:true to actually buy. Use domain_check first to verify availability. - `domain_transfer_start` — Initiate the inbound transfer of an existing domain into Dreamscape using its EPP/auth key. Run domain_transfer_check first to confirm eligibility, and dreamscape_contact_create to get the ContactIdentifier. Pass confirm:true to actually start (otherwise preview). - `domain_update_nameservers` — Replace the authoritative nameservers for a domain registered with Dreamscape (e.g. delegating DNS to Cloudflare or Vercel). Requires the domain and at least 2 nameserver hostnames; preview unless confirm:true. - `dreamscape_contact_create` — Create a Dreamscape contact record (registrant/admin/billing/tech) and return the resulting ContactIdentifier (C-...). Use as the first step before domain_register or domain_transfer_start, which both require contact identifiers. Requires full postal contact details; preview unless confirm:true. - `elevenlabs_request` — Generic ElevenLabs API passthrough — call ANY endpoint at api.elevenlabs.io/v1. Inference POSTs (text-to-speech, speech-to-text, voice-changer, sound-generation, etc.) are treated as READ. Other POST/PATCH/PUT=COMMIT, GET=READ, DELETE=DANGEROUS. - `ga_data_stream_create` — Create a web data stream on a GA4 property. Returns the Measurement ID (G-XXXXXXXXXX) — paste this into the site's gtag snippet or GTM. Required before any tracking data flows. Preview unless confirm:true. - `ga_property_create` — Create a new GA4 property under an account. After creation, call ga_data_stream_create to make it usable on a website (returns the G-XXX Measurement ID needed for gtag/GTM). Preview unless confirm:true. - `ga_request` — Generic GA4 API passthrough. Choose `api` ('admin' or 'data'). GET and POST :runReport/:runRealtimeReport=READ; other POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `gdrive_create` — Create a new file in Google Drive — defaults to a Google Doc and inserts initial text if `content` is provided. Use for spinning up a new Doc/Sheet/Slide; preview unless confirm:true. Requires name; optional folder_id parents the file. - `github_issue_create` — File a new issue on a GitHub repository, optionally with labels and a body. Use to log a bug/feature request from chat; preview unless confirm:true. Requires owner, repo, title. - `github_repo_create` — Create a new GitHub repository under the token owner or a specified org. Defaults to private with auto_init (creates README). Use when starting a new project; preview unless confirm:true. For full project bootstrapping (repo + DNS + alias) prefer scaffold_project. - `github_request` — Generic GitHub REST API passthrough — call ANY endpoint at api.github.com. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `godaddy_dns_add` — Append DNS records to a GoDaddy-hosted domain (does not replace existing records of the same type). Prefer godaddy_dns_replace_type for clean A/CNAME swaps. Preview unless confirm:true. COMMIT. - `godaddy_request` — Generic GoDaddy API passthrough — call ANY endpoint at api.godaddy.com/v1. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `godaddy_set_auto_renew` — Toggle auto-renew on a GoDaddy domain. Use to stop GoDaddy from auto-billing ~30 days before expiry when you plan to transfer the domain elsewhere or let it lapse. Preview unless confirm:true. COMMIT. - `godaddy_set_lock` — Toggle the transfer-lock on a GoDaddy domain. Must be UNLOCKED before transferring out to another registrar. Preview unless confirm:true. COMMIT. - `google_ads_enable_campaigns` — Re-enable one or more paused Google Ads campaigns. COMMIT. - `google_ads_pause_campaigns` — Pause one or more Google Ads campaigns by ID (or all active campaigns). COMMIT. - `google_ads_request` — Generic Google Ads API passthrough — call ANY endpoint at googleads.googleapis.com. Auto-prefixes /customers/{id} unless absolute:true. POST to :search or :searchStream is treated as READ; other POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS, GET=READ. COMMIT/DANGEROUS require confirm:true. - `google_alias_add` — Add a Google Workspace email alias to a user (default pablo@popasite.com). Use when a new domain has been added and you want a name@newdomain.com address routed to Pablo's primary mailbox. Preview unless confirm:true. - `google_domain_add` — Register a new secondary domain on the Google Workspace customer (so it can be used for aliases or send-as identities). Run this before google_alias_add for an address on a brand-new domain. Preview unless confirm:true. - `google_send_as_add` — Add a Gmail 'Send As' identity so the user can send messages from another address (e.g. an alias). Use after google_alias_add when you also want to compose mail from that alias. Preview unless confirm:true. - `gsc_indexing_request` — Request reindexing of a URL via the Indexing API (Google supports this for JobPosting and BroadcastEvent live streams; for general pages it's best-effort). Use after publishing a new page for fastest crawl. Preview unless confirm:true. - `gsc_request` — Generic Search Console / Indexing API passthrough. Choose `api` ('search_console' or 'indexing'). GET and searchanalytics POST=READ; other POST/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `gsc_site_add` — Add a property to Search Console (must be verified afterwards via DNS TXT or HTML file). Use after registering a new domain to begin tracking it. Pass site_url like 'https://example.com/' or 'sc-domain:example.com'. Preview unless confirm:true. - `gsc_sitemap_submit` — Submit a sitemap URL to Search Console for a verified property. Use after deploying a site to nudge Google to recrawl. Requires site_url (gsc_site_list) and sitemap_url. Preview unless confirm:true. - `gtm_request` — Generic GTM API passthrough — call ANY endpoint at tagmanager.googleapis.com/tagmanager/v2. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `neon_database_create` — Create a new database inside an existing Neon project branch (defaults to primary). Use when adding a logical DB to an existing project; for a brand-new project use neon_project_create. Preview unless confirm:true. - `neon_project_create` — Create a brand-new Neon Postgres project (with primary branch + default neondb database) and return the connection URI. Use when bootstrapping storage for a new app; for adding a DB to an existing project use neon_database_create. Preview unless confirm:true. - `neon_request` — Generic Neon API passthrough — call ANY endpoint at console.neon.tech/api/v2. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. Does NOT execute SQL — use neon_sql for that. - `neon_sql` — Execute a SQL query against a Neon database over the SQL-over-HTTP proxy. SELECT/EXPLAIN/SHOW run immediately as READ; INSERT/UPDATE/DELETE/DDL require confirm:true. Use for ad-hoc queries or migrations. Requires project_id (find via neon_project_list). - `notion_page_create` — Create a new Notion page under a parent page or database, optionally with body text split into paragraph blocks. Set parent_type='database_id' to add a row to a database (then pass database properties via `properties`). Requires parent_id and title; preview unless confirm:true. - `notion_page_update` — Update properties on an existing Notion page (e.g. change title, status, select fields). Does NOT modify block content — use the Notion UI for body edits. Requires page_id and a `properties` object; preview unless confirm:true. - `notion_request` — Generic Notion API passthrough — call ANY endpoint at api.notion.com/v1. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. Note: Notion uses POST for queries (search, db queries) — those will be COMMIT-classed; pass confirm:true for read-style POSTs too. - `openai_request` — Generic OpenAI API passthrough — call ANY endpoint at api.openai.com/v1. Most OpenAI POSTs are inference (chat, responses, embeddings, images) and are treated as READ. Other POST/PATCH/PUT=COMMIT, GET=READ, DELETE=DANGEROUS. - `policy_set_mode` — Set the workspace safety mode. This controls when pabloMCP pauses an agent action and creates an approval instead of executing. Preview unless confirm:true. COMMIT. - `polymarket_order` — Place a real Polymarket CLOB limit order on Polygon. If TT_EXECUTOR_URL is configured, MCP relays to the TT executor (tt.pa13lo.com) so order submission happens from the working TT bridge instead of Vercel. Otherwise falls back to in-process @polymarket/clob-client signing. Spends real USDC. Defaults to GTC; FOK fills-or-kills immediately. Requires token_id, side, price (0.01-0.99), size (USDC), and confirm:true (otherwise preview). Run polymarket_order_preview first. - `resend_request` — Generic Resend API passthrough — call ANY endpoint at api.resend.com. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `resend_send` — Send a transactional email via Resend (api.resend.com). Use for outbound notifications/receipts; the `from` address must be on a verified Resend domain. Requires to, subject, and at least one of text/html. Preview unless confirm:true. - `scaffold_project` — Bootstrap a new project end-to-end in one call: creates a private GitHub repo, optionally adds a Vercel-managed DNS A record for the domain, and optionally adds a Google email alias to pablo@popasite.com. Use when starting a brand-new site/app. Preview unless confirm:true. - `stripe_payment_link_create` — Create a hosted Stripe Payment Link for a one-off product/price (creates Product + Price + PaymentLink in one call). Use to share a checkout URL for a single SKU. Requires name and amount (in smallest currency unit, e.g. cents). Preview unless confirm:true. - `stripe_refund` — Refund a Stripe charge or PaymentIntent (full by default, partial if `amount` is given). Accepts both ch_… and pi_… IDs (find via stripe_charges_list). Preview unless confirm:true — actual refund moves real money. - `supabase_project_create` — Create a brand-new Supabase project (Postgres + Auth + Storage + REST/Realtime). Returns the project ref + dashboard URL; fetch keys via supabase_project_keys once status is ACTIVE_HEALTHY (provisioning takes ~1-2 min). Use when bootstrapping a new app's full BaaS stack. Preview unless confirm:true. - `supabase_project_pause` — Pause a Supabase project (free tier idles automatically; this forces it). Pausing stops all compute but preserves data. To delete entirely use supabase_project_delete. Requires project_ref. Preview unless confirm:true. - `supabase_request` — Generic Supabase Management API passthrough — call ANY endpoint at api.supabase.com/v1. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `supabase_sql` — Execute a SQL query against a Supabase project's Postgres via the Management API. SELECT/EXPLAIN/SHOW run immediately as READ; INSERT/UPDATE/DELETE/DDL require confirm:true. Use for ad-hoc queries, schema changes, or migrations. Requires project_ref (find via supabase_project_list). - `telegram_request` — Generic Telegram Bot API passthrough — call ANY Bot API method. Method name (e.g. 'sendPhoto', 'editMessageText') goes in `method`; payload in `body`. All Bot API methods are POST to the bot URL — class is COMMIT (confirm-gated) for everything except a hardcoded list of read-only methods. - `telegram_send_message` — Send a Telegram message via the configured bot. Defaults to TELEGRAM_PABLO_CHAT_ID for the recipient — use this for proactive notifications/alerts to Pablo. Pass `chat_id` to target a different chat. Supports `parse_mode='MarkdownV2'|'HTML'`. Preview unless confirm:true. COMMIT. - `twilio_message_send` — Send an SMS or MMS via Twilio. Use for outbound notifications/2FA. Requires `to` (E.164) and `body` (or `media_url`); pass either `from` (your Twilio number) or `messaging_service_sid`. Preview unless confirm:true. COMMIT. - `twilio_number_buy` — Purchase a Twilio phone number — actually charges the account ($1–$15/mo depending on country/type, plus first-month prorate). Pass either `phone_number` (E.164 from twilio_numbers_search) or `area_code`. Preview unless confirm:true. COMMIT. - `twilio_request` — Generic Twilio REST passthrough — call ANY Twilio API endpoint under /2010-04-01/Accounts/{Sid}/. Path is relative; AccountSid is auto-injected. GET = READ; POST/PATCH/PUT = COMMIT (confirm-gated); DELETE = DANGEROUS (confirm-gated). Use twilio_docs first to find the right path. - `vapi_assistant_create` — Create a Vapi assistant. Provide at minimum `name`, `model` (provider+model+system prompt), `voice`, and optionally `firstMessage`/`transcriber`. Returns the new assistantId. Preview unless confirm:true. COMMIT. - `vapi_call_create` — Place an outbound Vapi phone call: pass `assistant_id` + `phone_number_id` + `customer_number` (E.164). Returns the queued call id immediately — poll vapi_call_get until status='ended' for transcript/recording. Preview unless confirm:true. COMMIT. - `vapi_request` — Generic Vapi REST passthrough — call ANY Vapi API endpoint. GET = READ; POST/PATCH/PUT = COMMIT (confirm-gated); DELETE = DANGEROUS (confirm-gated). Use vapi_docs first to find the right path. - `vault_set` — Store or update a project-scoped API key/credential in the encrypted vault. `project` is a free-form namespace (e.g. 'ecostore', 'duel', 'pablo-mcp'); `name` is the secret key (uppercase env-style, e.g. 'NETSUITE_API_KEY'). Values are AES-256-GCM encrypted at rest in Neon. Use this whenever a user asks to add/update a key for any project — no Vercel dashboard needed. Retrieve with vault_get, list with vault_list, remove with vault_delete. Preview unless confirm:true. COMMIT. - `vercel_deploy` — Trigger a new Vercel deployment for an existing project from its linked Git repo (GitHub/GitLab/Bitbucket). Use to redeploy after merging or to pin to a specific branch. Requires the project to already be linked. Preview unless confirm:true. - `vercel_dns_add` — Add a DNS record to a Vercel-managed domain. Use (NOT cloudflare_dns_add) when the domain's DNS is hosted on Vercel — e.g. adding a subdomain, pointing an A record at an IP, or setting a CNAME. Requires domain, name, type, value; preview unless confirm:true. - `vercel_env_set` — Create or update an environment variable on a Vercel project (uses upsert). Defaults to applying to all targets (production/preview/development) and encrypted storage. Use to push secrets/config; preview unless confirm:true. - `vercel_request` — Generic Vercel API passthrough — call ANY endpoint at api.vercel.com. teamId is auto-injected from VERCEL_TEAM_ID. GET=READ, POST/PATCH/PUT=COMMIT, DELETE=DANGEROUS. COMMIT/DANGEROUS require confirm:true. - `xai_request` — Generic xAI API passthrough — call ANY endpoint at api.x.ai/v1. POST inference (chat/completions, completions, embeddings, images) is treated as READ. Other POST/PATCH/PUT=COMMIT, GET=READ, DELETE=DANGEROUS. ## DANGEROUS (7) - `cloudflare_dns_delete` — Delete a DNS record from a Cloudflare-hosted zone. Irreversible. Requires zone_id and record_id (find via cloudflare_dns_list). Pass confirm:true to actually delete. - `godaddy_dns_replace_type` — Replace ALL records of a given type/name on a GoDaddy domain (destructive for existing records of that type). Use for clean A or CNAME swaps. Preview unless confirm:true. DANGEROUS. - `godaddy_nameservers_set` — Update nameservers on a GoDaddy-registered domain. Use this when delegating DNS to Cloudflare or Vercel. Preview unless confirm:true. DANGEROUS. - `supabase_project_delete` — Permanently delete a Supabase project, destroying the database and all storage. Irreversible. To temporarily stop compute use supabase_project_pause. Requires project_ref. Pass confirm:true to actually delete. - `twilio_number_release` — Release (delete) a Twilio phone number you own — IRREVERSIBLE: the number returns to the pool and may be claimed by another customer. Stops all billing for that number. Requires the IncomingPhoneNumber sid (PNxxx) from twilio_phone_numbers_list. Pass confirm:true to actually release. DANGEROUS. - `vault_delete` — Delete a project-scoped secret from the vault by (project, name). Irreversible — there is no undo, and consumers reading via vault_get or getKey() will start failing immediately. Always preview first; only pass confirm:true after the user explicitly approves. DANGEROUS. - `vercel_dns_delete` — Permanently delete a DNS record from a Vercel-managed domain. Irreversible. Requires domain and record_id (find via vercel_dns_list). Pass confirm:true to actually delete.