loading…
Spring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
автор: Community
0.00
Search for a command to run...
loading…
Enables AI assistants to query software supply chain compliance data, including asset status, security vulnerabilities, and evidence lineage. It allows for natu
Enables AI assistants to query software supply chain compliance data, including asset status, security vulnerabilities, and evidence lineage. It allows for natural language analysis of compliance posture, policy violations, and deployment blockers across an organization.
AI-powered compliance intelligence for your software supply chain. This Model Context Protocol (MCP) server enables AI assistants like Claude Desktop to query Fianu's compliance data in natural language.
| Tool | Description | Example Question |
|---|---|---|
get_asset_compliance_status |
Get compliance status for a specific asset with all passing/failing controls | "What is the compliance status of my-repo?" |
list_controls |
List all compliance controls with filtering by severity or framework | "What controls do we have?" |
get_compliance_summary |
Executive-level organization-wide compliance overview with risk categorization | "How healthy is my compliance posture right now?" |
get_attestation_details |
Get attestation details - supports org-wide (control only) or asset-specific queries | "Show me pass/fail status for cycode.secret.detection across all repos" |
get_deployment_attestations |
Show all attestations from a specific deployment record | "Show me attestations from the last deployment of my-app" |
get_pipeline_vulnerabilities |
Get security vulnerabilities from pipeline scans (SAST, SCA, secrets, container) | "What vulnerabilities were found in my-repo?" |
get_evidence_chain |
Trace evidence lineage from origin through occurrences to attestations | "Show me the evidence chain for the secret detection failure in my-repo" |
get_policy_violations |
Get failing controls as "policy violations" across the org or for a specific asset | "What are all the policy violations?" or "Which assets are failing secret detection?" |
get_compliance_trends |
Analyze compliance trends over time using smart sampling | "How has compliance changed over the last 30 days?" or "Is my compliance improving?" |
get_deployment_blockers |
Find what's blocking an application from deploying to a specific gate/environment | "What's blocking DBX from deploying to production?" or "Can my-app deploy to staging?" |
get_policy_exceptions |
List and analyze policy exceptions (waivers/exemptions from controls) | "What policy exceptions are active?" or "Which controls have exceptions?" |
resolve_external_artifact |
Resolve artifact URI from Artifactory/container registries to Fianu dashboard | "Take me to Fianu for sha256:abc123..." or "Find Fianu dashboard for this container image" |
analyze_control_failure |
Analyze OPA Rego policy for a control to understand what it checks and why it fails | "Why is cycode.secret.detection failing?" or "Show me the OPA Rego for dependabot.alerts" |
list_releases |
List upcoming (pending) or past (released) releases for an application | "What are the upcoming releases for DBX?" or "Show me the last 5 releases for Digital Banking Experience" |
6841d88809021dab1138d0451d92f94e)cd /Users/petezimmerman/Documents/dev/mcp-compliance-intelligence
npm install
The wrangler.toml file is already configured with:
npx wrangler kv:namespace create CACHE_KV
Copy the namespace ID and update wrangler.toml:
[[kv_namespaces]]
binding = "CACHE_KV"
id = "<paste-namespace-id-here>"
Set Auth0 credentials (get these from the fianu.io Auth0 application):
npx wrangler secret put AUTH0_CLIENT_ID
# Paste client ID when prompted
npx wrangler secret put AUTH0_CLIENT_SECRET
# Paste client secret when prompted
# Optional: Set audience if Consulta requires it
npx wrangler secret put AUTH0_AUDIENCE
# Enter: https://fianu.io/api
In the Auth0 dashboard for the fianu.io application, add these callback URLs:
https://noah-684.workers.dev/mcp-compliance-intelligence/callbackhttps://noah-684.workers.dev/mcp-compliance-intelligence/tokenhttp://localhost:8788/callback (for local testing)http://localhost:8788/token (for local testing)The Fianu Compliance Intelligence MCP server works with both Claude Desktop and Cursor IDE using the same configuration. The server uses OAuth 2.0 for authentication, so no manual token setup is required.
Production: https://mcp.fianu.io/sse
Staging: https://mcp-compliance-intelligence-staging.noah-684.workers.dev/sse
Add this to your Claude Desktop configuration file:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"fianu-compliance": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://mcp-compliance-intelligence-staging.noah-684.workers.dev/sse"
]
}
}
}
After adding the configuration:
/register/token/sse with Authorization: Bearer <token>Cursor uses the same JSON configuration file format as Claude Desktop. Add this to your Cursor MCP configuration file:
macOS/Linux: ~/.cursor/mcp.json
Windows: %APPDATA%\Cursor\mcp.json
{
"mcpServers": {
"fianu-compliance": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://mcp-compliance-intelligence-staging.noah-684.workers.dev/sse"
]
}
}
}
After adding the configuration:
/register/token/sse with Authorization: Bearer <token>Alternative: UI Configuration
You can also configure via Cursor's UI:
Cmd/Ctrl + ,) > Features > MCP+ Add New MCP ServerFianu Compliance Intelligencestdionpx-y, mcp-remote, https://mcp-compliance-intelligence-staging.noah-684.workers.dev/sseOnce connected, these tools are available in both Claude Desktop and Cursor:
get_asset_compliance_statusGet compliance status for a specific asset. Returns compliance score, all controls (passing/failing/missing), and actionable recommendations.
assetIdentifier (required), assetType, branchlist_controlsList all compliance controls configured in the organization. Use this to discover available control paths.
severity, frameworkget_compliance_summaryExecutive-level organization-wide compliance overview for CISO reporting.
frameworkFilter, includeAssetsget_attestation_detailsTwo modes of operation:
controlPath, assetIdentifier, attestationUuid, branch, commitget_deployment_attestationsShow all attestations from a specific deployment record (not policy compliance).
assetIdentifier (required), deploymentId, environmentget_pipeline_vulnerabilitiesGet all vulnerabilities from security scans (SAST, SCA, secrets, container) for a repository.
assetIdentifier (required), branch, commit, severity, showIntroducedshowIntroduced=true to see only NEW vulnerabilities compared to the previous commitget_evidence_chainTrace the evidence chain (lineage) for a note, attestation, or commit. Shows how evidence flows from origin (trigger) through occurrences (data collection) to attestations (control evaluations).
Three modes of operation:
noteUuid to trace a specific noteassetIdentifier + commit for a specific commitassetIdentifier - auto-resolves to latest commit on default branchParameters:
noteUuid - UUID of a specific note (attestation, occurrence, or transaction)assetIdentifier - Asset/repo name (e.g., "fianu-fullstack-demo")commit - Specific commit SHA (full or short)branch - Branch name (defaults to default branch)controlPath - Filter for specific control (e.g., "secret.detection")direction - upstream (ancestors), downstream (children), or full (both)maxDepth - Maximum traversal depth (default: 10)Example questions:
get_policy_violationsGet policy violations (failing controls) across the organization or for a specific asset. This tool surfaces failing attestations as "policy violations" - a first-class concept for compliance monitoring.
Parameters:
assetIdentifier - Optional - filter to a specific asset (name or UUID)controlPath - Optional - filter to a specific control (e.g., "cycode.secret.detection")severity - Optional - filter by severity level (critical, high, medium, low)since - Optional - only show violations since this date (ISO 8601 format)limit - Optional - maximum violations to return (default 100, max 500)Returns: Violation count, risk level, violations grouped by control, and actionable recommendations.
Example questions:
get_compliance_trendsAnalyze compliance trends over time using smart sampling. Shows how compliance has changed and which controls have improved or declined.
Parameters:
assetIdentifier - Optional - filter to a specific asset (name or UUID). Omit for org-wide trends.period - Time period to analyze: "7d" (7 days), "30d" (30 days, default), "90d" (90 days)Returns:
Example questions:
Note: Uses smart sampling to ensure fast responses. For exact point-in-time data, use get_policy_violations with a specific date.
get_deployment_blockersFind what's blocking an application from deploying to a specific environment/gate. This tool checks all assets in an application against gate requirements and reports which controls are failing.
Parameters:
applicationName - REQUIRED - Application name or code (e.g., "DBX", "Digital Banking Experience")targetEnvironment - Optional - Target gate/environment (default: "production"). Examples: "staging", "qa", "prod"Returns:
canDeploy boolean - true if all required controls passExample questions:
Note: This tool checks current compliance state. For historical deployment records, use get_deployment_attestations.
get_policy_exceptionsList and analyze policy exceptions (waivers/exemptions from controls). This tool surfaces what exceptions are active, which controls have exceptions, and when exceptions are expiring.
Parameters:
controlPath - Optional - Filter to exceptions for a specific control (e.g., "ci.dependabot.alerts")status - Optional - Filter by status: "active" (default), "inactive", or "all"expiringSoon - Optional - If true, only show exceptions expiring in the next 30 daysReturns:
Example questions:
IMPORTANT LIMITATIONS:
resolve_external_artifactResolve an artifact URI from Artifactory or container registries to find the corresponding Fianu asset and dashboard URL. Bridges external tools with Fianu for quick compliance lookups.
Parameters:
artifactUri - REQUIRED - The artifact URI to resolveSupported Formats:
sha256:abc123...ghcr.io/org/repo/image@sha256:abc123...docker.io/org/image:tagartifactory.example.com/docker-local/image:tagReturns:
Example questions:
Use Case: Copy a resource URI from Artifactory and immediately see its compliance status in Fianu without manual navigation.
OAuth not triggering?
Connection failed?
curl https://mcp-compliance-intelligence-staging.noah-684.workers.dev/healthnpx wrangler tail --env stagingAuthentication failed?
For more detailed troubleshooting, see CURSOR_SETUP.md or CLAUDE_DESKTOP_SETUP.md.
npm run dev
This starts the Worker on http://localhost:8788.
curl http://localhost:8788/health
Expected response:
{
"status": "healthy",
"service": "Fianu Compliance Intelligence MCP",
"version": "0.1.0",
"environment": "development"
}
# Get a JWT token from Auth0 (use Fianu dev environment)
TOKEN="your-auth0-jwt-token"
# Test authentication
curl -X POST http://localhost:8788/auth \\
-H "Content-Type: application/json" \\
-d "{\"token\": \"$TOKEN\"}"
When creating new MCP tools, follow these patterns:
MCP tool schemas must be plain JSON Schema objects, not Zod schemas. Zod schemas will not serialize correctly and will cause tool registration to fail with errors like:
Error listing tools: Invalid literal value, expected "object"
✅ CORRECT - Plain JSON Schema:
export const myToolSchema = {
type: 'object',
properties: {
requiredParam: {
type: 'string',
description: 'Description of the parameter',
},
optionalParam: {
type: 'string',
description: 'Optional parameter description',
},
},
required: ['requiredParam'],
};
❌ WRONG - Zod Schema (will break MCP):
// DO NOT USE ZOD FOR MCP SCHEMAS
import { z } from 'zod';
export const myToolSchema = z.object({
requiredParam: z.string().describe('...'),
optionalParam: z.string().optional().describe('...'),
});
Create tools in src/tools/ following this pattern:
// src/tools/my-new-tool.ts
import type { Env, SessionState, ToolHandler } from '../types';
import { ConsultaClient } from '../api/consulta-client';
// Schema MUST be plain JSON Schema object
export const myNewToolSchema = {
type: 'object',
properties: {
// ... properties
},
required: ['requiredParam'],
};
export const myNewToolHandler: ToolHandler = async (
args: Record<string, unknown>,
env: Env,
session: SessionState
): Promise<any> => {
const client = new ConsultaClient(env, session);
// Extract args (no Zod parsing)
const requiredParam = args.requiredParam as string;
const optionalParam = args.optionalParam as string | undefined;
// ... tool logic ...
// Return MCP content format
return {
content: [{
type: 'text' as const,
text: JSON.stringify(result, null, 2),
}],
};
};
Import and register in src/compliance-mcp.ts:
import { myNewToolHandler, myNewToolSchema } from './tools/my-new-tool';
// In registerTools():
this.toolHandlers.set('my_new_tool', {
name: 'my_new_tool',
description: `Tool description for the LLM...`,
inputSchema: myNewToolSchema,
handler: async (params) => myNewToolHandler(params, this.env, this.state),
});
npm run deploy
# or: npx wrangler deploy --env production
npm run deploy:staging
# or: npx wrangler deploy --env staging
The MCP server now exposes standard OAuth 2.0 (client_credentials grant) endpoints so tools like mcp-remote and Claude Desktop can obtain tokens automatically.
| Endpoint | Description |
|---|---|
/.well-known/oauth-authorization-server |
Discovery document |
/register |
Dynamic client registration (returns short-lived client credentials) |
/token |
Exchanges the ephemeral credentials for an Auth0 access token |
/sse |
MCP SSE endpoint (requires Authorization: Bearer <token>) |
All OAuth endpoints are fronted by the Worker. /token proxies the request to Auth0 using the first-party client configured via AUTH0_CLIENT_ID / AUTH0_CLIENT_SECRET, so secrets are never exposed to users.
# 1. Register a temporary client (valid for 24h)
REG=$(curl -s -X POST https://mcp-compliance-intelligence-staging.noah-684.workers.dev/register)
CLIENT_ID=$(echo "$REG" | jq -r .client_id)
CLIENT_SECRET=$(echo "$REG" | jq -r .client_secret)
# 2. Exchange for a token
TOKEN=$(curl -s -X POST https://mcp-compliance-intelligence-staging.noah-684.workers.dev/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET" | jq -r .access_token)
# 3. Call the SSE endpoint
curl https://mcp-compliance-intelligence-staging.noah-684.workers.dev/sse \
-H "Authorization: Bearer $TOKEN" \
-H "Accept: text/event-stream"
Claude Desktop automatically:
/register to get client credentials/token/sse with the returned bearer tokenNo manual setup is required beyond adding the MCP server URL in Claude Desktop.
npm test
npm run test:watch
npm run test:coverage
npx wrangler tail
All tool invocations and API calls are logged to Cloudflare Analytics Engine for usage analysis.
Datasets:
compliance_mcp_staging - Staging environmentcompliance_mcp - Production environmentAnalytics Engine uses fixed column names. Here's what each column contains:
| Column | Tool Invocations (mcp_tool_invocation) |
API Calls (consulta_api_call) |
|---|---|---|
blob1 |
Event type: 'mcp_tool_invocation' |
Event type: 'consulta_api_call' |
blob2 |
Tool name (e.g., analyze_control_failure) |
API endpoint (e.g., /console/controls) |
blob3 |
User ID | User ID |
blob4 |
Tenant ID | Tenant ID |
blob5 |
Request params JSON (truncated to 1KB) | Status (success/failure) |
blob6 |
Response JSON (truncated to 1KB) | Timestamp (ISO 8601) |
blob7 |
Status (success/failure) |
- |
blob8 |
Timestamp (ISO 8601) | - |
double1 |
Duration (ms) | Duration (ms) |
double2 |
Request size (bytes) | HTTP status code |
double3 |
Response size (bytes) | Response size (bytes) |
index1 |
Status (success/failure) |
Status (success/failure) |
-- Recent tool invocations with full details
SELECT
blob8 as timestamp,
blob2 as tool_name,
blob3 as user_id,
blob4 as tenant_id,
blob5 as request_params,
blob6 as response,
blob7 as status,
double1 as duration_ms,
double3 as response_size_bytes
FROM compliance_mcp_staging
WHERE blob1 = 'mcp_tool_invocation'
ORDER BY blob8 DESC
LIMIT 100;
-- Tool usage summary by user
SELECT
blob3 as user_id,
blob2 as tool_name,
COUNT(*) as call_count,
AVG(double1) as avg_duration_ms,
SUM(double3) as total_response_bytes
FROM compliance_mcp_staging
WHERE blob1 = 'mcp_tool_invocation'
GROUP BY blob3, blob2
ORDER BY call_count DESC;
-- Most popular tools
SELECT
blob2 as tool_name,
COUNT(*) as calls,
AVG(double1) as avg_duration_ms
FROM compliance_mcp_staging
WHERE blob1 = 'mcp_tool_invocation'
GROUP BY blob2
ORDER BY calls DESC;
-- API latency by endpoint
SELECT
blob2 as endpoint,
COUNT(*) as calls,
AVG(double1) as avg_ms,
MAX(double1) as max_ms,
AVG(double3) as avg_response_bytes
FROM compliance_mcp_staging
WHERE blob1 = 'consulta_api_call'
GROUP BY blob2
ORDER BY calls DESC;
-- Failed requests
SELECT
blob8 as timestamp,
blob2 as tool_name,
blob3 as user_id,
blob5 as request_params,
blob6 as error_response
FROM compliance_mcp_staging
WHERE blob1 = 'mcp_tool_invocation'
AND blob7 = 'failure'
ORDER BY blob8 DESC;
For real-time debugging and full request/response data (not truncated), use Workers Logs:
npx wrangler tail --env stagingLog entries are tagged for easy filtering:
[AUDIT] - Tool request/response with full JSON[API] - Consulta API call summary[SECURITY] - Security-relevant events (403 errors, etc.)mcp-compliance-intelligence/
├── src/
│ ├── index.ts # OAuth provider entry point
│ ├── compliance-mcp.ts # McpAgent (Durable Object) - registers all tools
│ ├── types.ts # TypeScript definitions
│ ├── api/
│ │ └── consulta-client.ts # Consulta API client with caching
│ ├── auth/
│ │ └── auth0-handler.ts # Auth0 JWT validation
│ └── tools/
│ ├── get-asset-compliance-status.ts # Asset compliance with controls
│ ├── list-controls.ts # Control discovery
│ ├── get-compliance-summary.ts # Executive compliance overview
│ ├── get-attestation-details.ts # Attestation details (org-wide & asset-specific)
│ ├── get-deployment-attestations.ts # Deployment-specific attestations
│ ├── get-pipeline-vulnerabilities.ts # Security scan vulnerabilities
│ ├── get-evidence-chain.ts # Evidence lineage tracing
│ ├── get-policy-violations.ts # Policy violations (failing controls)
│ ├── get-compliance-trends.ts # Compliance trends over time
│ ├── get-deployment-blockers.ts # Deployment blocking issues
│ ├── get-policy-exceptions.ts # Policy exceptions/waivers
│ └── resolve-external-artifact.ts # External artifact deep linking
├── test/ # Unit and integration tests
├── wrangler.toml # Cloudflare configuration
├── package.json
├── tsconfig.json
├── env.example # Environment variables template
└── README.md
| Variable | Description | Set Via |
|---|---|---|
CLOUDFLARE_ACCOUNT_ID |
Account ID | wrangler.toml |
CONSULTA_URL |
Fianu Consulta API URL | wrangler.toml |
AUTH0_DOMAIN |
Auth0 domain | wrangler.toml |
AUTH0_ISSUER |
Auth0 issuer URL | wrangler.toml |
AUTH0_CLIENT_ID |
OAuth client ID | wrangler secret |
AUTH0_CLIENT_SECRET |
OAuth client secret | wrangler secret |
AUTH0_AUDIENCE |
API audience (optional) | wrangler secret |
Every API request includes:
Authorization: Bearer <jwt> - Auth0 tokenX-Tenant-ID: <tenant_id> - Extracted from JWTConsulta API enforces Row-Level Security (RLS) at the database level.
All events logged to Analytics Engine and Workers Logs. See Analytics Engine section for:
npx wrangler secret listX-Tenant-ID header matches JWT's tenant claimread:compliance scopenpx wrangler deploy/eng-specs/compliance-intelligence-mcp/implementation-plan.mdProprietary - Fianu Labs © 2025
Добавь это в claude_desktop_config.json и перезапусти Claude Desktop.
{
"mcpServers": {
"fianu-compliance-intelligence-mcp-server": {
"command": "npx",
"args": []
}
}
}