Tool reference
The gateway's tool surface is deliberately small per family and deliberately gated per tier: tools outside your tier are absent from tools/list entirely. This page is the orientation map. The contract is what your own session reports — run describe_capabilities for the live list with schemas, quotas, and the sources your tier can reach.
Research — the core loop — All tiers (Free +)
search— Full-text search across in-scope sources, routed by jurisdiction, framework, sector, or source. Needs at least one scope. On Premium+ it automatically fans out into case law, preparatory works, and agency guidance.get_provision— One article, verbatim, by (jurisdiction, law, article) or canonical_ref — with source URL, publisher, license.validate_citation— Check a citation resolves and is still in force — a deterministic, non-model check.list_coverage— What's live: by jurisdiction, by domain ("which jurisdictions for NIS2?"), or by region.get_changes— Recorded changes to tracked instruments — what moved and when.diff— Compare two versions of a tracked provision.describe_capabilities / get_my_capabilities— Your tier's live tool list, sources, quotas, and limits. The authoritative answer to "what can I call?"
Vulnerability intelligence — All tiers (Free +)
search_cve / get_cve_details— CVE search and detail from the live-synced CVE/NVD engine.get_epss_score / check_kev_status / get_exploits— Exploit-prediction score, CISA KEV membership, and known exploits for a CVE.search_by_product— CVEs affecting a product/vendor.get_data_freshness— Per-feed last-sync timestamps for the live data — how fresh the answer is.
Served by the CVE intelligence engine (daily-synced NVD, KEV, EPSS feeds), so answers carry sync timestamps rather than a static corpus date.
Legal evidence layer — Premium +
search_guidance— Agency guidance from regulators, standalone (the guidance slice of the premium fan-out).get_decision— One court decision plus its cross-references — the case-law analog of get_provision.
Case law and preparatory works have no standalone search tool — they arrive inside search's automatic premium fan-out.
Your documents — Premium + (read) · Team + (library)
get_document_segments / resolve_document_segment— Read uploaded documents at paragraph level and round-trip doc:// citations with content hashes (Premium+).list_my_documents / register_document_init / register_document_finalize / delete_my_document— The document library: list, upload (presigned PUT), and delete (Team+).
See the Cite your documents guide for the full loop.
Your standards — Premium +
list_org_standards / get_org_standard_clause / search_org_standards— Query your organization's own uploaded standards and clause library the same way you query law.
Workflows — Team +
list_workflow_types / start_workflow / resume_workflow / list_workflows / cancel_workflow— Discover and manage structured workflow runs.get_current_step / submit_response / get_progress / get_review_context— Drive a run: what's needed next, answer it, track it, read a review gate's context.generate_report / list_workflow_evidence / get_workflow_threats— The final deliverable, its evidence register, and (threat workflows) the structured threat list.register_document / unregister_document— Bind an uploaded document to a workflow step as evidence.create_dfd / recommend_subagents— Threat-modeling specialists: validate and render a data-flow diagram; plan parallel sub-analyses for a phase.
Effective risk — Team +
effective_risk / effective_risk_inline / effective_risk_inline_batch— Context-aware CVSS rescoring of a CVE against your asset configuration — persistent-context or inline, single or batch.list_scoring_contexts / list_scoring_policies— Enumerate the asset contexts and rule sets the scorer can apply.record_review_decision / export_vex— Finalize an exploitability disposition and serialize it as an OpenVEX document.
Audit ledger — Company
get_receipt / list_receipts / verify_receipt— Tamper-proof receipts: each query generates a cryptographic record of what was asked, what was returned, and when.export_audit_package / decrypt_receipt— Offline-verifiable audit bundle export; receipts decrypt client-side with your tenant's KMS key.
Conformity engines
Product-conformity tools (check_conformity for the EU Machinery Regulation engine, plus applicability and requirements-mapping tools declared by the regulation corpora) are rolling out as curated additions to this surface — their tier placement is per-tool. describe_capabilities shows which your account has.