MCP prompts
MCP prompts are reusable workflow guides that an MCP client can invoke by name, distinct from tools (which act) and resources (which expose data). Each Alpacon prompt returns static guidance text—arguments only scope the context inside it—that walks an AI agent through the discipline required to operate Alpacon safely: every infrastructure action happens inside an approved Work Session, approval always routes to a human because an agent has no MFA presence, and denials are structured so the agent self-corrects instead of retrying blindly. The four prompts mirror Alpacon’s access model, ACCESS→EXECUTION→AUDIT.
Prompts don’t call the Alpacon API themselves—they return instructions that the agent then carries out using the corresponding tools. See Getting started for how your MCP client surfaces prompts.
Summary
| Prompt | Stage | Arguments |
|---|---|---|
work_session_workflow | ACCESS | intent (required), servers (optional) |
guarded_execution | EXECUTION | work_session_id (required) |
incident_response | Scenario | server_id (optional), workspace (optional) |
security_audit | AUDIT | work_session_id (optional), server_id (optional) |
work_session_workflow
Invoke this prompt before any infrastructure action, to scope and open a Work Session. Given a goal (intent) and optionally a list of target server UUIDs (servers), it walks the agent through:
- Declaring the goal as the session
descriptionand callingwork_session_createwith the requiredworkspace,scopes,servers, andexpires_at, scoped to the specific target servers rather than the whole workspace. It clarifies which scopes an agent can request directly (command,webftp,tunnel) versussudo(always routes to human approval) and which are unavailable to agents entirely (websh,editor, which require MFA presence). - Handling the result by status: a
pending_approvalsession means the agent must surface the request to a human and wait rather than retry—explain_approval_decisioncan relay why a human must act out-of-band. Anerrorwith a gatecodemeans readingnext_action, narrowing the scope, and retrying deliberately. - Once the session is
active(confirmed viawork_session_get), handing off to theguarded_executionprompt for the actual work.
Use it whenever a user’s request implies touching infrastructure—running a command, transferring a file, or opening a tunnel—and no Work Session is open yet.
guarded_execution
Invoke this prompt once a Work Session (work_session_id) is active, to run commands and file transfers inside it correctly. It walks the agent through:
- Confirming the session is
activeviawork_session_get, readingdata.statusrather than the top-level call-resultstatus, before doing anything. - Passing
work_session_idon every scoped call:execute_command,execute_command_multi_server, orwebftp_download_file(webftp_upload_fileis local-mode only and returnsremote_mode_unsupportedover remote/OAuth). - Expecting a risk verdict on every action—HIGH-risk commands and any
sudoinvocation route to human-in-the-loop, and the agent cannot self-approve. - Reading the structured
code/next_actionon denial and self-correcting instead of re-running the same denied command. - Calling
work_session_closeonce the work is done, which also triggers the AI security analysis over the session.
Use it for every command or file transfer that happens right after a Work Session becomes active.
incident_response
Invoke this prompt when responding to an alert or reported incident, to make sure triage happens before any remediation. Given an optional server_id or workspace, it walks the agent through:
- Read-only triage that needs no Work Session: active alerts, server overview and CPU/memory usage, and recent events, to identify the likely cause first.
- If remediation requires running commands, opening a Work Session through the
work_session_workflowprompt, scoped to the affected servers only with thecommandscope, instead of executing directly. - Running the remediation under
guarded_execution, expecting risky steps (restarts,sudo, destructive commands) to route to human approval. - Closing the session with
work_session_closeonce the incident is resolved, to complete the audit trail.
Use it when a user reports a problem with a server or asks the agent to investigate an alert.
security_audit
Invoke this prompt when a user asks an audit or forensic question about privileged activity, to pick the right lens instead of guessing which tool to call. Given an optional work_session_id or server_id as anchor, it maps five question types to the tools that answer them:
- Session forensic (“what happened in this session?”):
work_session_timeline. - Event forensic, cross-session (“every sudo call”, “every transfer of /etc/*”):
list_server_logs,list_webftp_logs,search_events. - Decision audit (“who approved this, when was it revoked?”):
list_approval_requests,get_approval_request. - Mutation audit (“what changed in roles, tokens, or policy?”):
list_activity_logs,get_activity_log. - AI-derived analysis (attack patterns, MITRE ATT&CK mapping):
list_session_analyses,get_session_analysis_detail.
It also directs the agent to link findings back to the Work Session that contains each event, since the session is the primary unit of the audit story.
Use it for any “what happened,” “who approved,” or “was this suspicious” question about workspace activity.
Related
- Work Session tools: the tools these prompts orchestrate, including
work_session_create,work_session_get, andwork_session_close - Audit log tools: the tools behind the
security_auditlenses - Getting started: connect your MCP client and see how it surfaces prompts and resources