14. MCP Server
FlareInspect v2.0 ships a Model Context Protocol (MCP) server that exposes the assess → find → path → plan → apply → rollback loop to any MCP-aware agent (Claude Code, Cowork, Hermes, OpenClaw). The server uses stdio transport and re-uses the existing engine seams — no logic is duplicated.
14.1. Install
The MCP server is a binary in the package: flareinspect-mcp,
pointing at mcp/server.mjs. The Model Context Protocol SDK
(@modelcontextprotocol/sdk) is declared as an optional dependency
so the package installs cleanly on machines that never need the
server. When the SDK is missing the server starts and prints a clean
error; when it’s present the server comes up immediately.
```bash
# From a checkout of the repo
node mcp/server.mjs

# Or via npx (with the SDK available)
npx -y flareinspect-mcp

# Or, if you want the SDK pinned, install it explicitly
npm install --no-save @modelcontextprotocol/sdk
```
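Register it with an MCP-aware client (Claude Code example, in
.mcp.json). The env entry in this example turns on FLAREINSPECT_ALLOW_REMEDIATION, which is off by default; leave it out to keep the two gated tools disabled: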
```json
{
  "mcpServers": {
    "flareinspect": {
      "command": "node",
      "args": ["/absolute/path/to/flareinspect/mcp/server.mjs"],
      "env": { "FLAREINSPECT_ALLOW_REMEDIATION": "true" }
    }
  }
}
```
14.2. Tools
The server registers six tools, all read-only by default.
| Tool | Mutates? | Purpose |
|---|---|---|
| flareinspect_assess | no | Run a new assessment; return the summary |
| flareinspect_list_findings | no | Filter findings on an existing assessment (severity / status / limit) |
| flareinspect_get_attack_paths | no | Build the resource graph and run all attack-path rules |
| flareinspect_plan_remediation | no | Build a remediation plan (before→after diff) — no mutation |
| flareinspect_apply_remediation | gated | Apply a plan — mutates Cloudflare; requires |
| flareinspect_rollback | gated | Roll back from a backup bundle — mutates Cloudflare; same gate |

The two gated tools share the same policy as the web
/api/remediate/apply and /api/remediate/rollback endpoints.
See Edit-Scope Policy for the full policy.
14.3. Example session
A typical agent loop looks like:
1. flareinspect_assess { token, zones: ["example.com"] } → returns assessmentId, score, grade, finding count.
2. flareinspect_list_findings { assessment, severity: "high" } → the high-severity findings.
3. flareinspect_get_attack_paths { assessment } → the resource graph and the attack paths the findings participate in.
4. flareinspect_plan_remediation { assessment, checks: ["CFL-SSL-001"] } → the dry-run plan (proposed changes, before→after diff).
5. The agent confirms with the user, then flareinspect_apply_remediation { assessment, checkIds: ["CFL-SSL-001"], token } → applies the plan and returns a backupId.
6. If something goes wrong, flareinspect_rollback { backupId, token } → restores the previous state.

Each step calls into the same engine module the CLI and the web API use; an investigation started in the dashboard can be handed off to an MCP-aware agent (or vice versa) without re-implementing logic.
14.4. Edit-scope policy
The two gated tools refuse to run unless both conditions hold:
1. FLAREINSPECT_ALLOW_REMEDIATION is set to true (or 1, yes, on). This is the global kill-switch — it is off by default and turning it on is an explicit operator decision.
2. The token argument the agent supplies satisfies verifyEditScope(). The token may be an opaque secret matching FLAREINSPECT_EDIT_SCOPE, or a JWT whose payload carries permission: 'edit' (or aud containing tag:edit or scope containing edit).

A read-only Cloudflare API token will fail step 2 — this is by design. See Edit-Scope Policy for the full policy matrix.
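
The two-condition gate described above, sketched as an added example. This is not FlareInspect's own code; mcp/server.mjs remains the source of truth. The function names, the sigOk signature-verifier callback, the 'bad signature' reason, case-insensitive matching of the switch value, and reading "containing" as exact membership are all assumptions.

```javascript
// Sketch of the two-condition gate from 14.4. Names are hypothetical; this is
// not FlareInspect's verifyEditScope().
const TRUTHY = new Set(['true', '1', 'yes', 'on']);

// Condition 1: global kill-switch. Unset or any other value means off.
function remediationEnabled(env) {
  const v = String(env.FLAREINSPECT_ALLOW_REMEDIATION ?? '');
  return TRUTHY.has(v.trim().toLowerCase()); // case-folding is an assumption
}

// Compare secrets without an early exit on the first differing byte.
function constantTimeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ (y[i] ?? 0);
  return diff === 0;
}

// The three claims the page lists. "containing" is read as exact membership
// (assumption), so a scope of "credit" does not count as "edit".
function claimsGrantEdit(p) {
  const list = (v) => (Array.isArray(v) ? v : String(v ?? '').split(/\s+/));
  return p.permission === 'edit' || list(p.aud).includes('tag:edit') ||
    list(p.scope).includes('edit');
}

// Condition 2. sigOk is a caller-supplied JWT signature verifier (assumption:
// the page does not say how signatures are checked). Claims are read only after it.
function checkToken(token, env, sigOk) {
  if (typeof token !== 'string' || token === '') return 'no token';
  const secret = env.FLAREINSPECT_EDIT_SCOPE;
  if (secret && constantTimeEqual(token, secret)) return 'ok';
  const parts = token.split('.');
  if (parts.length !== 3) return 'wrong shape';
  if (!sigOk(token)) return 'bad signature';
  let payload;
  try { payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')); }
  catch { return 'wrong shape'; }
  if (payload === null || typeof payload !== 'object') return 'wrong shape';
  return claimsGrantEdit(payload) ? 'ok' : 'not edit-scoped';
}

// Gate for the two mutating tools: kill-switch first, then the token. Fails closed.
function gate(token, env, sigOk = () => false) {
  if (!remediationEnabled(env)) return 'remediation disabled';
  return checkToken(token, env, sigOk);
}

// Constructed sample token with a placeholder signature, for trying the gate.
const sampleJwt = (c) => `e30.${Buffer.from(JSON.stringify(c)).toString('base64url')}.sig`;
```

With no verifier supplied, every JWT is refused, so a forged payload claiming permission: 'edit' never reaches the claims check.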
14.5. Failure modes
- SDK missing — the server prints a clean error pointing at npm install --no-save @modelcontextprotocol/sdk. No stack trace.
- Remediation disabled — the gated tools throw "Remediation is disabled. Set FLAREINSPECT_ALLOW_REMEDIATION=true to enable it."
- Token rejected — the gated tools throw a structured error describing which check failed (no token / wrong shape / not edit-scoped).
- Engine error — propagated as a structured MCP error response; the agent sees the message.

14.6. Next steps
Edit-Scope Policy — the token policy in detail
Architecture Overview — how the MCP server fits into the engine seams
mcp/server.mjs — the source of truth