Tool reference

The gateway's tool surface is deliberately small per family and deliberately gated per tier: tools outside your tier are absent from tools/list entirely. This page is the orientation map. The contract is what your own session reports — run describe_capabilities for the live list with schemas, quotas, and the sources your tier can reach.

Research — the core loop All tiers (Free +)

  • searchFull-text search across in-scope sources, routed by jurisdiction, framework, sector, or source. Needs at least one scope. On Premium+ it automatically fans out into case law, preparatory works, and agency guidance.
  • get_provisionOne article, verbatim, by (jurisdiction, law, article) or canonical_ref — with source URL, publisher, license.
  • validate_citationCheck a citation resolves and is still in force — a deterministic, non-model check.
  • list_coverageWhat's live: by jurisdiction, by domain ("which jurisdictions for NIS2?"), or by region.
  • get_changesRecorded changes to tracked instruments — what moved and when.
  • diffCompare two versions of a tracked provision.
  • describe_capabilities / get_my_capabilitiesYour tier's live tool list, sources, quotas, and limits. The authoritative answer to "what can I call?"

Vulnerability intelligence All tiers (Free +)

  • search_cve / get_cve_detailsCVE search and detail from the live-synced CVE/NVD engine.
  • get_epss_score / check_kev_status / get_exploitsExploit-prediction score, CISA KEV membership, and known exploits for a CVE.
  • search_by_productCVEs affecting a product/vendor.
  • get_data_freshnessPer-feed last-sync timestamps for the live data — how fresh the answer is.

Served by the CVE intelligence engine (daily-synced NVD, KEV, EPSS feeds), so answers carry sync timestamps rather than a static corpus date.

Legal evidence layer Premium +

  • search_guidanceAgency guidance from regulators, standalone (the guidance slice of the premium fan-out).
  • get_decisionOne court decision plus its cross-references — the case-law analog of get_provision.

Case law and preparatory works have no standalone search tool — they arrive inside search's automatic premium fan-out.

Your documents Premium + (read) · Team + (library)

  • get_document_segments / resolve_document_segmentRead uploaded documents at paragraph level and round-trip doc:// citations with content hashes (Premium+).
  • list_my_documents / register_document_init / register_document_finalize / delete_my_documentThe document library: list, upload (presigned PUT), and delete (Team+).

See the Cite your documents guide for the full loop.

Your standards Premium +

  • list_org_standards / get_org_standard_clause / search_org_standardsQuery your organization's own uploaded standards and clause library the same way you query law.

Workflows Team +

  • list_workflow_types / start_workflow / resume_workflow / list_workflows / cancel_workflowDiscover and manage structured workflow runs.
  • get_current_step / submit_response / get_progress / get_review_contextDrive a run: what's needed next, answer it, track it, read a review gate's context.
  • generate_report / list_workflow_evidence / get_workflow_threatsThe final deliverable, its evidence register, and (threat workflows) the structured threat list.
  • register_document / unregister_documentBind an uploaded document to a workflow step as evidence.
  • create_dfd / recommend_subagentsThreat-modeling specialists: validate and render a data-flow diagram; plan parallel sub-analyses for a phase.

Effective risk Team +

  • effective_risk / effective_risk_inline / effective_risk_inline_batchContext-aware CVSS rescoring of a CVE against your asset configuration — persistent-context or inline, single or batch.
  • list_scoring_contexts / list_scoring_policiesEnumerate the asset contexts and rule sets the scorer can apply.
  • record_review_decision / export_vexFinalize an exploitability disposition and serialize it as an OpenVEX document.

Audit ledger Company

  • get_receipt / list_receipts / verify_receiptTamper-proof receipts: each query generates a cryptographic record of what was asked, what was returned, and when.
  • export_audit_package / decrypt_receiptOffline-verifiable audit bundle export; receipts decrypt client-side with your tenant's KMS key.

Conformity engines

Product-conformity tools (check_conformity for the EU Machinery Regulation engine, plus applicability and requirements-mapping tools declared by the regulation corpora) are rolling out as curated additions to this surface — their tier placement is per-tool. describe_capabilities shows which your account has.