List all InfraDB repositories.

Get details for an InfraDB repository.

List branches in a repository.

Get branch details including head commit and graph stats.

Get the full materialized graph (nodes + edges) for a branch.

List attack paths stored on a branch in InfraDB (pre-triage, raw JEPA output).

Create a new branch in a repository.

Args: repo_id: Repository ID. name: Branch name. source_branch_id: Branch to fork from. If empty, forks from the repo's default branch.

List commits on a branch (newest first).

Diff two commits — shows added/removed/modified nodes and edges.

Search nodes in a repository by text query.

Get InfraDB stats (repo count, total nodes/edges, storage).

Trigger a manual infrastructure mapping scan.

Args: description: What to scan and why. credentials_profile: Credential profile to use (default: "default"). cloud_accounts: JSON array of {"provider", "account_id", "regions"} objects. repositories: JSON array of repo URL strings. domains: JSON array of domain strings.

List recent trigger events (scans, webhooks).

Get trigger service stats (active runs, rate limiting, failures).

List all scan schedules (cron-based recurring mapping runs).

Manually trigger a scan schedule to run now.

Get details of a specific trigger event.

Get status and details of a mapping run.

List recent mapping runs with status, trigger type, and graph stats.

Create a mapping run directly on the mapper, bypassing map-trigger.

Use this instead of trigger_scan when you need full control over scope or when map-trigger is returning errors.

Args: description: What to map and why. repositories: JSON array of repository URL strings. cloud_accounts: JSON array of {"provider", "account_id", "regions"} objects. kubernetes_clusters: JSON array of kubeconfig context strings. domains: JSON array of domain strings to probe. web_endpoints: JSON array of web endpoint URLs to probe. cidrs: JSON array of CIDR strings to probe. exclude_patterns: JSON array of glob patterns to exclude. credentials_profile: Credential broker profile (default: "default"). model: LLM model for mapping agents (default: "claude-sonnet-4-6"). dry_run: If true, validate the request without executing.

List agents spawned by a mapping run (planner, modality agents, etc.).

Cancel a running mapping run.

Trigger a JEPA inference run on a branch to discover attack paths.

List recent JEPA inference runs.

Get status and results of an inference run.

Ingest a security detection from an external tool (scanner, SIEM, etc.).

Args: source: Detection source (e.g. "vulnerability_scanner", "config_audit"). severity: One of "critical", "high", "medium", "low", "info". affected_resource_type: Resource type (e.g. "ec2_instance", "pod"). affected_resource_id: Resource identifier. title: Detection title. cve: CVE identifier if applicable.

List all JEPA inference schedules.

Create a recurring JEPA inference schedule.

Args: name: Schedule name. cron: Cron expression (e.g. "0 2 * * *" for 2 AM daily). branch_labels: JSON array of branch label strings to target. Ignored if all_branches is true. all_branches: Run on all branches if true.

Delete a JEPA inference schedule.

List attack paths, optionally filtered by status or risk score.

Status values: new, acknowledged, validating, validated, escalated, ticketed, closed.

Get full details of an attack path including steps, MITRE mappings, and risk score.

Update an attack path's triage status.

Args: path_id: Attack path ID. status: Target status (acknowledged, closed, etc.). reason: Optional reason for the status change.

Dispatch an attack path for sandbox validation (Parser → Exploit → Grader).

Escalate a validated attack path to the ticketing system.

Get triage statistics (counts by status, severity, repository).

Register a triage webhook to receive notifications on attack path events.

Args: url: Webhook endpoint URL. events: JSON array of event types (e.g. '["new_path", "status_change", "validated"]'). template: Optional Jinja2 template for the POST body. Variables: path, event, timestamp. secret: Optional HMAC-SHA256 secret for request signing. headers: Optional JSON object of extra headers to send.

List all registered triage webhooks.

Delete a triage webhook.

Get the status of a validation run (step counts, progress).

List remediation tickets.

Get remediation ticket details.

Get aggregate ticket statistics (counts by status, provider, and outcome).

Create a remediation ticket for an attack path and start two-step remediation.

Creates the upstream ticket on the active provider immediately (~seconds), then runs the LLM+JEPA remediation loop in the background and updates the ticket. Poll get_ticket_steps for per-iteration progress. Provider-agnostic: the ticket lands on whichever provider is currently active (see get_ticket_provider).

Args: path_id: Attack path ID (from triage / validation tools). repository_id: InfraDB repository ID the path belongs to. branch_id: InfraDB branch ID. entry_node: Path entry node ID. target_node: Path target node ID. steps: JSON array of path-step objects (source_node/target_node/...). step_count: Number of steps in the path. risk_score: Path risk score (0.0-1.0). mitre_techniques: JSON array of MITRE ATT&CK technique IDs. difficulty: Path difficulty ("low"/"medium"/"high"). source: Optional origin tag for the ticket. validation_verdict: Optional JSON object with the validation verdict.

Get per-iteration remediation steps/progress for a ticket.

Update a ticket's status.

Args: ticket_id: Ticket ID. status: New status. One of: pending, analyzing, remediating, verifying, creating_ticket, created, failed.

Force a one-off sync of a ticket's status from its upstream provider.

Re-run remediation from a failed ticket.

Get the active ticketing provider and all configured providers with verification state.

Register or update a ticketing provider configuration.

One tool configures any supported provider (jira, linear, github, servicenow, pagerduty, airtable, asana, custom) — the REST surface is provider-agnostic. Secrets must be written out-of-band via the credential broker; pass secret_keys to point at which Secret key holds each credential. Do NOT pass raw secret values.

Args: provider: Provider name (jira, linear, github, servicenow, pagerduty, airtable, asana, custom). config: JSON object with provider-specific non-secret config (base_url, project, etc.). secret_keys: Optional JSON object mapping credential roles to Secret keys. set_active: Make this the active provider after configuring (default true).

Test a ticketing provider's auth without making it active.

Args: provider: Provider name to test. Leave empty to test the currently-configured provider. config: Optional JSON object with config overrides to test.

Switch the active ticketing provider to an already-configured provider.

Remove a configured ticketing provider.

List the variables a ticket template can reference (Jinja2 cheatsheet).

Returns every {{ variable }} available to a TicketTemplate — dotted path, type, and description — plus the template schema_version. Fetch this before authoring or previewing a template with preview_ticket_template.

Dry-render a ticket template against synthetic content — no state touched.

Shows what a TicketTemplate will produce before it's saved on a provider. Returns rendered_title / rendered_description, plus fell_back + warning when a template fails to render (the hard-coded body is used instead), and a provider transform_hint (e.g. Jira flattens markdown into ADF). Does NOT modify the saved template on the active provider.

Args: template: JSON object for the TicketTemplate. Common fields: description_template, title_template (Jinja2 source strings); optional per-stage overrides description_template_{initial,final,failure} and title_template_{initial,final,failure}; field_defaults (dict of scalar custom-field defaults). enabled is forced on for the preview render. stage: Lifecycle slice to render — "initial" (creation), "final" (resolution), or "failure". Defaults to "final". provider: Optional provider name; when set, the response includes a transform hint for how that provider will mutate the rendered body.

List all configured data source connectors.

Create a data source connector for automated artifact ingestion.

Args: name: Connector display name. connector_type: Type (use list_connector_types to see available). E.g. "aws_guardduty", "aws_inspector", "qualys", "tenable". connection_config: JSON object with type-specific connection params (credentials, regions, etc.). poll_config: Optional JSON object with polling settings (interval_minutes, enabled, etc.). mapping_config: Optional JSON object with field mapping overrides.

Get connector details including status and last poll time.

Update a connector's configuration.

Args: connector_id: Connector ID. connection_config: JSON object with updated connection params (merged, not replaced). poll_config: JSON object with updated polling settings. enabled: Set to "true" or "false" to enable/disable. Leave empty to keep current.

Delete a data source connector.

Trigger an immediate poll on a connector (fetch latest data from the source).

List available connector types and their required configuration fields.

Get ingestion stats (total artifacts, connector health, last poll times).

Test a connector's connection without persisting artifacts. Returns record count or error details.

Get health summary across all connectors, sorted unhealthy-first. Shows circuit breaker state and consecutive failures.

Send a synthetic test event to a webhook and return the delivery result with per-attempt status codes.

Get recent delivery history for a webhook.

Args: webhook_id: Webhook ID. limit: Max records to return (default 20). status: Filter by "success" or "failed". Leave empty for all.

Validate a Jinja2 webhook template against a synthetic event. Returns rendered output or parse error.

Args: template: Jinja2 template string. sample_event_type: Event type for the sample data (default "new_path").

Load an InfraDB branch graph into the oracle session. Must be called before any graph exploration or threat-model matching.

For large graphs (1000+ nodes), encoding takes 2-5 minutes. This tool returns immediately once encoding has started. Use oracle_graph_info() to check when loading is complete.

Check whether the graph has finished loading after oracle_load_branch returned 'encoding_started'.

Get node/edge counts, type distribution, and available edge types for the loaded graph.

Browse nodes in the loaded graph, optionally filtered by type.

Look up a node by description. Finds the best semantic match with full details.

Search nodes by text similarity using MiniLM embeddings.

Add a node to the threat model.

Add an edge to the threat model.

View the current threat model (nodes and edges).

Clear the current threat model.

Match the threat model against the real infrastructure graph. Returns a Mermaid diagram with node matches (cosine scores), BFS paths (energy scores), and implicit edges.

Iterative energy-scored refinement of the threat model match. Returns Mermaid diagrams per iteration showing entry candidates, path transitions, and convergence.

Submit a discovered attack path as a chain of node descriptions (separated by ' -> '). The path is energy-scored and forwarded to triage.

Args: nodes: Node descriptions separated by ' -> '. Example: "public API gateway -> auth service -> database credentials -> production DB" description: Optional description of the attack path.

Submit attack paths from the current threat model's matched nodes. Requires tm_match or tm_match_refine to have been run first.

List available threat model templates. Categories: identity, network, data, supply_chain, cloud_services.

Load a threat model template by name. Replaces the current threat model.

Save the current threat model as a reusable template.

Args: name: Template name (kebab-case, e.g. 'refined-iam-escalation-aws-prod'). description: What this attack pattern does. category: One of: identity, network, data, supply_chain, cloud_services. source_template: Name of the seed template this was refined from, if any.

Destroy the current oracle session and start fresh on the next tool call.