Available Tools
What your IDE can do over MCP — the read tools, the cygent_chat companion, and what each key scope unlocks.
Overview
When you connect an MCP client (Claude Code, Cursor, Codex, VS Code, Windsurf, Zed) to your Cygent agent, the client's AI agent picks up two kinds of capability:
- Atomic read tools — fast, direct lookups that never start a job (
cygent_findings,cygent_list_projects, …). cygent_chat— one conversational tool that routes plain English through the same brain that powers your Slack/Discord/Telegram agent. This is how the IDE triggers audits and reviews, runs dependency scans, and changes findings.
You don't call these tools directly. Your IDE's agent composes them from your natural-language requests. This page is for understanding what it can do.
Everything an MCP key can do is bounded by its scope (read / operate / mutate) — see What each scope unlocks. There are no confirmation prompts over MCP; the scope is the guard.
Read tools
These return instantly and never start a job:
| Tool | Purpose |
|---|---|
cygent_list_projects | Every connected repo with its findings summary. Call this first — use the exact owner-repo name everywhere else. |
cygent_project_status | Detailed status for one project. |
cygent_findings | Compact list of findings, filterable by severity/status. |
cygent_finding_detail | Full body for one finding (issue_N): root cause, affected code, attack vector, and the authoritative recommendation. |
cygent_job_status | Poll an audit/review/scan job_id to completion. |
cygent_dependency_vulnerabilities | Vulnerability counts + severity breakdown for a project. |
cygent_dependency_advisories | Paginated list of dependency advisories. |
cygent_dependency_advisory | One advisory's detail. |
cygent_kb_query | Semantic Q&A over the audited codebase's knowledge base. |
cygent_check_code is the one analysis tool that isn't instant: pass Solidity (or Rust/Go/Move) source and it starts a short, one-off CARA analysis, returning a job_id to poll with cygent_job_status. It doesn't touch any project's findings.
cygent_chat — the conversational companion
cygent_chat is the main surface for anything beyond a read. You describe an intent in plain English and the brain reasons across multiple steps, exactly as it does in Slack:
- "Audit
owner-repo" → queues an audit, returns ajob_idimmediately. - "Review PR 42 on
owner-repo" → queues a PR review, returns ajob_id. - "Scan dependencies for
owner-repo" → queues a dependency scan. - "Triage and file this finding: …" → routes through the engine-validated triage job (returns a
job_id; the finding appears or is rejected once the job completes). - "Mark
issue_3as a false positive" → updates the finding (mutate scope).
Long-running work never blocks the call: cygent_chat returns a job_id fast, and your agent polls cygent_job_status until it's done. Replies cite findings by their canonical issue_N id and include a structured referenced_findings list, so your IDE can reliably branch on exactly which findings were discussed.
cygent_chat requires a per-user key (created in Settings → API Keys) and is only available on orgs with the companion feature enabled. Triggering audits/reviews/triage happens through cygent_chat, not as standalone tools.
What each scope unlocks
| Capability | Read | Operate | Mutate |
|---|---|---|---|
| Read tools (findings, projects, dependencies, KB, job status) | ✅ | ✅ | ✅ |
Repo exploration, memory search, knowledge queries via cygent_chat | ✅ | ✅ | ✅ |
| Trigger audits, PR reviews, triage, dependency scans, code checks | — | ✅ | ✅ |
| Change findings (mark fixed/invalid, update status) and settings | — | — | ✅ |
Blocked at every scope, by design — the companion can never:
- Run shell commands, manage GitHub, open issues, schedule tasks, join meetings, or post to chat channels.
- Write a finding directly. Finding creation always goes through the async, engine-validated triage job, so nothing is written without the analysis engine confirming it.
Catalog evolution
The read tools and cygent_chat are defined centrally and exposed over MCP. As new capabilities ship, they appear in your IDE automatically — you don't update anything on your end. Clients that show the MCP tool list (e.g. /mcp in Claude Code) display the current tools with a cygent_ prefix; rely on the capability descriptions above rather than memorizing exact names.