Server Configuration
Describes the environment variables required to run the server.

| Name | Required | Description | Default |
|---|---|---|---|
| MCP_BASE_PATH | No | Single allowed root path for project scanning. | |
| MCP_BASE_PATHS | No | Comma-separated list of allowed root paths. Takes precedence over MCP_BASE_PATH. | |
| MCP_MAX_FILES | No | Maximum number of files to enumerate per scan. | 5000 |
| MCP_TIMEOUT_SECONDS | No | Logical timeout for audit operations. | 30 |
| MCP_MAX_FILE_SIZE_BYTES | No | Maximum file size (in bytes) to read per file. | 300000 |

Capabilities
Features and capabilities supported by this server.

| Capability | Details |
|---|---|
| tools | `{"listChanged": true}` |

Tools
Functions exposed to the LLM to take actions.

| Name | Description |
|---|---|
| project_info | Return metadata for a Laravel project: composer constraints, framework detection, PHP version. |
| dependency_audit | Audit Composer dependencies against the OSV.dev vulnerability advisory database. Parses composer.lock and reports CVEs with severity and fix versions. |
| config_audit | Audit risky Laravel environment and configuration settings: APP_DEBUG, APP_ENV, APP_KEY, SESSION_SECURE_COOKIE, and CORS wildcard origins. |
| code_scan | Run static pattern analysis across all PHP source files. Detects SQL injection, RCE risks (eval/shell_exec/exec/system), unsafe unserialize, hardcoded credentials, weak cryptography (MD5/SHA1), mass assignment, path traversal, and LFI risks. |
| blade_scan | Scan Laravel Blade templates in resources/views/ for XSS vulnerabilities. Detects unescaped output ({!! !!}), raw user input rendering, and unsafe PHP echo in templates. |
| route_audit | Audit Laravel route files (routes/web.php, routes/api.php) for security misconfigurations. Detects admin routes without auth middleware, API routes without authentication, login routes without throttle, and CSRF exception wildcards in VerifyCsrfToken. |
| attack_simulate | Run active HTTP security probes against a running Laravel application. Probes: error/debug disclosure, SQL injection on /login, reflected XSS, CSRF enforcement, auth bypass on /api/user, and brute-force rate limiting. WARNING: only use against local or staging environments — never production. |
| full_audit | Run all static audits in parallel: dependency CVE check (OSV.dev), environment config, PHP code scan, Blade XSS scan, and route/middleware audit. Returns a single consolidated report with per-section summaries. |

Prompts
Interactive templates invoked by user choice.

| Name | Description |
|---|---|
| No prompts | |

Resources
Contextual data attached and managed by the client.

| Name | Description |
|---|---|
| No resources | |