MCP Tools Reference¶
Once configured, the GESF MCP server provides 43 tools to your AI assistant. This page documents every tool with exact prompts you can copy and paste into your AI assistant.
Tool Overview¶
Compliance Assessment¶
| Tool | Description | Parameters |
|---|---|---|
check_compliance |
Check compliance status for a project type | project_type (string) |
check_project_status |
Read actual .ges/ directory for real-time status |
project_path (string) |
list_missing_controls |
Show controls that are not passing | framework (string) |
list_framework_controls |
List all controls for a framework | framework (string), status_filter (string) |
run_audit |
Run a full 6-scanner source code audit | project_path (string) |
generate_compliance_report |
Full compliance report with scoring | project_name (string), project_type (string), frameworks (string) |
generate_audit_report |
Audit findings + compliance scoring | project_name (string), project_path (string) |
Fix & Implement¶
| Tool | Description | Parameters |
|---|---|---|
auto_fix |
Automatically fix security findings | project_path (string), dry_run (string), rule_ids (string) |
implement_control |
Generate implementation files for a control | control_id (string), project_path (string) |
apply_control_override |
Mark a control as not-applicable or pass | control_id (string), project_path (string), status (string), reason (string) |
fix_recommendation |
Step-by-step remediation guidance | control_id (string), finding_title (string) |
Document Generation¶
| Tool | Description | Parameters |
|---|---|---|
generate_retention_policy |
Generate a data retention policy | project_name (string) |
generate_incident_response |
Generate an incident response plan | project_name (string) |
generate_risk_assessment |
Generate a risk assessment | project_name (string) |
generate_dpa |
Generate a Data Processing Agreement | project_name (string) |
generate_data_inventory |
Generate a data inventory | project_name (string), project_type (string) |
generate_processing_records |
Generate Article 30 ROPA | project_name (string), controller_name (string) |
Governance Provenance¶
| Tool | Description | Parameters |
|---|---|---|
create_governance_record |
Create a governance provenance record | project_path (string), system_name (string), system_type (string), risk_level (string) |
approve_governance_record |
Record an approval decision | project_path (string), record_id (string), approver_name (string), decision (string) |
add_governance_evidence |
Attach an evidence reference | project_path (string), record_id (string), title (string), source_system (string), reference (string) |
list_governance_records |
List all governance records | project_path (string) |
get_governance_record |
Get full provenance chain | project_path (string), record_id (string) |
verify_governance_record |
Verify provenance completeness | project_path (string), record_id (string) |
set_governance_risk_assessment |
Link a risk assessment | project_path (string), record_id (string), assessor (string), methodology (string), risk_score (string) |
set_governance_policy_basis |
Document policy basis | project_path (string), record_id (string), policy_name (string), standard (string) |
set_governance_review_cycle |
Set periodic review | project_path (string), record_id (string), frequency (string), next_review (string) |
set_governance_data_inventory |
Document data inventory | project_path (string), record_id (string) |
set_governance_committee |
Record committee approval | project_path (string), record_id (string) |
set_governance_compliance_links |
Map compliance frameworks | project_path (string), record_id (string), frameworks (string) |
See the Governance guide for the full provenance chain workflow.
check_compliance¶
Returns the compliance score for a given project type, showing which policy packs apply and their control status.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_type |
string | No | Project type (default: saas) |
Valid project_type values:
saas, ai-application, mcp-server, blockchain, wallet, government-system, healthcare-system, event-platform, photo-storage-platform, vulnerability-scanner, generic-web-application, api-backend, mobile-application
Prompts to Try¶
The assistant calls check_compliance with project_type: "healthcare-system".
The assistant calls check_compliance with project_type: "ai-application".
Example response:
GDPR ................ 72%
OWASP ............... 65%
CIS ................. 80%
NIST ................ 58%
Overall ............. 69%
list_missing_controls¶
Shows compliance controls that are not in a passing state for a given framework.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
framework |
string | No | Framework name (default: GDPR) |
Valid framework values: GDPR, OWASP, CIS, NIST
Prompts to Try¶
The assistant calls list_missing_controls with framework: "OWASP".
The assistant calls list_missing_controls with framework: "CIS".
Example response:
- [CRITICAL] GDPR-ART32-002: Encryption at Rest
Implement AES-256-GCM encryption for all stored personal data.
- [CRITICAL] GDPR-ART32-006: Audit Logging
Implement audit trail for all access to personal data.
- [HIGH] GDPR-ART32-005: Automatic Session Timeout
Configure automatic session expiration after 30 minutes of inactivity.
- [HIGH] GDPR-ART5-005: Storage Limitation
Implement a data retention policy with defined retention periods.
generate_retention_policy¶
Generates a data retention policy template with standard retention periods aligned to GDPR Article 5(1)(e) storage limitation principle.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_name |
string | No | Your project name (default: Project) |
Prompts to Try¶
What the generated policy includes:
- Purpose and scope
- Data categories with specific retention periods
- Disposal procedures
- Legal basis references
- Review schedule
generate_incident_response¶
Generates an incident response plan template with severity levels, response procedures, and GDPR breach notification timelines (72-hour requirement from Article 33).
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_name |
string | No | Your project name (default: Project) |
Prompts to Try¶
What the generated plan includes:
- Severity classification (Critical, High, Medium, Low)
- Response team roles and responsibilities
- Detection and triage procedures
- Containment and eradication steps
- GDPR Article 33 notification timeline (72 hours)
- GDPR Article 34 data subject communication
- Post-incident review template
generate_risk_assessment¶
Generates a risk assessment template with common risk categories, likelihood/impact ratings, and mitigation strategies.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_name |
string | No | Your project name (default: Project) |
Prompts to Try¶
What the generated assessment includes:
- Risk register with categories (operational, technical, compliance, legal)
- Likelihood and impact ratings (1-5 scale)
- Risk score matrix
- Mitigation strategies per risk
- Residual risk acceptance
- Review schedule
generate_dpa¶
Generates a Data Processing Agreement template based on GDPR Article 28 requirements. A DPA is the legally required contract between a data controller and data processor.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_name |
string | No | Your project name (default: Project) |
Prompts to Try¶
What the generated DPA includes:
- Parties and roles (controller, processor, sub-processor)
- Processing scope and purposes
- Data subject rights handling
- Security measures (Article 32)
- Breach notification obligations
- Sub-processor management
- Data deletion and return
- Audit rights
- Liability and indemnification
check_project_status¶
Reads the actual .ges/ directory in your project to report real-time compliance status, scores, configuration, and overrides. Unlike check_compliance (which uses templates), this tool reads your project's actual files.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_path |
string | Yes | Absolute path to the project root |
Prompts to Try¶
What the response includes:
- Project name, type, and configured frameworks
- Current compliance scores from
.ges/score.json - Active control overrides from
.ges/control-overrides.json - Framework version
list_framework_controls¶
Lists all controls for a given framework with their status, severity, category, and implementation guidance.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
framework |
string | Yes | Framework name: GDPR, OWASP, CIS, NIST |
status_filter |
string | No | Filter by status: pass, fail, warning, not-implemented, not-applicable |
Prompts to Try¶
run_audit¶
Runs a full source code audit using 6 scanners (secrets, crypto, code security, authentication, configuration, database) against your project. Returns findings with severity, file locations, evidence, and fix suggestions.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_path |
string | Yes | Absolute path to the project root |
Prompts to Try¶
What the audit checks:
| Scanner | What It Detects |
|---|---|
| Secrets Scanner | Hardcoded passwords, API keys, connection strings, private keys, JWTs |
| Cryptographic Scanner | MD5, SHA1, weak AES, disabled TLS verification |
| Code Security Scanner | SQL injection, XSS, eval/code injection |
| Authentication Scanner | Routes without auth, missing rate limiting, no session timeout, wildcard CORS, no MFA |
| Configuration Scanner | Missing helmet/CORS, secrets in .env, Docker as root, missing .gitignore, no logging |
| Database Scanner | Missing timestamps, soft delete, user audit columns, no audit model |
generate_compliance_report¶
Generates a comprehensive compliance report with executive summary, framework scores, risk assessment, and recommendations — without scanning source code.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_name |
string | No | Project name for the report title |
project_type |
string | No | Project type (default: generic-web-application) |
frameworks |
string | No | Comma-separated framework names (default: GDPR,OWASP,CIS,NIST) |
Prompts to Try¶
generate_audit_report¶
Combines real source code audit findings with compliance scoring into a single report. This is the most comprehensive report — it both scans your code and evaluates compliance.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_name |
string | No | Project name for the report |
project_path |
string | Yes | Absolute path to the project root |
Prompts to Try¶
auto_fix¶
Scans your project for security findings and automatically applies fixes to source code files. Supports dry-run mode to preview changes before applying them. Covers 15 rule types across 7 programming languages.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_path |
string | Yes | Absolute path to the project root |
dry_run |
string | No | "true" to preview changes without applying (recommended first) |
rule_ids |
string | No | Comma-separated rule IDs to fix (e.g., CONFIG-001,AUTH-002). Omit to fix all. |
What Auto-Fix Can Fix (15 Rule Types)¶
| Rule | Fix Applied |
|---|---|
CONFIG-001 |
Security headers middleware (helmet/django-csp/tracing) |
CONFIG-002 |
CORS configuration with environment-based origins |
CONFIG-004 |
Add .env to .gitignore |
CONFIG-005 |
Add non-root USER to Dockerfile |
CONFIG-007 |
Re-enable TLS verification |
CONFIG-008 |
Create .gitignore with security entries |
CONFIG-009 |
Add missing entries to .gitignore |
CONFIG-010 |
Create logger with structured audit logging |
SECRETS-001 |
Extract hardcoded secrets to .env, replace with env vars |
CRYPTO-001 |
Replace MD5/SHA1 with SHA-256 |
CRYPTO-003 |
Create Argon2id password hashing utility |
AUTH-002 |
Add rate limiting middleware |
AUTH-003 |
Add session timeout configuration |
AUTH-004 |
Replace CORS wildcard with environment-configured origins |
DB-001/002/003 |
Add audit columns (timestamps, soft delete, user audit) |
DB-004 |
Add Audit model/table |
Supported Languages¶
| Language | Frameworks |
|---|---|
| JavaScript/TypeScript | Express, Fastify, Koa, Hono, Next, NestJS, SvelteKit |
| Python | Django, Flask, FastAPI, Sanic |
| Go | Gin, Fiber, Echo, Chi, Gorilla, net/http |
| Java | Spring, Ktor, Quarkus, Micronaut |
| Ruby | Rails, Sinatra |
| PHP | Laravel, Symfony, Slim, Lumen |
| Rust | Actix-web, Axum, Rocket, Warp |
Prompts to Try¶
What the response includes:
- Total findings before fix
- Auto-fixable findings count
- Actions applied (file modifications, new files created)
- Manual review items (issues that cannot be auto-fixed)
- npm/cargo/pip install guidance for new dependencies
implement_control¶
Generates production-ready implementation files for a specific compliance control. Detects your project's language and framework, then generates appropriate code.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
control_id |
string | Yes | Control ID (e.g., GDPR-ART32-002, GDPR-ART32-004) |
project_path |
string | Yes | Absolute path to the project root |
Supported Controls¶
| Control | What Gets Generated |
|---|---|
GDPR-ART32-002 (Encryption at Rest) |
AES-256-GCM encrypt/decrypt utility |
GDPR-ART32-003 (Encryption in Transit) |
TLS/HTTPS redirect middleware |
GDPR-ART32-004 (User Identification) |
Argon2id password hashing utility |
GDPR-ART32-005 (Session Timeout) |
Session expiration configuration |
GDPR-ART32-006 (Audit Logging) |
Structured audit logger |
GDPR-ART32-007 (Integrity Controls) |
SHA-256 integrity verification |
GDPR-ART32-008 (Backup & Recovery) |
Encrypted backup script |
GDPR-ART32-009 (Security Testing) |
CI/CD security scan workflow |
Prompts to Try¶
apply_control_override¶
Marks a compliance control as not-applicable or pass in .ges/control-overrides.json. This is useful when a control doesn't apply to your project or has been manually verified.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
control_id |
string | Yes | Control ID (e.g., GDPR-ART32-001) |
project_path |
string | Yes | Absolute path to the project root |
status |
string | Yes | New status: not-applicable or pass |
reason |
string | No | Reason for the override |
Prompts to Try¶
fix_recommendation¶
Provides step-by-step remediation guidance for a specific compliance control or finding. Gives implementation steps, code examples, and verification procedures.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
control_id |
string | No | Control ID (e.g., GDPR-ART32-002, OWASP-AUTH-001) |
finding_title |
string | No | Title of a specific audit finding to get fix guidance for |
Prompts to Try¶
generate_data_inventory¶
Generates a data inventory document listing data categories, classifications, retention periods, and legal basis. Required for GDPR Article 30 compliance.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_name |
string | No | Project name |
project_type |
string | No | Project type (affects data categories) |
Prompts to Try¶
generate_processing_records¶
Generates Article 30 Records of Processing Activities (ROPA). Documents all processing activities, purposes, data categories, recipients, and retention periods.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_name |
string | No | Project name |
controller_name |
string | No | Data controller organization name |
Prompts to Try¶
Combining Tools — Real-World Prompt Patterns¶
AI assistants can call multiple tools in sequence. Here are compound prompts that chain tools together for real-world compliance workflows:
Pattern 1: New Project Compliance Kickoff¶
I'm starting a new SaaS platform called "CloudMetrics" that will
process EU user data. Check our compliance status, show what's
missing for GDPR, and generate a risk assessment.
The assistant will:
1. Call check_compliance with project_type: "saas"
2. Call list_missing_controls with framework: "GDPR"
3. Call generate_risk_assessment with project_name: "CloudMetrics"
Pattern 2: Pre-Audit Document Package¶
We have an upcoming GDPR audit for "DataVault". Generate all
the documents we'll need: retention policy, incident response
plan, risk assessment, and a DPA template.
The assistant will call all 4 generation tools with project_name: "DataVault".
Pattern 3: Gap Analysis and Remediation Plan¶
Check compliance for our healthcare application. Then show me
what's missing for both GDPR and NIST frameworks, and generate
a risk assessment that accounts for those gaps.
The assistant will:
1. Call check_compliance with project_type: "healthcare-system"
2. Call list_missing_controls with framework: "GDPR"
3. Call list_missing_controls with framework: "NIST"
4. Call generate_risk_assessment with project_name: "MedTrack"
Pattern 4: Vendor Onboarding¶
We're onboarding a new payment processor for "ShopSecure".
Check our compliance, generate a DPA, and create a risk
assessment for the vendor relationship.
Pattern 5: Incident Preparation¶
We had a near-miss security incident today. Check our current
compliance posture, generate an incident response plan, and
create a risk assessment for our platform "SecurePay".
Pattern 6: Auto-Fix Dry Run + Apply¶
Run a dry-run auto-fix on /path/to/my/project. Review the
proposed changes, then apply them. After that, generate an
audit report.
The assistant will:
1. Call auto_fix with dry_run: "true"
2. Call auto_fix without dry_run (applies fixes)
3. Call generate_audit_report to show the improved state
Pattern 7: Full Remediation Workflow¶
Audit /path/to/my/project, auto-fix everything you can,
implement the remaining GDPR encryption controls, then
generate a compliance report.
The assistant will:
1. Call run_audit to scan the project
2. Call auto_fix to fix what's auto-fixable
3. Call implement_control for controls that need manual implementation
4. Call generate_compliance_report to show the updated posture
Pattern 8: Gap Analysis + Fix + Override¶
Check compliance for our SaaS platform, show missing GDPR
controls, auto-fix the code issues, implement the encryption
control, and mark the pseudonymisation control as
not-applicable since we don't store raw personal data.
The assistant will:
1. Call check_compliance with project_type: "saas"
2. Call list_missing_controls with framework: "GDPR"
3. Call auto_fix on the project
4. Call implement_control for encryption
5. Call apply_control_override for pseudonymisation
Pattern 9: Pre-Deploy Security Gate¶
We're about to deploy /path/to/my/project. Run a full audit,
dry-run auto-fix to see what can be improved, show me the
critical findings that MUST be fixed before deploy, and
generate an audit report.
Pattern 10: New Project Full Setup¶
We're starting a new SaaS platform called "CloudMetrics".
Check our initial compliance status, show all missing controls
across GDPR, OWASP, CIS, and NIST, generate all policy
documents, and auto-fix our codebase for security issues.
Prompt Writing Tips¶
Good Prompts¶
| Prompt | Why It Works |
|---|---|
| "Check compliance for a SaaS application" | Specific project type triggers accurate results |
| "Show missing GDPR controls" | Explicit framework name avoids ambiguity |
| "Generate a DPA for DataVault" | Project name personalizes the document |
| "Check compliance, show missing OWASP controls, and generate a risk assessment for CloudMetrics" | Compound prompt chains multiple tools |
Bad Prompts¶
| Prompt | Why It Fails |
|---|---|
| "Is everything ok?" | Too vague — no compliance context |
| "Tell me about security" | No specific question for a tool to answer |
| "Fix my code" | Too vague — specify the project path and whether you want auto_fix or implement_control |
Getting the Best Results¶
- Always name your project — Generated documents use the project name
- Specify the project type — "SaaS", "healthcare", "blockchain" — for accurate compliance checks
- Name the framework — "GDPR", "OWASP", "CIS", "NIST" — for targeted control analysis
- Chain requests — Ask for compliance check + gap analysis + document generation in one prompt
- Be specific about context — "We process healthcare data" produces better risk assessments than "generate a risk assessment"
Exercise: Test Every Tool Individually
In your AI assistant, try each tool one at a time. Record the response:
| # | Prompt Used | Tool Called | Response Quality (1-5) |
|---|---|---|---|
| 1 | "Are we GDPR compliant?" | ||
| 2 | "Show missing OWASP controls" | ||
| 3 | "Show missing NIST controls" | ||
| 4 | "Show missing CIS controls" | ||
| 5 | "Generate a retention policy for MyApp" | ||
| 6 | "Generate an incident response plan for MyApp" | ||
| 7 | "Generate a risk assessment for MyApp" | ||
| 8 | "Generate a DPA for MyApp" | ||
| 9 | "Generate a data inventory for MyApp" | ||
| 10 | "Generate processing records for MyApp" | ||
| 11 | "List all GDPR controls with status" | ||
| 12 | "Run an audit on /path/to/project" | ||
| 13 | "Generate a compliance report for MyApp" | ||
| 14 | "Dry-run auto-fix on /path/to/project" | ||
| 15 | "Implement GDPR-ART32-002 for /path/to/project" | ||
| 16 | "Mark GDPR-ART32-001 as not-applicable" | ||
| 17 | "How do I fix CONFIG-001?" |
Questions
- Which tool produces the most detailed response?
- Which tool would be most useful during a real audit?
- Did the assistant always call the correct tool, or did it sometimes answer without using a tool?
Exercise: Compound Prompt Progression
Start with a simple prompt, then add complexity. See how the assistant handles each:
Round 1 — Single tool:
Round 2 — Two tools:
Round 3 — Three tools:
Check compliance for a SaaS application called "CloudMetrics",
show missing GDPR controls, and generate a risk assessment.
Round 4 — Full workflow:
I'm building a SaaS platform called "CloudMetrics".
Check our compliance, show missing controls for GDPR,
OWASP, and NIST, then generate a retention policy,
incident response plan, and DPA.
Observe: - How many tool calls does the assistant make in each round? - Does the assistant maintain context between calls? - Does the compound prompt produce better results than individual calls?
Exercise: Multi-Tool Workflow
Ask your AI assistant to perform a complete compliance check with a single prompt:
I'm building a healthcare application called "MedTrack".
Check compliance for healthcare-system type, list all
missing GDPR controls, and generate both a risk assessment
and a data processing agreement.
Observe how the assistant chains multiple tool calls together.
Exercise: Prompt Engineering Challenge
Try to trigger all 17 tools with a single prompt:
We're launching "SecureBank", a financial SaaS platform at
/path/to/project. We need a full compliance review: check our
status, show every missing control across all frameworks, run
a source code audit, dry-run auto-fix, generate all policy
documents (retention, incident response, risk assessment, DPA,
data inventory, processing records), and generate a full
audit report.
Count: - How many tool calls did the assistant make? - Were all 17 tools called? - Which tools were missed, if any?
Exercise: Wrong Project Type Experiment
Try checking compliance with different project types and compare:
vs
vs
Questions
- How do the policy packs differ between project types?
- Which project type has the most controls to satisfy?
- Which controls are common across all project types?
Exercise: Document Quality Comparison
Generate the same document twice with different context:
Without context:
With context:
We run "MyApp", a photo storage platform that processes
biometric data (face detection), stores images in S3, uses
AI for image tagging, and serves EU customers. Generate
a risk assessment covering all these specific areas.
Compare the two outputs — does context improve the quality?
Exercise: Auto-Fix Workflow
This exercise tests the full audit → fix → verify workflow:
Step 1 — Audit:
Step 2 — Preview fixes:
Dry-run auto-fix on /path/to/my/project. Show me exactly what
would change without modifying anything.
Step 3 — Apply fixes:
Step 4 — Implement remaining controls:
Implement GDPR-ART32-002 (encryption), GDPR-ART32-006 (audit
logging), and GDPR-ART32-004 (user identification) for
/path/to/my/project.
Step 5 — Verify:
Run a new audit on /path/to/my/project and generate an audit
report to see how the compliance score improved.
Questions
- How many findings were there before vs after auto-fix?
- Which findings required manual review vs were auto-fixed?
- Did the compliance score improve after the fixes?
- Which controls still need manual implementation?
run_inference¶
Run AI-powered inference on GESF compliance data. Analyzes audit findings (clustering + deduplication), identifies root causes via graph analysis, detects score anomalies, and predicts compliance trends.
Parameters:
| Parameter | Type | Required | Description |
|---|---|---|---|
project_path |
string | No | Project root path (defaults to CWD) |
Returns: Structured report with four sections — Finding Clustering, Root Cause Analysis, Score Anomalies, and Trend Predictions.
Example prompt:
Run AI inference on my project and tell me:
1. What is the root cause of most findings?
2. Are my compliance scores trending up or down?
3. Should I be concerned about any anomalies?
Example exercise:
For /path/to/my/project, run AI inference and interpret the results.
Which 3 actions would have the biggest impact on our compliance score?
See the AI Inference guide for full documentation with output examples and interactive exercises.
Exercise: Control Override Workflow
Practice marking controls that don't apply or have been manually verified:
For /path/to/my/project, mark these controls as not-applicable:
- GDPR-ART33-001 (breach notification to authority) — internal tool
- GDPR-ART34-001 (breach communication to subjects) — no data subjects
- GDPR-ART30-002 (processor records) — we are the sole processor
And mark GDPR-ART32-003 as pass — we enforce TLS 1.3 everywhere.
Then verify: