Skip to main content
Most Consile connectors are read-only: Google Search Console, Uniconta and e-conomic expose only read tools, so the AI can read your numbers but can never change, create or delete anything upstream. The two advertising connectors are different. Meta Ads and LinkedIn Ads are read + guardrailed write: alongside their read tools they can create and manage campaigns, behind explicit safety defaults. This page documents the developer-facing mechanics of those write tools: the default-status behaviour, the confirm argument, and the WritePreview dry-run shape. For the plain-language safety model, see Handlinger & guardrails.
Each connector is its own named MCP at https://mcp.consile.ai/<id>/mcp with only its own tools. Tool calls go to the connector endpoint: the aggregate https://mcp.consile.ai/mcp is the Consile Concierge (management tools only), not where ad tools are called. The transport namespaces every tool as <id>__<tool> (e.g. meta-ads__create_campaign, linkedin-ads__update_status). The AI invokes these names on your behalf.

Which connectors have write tools

ConnectorEndpointCapabilityWrite tools
Google Search Consolemcp.consile.ai/gsc/mcpread-only0
Unicontamcp.consile.ai/uniconta/mcpread-only0
e-conomicmcp.consile.ai/economic/mcpread-only0
Meta Adsmcp.consile.ai/meta-ads/mcpread + guardrailed write5 of 39
LinkedIn Adsmcp.consile.ai/linkedin-ads/mcpread + guardrailed write19 of 64
The read-only connectors have zero write tools; every tool on those endpoints is a read. Everything below applies only to the two advertising connectors.

The three guardrail rules

Every write tool on Meta Ads and LinkedIn Ads obeys the same three rules:
  1. New objects are created paused. A new campaign, ad set / ad group, or ad is created PAUSED (Meta Ads) / DRAFT (LinkedIn Ads). It is never live and spends nothing until you explicitly activate it.
  2. Money / destructive / public actions require confirm: true. Anything that spends money (setting status to ACTIVE), changes a budget or bid, archives or deletes an object, or publishes public content requires an explicit confirm: true argument.
  3. Without confirm, you get a dry-run. A guarded tool called without confirm: true returns a WritePreview object describing exactly what would happen and calls no upstream API. Nothing changes until you re-issue the call with confirm: true.
These guardrails are connector-local application logic: designed-in safety defaults enforced inside each connector’s tool handlers. The platform’s readOnly flag on a tool is a hint only (it surfaces as annotations.readOnlyHint in the manifest); the core and transport will happily run a mutating handler. There is no separate core destructive-op gate that would stop a write tool independently of the connector’s own logic. So this is a strong safety default, not an unbreakable platform guarantee. Read tools, by contrast, are safe by construction: a read-only connector ships no write tools at all.

Default status: PAUSED / DRAFT

Creating an object never makes it live:
  • Meta Ads: create_campaign, create_ad_set and create_ad create the object with status PAUSED. It exists, but does not deliver and spends nothing.
  • LinkedIn Ads: the create tools produce the object in DRAFT status. It is not running.
To take an object live you must call update_status (Meta) / the equivalent LinkedIn status tool with the target status and confirm: true, because going live spends money (rule 2).

The confirm argument

Guarded tools accept a boolean confirm argument.
confirm
boolean
default:"false"
Set true to actually execute the mutation upstream. When omitted or false, the tool performs no upstream call and returns a WritePreview dry-run instead.
A call is guarded (needs confirm: true to execute) when it would:
  • spend money: set an object’s status to ACTIVE (go live);
  • change a budget or bid: e.g. update_budget on Meta Ads;
  • archive or delete an object;
  • publish public content (LinkedIn organic-social posts).
Creating a paused/draft object is itself low-risk, but the create + activate sequence still means the activation step is the guarded one.

The WritePreview dry-run shape

When a guarded tool is called without confirm: true, it returns a structured preview of the intended change and makes no upstream request. The exact field set varies by tool, but the shape is consistent:
WritePreview (dry-run, no confirm)
{
  "preview": true,
  "action": "update_status",
  "connector": "meta-ads",
  "wouldChange": {
    "objectType": "campaign",
    "objectId": "1203456789012345",
    "from": { "status": "PAUSED" },
    "to": { "status": "ACTIVE" }
  },
  "requiresConfirm": true,
  "message": "Dry-run only. Re-issue this call with confirm: true to apply."
}
Key fields:
preview
boolean
true whenever this is a dry-run: no upstream API was called.
action
string
The write tool that produced the preview (e.g. update_status, update_budget).
wouldChange
object
The intended mutation: object type, id, and the from / to field deltas that would be written if confirmed.
requiresConfirm
boolean
true for money / destructive / public actions; re-issue with confirm: true to apply.
To apply the change, the AI re-issues the same call with confirm: true:
Confirmed write (executes upstream)
{
  "name": "update_status",
  "arguments": {
    "campaignId": "1203456789012345",
    "status": "ACTIVE",
    "confirm": true
  }
}
The AI runs these calls for you. It is expected to show you the WritePreview and get your go-ahead before re-issuing with confirm: true. Treat the preview as the moment to review before any spend.

Meta Ads write tools

Meta Ads exposes 5 write tools (of 39 total):
ToolGuarded?Notes
create_campaigncreate → PAUSEDNew campaign, never live until activated.
create_ad_setcreate → PAUSED
create_adcreate → PAUSED
update_statusconfirmGoing ACTIVE spends money; archiving is destructive.
update_budgetconfirmBudget change spends money differently.
Meta Ads has no hard-delete: there is no delete tool. Objects can only be archived (via update_status), which is itself guarded by confirm: true.

LinkedIn Ads write tools

LinkedIn Ads exposes 19 write tools (of 64 total): 11 ad-management tools plus 8 organic-social tools.
  • Ad-management writes follow the standard model: new objects are created in DRAFT; activation, budget/bid changes, and archive/delete require confirm: true, otherwise a WritePreview is returned.
  • Organic-social writes publish public content, so they are confirm-gated by the same rules.
The 8 organic-social write tools are exposed but currently fail closed: until LinkedIn grants Community Management API approval, calling them returns HTTP 403. Treat them as “requires approval / not active yet”, as they are listed but not usable today. The 45 read tools and the 11 ad-management write tools are unaffected.

Why read-only connectors are different

To restate the boundary precisely: Google Search Console, Uniconta and e-conomic ship no write tools at all. Their safety is structural, not behavioural: there is no mutating handler to gate. For example, the Uniconta balance tool uniconta__get_account_balance only reads a balance; there is no Uniconta tool that posts an entry or edits a record. The guardrail machinery on this page exists specifically because Meta Ads and LinkedIn Ads can write. For the full plain-language model, see Handlinger & guardrails.
A failed or rejected upstream write surfaces as a normal tool error (e.g. a 400/403 from the provider, or LinkedIn’s 403 for un-approved organic-social tools). See Errors & limits.