Report a data quality issue or agent intent gap for a DataNexus tool response.

tool_id: e.g. "T10" or "security_fetch_cve_detail". query_hash: From the query_hash field of the response. signal: incorrect_data | missing_field | stale_data | not_useful | wrong_entity | data_quality. comment: Issue description. Max 500 chars. missing_fields: Absent or wrong field names. feedback_type: "user_feedback" (default) or "agent_gap". intended_query: Agent's goal. Max 256 chars. gap_description: What was missing. Max 256 chars.

Example: report_feedback(tool_id="T10", query_hash="abc123", signal="incorrect_data")

Check MCPize subscription status for a DataNexus tool.

tool_id: DataNexus tool identifier e.g. "T10". Pass the tool the user is asking about.

Returns: status ("free" | "subscription_required" | "not_configured"), message, tool_id, and upgrade_url when subscription is required.

Example: report_mcpize_link(tool_id="T10")

Validate a DataNexus tool response for data quality issues using two-layer validation: deterministic rules first, then AI review for ambiguous cases. Read-only. Never blocks. tool_id: DataNexus tool identifier e.g. T04, T10, T22. Required. Find in the tool_id field of any response. query_hash: Hash from the response you are validating. Required. Enables feedback correlation. response_json: Full tool response serialised as a JSON string. Required. Returns pass or issues_found, with issues from each layer and whether feedback was auto-filed. Both layers must agree before feedback is filed. Use validate_tool_output to check data quality. Use report_feedback instead to manually report an issue you have already identified. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="validate_tool_output", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Find the right DataNexus tool by describing your task in plain English. Read-only. No side effects. Call this before any other DataNexus tool to reduce context load from 40000 to 800 tokens. query: Plain English description of your task e.g. check if a Python package has CVEs or look up a UK charity by name. Required. domain: Restrict results to one sub-server: nonprofit, security, compliance, domain, legal, govcon, or regulatory. Optional. Returns matching tool names and parameter hints you can call directly. Do not call this recursively or to validate results — use validate_tool_output for that. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="search_datanexus_tools", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch IRS 990 filing data for any US nonprofit by EIN. Read-only. No side effects. Idempotent. US only. ein: 9-digit Employer ID with or without dash, e.g. 46-5734087 or 465734087. Required. Returns name, revenue, expenses, assets, NTEE code, and mission from the most recent 990 filing. Use this when you have the exact EIN. Use nonprofit_search_nonprofits_by_name instead when you only have a name. Verified source: IRS EO BMF + IRS TEOS. 7-day cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="nonprofit_fetch_nonprofit_by_ein", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Search US nonprofits by name with optional state filter. Read-only. No side effects. Idempotent. US only. Returns up to 25 matches. name: Full or partial organisation name. Required. state: Two-letter US state code e.g. CA, NY. Optional, defaults to all states. Returns EIN, name, state, revenue, and NTEE code for each match. Use this when you have a name but not the EIN. Use nonprofit_fetch_nonprofit_by_ein instead when you have the exact EIN for a precise single lookup. Verified source: IRS EO BMF. 7-day cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="nonprofit_search_nonprofits_by_name", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch UK registered charity details by charity number or organisation name. Read-only. No side effects. Idempotent. UK only. charity_number_or_name: UK registered charity number (7 digits, e.g. 1234567) or full/partial organisation name. Required. Returns registration status, income, expenditure, activities, and trustee count. Use this for UK charities. Use nonprofit_fetch_nonprofit_by_ein or nonprofit_search_nonprofits_by_name for US nonprofits. Verified source: UK Charity Commission OGL v3. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="nonprofit_fetch_charity_uk", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch all known CVEs for an open source package version or a batch of packages. Read-only. No side effects. Idempotent. Single-package mode: package (e.g. requests), version (e.g. 2.28.0), ecosystem (PyPI/npm/Maven/Go/Cargo/NuGet/RubyGems). Batch mode: packages array of {name, version, ecosystem} objects — max 50 per call. If packages array is provided and non-empty, batch mode is used and package/version/ecosystem are ignored. Batch returns {results: [...], partial: bool, failed_count: int}. Each result has vuln_count and vulnerabilities list. Returns CVE ID, severity, CVSS score, affected range, and fixed version. Use security_fetch_cve_detail for full detail by CVE ID. Use security_audit_sbom_vulnerabilities for SBOM files. Verified source: Google OSV.dev. 1-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_package_vulnerabilities", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch the full dependency tree for a package version including transitive dependencies. Read-only. No side effects. Idempotent. Hard 8-second timeout — large dependency trees may return partial results. package: Package name. Required. version: Exact version string e.g. 1.2.3. Required. ecosystem: One of PyPI, npm, Maven, Go, Cargo, NuGet, RubyGems. Required. Returns all direct and transitive dependencies with version constraints. Use this to understand full supply chain exposure. Use security_fetch_package_vulnerabilities instead when you only need CVEs for a single package. Verified source: deps.dev (Google). 1-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_dependency_graph", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch full detail for a specific CVE by ID. Read-only. No side effects. Idempotent. cve_id: CVE identifier in format CVE-YYYY-NNNNN e.g. CVE-2021-44228. Required. Returns description, CVSS base score, affected products, patch references, and publish date. Use this when you have a CVE ID and need complete detail beyond what a package scan returns. Use security_fetch_package_vulnerabilities instead when you want all CVEs for a package version. Verified source: NIST NVD. 1-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_cve_detail", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Audit a Software Bill of Materials for known vulnerabilities across all listed packages. Read-only. No side effects. Idempotent. sbom_json: CycloneDX or SPDX SBOM as a JSON string. Required. Large SBOMs (100+ packages) may take up to 10 seconds. Returns CVEs grouped by package with severity and fixed versions. Use this when you have a full SBOM to audit. Use security_fetch_package_vulnerabilities instead when checking a single package version. Verified source: Google OSV.dev batch API. 1-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_audit_sbom_vulnerabilities", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch the SPDX licence identifier for an open source package version. Read-only. No side effects. Idempotent. package: Package name e.g. flask. Required. version: Exact version string e.g. 2.3.0. Required. ecosystem: One of PyPI, npm, Maven, Go, Cargo, NuGet, RubyGems. Required. Returns the SPDX licence identifier e.g. MIT, Apache-2.0, GPL-3.0. Use this to verify licence compatibility before including a dependency. Use security_fetch_package_vulnerabilities instead when checking for security issues not licences. Verified source: deps.dev (Google). 1-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_package_licence", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Check whether a CVE is in the CISA Known Exploited Vulnerabilities (KEV) catalog. Read-only. No side effects. Idempotent. cve_id: CVE identifier in format CVE-YYYY-NNNNN e.g. CVE-2021-44228. Required. Returns in_kev (bool), date_added, due_date, ransomware_use, and notes from the CISA KEV catalog. KEV status answers 'Is this being actively exploited?' — a critical triage question not available in NIST NVD. Verified source: CISA KEV catalog (updated daily, cached). Use security_fetch_cve_detail for full CVE severity. Use security_fetch_cve_epss for exploit probability. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_cisa_kev", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

EPSS exploit probability score for a CVE — predicts likelihood of exploitation in the next 30 days.

cve_id: CVE identifier e.g. "CVE-2021-44228".

Returns: epss (float 0.0–1.0) and percentile (float 0.0–100.0). Thresholds: >0.7 patch immediately, 0.3–0.7 patch soon, <0.3 monitor. Use with security_fetch_cve_detail to prioritize patching — EPSS measures urgency, CVSS measures severity. Source: FIRST.org. 6-hour cache.

Example: fetch_cve_epss(cve_id="CVE-2021-44228")

Fetch NPI registration details for a US healthcare provider by NPI number. Read-only. No side effects. Idempotent. US only. npi_number: 10-digit NPI number e.g. 1003000126. Required. Do not include dashes or spaces. Returns provider name, credential type, speciality taxonomy, practice address, and active status. Use this when you have the exact 10-digit NPI. Use compliance_search_npi_by_name instead when you only have the provider name. Verified source: NPPES NPI Registry (CMS). 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="compliance_fetch_npi_provider", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Search the NPPES NPI Registry by provider name with optional state and speciality filters. Read-only. No side effects. Idempotent. US only. Returns up to 10 matches. name: Full or partial provider name. Required. state: Two-letter US state code e.g. CA. Optional. speciality: Speciality keyword e.g. Cardiology. Optional. Returns NPI number, name, speciality, and address for each match. Use this when you do not have the NPI number. Use compliance_fetch_npi_provider instead when you have the exact 10-digit NPI. Verified source: NPPES NPI Registry (CMS). 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="compliance_search_npi_by_name", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch FINRA BrokerCheck registration for a US broker or investment adviser by CRD number. Read-only. No side effects. Idempotent. US only. crd_number: Central Registration Depository number as a string of digits e.g. 1234567. Required. CRD number only — name lookup is not supported. Returns registration status, qualifications, disclosure history, and employment history. Use this when you have the CRD number. Use compliance_search_npi_by_name instead for healthcare providers, not financial advisers. Verified source: FINRA BrokerCheck. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="compliance_fetch_finra_broker", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Check whether an entity is on the US federal exclusions list (debarred from government contracts). Read-only. No side effects. Idempotent. US only. name_or_ein: Entity name or 9-digit EIN with or without dash e.g. Acme Corp or 13-1234567. Required. Name match is fuzzy — verify EIN for exact results. Returns excluded: true/false, exclusion type, and exclusion dates if found. Use this before awarding federal contracts or grants. Use govcon_search_contract_awards instead to find what contracts an entity has won. Verified source: SAM.gov. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="compliance_check_sam_exclusion", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch domain registration details via IANA RDAP (the modern structured replacement for WHOIS). Read-only. No side effects. Idempotent. domain: Domain name without protocol e.g. example.com not https://example.com. Required. Returns registrar, registration date, expiry date, nameservers, and registrant info where publicly available. Use this when you need registration metadata. Use domain_fetch_ssl_certificate_chain instead when you need certificate history. Use domain_fetch_dns_records instead when you need live DNS resolution. Verified source: IANA RDAP. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="domain_fetch_domain_rdap", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch SSL certificate history for a domain from Certificate Transparency logs. Read-only. No side effects. Idempotent. domain: Domain name without protocol e.g. github.com. Required. Does not support IP addresses or wildcard domains. Returns issuer, subject, validity period, and Subject Alternative Names for each logged cert. Use this to detect unexpected certificate issuance or audit certificate history. Use domain_fetch_domain_rdap instead when you need registration data not certificate data. Verified source: crt.sh Certificate Transparency. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="domain_fetch_ssl_certificate_chain", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch current DNS records for a domain via Cloudflare DNS over HTTPS. Read-only. No side effects. Idempotent. domain: Domain name without protocol e.g. cloudflare.com. Required. record_types: List of DNS record types to fetch. Required. Valid values: A, AAAA, MX, TXT, NS, CNAME, SOA. Example: ["A", "MX", "TXT"]. Returns all matching records currently in effect. Use this when you need live DNS resolution. Use domain_fetch_domain_rdap instead when you need registration metadata not DNS records. Verified source: Cloudflare DoH. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="domain_fetch_dns_records", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch historical SSL certificate issuance for a domain from Certificate Transparency logs. Read-only. No side effects. Idempotent. domain: Domain name without protocol e.g. example.com. Required. Returns all past certificates with issuer, validity dates, and SANs in reverse chronological order. Use this to detect domain hijacking or audit unexpected historical certificate issuance. Use domain_fetch_ssl_certificate_chain instead when you only need the current certificate chain. Verified source: crt.sh Certificate Transparency. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="domain_fetch_domain_history", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Enumerate subdomains for a domain via Certificate Transparency logs. Read-only. No side effects. Idempotent. domain: Domain name without protocol e.g. anthropic.com. Required. Returns deduplicated list of known subdomains. Primary source: crt.sh Certificate Transparency (free). Fallback source: RapidDNS (free, passive CT + DNS) — used automatically when crt.sh is unavailable. Response includes source field indicating which source was used. Results are cached 24h — second call returns in under 500ms. First call may be slower (8s max per source). Circuit breaker trips after 3 timeouts or 5xx errors within 600s. Verified sources: crt.sh Certificate Transparency, RapidDNS. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="domain_fetch_subdomains", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Check SPF, DMARC, and DKIM email authentication for a domain.

domain: Domain without protocol e.g. "google.com".

Returns: overall_grade (A–F), spf_score, dmarc_score, dkim_score (each 0–10), spf_record, dmarc_record, dkim_selectors_found. Scores reflect live DNS via Cloudflare DoH — no cache.

SPF: -all=10 (strict), ~all=7, ?all=4, none=2, +all=0 (open relay). DMARC: p=reject=10, p=quarantine=7, p=none=4, absent=0; +1 for rua set. DKIM: selector found=10, none=0. Checks 10 common selectors in parallel.

Example: check_email_security(domain="google.com")

Find domains co-hosted on the same IP address (reverse IP lookup). Read-only. No side effects. Idempotent. domain_or_ip: Domain name (e.g. shared.dreamhost.com) or IPv4 address (e.g. 1.2.3.4). Required. If a domain is given, it is first resolved to its IPv4 A record. IPv6-only domains are not supported. Returns list of co-hosted domains on the same IP. Useful for identifying shared hosting risk and mapping corporate infrastructure. Daily quota guard: 100 calls/day free tier. Verified source: HackerTarget API. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="domain_fetch_reverse_ip", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch full patent details by patent number and jurisdiction. Read-only. No side effects. Idempotent. patent_number: Patent number in EPODOC format e.g. EP1000000 for European, CN120586032 for Chinese, JP2020123456 for Japanese, WO2020123456 for PCT, US10000000 for US. Required. jurisdiction: Optional hint — one of EP, CN, JP, KR, US, WO, etc. Default EP. The tool normalises the patent number automatically; passing CN120586032 with jurisdiction EP is valid. Returns title, abstract, inventors, assignees, filing date, claims summary, and citation count. Use this when you have a specific patent number. Use legal_search_patents_by_keyword instead when you only have keywords and need to find patents. Verified source: EPO OPS. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="legal_fetch_patent_by_number", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Search patents by keyword across EPO, USPTO, or WIPO. Read-only. No side effects. Idempotent. Returns up to 10 matches. keywords: Search terms describing the invention e.g. neural network image classification. Required. jurisdiction: One of EP, US, or WO. Optional. Default EP. date_from: Earliest filing date in ISO 8601 format e.g. 2020-01-31. Optional, defaults to no lower bound. Returns patent numbers, titles, and filing dates. Use this when finding prior art or exploring a technology landscape without a specific number. Use legal_fetch_patent_by_number instead when you have the patent number already. Verified source: EPO OPS + USPTO. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="legal_search_patents_by_keyword", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch forward and backward citation chains for a specific patent. Read-only. No side effects. Idempotent. patent_number: Patent number in EPODOC format e.g. EP1000000 for European, CN120586032 for Chinese, JP2020123456 for Japanese, WO2020123456 for PCT, US10000000 for US. Required. jurisdiction: Optional hint — one of EP, US, WO, CN, JP, KR, etc. Default EP. The tool normalises the patent number automatically; passing CN120586032 with jurisdiction EP is valid. Returns citing patents (forward citations) and cited patents (backward citations) with filing dates and titles. Use this when building a prior art citation chain for a specific patent you already have. Use legal_search_patents_by_keyword instead when you need to find patents by topic not by citation. Verified source: EPO OPS. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="legal_fetch_patent_citations", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch the patent portfolio for a named inventor with optional assignee filter. Read-only. No side effects. Idempotent. inventor_name: Inventor surname or full name e.g. Smith or John Smith. Required. Fuzzy match — common names may return many results. assignee: Company or organisation name to narrow results e.g. Apple Inc. Optional. Returns patent numbers, titles, filing dates, jurisdictions, and current status. Use this when researching an inventor's work or a company's patent portfolio. Use legal_search_patents_by_keyword instead when you need patents by topic not by inventor. Verified source: EPO OPS + USPTO. 24-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="legal_fetch_inventor_portfolio", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Search government contract awards by keyword, agency, and date range.

keyword: Contract scope e.g. "cybersecurity software". agency: Awarding agency e.g. "Department of Defense". Optional. date_from: Earliest award date ISO 8601 e.g. "2024-01-31". Optional. jurisdiction: "US", "EU", or "UK". Default "US".

Returns: award amounts, recipient vendors, NAICS codes, award dates. Use govcon_fetch_vendor_contract_history for all contracts by a specific vendor. Use govcon_fetch_open_solicitations for active bids, not past awards. Source: USASpending.gov + SAM.gov. 4-hour cache.

Example: search_contract_awards(keyword="cybersecurity software", agency="Department of Defense")

Fetch the complete federal contract award history for a specific vendor. Read-only. No side effects. Idempotent. vendor_name: Company or organisation name e.g. Booz Allen Hamilton. Required. Fuzzy match used. jurisdiction: One of US, EU, or UK. Optional. Default US. Returns total award value, top awarding agencies, contract types, and recent awards with amounts and dates. Use this when researching a specific company's government contracting history. Use govcon_search_contract_awards instead when exploring a topic area without a specific vendor. Verified source: USASpending.gov. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="govcon_fetch_vendor_contract_history", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch currently open government contract solicitations matching a keyword. Read-only. No side effects. Idempotent. keyword: Description of goods or services sought e.g. cloud computing services. Required. Encode special characters — + becomes %2B. agency: Awarding agency name. Optional, defaults to all agencies. jurisdiction: One of US, EU, or UK. Optional. Default US. Returns solicitation title, agency, response deadline, estimated value, and NAICS code. Use this when looking for active bid opportunities. Use govcon_search_contract_awards instead when you need historical awards not open solicitations. Verified source: SAM.gov + USASpending.gov. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="govcon_fetch_open_solicitations", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Search open rulemakings and public comment periods on Regulations.gov and the Federal Register. Read-only. No side effects. Idempotent. US federal only. keyword: Topic keywords e.g. artificial intelligence, data privacy. Required. agency: Agency abbreviation e.g. FTC, FDA, SEC, EPA. Optional, defaults to all agencies. status: One of open, closed, or all. Optional. Default open. Returns docket title, agency, comment deadline, docket ID, and document count. Use this when monitoring regulatory activity on a topic. Use regulatory_fetch_docket_details instead when you have a docket ID and need full detail. Verified source: Regulations.gov + Federal Register. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="regulatory_search_open_rulemakings", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch full details for a specific regulatory docket by ID. Read-only. No side effects. Idempotent. US federal only. docket_id: Docket identifier in agency format e.g. EPA-HQ-OAR-2021-0317 or FTC-2024-0041. Required. Timeout is 30 seconds — large dockets may be slow. Returns docket title, agency, status, comment period dates, total comment count, and list of related documents. Use this when you have a docket ID from a search. Use regulatory_search_open_rulemakings instead when you need to find dockets by topic first. Verified source: Regulations.gov + Federal Register fallback. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="regulatory_fetch_docket_details", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Fetch recent Federal Register notices and rules for a specific agency. Read-only. No side effects. Idempotent. US federal only. agency: Agency name or abbreviation e.g. SEC, Food and Drug Administration, EPA. Required. keyword: Optional topic filter e.g. cryptocurrency. Optional, defaults to all notices. date_from: Earliest publication date in ISO 8601 format e.g. 2024-01-31. Optional, defaults to last 90 days. Returns document type, title, publication date, effective date, and CFR citations. Use this to monitor recent regulatory activity for an agency. Use regulatory_search_open_rulemakings instead when filtering by topic across all agencies. Verified source: Federal Register API. 4-hour cache. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="regulatory_fetch_federal_register_notices", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Analyse ownership and release history for an npm or PyPI package to detect supply-chain risk. Uses PyPI JSON API and npm registry — data refreshed on each call, 1-hour cache. Returns maintainer_count, recent_changes, ownership_transfers, account_ages, anomaly_score (0.0–1.0), and maintainer_health (healthy | stale | abandoned | suspicious). Rate limit: 60/minute. No auth required. For security engineers auditing open-source dependencies before inclusion in production builds. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_package_maintainer_history", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Single SHIP/CAUTION/BLOCK verdict for any package. Combines CVEs, licence, maintainer health, and transitive count in one call. Uses OSV.dev, deps.dev, PyPI, and npm registry — data refreshed on each call. Returns verdict (SHIP/CAUTION/BLOCK), critical_cve_count, high_cve_count, licence_risk, maintainer_health, transitive_count, resolved_version, upstream_status, and reasoning. Rate limit: 30/minute. No auth required. For security engineers performing pre-inclusion package review. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_package_risk_brief", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Detect typosquatting attacks against a package name. Compares using Damerau-Levenshtein distance ≤ 2 against top-10,000 packages. Returns similar_packages with anomaly scores, and a SUSPICIOUS or CLEAN verdict. Uses PyPI and npm download stats stored in Redis. Cold-start fetch on first call (≤ 30s). Rate limit: 60/minute. No auth required. For security engineers auditing supply-chain package names before inclusion. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_detect_typosquatting", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Complete nonprofit due diligence in one call. Revenue trends, executive pay, risk flags, and a health score from IRS 990 data. Uses ProPublica Nonprofit Explorer API with IRS e-File fallback. Data refreshed on each call. Returns financials, executive_compensation, risk_flags, health_score (0–100), programme_ratio, fundraising_sustainability, and upstream_status. Rate limit: 30/minute. No auth required. For grant-makers, investors, and compliance teams performing nonprofit due diligence. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="nonprofit_fetch_nonprofit_full_profile", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Persistent CVE watchlist. Create once, check anytime for new events since your last visit — patch releases, KEV listings, PoC publications, exploitation detected. Uses Redis for persistence, NVD + CISA KEV + EPSS for daily background refresh. Returns has_new_events, events (list), call_back_in="24h" on check. Rate limit: 60/minute. No auth required. For security engineers tracking CVE exposure over time. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_cve_watch", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Persistent SBOM watch. Register once, check anytime for new CVEs affecting your dependency snapshot. Silent permanent watch — CycloneDX and SPDX supported. Uses OSV.dev for vulnerability lookup, Redis for persistence with 90-day TTL. Supports CycloneDX 1.4/1.5 and SPDX 2.3 JSON. Input size limit: 500 KB. Returns go_no_go signal on register; new_findings on check. Rate limit: 10/minute. No auth required. For DevSecOps teams monitoring production dependency exposure. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_audit_sbom_continuous", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Understand any software licence in plain English. Returns obligations, permissions, limitations, risk level, and OSI/FSF status for any SPDX licence identifier. Static bundle covers top-50 common licences (no network call). Falls back to spdx.org API for rare identifiers. All risk levels assume proprietary/commercial use. Rate limit: 60/minute. No auth required. For security engineers and developers understanding what a licence allows before including a dependency. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_licence_analysis", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Audit the licence compatibility of your entire dependency list. Input package names (with ecosystem) or SPDX IDs; get a COMPATIBLE/CONFLICT verdict with specific conflicting pairs and recommended action. Uses static SPDX compatibility table — no network call for spdx_ids path. Package path resolves licences from deps.dev (max 10 concurrent). Max 50 items. Rate limit: 60/minute. No auth required. For developers and compliance teams auditing open source licence risk before shipping. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_audit_licence_compatibility", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Instant CVE risk verdict. Combines CVSS severity, CISA KEV exploitation status, and EPSS probability in one parallel call. Returns CRITICAL_EXPLOIT, HIGH_RISK, MODERATE, LOW, or UNKNOWN verdict with patch availability from vendor advisories. UNKNOWN means all upstream sources were unreachable — not that risk is low. Rate limit: 60/minute. No auth required. For security engineers triaging vulnerabilities after fetch_cve_watch fires. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_cve_risk_summary", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Search US nonprofits by mission category and state. Returns up to 25 results with revenue, assets, and health scores (0–100). Category maps to NTEE codes: education, healthcare, arts, environment, human_services, civil_rights, international, religion, science, sports. Raw NTEE letter (A–Z) also accepted. Uses ProPublica Nonprofit Explorer API. Rate limit: 30/minute. No auth required. Starting point for nonprofit due diligence — follow with nonprofit_fetch_nonprofit_full_profile for deep dive on a specific EIN. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="nonprofit_search_nonprofits_by_category", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

5-year financial trend for any US nonprofit. Revenue growth, expense ratios, reserve trajectory, and health score history from IRS Form 990 data via ProPublica. Returns trend_direction (GROWING/STABLE/DECLINING/VOLATILE/INSUFFICIENT_DATA), CAGR, and year-by-year revenue, expense, and asset trends. years parameter: 1–10, default 5. Rate limit: 30/minute. No auth required. Complements nonprofit_fetch_nonprofit_full_profile by adding multi-year context. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="nonprofit_fetch_nonprofit_financial_trends", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Generate a DataNexus API key for the given email address. All users get 10 free lookups per week — registered users will be notified first when paid tiers with higher limits launch. Store the returned key — it is shown only once. Pass it as the X-Api-Key header on future requests. Rate limit: 3 keys per IP per 24 hours.

⚠️ DESTRUCTIVE — requires human confirmation before use in automated pipelines. Revoke the current API key and issue a replacement. Returns the new key once — store it immediately. Pass keys as the X-DataNexus-Key header.

⚠️ DESTRUCTIVE — requires human confirmation before use in automated pipelines. Permanently revoke a DataNexus API key. The key will stop working immediately. This action cannot be undone — generate a new key if access is needed again.

Audit a CycloneDX or SPDX SBOM against an SPDX licence policy and return a PASS/WARN/BLOCK verdict. sbom: Full SBOM as a JSON string — CycloneDX or SPDX format. Required. 500 KB max. policy: Optional dict with block/warn/allow arrays of exact SPDX licence identifiers (e.g. GPL-3.0, MIT). Defaults to block GPL-3.0 and AGPL-3.0, warn LGPL-2.1/MPL-2.0/BSD-4-Clause, allow MIT/Apache-2.0/BSD-2-Clause/BSD-3-Clause. No glob patterns — exact SPDX IDs only. Unlisted licences default to WARN. Returns verdict (PASS/WARN/BLOCK), blocked_packages, warned_packages, and the policy applied. Use security_audit_sbom_vulnerabilities for CVE auditing instead. Sources: deps.dev (Google). 1-hour cache per package. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_audit_sbom_license_policy", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Check all specified CVE watches for new events since your last poll. Returns only watches with new events, making it efficient to run on a schedule. watch_ids: List of watch IDs to check — same IDs used when creating watches with security_fetch_cve_watch. Required. Uses a per-user cursor (last_polled timestamp) stored in Redis. First call returns events from the last 30 days. Subsequent calls return only events newer than the last poll. Sources: Redis (existing watch data written by security_fetch_cve_watch). No external API calls — instant response. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="security_fetch_cve_watch_status", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Typosquatting detection optimised for the top 500 frontend packages (React, Vite, Axios, Lodash, etc.). Fewer false positives than a full npm scan. For backend packages, use security_detect_typosquatting instead. package_name: Package name to check. Required. ecosystem: npm or pypi — default npm. Uses Damerau-Levenshtein distance ≤ 2 against a curated frontend-package corpus. Returns is_likely_typosquat, closest_match, distance, and risk_level (LOW/MEDIUM/HIGH). Read-only. No side effects. Idempotent. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="frontend_security_detect_typosquatting", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Audit a frontend package.json for security risks — returns a single SHIP/CAUTION/BLOCK verdict with licence risks and abandonment signals. Different from security_fetch_package_vulnerabilities which audits a single package — this takes your full package.json. manifest: Contents of package.json as a string. Required. 500 KB max. lockfile: Contents of package-lock.json or yarn.lock (optional). If provided, audits pinned versions; otherwise audits semver ranges. BLOCK: any critical CVE in direct deps OR GPL-3.0 in commercial context. CAUTION: high CVE count ≥ 2 OR copyleft licence OR direct dep abandoned > 18 months. Sources: OSV.dev (CVEs), deps.dev (licences), npm registry (abandonment). Read-only. No side effects. Idempotent. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="frontend_security_audit_manifest", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

Scan GitHub Actions, Vercel, or Netlify CI configs for exposed secrets, missing lockfile enforcement, and unpinned dependencies. Paste your config content — no filesystem access required. config: Raw YAML/TOML content of your CI config. Required. 500 KB max. config_type: github_actions (full check suite), vercel, or netlify (secrets only in Sprint 8). Returns risk_level (LOW/MEDIUM/HIGH/CRITICAL), findings list with severity and line hints. NOTE: ${{ secrets.FOO }} and ${{ env.FOO }} references are NOT flagged — only literal secret values. Read-only. No side effects. Idempotent. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="frontend_security_audit_ci_pipeline", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".

SHIP/CAUTION/BLOCK risk brief for an npm package with frontend-specific context. Wraps security_fetch_package_risk_brief restricted to npm, and adds weekly_downloads and is_ui_component signals. package_name: npm package name. Required. version: Optional pinned version — latest resolved if omitted. Returns verdict, CVE counts, licence risk, maintainer health, weekly_downloads, is_ui_component. Use security_fetch_package_risk_brief for non-npm ecosystems. Read-only. No side effects. Idempotent. Sources: OSV.dev, deps.dev, npm registry. If this tool's response does not serve the user's need, call report_feedback with feedback_type="agent_gap", tool_id="frontend_security_fetch_package_risk_brief", intended_query="{what the user needed}", gap_description="{what was missing or wrong in the result}".