policy | Get, validate, or set workspace access rules and limits. Use action ‘read’ to fetch current policy, action ‘validate’ to preview a replace/merge update without applying it, and action ‘write’ to apply path ACL, size limit, extension rule, and rate cap changes. |
vault_secret | Securely store, retrieve, list, rotate, and delete workspace secrets. Encrypted at rest, never in file listings or audit plaintext. |
share_with_public | Share a file via an unlisted public link (experimental). Requires enabling at /keys. Shared links need Undisk auth to view. Flagged content blocked. |
audit_trail | Query the workspace’s tamper-evident audit trail. Use ‘list’ to browse entries with filters, ‘export’ for JSON/NDJSON evidence dumps, and ‘verify’ to validate hash-chain integrity. Supports filtering by agent, time, operation, and path. |
workspace_collaborate | Multi-agent coordination: claim/release file locks, leave handoff notes, discover active agents. Locks auto-expire after a configurable TTL. Use for collaborative workspace scenarios. |
webhook | Manage webhook endpoints for real-time event notifications. Register HTTPS URLs to receive HMAC-SHA256 signed POST requests when workspace events occur (file changes, policy updates, etc.). Supports create, list, get, update, delete, and list_deliveries actions. |
federation | Cross-workspace file federation: create read-only links to files in other workspaces you own. Read federated files without switching workspaces. Supports create_link, list_links, read, and delete_link actions. |
list_workspaces | List all workspaces accessible to the current API key. Returns provider, org membership, current workspace, and current server time, and gives a better hint when only one workspace is available. |
