{"name":"Smpl Security MCP","version":"1.0.0","description":"Security findings and compliance status for your organisation.","tools":[{"name":"list_connectors","description":"List all integrations connected to this organisation — GitHub, Vercel, Supabase, Stripe, Salesforce, HubSpot, etc. Returns the connector type, account name, status, and when it was last scanned. Use connector_type values from this response to filter get_findings by a specific integration."},{"name":"get_findings","description":"List open security findings for the organisation. Returns title, severity, affected asset, rule ID, and first-seen date. Filter by severity and/or connector_type to focus on what matters most."},{"name":"get_finding_detail","description":"Get full details and fix instructions for a specific finding. Returns the finding plus a remediation playbook with copy-paste fix steps."},{"name":"get_compliance_status","description":"Get the organisation's SOC 2 readiness score and a breakdown by control category (Common Criteria, Availability, Confidentiality). Useful for understanding compliance gaps."},{"name":"update_finding_status","description":"Update the status of a finding. Use 'dismissed' for false positives, 'wont_fix' for accepted risk, 'resolved' when manually fixed, or 'open' to reopen."},{"name":"check_vercel_headers","description":"Diagnostic tool: inspect exactly which security headers are present for a Vercel project. Two modes: (1) Pass vercel_json_content and/or build_output_config_content if you have local filesystem access to the project — the tool parses them directly and returns which security headers are configured vs missing. (2) Omit both to have the tool attempt to fetch via Vercel API — if the file tree is unavailable (common for git-triggered deployments), the response includes a next_step telling you exactly which files to read and which params to pass on the next call. Always prefer mode (1) if you can read the project files."},{"name":"get_guidance_for_diff","description":"Get org-specific security guidance for a file being written or modified. Pass the file path and unified diff — returns open findings relevant to the resources being touched (Supabase tables, auth calls, env vars, Stripe objects, API routes), plus remediation steps. Call this before writing security-sensitive code to surface known issues in your org's posture."}]}