Interacts | MCP Server for Fluid API | Fluid Attacks Help

Introduction

Interacts is a Model Context Protocol (MCP) server programmed with Pydantic AI that provides tools for interacting with the Fluid API, enabling vulnerability management, organization insights, and GraphQL query execution. While used in the platform as the AI Agent, it allows integration with AI tools.

Features

  1. Vulnerability Management: Fetch and analyze vulnerabilities across groups.
  2. Organization Insights: Access organization and group information.
  3. Analytics: Retrieve analytics data for organizations and groups.
  4. GraphQL Integration: Execute custom GraphQL queries.
  5. Type System Exploration: Inspect API types, mutations, and queries.
  6. Knowledge Base: Access to AI-powered knowledge base assistance.

Architecture

Architecture of Fluid Attacks Interacts

  1. User writes request on chat
    1. An authenticated user enters a question in the AI Agent chat interface
    2. The request is sent from the Client (views component)
  2. Request routing
    1. The user's question is sent to the backend (Integrates component) to the websocket endpoint (/mcp/chat)
    2. Integrates verifies the request and forwards it to the Interacts component to the /prompt endpoint
  3. Conversation context retrieval
    1. Interacts queries Amazon ElastiCache to search for relevant conversation history
    2. This provides context for the AI to maintain conversation continuity
  4. AI processing: The user's question is sent to two Bedrock components
    1. Bedrock (Guardrail): Ensures the response meets safety and appropriateness standards
    2. Bedrock (AI model): Generates the actual AI response
  5. Response generation and validation
    1. The AI model generates a response based on the user's question and conversation history
    2. The response passes through the Guardrail for safety validation and PII masking
    3. If the response meets safety criteria, it proceeds; otherwise, it may be modified or rejected
  6. Conversation history update: After processing, the updated conversation history is stored back in Amazon ElastiCache, ensuring future interactions have the complete conversation context
  7. Monitoring and logging: Conversation traces are sent to LangSmith for monitoring and debugging purposes
  8. Response delivery
    1. The validated response is sent from Interacts back to Integrates
    2. Integrates forwards the response to the Client (views)
    3. The AI Agent's answer is displayed to the authenticated user
  9. Error handling: Throughout the process, any errors are captured and logged to SmartBear for monitoring and debugging

Tools

Information Retrieval Tools

  1. get_organization_groups 
    1. Get groups associated with an organization
    2. Parameters:
      1. organization_id_or_name: Organization identifier or name
  2. get_group_git_roots 
    1. Get Git root information for a specific group
    2. Parameters:
      1. group_name: Name of the group
      2. nickname: Root nickname (optional)
      3. search: Word to match on git URL or nickname (optional)
      4. start_cursor: Cursor to start from (optional)
  3. get_group_ip_roots 
    1. Get IP root information for a specific group
    2. Parameters:
      1. group_name: Name of the group
      2. search: Word to match on IP address (optional)
      3. start_cursor: Cursor to start from (optional)
  4. get_group_url_roots 
    1. Get URL root information for a specific group
    2. Parameters:
      1. group_name: Name of the group
      2. search: Word to match on URL (optional)
      3. start_cursor: Cursor to start from (optional)
  5. describe_graphql_type
    1. Get detailed information about a specific GraphQL type
    2. Parameters:
      1. type_name: Name of the type to inspect
  6. query
    1. Execute a custom GraphQL query
    2. Parameters:
      1. query: GraphQL query to execute
      2. variables: Variables for the query (optional)
  7. get_organization_analytics 
    1. Retrieve analytics information for an organization
    2. Parameters:
      1. organization_id_or_name: Organization identifier or name
      2. document_name: Type of analytics document
  8. get_group_analytics
    1. Retrieve analytics information for a group
    2. Parameters:
      1. group_name: Group name
      2. document_name: Type of analytics document
  9. get_devsecops_agent_executions
    1. Retrieve Forces execution information for a group
    2. Parameters:
      1. group_name: Name of the group to fetch executions for
      2. after: Cursor for pagination (optional)
      3. exit_code: Filter by execution exit code (“0” for success, “1” for failure) (optional)
      4. first: Number of results to return (optional)
      5. from_date: Filter executions from this date (optional)
      6. git_repo: Filter by repository (optional)
      7. git_repo_exact_filter: Exact match filter for repository (optional)
  10. fetch_finding_vulnerabilities
    1. Fetch vulnerabilities for a specific finding
    2. Parameters:
      1. finding_id: ID of the finding to fetch vulnerabilities for
      2. state: Filter by vulnerability state (optional)
      3. sort_criteria: Criteria to sort vulnerabilities (optional)
      4. sort_order: Order to sort vulnerabilities (optional)
      5. first: Number of results to return (optional)
      6. cursor: Cursor for pagination (optional)
      7. tags: Filter by tags (optional)
      8. package_manager: Filter by package manager (optional)
      9. technique: Filter by technique (optional)
      10. where: Filter by location (optional)
      11. treatment: Filter by treatment status (optional)
      12. severity_rating: Filter by severity rating (optional)
  11. fetch_group_findings
    1. Fetch findings for a specific group
    2. Parameters:
      1. group: Name of the group to fetch findings for
      2. state: Filter by finding state (optional)
      3. severity: Filter by severity (optional)
      4. technique: Filter by technique (optional)
      5. where: Filter by location (optional)
  12. fetch_group_root_vulnerabilities
    1. Fetch vulnerabilities for a specific group root
    2. Parameters:
      1. group_name: Name of the group
      2. root_nickname: Nickname of the root to fetch vulnerabilities for
      3. state: Filter by vulnerability state (optional)
      4. severity: Filter by severity (optional)
      5. first: Number of results to return (optional)
      6. after: Cursor to start from (optional)
  13. get_unsolved_events
    1. Get unsolved events for a group
    2. Parameters:
      1. first: Number of results to return (optional)
      2. after: Cursor to start from (optional)
  14. ask_to_knowledge_base_assistant
    1. Ask questions to the knowledge base AI assistant
    2. Parameters:
      1. query: The question to ask the knowledge base assistant

Inspection Tools

  1. get_api_queries
    1. Get available API query operations
    2. Parameters: None
  2. get_api_mutations
    1. Get available API mutation operations
    2. Parameters: None
  3. get_mutation_details
    1. Get detailed information about a specific mutation
    2. Parameters:
      1. mutation_name: Name of the mutation to inspect

Resources

  1. Api SDL (~50058 tokens)
    1. GraphQL Schema Definition Language file
  2. Fluid Attacks Overview (~2881 tokens)
    1. Documentation about API entities, roles, and permissions

Setup

API Token

  1. Generate an API token for authentication with the Fluid Attacks API

Usage with Cursor and VSCode

{
  "mcpServers": {
    "fluidattacks-mcp": {
      "type": "http",
      "url": "https://app.fluidattacks.com/mcp/messages/",
      "headers": {
        "Authorization": "Bearer YOUR_API_TOKEN_HERE"
      }
    }
  }
}

Usage with Claude Desktop

Requirements

  1. Node.js 18 or higher installed on your system. If you don’t have it, install it from the official website.
Add the following to your mcp.json:

{
  "mcpServers": {
    "fluidattacks-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@fluidattacks/mcp"
      ],
      "env": {
        "API_TOKEN": "your_api_token_here"
      }
    }
  }
}

Idea
Tip
Have an idea to simplify our architecture or noticed docs that could use some love? Don't hesitate to open an issue or submit improvements.