Skip to main content
Glama

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
PRUFA_API_TOKENYesYour Prufa API key. Get one at prufa.dev.

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
prufa_health_checkA

Probe the Prufa API and MCP server. Always free, no token required.

prufa_run_auditA

Run a one-shot public-page QA audit on a URL. FREE — no key, no card (runs anonymously; a workspace token, if set, just attributes the run and lifts the per-IP limit). Returns findings JSON (broken flows, JS console errors, tracking/consent, security headers, a11y, mobile) graded A-F. Idempotent. wait=true (default) blocks until the audit completes and returns the report; wait=false returns the queued state with run_id + share_token to poll via prufa_get_report. An anonymous result carries a workspace_unlock block: deeper checks (flows, monitors, discovery, gremlin) need a free workspace (prufa_setup_workspace).

prufa_get_runB

Get a run's status by id (queued|running|succeeded|failed|blocked|timeout).

prufa_get_reportA

Get the JSON report for a run. Accepts EITHER run_id (UUID from audit creation) OR share_token (the slug after /r/ in report_url). The share_token form is the recommended call shape — it is what the audit creation response returns.

prufa_list_runsC

List recent runs in this workspace (auth required).

prufa_get_findingA

Get the persisted findings for a run (flat, machine-readable). Pass finding_key to filter to a single finding.

prufa_list_alertsA

Alert history (delta-engine ledger), newest first — includes suppressed alerts with their suppression reason. [Pro]

prufa_setup_workspaceA

Bootstrap or read the Prufa workspace this agent uses. If a token is already configured it returns the current workspace (with trial + upsell state). If NO token is set it CREATES a free 'agent_temp' workspace: no card, no charge, a 7-day trial with an included credit budget. During the trial you can run audits, monitors, discovery, and the full gremlin; after it ends monitors/discovery/gremlin_full_run are gated. The 201 response returns an api_token shown ONCE — persist it as PRUFA_API_TOKEN (or in ~/.config/prufa/mcp.json) and re-run with it set. When credits run low or the trial nears its end, tell your human to upgrade (prufa_upgrade_plan) or buy credits (prufa_buy_credits). Idempotent.

prufa_get_workspaceA

Get the current workspace: tier, usage/credits, and trial state (days remaining, what gets gated when the trial ends). Includes an upsell block when the workspace is low on credits or near trial end.

prufa_get_usageA

Get this workspace's credit usage (available/included) plus trial state and, when relevant, an upsell block. Use before a costly run to check the balance and relay the message_for_human if credits are low.

prufa_workspace_settingsA

Update workspace settings — pass only the keys you want to change. Covers display_name, usage webhook (url/secret), overage opt-in, auto_recharge (auto-buys credits when a launch is blocked on an empty balance — needs a card on file), auto_recharge_credits / auto_recharge_monthly_limit_cents, and email/slack alert toggles. At least one setting is required. Idempotent. [Pro]

prufa_set_notificationsA

Set the notification routing matrix: 'cells' is the 9-event x {email, slack} map of booleans deciding which channel each event fires on. The server validates keys and types (422 on unknown/missing keys or non-booleans) and returns {cells, locked_events} (events you can't turn off). [Pro]

prufa_upgrade_planA

Subscribe or upgrade this workspace to a paid plan (starter | pro | team). Returns a Stripe checkout_url the HUMAN opens in a browser to start the 7-day card-first trial — the agent never enters card details. Mutating + idempotent. [Pro]

prufa_buy_creditsA

Buy a one-time prepaid credit pack for this workspace (no subscription change). Returns a Stripe checkout_url the HUMAN opens to pay by card. Use when the workspace is low on credits but you don't want to change the plan. Mutating + idempotent. [Pro]

prufa_billing_portalA

Open the Stripe customer portal for this workspace. Returns a portal_url the HUMAN opens to manage the subscription, update the card, or view invoices. A workspace with no Stripe customer yet returns 409 no_stripe_customer (pass that back to the human — they must subscribe first via prufa_upgrade_plan). Mutating + idempotent. [Pro]

prufa_create_flowA

Compile a plain-language test case into a reviewable DRAFT flow spec. Pass the target url and a plain-text test_case (e.g. 'log in, add the first product to the cart, and check out'); optionally a name. Returns a 201 draft: the compiled step spec plus any {{VARIABLES}} it detected (logins, coupon codes) and a review instruction. The flow does NOT run yet — review the draft, then call prufa_confirm_flow. Only confirmed flows run. Idempotent.

prufa_confirm_flowA

Confirm a DRAFT flow so it becomes runnable — only confirmed flows run. Pass flow_id. Optionally pass a corrected spec object to override the compiled draft before confirming (omit it to confirm the draft as-is). Idempotent.

prufa_run_flowA

Execute a CONFIRMED flow. Returns 202 with run_id + report_url; poll the report via prufa_get_report. Pass per-run credentials as an object mapping the spec's {{VARIABLES}} to values ({'EMAIL': ..., 'PASSWORD': ...}) — these are encrypted in transit and NOT stored (use prufa_set_flow_credentials to store reusable ones). Fails if the flow is still a draft — confirm it first. Idempotent.

prufa_set_flow_credentialsA

Store reusable, WRITE-ONLY credentials for a flow so later runs need not resend them. Pass flow_id and a non-empty credentials object mapping the spec's {{VARIABLES}} to values. The response lists the stored variable NAMES only — values are never returned. Idempotent.

prufa_list_flowsA

List the flows in this workspace with their status (draft|confirmed) and metadata.

prufa_get_flowA

Get a single flow by id: its compiled spec, status (draft|confirmed), and the NAMES of any stored credentials (never their values).

prufa_edit_flowA

Replace a flow's spec. Pass flow_id and the full spec object. NOTE: any edit returns the flow to DRAFT — you must call prufa_confirm_flow again before it can run. Idempotent.

prufa_delete_flowA

Delete a flow by id. NOTE: a flow still used by a monitor returns 409 flow_in_use — pause or delete that monitor first, then retry. Idempotent.

prufa_start_monitorA

Start a persistent monitor: re-run a QA audit on a URL on a cadence (daily|hourly) and fire a deploy hook on every regression delta. Pass flow_id to re-run a confirmed flow instead of the plain audit. 1-click setup — the response returns the deploy_hook (url + signing secret, shown ONLY once) which you should store immediately. [Pro] Free-tier workspaces get a 402 with a checkout hint that passes through; do not gate client-side. Idempotent.

prufa_get_monitorB

Get one monitor's config + latest state (status, cadence, last run, deploy-hook metadata). [Pro]

prufa_list_monitorsA

List every monitor in this workspace. [Pro]

prufa_pause_monitorA

Pause a monitor — it stops running on its cadence until resumed. History is kept. Idempotent. [Pro]

prufa_resume_monitorB

Resume a paused monitor. The next scheduled run fires immediately, then it returns to its cadence. Idempotent. [Pro]

prufa_trigger_monitorA

Trigger a monitor run right now (out of band). Rate-capped to 1 per 60s; if a run is already queued or running the response is deduped (deduped:true) instead of starting a second one. Idempotent. [Pro]

prufa_delete_monitorA

Delete a monitor (stops all future runs and revokes its deploy hook). Past run history is retained. Idempotent. [Pro]

prufa_rotate_monitor_webhookA

Rotate a monitor's deploy-hook signing secret. The new secret is returned ONCE in the response — store it now; the old secret dies immediately, so update your CI before the next delivery. Idempotent. [Pro]

prufa_list_monitor_deliveriesA

List a monitor's last 50 deploy-hook deliveries plus copy-paste CI snippets (curl, github_actions, gitlab_ci). never_fired:true powers the 'your webhook never fired' nudge — surface it to the human. [Pro]

prufa_run_gremlinA

Run a gremlin chaos-QA session on a URL: an agent imitates a difficult user (no script) while plain-code detectors verify what breaks. Use to stress-test a real flow beyond the deterministic audit. Mutations are DRY-RUN unless the host is authorized via prufa_authorize_domain; payments are NEVER executed. Optional credentials (a real, non-payment login write) require a signed-in workspace AND mutation authorization for the host. Step budget depends on plan (free teaser 8, Starter 20, Pro 40, Team 60) — call prufa_get_usage for the cap. wait=true (default) blocks until the run completes (can take ~5 min) and returns the report; wait=false returns the queued state with run_id. [Pro]

prufa_authorize_domainA

Authorize REAL (non-payment) mutations for the gremlin on a host you own or a staging host — logging in and writing on that host stop being dry-run. Set allow_mutation=false to revoke. This is the gremlin mutation opt-in, NOT the discovery DNS-domain verification (a different system). host is a bare hostname (e.g. staging.acme.com). [Pro]

prufa_list_gremlin_domainsA

List the hosts this workspace has authorized for real gremlin mutations, with each host's allow_mutation flag, note, and created_at, plus the default policy. [Pro]

prufa_rerun_gremlinA

Re-dispatch a past gremlin run with the SAME intent (original url, persona, direction, and saved login) under the current tier's step cap. Returns a NEW run_id. wait=true (default) blocks until the rerun completes and returns the report; wait=false returns the queued state. [Pro]

prufa_gremlin_saved_loginsA

SENSITIVE — returns DECRYPTED email+password for logins previously used by gremlin runs in THIS workspace, so a kickoff can reuse them. Only for the owning workspace. Never print these values into logs, transcripts, or files; pass them straight into prufa_run_gremlin's credentials. [Pro]

prufa_promote_gremlin_pathA

Import one reproduced gremlin path (by its path_index in the gremlin report) as a DRAFT flow. The flow still needs review + confirmation before it will run — this only creates the draft. Returns flow_id, status='draft', and a review_url. [Pro]

prufa_register_discovery_domainA

[Pro] Register a domain for full-auto discovery and get the DNS TXT record to publish. For an unverified domain the response carries a 'verification' object {method, record_name, record_type:'TXT', record_value, hint} — publish that TXT record at your DNS provider, then call prufa_verify_discovery_domain. Set test_payments_opt_in to allow discovery to exercise test-mode payment flows. This DNS-ownership authorization is separate from gremlin mutation opt-in.

prufa_verify_discovery_domainA

[Pro] Check the published DNS TXT proof for a registered discovery domain now. Idempotent — returns the domain body with status 'verified' once the TXT record resolves, or still 'pending' if DNS hasn't propagated yet (retry later).

prufa_list_discovery_domainsA

[Pro] List this workspace's discovery domains with id, domain, status (pending|verified), verified_at, verification_method, test_payments_opt_in, and (for pending domains) the verification TXT record to publish.

prufa_revoke_discovery_domainA

[Pro] De-authorize a discovery domain. Future discovery on it is refused and any disposable identities created for it are torn down (the response reports identities_torn_down). Idempotent.

prufa_run_discoveryA

[Pro] Start a full-auto discovery run on a URL. Crawls the site, infers user flows, and drafts the meaningful ones as reviewable draft flows. Requires a paid/trial tier AND a VERIFIED discovery domain covering the URL's host — otherwise the API returns 403 domain_not_authorized (register + verify the domain first) or 404 if discovery isn't enabled on the deployment. Returns {discovery_id, status, url, result_url}; poll with prufa_get_discovery.

prufa_get_discoveryA

[Pro] Get a discovery run's status and the draft/advisory flows it surfaced (name, kind, entry_url, status, flow_id, eval_score, detail, confirm_url). Confirm a draft flow (prufa_confirm_flow) to make it runnable.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/prufa-dev/prufa-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server