MCP tools overview¶
yorishiro-proxy exposes its entire feature set through MCP tools. Each tool handles a specific domain of functionality, and you interact with them by sending JSON objects through your MCP client.
Per-protocol typed split (RFC-001 N9)¶
The resend and fuzz surfaces are split per protocol. Each tool owns a typed JSON schema mirroring the corresponding Message type (HTTPMessage, WSMessage, GRPCStartMessage/GRPCDataMessage, RawMessage), so AI agents address fields by name instead of round-tripping opaque URL strings or message-sequence indices. Per-variant SafetyFilter input gating is enforced at the same boundary across every typed tool.
Tool catalog¶
| Tool | Purpose |
|---|---|
proxy_start |
Start a proxy listener. Listen address, capture scope, TLS passthrough, intercept rules, auto-transform, TCP forwarding |
proxy_stop |
Stop a single listener by name or all listeners |
configure |
Modify runtime settings (upstream proxy, scope, TLS passthrough, intercept rules, auto-transform, limits, timeouts) |
query |
Retrieve flows, flow details, messages, status, config, CA cert, intercept queue, macros, fuzz jobs, fuzz results |
resend_http |
Resend an HTTP/1.x or HTTP/2 request with HTTPMessage-typed schema |
resend_ws |
Resend a WebSocket frame with WSMessage-typed schema |
resend_grpc |
Resend a gRPC RPC with GRPCStart/Data/End-typed schema |
resend_raw |
Resend a recorded raw byte payload (TCP or TLS upstream); covers what the legacy tcp_replay action did |
fuzz_http |
Synchronous HTTP fuzz with HTTPMessage-typed positions |
fuzz_ws |
Synchronous WebSocket fuzz with WSMessage-typed positions |
fuzz_grpc |
Synchronous gRPC fuzz with GRPCStart/Data-typed positions |
fuzz_raw |
Synchronous raw-byte fuzz; owns the from-scratch byte injection path |
macro |
Multi-step workflows (define, run, delete) |
intercept |
Act on intercepted traffic (release, modify and forward, drop) with per-protocol typed payloads |
manage |
Manage flow data and CA (delete, export, import, regenerate) |
security |
Security controls (target scope, rate limits, diagnostic budgets, SafetyFilter) |
grpc_schema |
Manage .proto schemas for schema-aware gRPC decode (query) and encode (resend_grpc); supports descriptor-set upload, host protoc, and reflection-based discovery |
plugin_introspect |
Read-only list of loaded plugins, their hook registrations, and redacted vars |
Tool calling format¶
All MCP tool calls use JSON. Examples in this documentation follow this format:
Action-based tools¶
Several tools use an action parameter to select the operation:
| Tool | Actions |
|---|---|
macro |
define_macro, run_macro, delete_macro |
intercept |
release, modify_and_forward, drop |
manage |
delete_flows, export_flows, import_flows, regenerate_ca_cert |
security |
set_target_scope, update_target_scope, get_target_scope, test_target, set_rate_limits, get_rate_limits, set_budget, get_budget, get_safety_filter |
The resend, fuzz, and plugin surfaces no longer use action dispatch -- each typed sibling tool is its own MCP entry point.
Typical workflow¶
A common session follows this pattern:
- Start the proxy with
proxy_start - Configure scope with
configureor at start time - Capture traffic by routing your application through the proxy
- Query flows with
queryto find interesting requests - Resend or fuzz specific flows with the matching typed tool (
resend_http,fuzz_http, etc.) - Analyze results with
queryto inspect responses (clients perform diff over query results -- there is no longer acompareaction) - Export findings with
managefor reporting - Stop the proxy with
proxy_stop
MCP prompts (vulnerability-verification playbooks)¶
Alongside the typed tools above, the MCP server publishes nine prompts -- self-contained vulnerability-verification playbooks (verify-idor, verify-sqli, verify-xss, verify-csrf, audit-auth, fuzz-endpoint, replay-with-mods, capture-traffic, stateful-fuzz-loop). Prompts ship inside the binary and are delivered to MCP hosts via the standard prompts/list / prompts/get surface; the model executes the playbook by issuing the typed tool calls listed above. See MCP prompts for the catalogue, arguments, and host-side usage.
Related pages¶
- MCP prompts -- Vulnerability-verification playbooks delivered over MCP
- Architecture -- How yorishiro-proxy is built
- MCP-first design -- Why everything is an MCP tool
- Quick setup -- Getting started guide