Documentation menu

DOCUMENTATION

Tools & scopes

All MCP tools require a valid OAuth 2.1 token with the appropriate scope. Scopes are requested at authorization time; the MCP edge rejects requests that carry insufficient permissions before they reach the API. Rails re-enforces authorization server-side — scope grants at the edge are never the sole enforcement point.

Scopes

ScopeGrants
mcp:read:postureRead access to frameworks, controls, policies, evidence, vendors, reports, tasks, and compliance posture summaries. No write operations.
mcp:write:evidenceSubmit new evidence items and map evidence to controls. Evidence lands in a pending state and requires human approval before affecting posture.
mcp:write:tasksCreate tasks, update task status, and add comments. Task changes are visible immediately to the team.
mcp:write:answersSubmit answers to questionnaire questions. Answers land as drafts and require human review before publication.

Read tools

All read tools require mcp:read:posture.

ToolScopeWhat it does
list_frameworksmcp:read:postureReturns all frameworks active in your workspace (SOC 2, ISO 27001, HIPAA, etc.).
get_frameworkmcp:read:postureReturns a single framework with its control summary and coverage metrics.
list_controlsmcp:read:postureReturns controls for a given framework, with status (effective, gap, pending review).
get_controlmcp:read:postureReturns a single control with its linked policies and evidence items.
list_policiesmcp:read:postureReturns policies in your workspace, with approval status and version history.
get_policymcp:read:postureReturns the full text of a policy version, including inline source citations.
list_evidencemcp:read:postureReturns evidence items, filterable by control, status, or source system.
get_evidence_statusmcp:read:postureReturns the review status and metadata for a specific evidence item.
list_vendorsmcp:read:postureReturns sub-processors and vendors tracked in your workspace.
get_vendor_riskmcp:read:postureReturns the risk profile and review status for a specific vendor.
get_compliance_posturemcp:read:postureReturns a top-level summary of your posture across all active frameworks.
list_gapsmcp:read:postureReturns controls with open gaps — missing evidence, expired artifacts, or unresolved divergences.
get_audit_readinessmcp:read:postureReturns an audit-readiness score and a prioritized list of items to resolve before an audit.
list_tasksmcp:read:postureReturns open tasks in your workspace, filterable by assignee, status, or framework.

Resource

equanimgrc://framework/{slug}/controls — read the full control list for a framework as a structured resource rather than via a tool call. Requires mcp:read:posture.

Write tools

ToolScopeWhat it does
submit_evidencemcp:write:evidenceSubmits a new evidence item. Accepts a control ID, source system label, file name, and base64-encoded content. Content is hashed on arrival for deduplication. Evidence lands in a pending state and requires human approval.
map_evidence_to_controlmcp:write:evidenceMaps an existing approved evidence item to an additional control. Useful when one artifact satisfies multiple controls across frameworks.
create_taskmcp:write:tasksCreates a new task in the workspace, optionally linked to a control or gap.
update_taskmcp:write:tasksUpdates the status or details of an existing task.
comment_taskmcp:write:tasksAdds a comment to a task. Comments are attributed to the agent or user that submitted them.
answer_questionmcp:write:answersSubmits an answer to a questionnaire question. Answers land as drafts; a human must review and approve before the answer is published.

Security model

Scopes are enforced at the MCP edge and re-enforced server-side by the Rails API. A token with onlymcp:read:posture cannot call any write tool regardless of how the request is constructed — the API layer rejects it independently of the edge check.

No destructive operations (delete, overwrite, publish) are exposed via MCP. Write tools create or update records in ways that always land in a human-review queue first. Per-agent rate limits apply to all write operations.