A feature like the Cross-Repo Token Broker needs two separate things turned on: your plan has to include it, and an admin has to flip its switch on the Settings → Security tab. Until now an agent connected over MCP could read your plan entitlements (list_entitlements) but had no way to see the workspace toggle. So when token minting refused, the agent could tell you the plan gate — but never that the switch was simply off.

The new get_workspace_settings tool closes that gap. It returns the per-workspace admin toggles — stsEnabled (Cross-Repo Token Broker) and githubChatopsEnabled — alongside the existing entitlement view. Ask your agent "why can't I mint cross-repo tokens?" and it now checks both gates and tells you exactly which one is closed: plan not entitled, or entitled but toggled off.

The tool is read-only and scoped to the workspace your MCP token is bound to, like the rest of the workspace introspection tools. Enabling a feature is still a deliberate action you take in the dashboard — the agent can see the switch, not flip it.