Contents
NAPT MCP Best Practices
How to prompt your AI assistant effectively when using NAPT tools
Prompt Patterns That Work
AI assistants call NAPT tools based on how you phrase your request. These prompt patterns consistently produce the best results.
1Be specific about environment
Why: The tool accepts vendor, framework, and environment parameters. Without them, NAPT uses defaults that may not match your setup.
2Chain tools naturally
Why: Claude can call napt_search_templates then napt_get_script in one turn, giving you a complete answer without back-and-forth.
3Use dry-run explicitly
Why: napt_run_script defaults to dry_run=true, but being explicit ensures Claude passes it correctly and you stay safe.
4Ask for context before action
Why: napt_get_findings gives you situational awareness before you decide which script to run. Use it as triage before action.
5Combine NAPT with your own context
Why: Giving Claude the specific IP and device makes NAPT’s intent parser generate a script tailored to your exact situation, not a generic template.
6Parse intent before scripting
Why: napt_parse_intent returns risk level and pre-flight checks. Review them before asking Claude to generate the execution script.
7Pipeline status as morning routine
Why: napt_get_findings + napt_get_pipeline_status together give you an overnight NOC summary without opening any browser tabs.
Tool Combinations That Work Together
Combo 1 — Morning NOC Check
- 1
napt_get_findings(critical, last 12 hours) - 2
napt_get_pipeline_status(last run of nightly pipelines) - 3
napt_get_compliance(production score)
Prompt
“Give me the NAPT morning check: critical findings last 12 hours, pipeline status, and compliance score”
Combo 2 — Incident Response Flow
- 1
napt_get_findings(filter by device) - 2
napt_get_script(relevant diagnostic) - 3
napt_run_script(dry-run first) - 4(if dry-run passes)
napt_run_script(live)
Prompt
“edge-rtr-01 is showing high CPU. Check NAPT findings for it, get the appropriate diagnostic script, and run it in dry-run mode”
Combo 3 — Change Preparation
- 1
napt_parse_intent(risk assessment) - 2
napt_search_templates(find relevant template) - 3
napt_get_script(full script) - 4
napt_trigger_pipeline(after review)
Prompt
“I need to add a new VLAN 200 across the campus distribution layer. Use NAPT to assess the risk, find the right template, and prepare the change script”
Combo 4 — Compliance Investigation
- 1
napt_get_compliance(overall score + failing controls) - 2
napt_search_templates(find remediation template) - 3
napt_generate_script(generate targeted fix)
Prompt
“My CIS compliance score dropped. Use NAPT to find what's failing and generate a script to fix the top 3 issues”
Security Best Practices
1. Scope your MCP key permissions
Only enable the permissions your workflow needs:
- Read only: Use for morning checks and query-only workflows
- Read + Generate: Add when you want script generation
- Read + Generate + Execute: Only when running scripts (use staging env)
- All including Pipelines: Only for automated CI/CD scenarios
2. Never paste your key in a prompt
The MCP client reads the key from the environment variable, never from the conversation. Claude never sees your key.
3. Rotate keys regularly
- Go to /mcp/keys → Regenerate
- Update all MCP client configs with the new key
- Old key is immediately invalidated
- All past calls remain logged under the old key ID for audit
4. Use separate keys per environment
Create one key for your AI assistant (read + generate). Create a separate key for your CI/CD automation (execute + pipelines). This limits blast radius if a key is compromised.
5. Review the call log
/mcp/keys shows last used timestamp and source IP. If you see unexpected calls, regenerate immediately. All MCP calls are logged in napt_mcp_calls for audit.
6. Never allow production execute without MFA
What MCP Cannot Do
Be clear about MCP limitations so engineers don’t over-trust it.
MCP cannot modify live network devices without dry-run first
napt_run_script call defaults to dry_run=true. Live execution requires explicit dry_run=false AND execute permission.MCP cannot access devices directly
MCP cannot see your device credentials
MCP calls are rate-limited
MCP cannot run scripts larger than 30 seconds via the API
napt_trigger_pipeline) which run asynchronously and return a run_id for status polling.Example Conversations
Example 1 — Generating a script in Cursor IDE
pip install netmiko ntc-templates rich python bgp_uptime_checker.py --inventory devices.csv --dry-run
Example 2 — Morning NOC check in Claude Desktop
Example 3 — Incident response in Claude Desktop
Sample Prompt Templates
Download these ready-to-use prompt templates as Markdown files. Fill in the placeholders and paste them into Claude, Cursor, or any MCP client to get consistent results.
Morning NOC Check
Overnight findings, pipeline status, and compliance summary.
Incident Response
Triage a device, fetch a diagnostic, and run a safe dry-run.
Change Preparation
Risk-assess a change, find a template, and prepare the script.
Script Generation
Generate a tailored script with explicit vendor and framework.