"A framework for web penetration testing" matching MCP tools:

• inspect_security_headers

  Ground Truth - First Tool Call

  Fetch a public URL and inspect security-relevant response headers before you claim that a product or endpoint has a strong browser-facing security baseline. Use this for quick due diligence on public apps and docs sites. It checks for common headers such as HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and X-Content-Type-Options. It does not replace a real security review, authenticated testing, or vulnerability scanning.

  Connector

• get_saved_visual_idea_preset

  Heista

  Get one saved visual ideas preset by id, including its full body payload (framework, agent config, etc.). Call the matching list tool first to discover ids. Free, read-only.

  Connector

• run_and_report

  Keploy

  Run test suites and return results with failures and coverage. !! DO NOT USE for local-app "tests for my changes" flows !! This tool sends the run to the SaaS backend which REJECTS private/localhost URLs ("IPv6 address is private / reserved"). It only works when base_url points at a PUBLIC, non-loopback address (a staging/prod deployment). For local-app testing, use record_sandbox_test / replay_sandbox_test instead — they drive the keploy local agent which happily records against http://localhost.

  Connector

• lyra_drain_invite_queue

  lyra-mcp-server

  Sends any of YOUR gatherings' queued invites to their recipients immediately, rather than waiting for the periodic background send. Useful right after you call lyra_send_invite if you want the email out the door without delay, or as a manual flush during testing. Only your gatherings' queued rows are processed — one user cannot drain another's queue. Returns a per-status summary { sent, blocked_by_allowlist, failed, skipped_unfinalised }. Requires API key authentication.

  Connector

• get_adoption_stage

  Stratalize Governance

  Public mode returns FS AI RMF framework reference data only — not org-specific scoring. Use when assessing an organization FS AI RMF governance maturity stage or preparing a regulatory AI roadmap presentation. Returns INITIAL, MINIMAL, EVOLVING, or EMBEDDED classification with stage criteria and remediation priorities. Example: EVOLVING stage organizations have documented AI policies but lack systematic model validation — typical gap to EMBEDDED is 18-24 months and 12-15 additional controls. Connect org MCP for org-specific scoring. Source: FS AI Risk Management Framework.

  Connector

• get_framework_docs

  main

  Retrieves authoritative documentation directly from the framework's official repository. ## When to Use **Called during i18n_checklist Steps 1-13.** The checklist tool coordinates when you need framework documentation. Each step will tell you if you need to fetch docs and which sections to read. If you're implementing i18n: Let the checklist guide you. Don't call this independently ## Why This Matters Your training data is a snapshot. Framework APIs evolve. The fetched documentation reflects the current state of the framework the user is actually running. Following official docs ensures you're working with the framework, not against it. ## How to Use **Two-Phase Workflow:** 1. **Discovery** - Call with action="index" to see available sections 2. **Reading** - Call with action="read" and section_id to get full content **Parameters:** - framework: Use the exact value from get_project_context output - version: Use "latest" unless you need version-specific docs - action: "index" or "read" - section_id: Required for action="read", format "fileIndex:headingIndex" (from index) **Example Flow:** ``` // See what's available get_framework_docs(framework="nextjs-app-router", action="index") // Read specific section get_framework_docs(framework="nextjs-app-router", action="read", section_id="0:2") ``` ## What You Get - **Index**: Table of contents with section IDs - **Read**: Full section with explanations and code examples Use these patterns directly in your implementation.

  Connector

• ateam_github_promote

  ateam-mcp

  SHIP DEV TO PROD. Merges the `dev` branch into `main` and auto-tags the new main HEAD as safe-YYYY-MM-DD-NNN. Use after testing your dev work, when you're ready to deploy changes to production. Workflow: 1) ateam_github_patch (writes to dev) → 2) ateam_github_promote (merges dev→main) → 3) ateam_build_and_run (deploys main). Pass dry_run:true to see what's about to ship without merging. On merge conflict the call returns 409 — resolve manually on GitHub (open a PR or use the web UI), then retry.

  Connector

• get_project_context

  main

  Captures the user's project architecture to inform i18n implementation strategy. ## When to Use **Called during i18n_checklist Step 1.** The checklist tool will tell you when to call this. If you're implementing i18n: 1. Call i18n_checklist(step_number=1, done=false) FIRST 2. The checklist will instruct you to call THIS tool 3. Then use the results for subsequent steps Do NOT call this before calling the checklist tool ## Why This Matters Frameworks handle i18n through completely different mechanisms. The same outcome (locale-aware routing) requires different code for Next.js vs TanStack Start vs React Router. Without accurate detection, you'll implement patterns that don't work. ## How to Use 1. Examine the user's project files (package.json, directories, config files) 2. Identify framework markers and version 3. Construct a detectionResults object matching the schema 4. Call this tool with your findings 5. Store the returned framework identifier for get_framework_docs calls The schema requires: - framework: Exact variant (nextjs-app-router, nextjs-pages-router, tanstack-start, react-router) - majorVersion: Specific version number (13-16 for Next.js, 1 for TanStack Start, 7 for React Router) - sourceDirectory, hasTypeScript, packageManager - Any detected locale configuration - Any detected i18n library (currently only react-intl supported) ## What You Get Returns the framework identifier needed for documentation fetching. The 'framework' field in the response is the exact string you'll use with get_framework_docs.

  Connector

• x711_code_sandbox

  x711 — Universal Agent Gas Station

  Execute JavaScript or Python code in an isolated sandbox. Use for: data processing, math, CSV parsing, JSON transformation, crypto calculations, algorithm testing. Secure — no filesystem access, no network. Returns: { output: string, runtime_ms: number, language: string }. Requires API key.

  Connector

• moxie.get_conventions

  Moxie Docs

  Get the coding conventions Moxie inferred for the repository. Read-only; no side effects. Returns a Markdown list grouped by category (e.g. testing, structure, docs, review); each convention has a title, summary, confidence score, agent guidance, and the source file paths that evidence it. Use this for the general rules to follow; when you already know the files you're about to edit, prefer moxie.get_doc_impact for conventions scoped to those paths.

  Connector

• pentest_lookup_technique

  pentest-mcp-server

  Look up a MITRE ATT&CK technique by ID or keyword for authorized penetration testing and security research. Returns the full technique record: name, associated tactics, description, detection opportunities (log sources, behavioral indicators), real-world procedure examples from public reporting, recommended mitigations, and related sub-techniques. The detection and mitigation sections make this equally useful for defenders building detection coverage. Accepts exact IDs (T1190, T1059.001) or keyword search (e.g., "sql injection", "pass the hash", "web shell upload").

  Connector

• generate_framework_analysis

  jeda-ai

  Runs a specific framework against a user's inputs and produces a full analysis: prose explanation + structured fields + a self-contained SVG visualisation. Powered by the Jeda.ai · Visual AI framework knowledge graph. ALWAYS call `recommend_framework` FIRST to obtain a valid framework_id -- it returns the exact namespaced slug to pass here. Framework ids are namespaced by category (e.g. SWOT = "cms_swot-analysis", Porter's 5 Forces = "cms_porters-five-forces"); a bare slug like "swot-analysis" will 404. REQUIRED post-processing on success: the response's first text block contains a `curl -fsSL` save-directive for the SVG. Save the file locally and surface it as a file chip — do NOT summarise the visual in prose. Input: framework_id (namespaced slug from `recommend_framework`) + user_inputs object (per-framework field set), OR a free-text `raw_prompt` fallback. Example: { "framework_id": "cms_swot-analysis", "user_inputs": { "subject": "Q3 EU market entry", "context": "B2B SaaS, $5M ARR, US-headquartered" } }

  Connector

• web__local_search

  dialogbrain

  Multi-source web research with citations. Returns a synthesized answer with numbered [^1] markers and a citations array of {url, title, snippet, index}. Use for evidence-backed synthesis (competitive analysis, regulatory summary, whitepaper section). For quick fact lookups use web.search instead.

  Connector

• aidefense_locate_concept

  website-search

  Reverse-lookup a single concept ID (MITRE ATLAS technique like 'AML.T0051', OWASP LLM Top 10 risk like 'LLM01', OWASP Agentic Top 10 issue like 'ASI03', or ISO 42001 Annex A clause like 'A.6') across the AI Defense Matrix. Returns which framework the concept belongs to, the asset rows whose alignment cites it, the cells whose evaluation cellPrompts cite it, and those prompts themselves. Useful when a vendor's product is defined by a specific technique ('we defend AML.T0051') and they need to find which matrix cells to claim. Recognizes only concepts with structured IDs; for prose-only frameworks (NIST IR 8596, CSA AICM, Google SAIF, OWASP AI Exchange) use aidefense_get_framework_alignment instead. This server never requests your program docs or product roadmap and instructs your AI to keep them local—the matrix, framework alignments, and playbooks flow to your AI for local analysis.

  Connector

• recommend_framework

  jeda-ai

  Recommends business / strategy / risk frameworks for a stated problem. Powered by the Jeda.ai · Visual AI framework knowledge graph (~2,100 frameworks across 19 categories, edge-curated). Use when the user describes a business problem ("customer churn rising", "evaluating market entry", "need to assess vendor risk") rather than naming a specific framework. Returns top-N frameworks ranked by fit, each with a concrete reason citing the specific problem signals matched. Input: just the problem statement is enough. Optional faceted filters (`persona`, `regulation`, `decision_stage`) narrow the candidate set. Set `limit` between 3 and 10 for picker UIs. Pair with `generate_framework_analysis` to actually run a recommended framework against the user's inputs. Example: { "problem_statement": "We need to decide whether to enter the EU SMB market in Q3", "decision_stage": "decide", "limit": 5 }

  Connector

• web__local_search

  DialogBrain

  Multi-source web research with citations. Returns a synthesized answer with numbered [^1] markers and a citations array of {url, title, snippet, index}. Use for evidence-backed synthesis (competitive analysis, regulatory summary, whitepaper section). For quick fact lookups use web.search instead.

  Connector

• get_domain_status

  SiteGuardian

  Returns the current security grade (A–F), last-scan timestamp, and list of active issues for a domain that is ALREADY under SiteGuardian monitoring by the authenticated account. Each issue carries a stable id, a severity, a short title, and an impact description. The response also includes a relative dashboard URL. Use this when the user asks about the current state of a specific monitored domain, wants to confirm a recent change landed, or needs issue ids to call get_fix_recommendations with a specific issue_id. Do NOT use this for domains not yet under monitoring — it will return a domain_not_monitored error; call scan_domain for one-off checks instead. Compliance framework tags (NIS2 / GDPR / DORA) are NOT included in v1; framework tagging on the monitored-domain path is tracked as a follow-up. Requires a valid API key.

  Connector

• prior_search

  Prior — Knowledge Exchange for AI Agents

  Search for solutions other agents already discovered. STOP and search before acting on any error — even mid-task. Do not chain fixes without searching each one. When: Any error, compile failure, stack trace, or unexpected output. Before config, integration, or setup tasks. When a fix attempt just failed — search before trying the next one. Unfamiliar library or framework combination. Do not skip because the fix seems obvious — obvious fixes are the most common and most likely to already be solved. How: Paste the exact error message, not your goal. Include framework or language name. Read failedApproaches first to skip dead ends. Feedback: Include previousSearchFeedback to rate a result from your last search — this refunds your search credit and costs nothing extra.

  Connector

• get_validation_framework

  Demand Discovery AI

  Returns the full three-step Demand Discovery validation framework: (1) Market Research, (2) Demand Discovery Report with the Demand Score and Build/Pivot/Kill verdict, (3) Agentic Launch (90-day continuous outreach). Use when a user asks "how do I validate an idea?", "what's the methodology?", or wants to understand the structured approach. Built on the "behavior over opinion" principle. Trigger phrases: "what's the framework", "demand discovery framework", "what's the methodology", "how does demand discovery work", "step by step validation", "what's the process", "how to structure validation", "validation framework", "validation methodology", "structured validation", "show me the framework", "explain the methodology".

  Connector

• aidefense_get_framework_alignment

  website-search

  Get AI Defense Matrix cross-mappings to nine external frameworks: NIST IR 8596, CSA AI Controls Matrix, ISO 42001, Google SAIF, SANS Critical AI Security Guidelines, MITRE ATLAS, OWASP AI Exchange, OWASP LLM Top 10, OWASP Agentic Security Top 10. Each row maps an AI asset class to how that framework applies. Each returned framework also carries a 'concepts' array of the structured IDs (MITRE ATLAS techniques, OWASP risks, ISO clauses) the matrix references for it. Supports a 'buyer' archetype shortcut to scope to the frameworks a particular buyer will care about. Use to translate between framework vocabularies. This server never requests your program docs or product roadmap and instructs your AI to keep them local—the matrix, framework alignments, and playbooks flow to your AI for local analysis.

  Connector