kiro-discord-bot

Bot Tools MCP #

Every initialized channel gets a built-in bot-tools MCP server. It exposes bot-native operations to the active ACP agent while still enforcing the current Discord channel, thread, MCP policy, and safe egress rules.

This server is separate from external MCP servers listed in the MCP catalog.

Default Tool Policy #

On first channel setup, these safe tools are enabled by default:

ToolKindPurpose
bot_data_summaryReadSummarize the bot data directory without message content.
bot_list_channel_dataReadList known channel data folders and metadata presence without message content.
bot_list_cronReadList scheduled jobs for the current channel.
bot_send_fileWrite, non-destructiveQueue a sanitized file upload for Discord delivery.
bot_create_cronWrite, non-destructiveQueue creation of a scheduled task.

These tools are available but not enabled by default:

ToolKindPurpose
bot_send_messageWrite, non-destructiveQueue an additional Discord message.
bot_delete_cronWrite, destructiveQueue deletion of a scheduled task.
bot_query_auditRead, sensitiveQuery scoped audit timeline rows.

/audit <prompt> temporarily grants only bot_query_audit to the private audit investigation agent. That agent cannot use normal Discord egress tools.

Scope Enforcement #

bot-tools sessions are bound to the current channel or thread target. Calls that try to operate on a different channel fail with a channel-scope error.

Thread IDs are normalized to the parent channel for cron management where the runtime stores scheduled work at channel scope.

Safe Discord Egress #

bot_send_message and bot_send_file do not directly write to Discord from the MCP call. They enqueue safe egress actions and the bot performs delivery through its normal Discord path.

File egress is intentionally conservative:

Audit Query Tool #

bot_query_audit is read-only and scoped to the current bot-tools context. It supports filters such as:

The tool returns timeline rows, not unrestricted SQL access.