github · mcp-server0cc90034bd39

RemediationAI

The problem is that the tool description contains an imperative instruction ('Use this first') that attempts to influence LLM routing priority, violating the principle that tool manifests should be declarative and neutral. Remove the phrase 'Use this first' and any other imperative language from the tool description in mcp-manifest.json. Replace it with a neutral, factual description of what the tool does (e.g., 'Searches DataNexus tools by keyword'). This ensures the LLM makes routing decisions based on semantic relevance, not embedded instructions. Verify by reviewing the updated manifest and confirming no imperative verbs (use, prefer, prioritize, etc.) appear in tool descriptions.

Evidence

#!/usr/bin/env node

/**

 * DataNexus MCP — stdio proxy for Glama and local MCP clients.

 *

 * Bridges stdio ↔ the live remote server at https://datanexusmcp.com/mcp

 * using mcp-remote. No Python, no Redis, no PostgreSQL required.

 *

 * Usage:

 *   npx -y @datanexusmcp/mcp-server

 *

 * Claude Desktop claude_desktop_config.json:

 *   {

 *     "mcpServers": {

 *       "datanexus": {

 *         "command": "npx",

 *         "args": ["-y", "@datanexusmcp/mcp-server"]

 *       }

 *     }

 *   }

 */

c

RemediationAI

The problem is that datanexus-mcp.js acts as a transparent proxy forwarding all tool calls to a remote endpoint (https://datanexusmcp.com/mcp) without any local validation, allowing the remote server to dynamically determine tool behavior, validation rules, and response formatting at runtime—creating an unauditable supply-chain risk. Replace the remote proxy pattern with local tool implementations: remove the mcp-remote forwarding logic and implement tool handlers directly in the MCP server process, or if remote calls are necessary, add a local validation layer that verifies responses against a schema defined in the manifest before returning to the client. This ensures all tool behavior is deterministic, auditable, and matches the declared manifest. Verify by running the MCP server locally, calling a tool, and confirming the response matches the schema declared in mcp-manifest.json without any remote server involvement.

RemediationAI

The problem is that the 'search_datanexus_tools' tool accepts natural language queries that are passed to a remote MCP server which determines tool routing and behavior dynamically based on query content at call-time, creating runtime behavior that is not reflected in the manifest and cannot be audited. Implement local query parsing and tool routing logic in the MCP server instead of delegating to a remote endpoint; define all possible routing outcomes and tool selections in the manifest schema. If remote augmentation is needed, add a local caching layer that pre-fetches and validates remote tool definitions at startup, not at call-time. This ensures tool behavior is deterministic and matches the manifest. Verify by inspecting the tool handler code to confirm all routing decisions are made locally based on a fixed set of rules, and by calling the tool multiple times with the same query to confirm identical results.

RemediationAI

The problem is that the 'nonprofit_fetch_charity_uk' tool returns complete UK charity registration data (income, activities, trustees) based solely on a charity number or name lookup without verifying that the caller is authorized to access that charity's sensitive information. Add a caller authorization check before returning data: implement a function that validates the caller's identity (from the MCP request context) against an access control list or permission model, and return only the fields the caller is entitled to see (or reject the request with a 403 Forbidden error). This prevents unauthorized disclosure of sensitive nonprofit financial and governance data. Verify by calling the tool with a test caller ID that lacks permission and confirming the tool returns an authorization error; then call with an authorized caller ID and confirm full data is returned.

RemediationAI

The problem is that the 'nonprofit_fetch_nonprofit_by_ein' tool returns complete nonprofit records (revenue, expenses, assets, mission) based solely on EIN lookup without verifying that the caller owns or is authorized to access that nonprofit's financial data. Add a caller authorization check: implement a function that validates the caller's identity against the nonprofit's ownership or a permission model, and return only permitted fields or reject with a 403 error. This prevents unauthorized access to sensitive financial and operational data. Verify by calling the tool with an unauthorized caller ID and confirming an authorization error is returned; then call with an authorized caller and confirming full data is returned.

RemediationAI

The problem is that the 'security_fetch_package_vulnerabilities' tool calls Google OSV.dev and NIST NVD using module-level NVD_API_KEY from config.py without consulting caller identity or per-request credentials, allowing all callers to share the same API quota and preventing per-caller rate limiting or audit trails. Modify the tool handler to accept an optional 'api_key' parameter in the tool input schema, and pass caller-provided credentials (or retrieve them from a per-request context object) to the upstream API calls instead of using a module-level key. If no per-request key is available, fall back to a shared key but log the caller identity alongside the API call. This enables per-caller quota management and audit trails. Verify by calling the tool twice with different caller IDs and confirming both the API call logs and the tool's response include the caller identity.

RemediationAI

The problem is that the 'nonprofit_search_nonprofits_by_name' tool calls the IRS EO BMF upstream API using a module-level IRS_EFTS_BASE URL from config.py without consulting caller identity or per-request credentials, preventing per-caller rate limiting and audit trails. Modify the tool handler to accept an optional 'caller_id' or 'api_key' parameter, and include it in the upstream API call headers or logs so that each request is attributed to the caller. If per-request credentials are not available, at minimum log the caller identity from the MCP request context alongside the API call. This enables audit trails and per-caller rate limiting. Verify by calling the tool twice with different caller IDs and confirming the server logs show both the caller identity and the upstream API call.

RemediationAI

The problem is that the 'security_fetch_dependency_graph' tool calls deps.dev (Google) using module-level credentials from config.py without consulting caller identity or per-request credentials, preventing per-caller quota management and audit trails. Modify the tool handler to accept an optional 'api_key' or 'caller_id' parameter, and pass it to the upstream API call or include it in request headers and logs. This ensures each call is attributed to the caller and enables per-caller rate limiting. Verify by calling the tool twice with different caller IDs and confirming the server logs show both the caller identity and the upstream API call.

RemediationAI

The problem is that the 'nonprofit_fetch_nonprofit_by_ein' tool calls the IRS EO BMF upstream API using a module-level IRS_EFTS_BASE URL from config.py without consulting caller identity or per-request credentials, preventing per-caller rate limiting and audit trails. Modify the tool handler to accept an optional 'caller_id' parameter and include it in the upstream API call headers or logs so that each request is attributed to the caller. This enables audit trails and per-caller rate limiting. Verify by calling the tool twice with different caller IDs and confirming the server logs show both the caller identity and the upstream API call.

RemediationAI

The problem is that the 'nonprofit_fetch_charity_uk' tool calls the UK Charity Commission API using a module-level UK_CHARITY_BASE URL from config.py without consulting caller identity or per-request credentials, preventing per-caller rate limiting and audit trails. Modify the tool handler to accept an optional 'caller_id' parameter and include it in the upstream API call headers or logs so that each request is attributed to the caller. This enables audit trails and per-caller rate limiting. Verify by calling the tool twice with different caller IDs and confirming the server logs show both the caller identity and the upstream API call.

RemediationAI

The problem is that the 'security_fetch_package_vulnerabilities' tool returns CVE data from untrusted external sources (Google OSV.dev and NIST NVD) including free-text fields (severity descriptions, CVSS vectors) without provenance delimiters, enabling indirect prompt injection if the LLM processes these fields as instructions. Add provenance markers to all external data: wrap each free-text field with a clear delimiter (e.g., `[EXTERNAL_DATA_START] ... [EXTERNAL_DATA_END]`) and include the source URL and fetch timestamp, or sanitize free-text fields by removing special characters and limiting to alphanumeric + basic punctuation. This prevents injected instructions from being interpreted as tool directives. Verify by calling the tool with a package known to have CVE descriptions, and confirming the response includes provenance markers or sanitized text without special characters.

RemediationAI

The problem is that the 'security_fetch_dependency_graph' tool returns transitive dependency metadata from untrusted external source (deps.dev) without visible provenance markers, risking indirect prompt injection through package names and descriptions. Add provenance markers to all external data: wrap each free-text field with a clear delimiter (e.g., `[EXTERNAL_DATA_START] ... [EXTERNAL_DATA_END]`) and include the source URL and fetch timestamp, or sanitize free-text fields by removing special characters. This prevents injected instructions from being interpreted as tool directives. Verify by calling the tool with a package known to have descriptions, and confirming the response includes provenance markers or sanitized text.

Evidence

"""

datanexus/agents/feedback_classifier.py — Haiku Trigger 2: feedback classification.

Spec: DataNexus_MCP_Spec_v7_4.docx  Section 13.4 / Phase 4

Most important file in Section 13. Closes the loop between user-reported

feedback and automated data quality triage.

Rules (CLAUDE.md):

  S13-1: This is Haiku Trigger T2. Delegate to haiku_classifier.classify() only.

  S13-4: Never raises. All exceptions caught. Always returns structured result.

  S13-5: FeedbackRecord.classification is ONE-WAY onl

RemediationAI

The problem is that the feedback_classifier tool calls the classify() function which invokes the Anthropic SDK without a max_tokens cap, allowing unbounded token consumption and potential cost explosion or denial of service. Add a max_tokens parameter to the anthropic.messages.create() call in the classify() function: set it to a reasonable limit (e.g., 500 tokens for classification tasks) based on the expected output size. This caps the cost and latency of each classification call. Verify by calling the feedback_classifier tool and confirming the Anthropic API call includes max_tokens in the request; check the response to confirm it is truncated if it would exceed the limit.

Evidence

"""

datanexus/agents/schema_monitor.py — Haiku Trigger 3: schema change assessment.

Spec: DataNexus_MCP_Spec_v7_4.docx  Section 13.5 / Phase 5

Called when the ingest worker detects a structural change between the

previously-stored schema fingerprint and the newly-fetched payload shape.

Haiku decides whether the change is breaking and what severity to assign.

Rules (CLAUDE.md):

  S13-1: This is Haiku Trigger T3. Delegate to haiku_classifier.classify() only.

  S13-4: Never raises. Always return

RemediationAI

The problem is that the schema_monitor tool calls the classify() function which invokes the Anthropic SDK without a max_tokens cap, allowing unbounded token consumption and potential cost explosion or denial of service. Add a max_tokens parameter to the anthropic.messages.create() call in the classify() function: set it to a reasonable limit (e.g., 500 tokens) based on the expected output size. This caps the cost and latency of each classification call. Verify by calling the schema_monitor tool and confirming the Anthropic API call includes max_tokens in the request.

Evidence

"""

datanexus/agents/anomaly_reviewer.py — Haiku Trigger 1: anomaly review.

Spec: DataNexus_MCP_Spec_v7_4.docx  Section 13.3 / Phase 3

Called when the deterministic validator (validator.py) flags an anomaly

that needs a second-opinion classification before deciding whether to

keep, suppress, or flag the affected record.

Rules (CLAUDE.md):

  S13-1: This is Haiku Trigger T1. Do NOT call Anthropic API directly —

         always delegate to haiku_classifier.classify().

  S13-4: Never raises. All 

RemediationAI

The problem is that the anomaly_reviewer tool calls the classify() function which invokes the Anthropic SDK without a max_tokens cap, allowing unbounded token consumption and potential cost explosion or denial of service. Add a max_tokens parameter to the anthropic.messages.create() call in the classify() function: set it to a reasonable limit (e.g., 500 tokens) based on the expected output size. This caps the cost and latency of each classification call. Verify by calling the anomaly_reviewer tool and confirming the Anthropic API call includes max_tokens in the request.

Evidence

"""

datanexus/agents/haiku_classifier.py — Shared Haiku API wrapper for all 4 triggers.

Spec: DataNexus_MCP_Spec_v7_4.docx  Section 13.2 / Phase 2

Rules (CLAUDE.md):

  S13-1: Called ONLY from the 4 permitted triggers — never directly from tool handlers.

  S13-2: HAIKU_MODEL imported from feedback/config.py. Never hardcoded here.

  S13-3: Daily cap HAIKU_MAX_CALLS_PER_DAY (100) enforced before every call.

         incr → expire → check, in that exact order.

  S13-4: On any API error: return err

RemediationAI

The problem is that the haiku_classifier.classify() function calls anthropic.messages.create() without passing a max_tokens parameter, allowing unbounded token consumption and potential cost explosion or denial of service. Add a max_tokens parameter to the anthropic.messages.create() call in haiku_classifier.py: set it to a reasonable limit (e.g., 500 tokens) based on the expected classification output size. This caps the cost and latency of each classification call. Verify by calling any of the four trigger tools (feedback_classifier, schema_monitor, anomaly_reviewer, digest_generator) and confirming the Anthropic API request includes max_tokens.

Evidence

"""

datanexus/agents/digest_generator.py — Haiku Trigger 4: weekly digest.

Spec: DataNexus_MCP_Spec_v7_4.docx  Section 13.6 / Phase 6

Batches ALL feedback records for a tool into ONE Haiku call (cost control)

and produces a DigestItem with data quality score, top issues, suggested

rules, and sprint recommendations.

Rules (CLAUDE.md):

  S13-1: This is Haiku Trigger T4. Delegate to haiku_classifier.classify() only.

  S13-4: Never raises. Always returns structured DigestItem.

Special case — emp

RemediationAI

The problem is that the digest_generator tool calls the classify() function which invokes the Anthropic SDK without a max_tokens cap, allowing unbounded token consumption and potential cost explosion or denial of service. Add a max_tokens parameter to the anthropic.messages.create() call in the classify() function: set it to a reasonable limit (e.g., 1000 tokens for digest generation) based on the expected output size. This caps the cost and latency of each digest generation call. Verify by calling the digest_generator tool and confirming the Anthropic API call includes max_tokens in the request.

Evidence

{ "name": "NPPES NPI Registry (CMS)", "url": "https://npiregistry.cms.hhs.gov/api/", "auth": "none" },

    { "name": "FINRA BrokerCheck", "url": "https://api.brokercheck.finra.org", "auth": "none" },

    { "name": "SAM.gov", "url": "https://api.sam.gov", "auth": "none" },

    { "name": "IANA RDAP", "url": "https://rdap.org", "auth": "none" },

    { "name": "crt.sh (Certificate Transparency)", "url": "https://crt.sh", "auth": "none" },

    { "name": "Cloudflare DoH", "url": "https://cloudflare-dn

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add a middleware or decorator to each tool handler that validates the caller's credentials before executing the tool. Alternatively, if the server must be unauthenticated, deploy it stdio-only behind a trusted host boundary (e.g., inside a private network or container) so that only trusted clients can reach it. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error; then call with valid credentials and confirming the tool executes.

Evidence

{ "name": "FINRA BrokerCheck", "url": "https://api.brokercheck.finra.org", "auth": "none" },

    { "name": "SAM.gov", "url": "https://api.sam.gov", "auth": "none" },

    { "name": "IANA RDAP", "url": "https://rdap.org", "auth": "none" },

    { "name": "crt.sh (Certificate Transparency)", "url": "https://crt.sh", "auth": "none" },

    { "name": "Cloudflare DoH", "url": "https://cloudflare-dns.com/dns-query", "auth": "none" },

    { "name": "EPO OPS (Open Patent Services)", "url": "https://ops.epo

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

{ "name": "IRS TEOS", "url": "https://apps.irs.gov/app/eos/", "auth": "none" },

    { "name": "Charity Commission England and Wales (CCEW)", "url": "https://api.charitycommission.gov.uk", "auth": "none" },

    { "name": "Google OSV.dev", "url": "https://api.osv.dev/v1", "auth": "none" },

    { "name": "NIST NVD", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0", "auth": "none" },

    { "name": "deps.dev (Google)", "url": "https://api.deps.dev", "auth": "none" },

    { "name": "NPPES NPI

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

{ "name": "SAM.gov", "url": "https://api.sam.gov", "auth": "none" },

    { "name": "IANA RDAP", "url": "https://rdap.org", "auth": "none" },

    { "name": "crt.sh (Certificate Transparency)", "url": "https://crt.sh", "auth": "none" },

    { "name": "Cloudflare DoH", "url": "https://cloudflare-dns.com/dns-query", "auth": "none" },

    { "name": "EPO OPS (Open Patent Services)", "url": "https://ops.epo.org/3.2/rest-services", "auth": "oauth2" },

    { "name": "USASpending.gov", "url": "https://api

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

{ "name": "Cloudflare DoH", "url": "https://cloudflare-dns.com/dns-query", "auth": "none" },

    { "name": "EPO OPS (Open Patent Services)", "url": "https://ops.epo.org/3.2/rest-services", "auth": "oauth2" },

    { "name": "USASpending.gov", "url": "https://api.usaspending.gov", "auth": "none" },

    { "name": "Federal Register API", "url": "https://www.federalregister.gov/api/v1", "auth": "none" },

    { "name": "Regulations.gov", "url": "https://api.regulations.gov/v4", "auth": "none" }

  ],

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

"data_sources": [

    { "name": "IRS EO BMF", "url": "https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf", "auth": "none" },

    { "name": "IRS TEOS", "url": "https://apps.irs.gov/app/eos/", "auth": "none" },

    { "name": "Charity Commission England and Wales (CCEW)", "url": "https://api.charitycommission.gov.uk", "auth": "none" },

    { "name": "Google OSV.dev", "url": "https://api.osv.dev/v1", "auth": "none" },

    { "name": "NIST NVD", "url": "

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

}

  ],

  "data_sources": [

    { "name": "IRS EO BMF", "url": "https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf", "auth": "none" },

    { "name": "IRS TEOS", "url": "https://apps.irs.gov/app/eos/", "auth": "none" },

    { "name": "Charity Commission England and Wales (CCEW)", "url": "https://api.charitycommission.gov.uk", "auth": "none" },

    { "name": "Google OSV.dev", "url": "https://api.osv.dev/v1", "auth": "none" },

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

{ "name": "Charity Commission England and Wales (CCEW)", "url": "https://api.charitycommission.gov.uk", "auth": "none" },

    { "name": "Google OSV.dev", "url": "https://api.osv.dev/v1", "auth": "none" },

    { "name": "NIST NVD", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0", "auth": "none" },

    { "name": "deps.dev (Google)", "url": "https://api.deps.dev", "auth": "none" },

    { "name": "NPPES NPI Registry (CMS)", "url": "https://npiregistry.cms.hhs.gov/api/", "auth": "none" },

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

{ "name": "Google OSV.dev", "url": "https://api.osv.dev/v1", "auth": "none" },

    { "name": "NIST NVD", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0", "auth": "none" },

    { "name": "deps.dev (Google)", "url": "https://api.deps.dev", "auth": "none" },

    { "name": "NPPES NPI Registry (CMS)", "url": "https://npiregistry.cms.hhs.gov/api/", "auth": "none" },

    { "name": "FINRA BrokerCheck", "url": "https://api.brokercheck.finra.org", "auth": "none" },

    { "name": "SAM.gov", "url"

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

{ "name": "EPO OPS (Open Patent Services)", "url": "https://ops.epo.org/3.2/rest-services", "auth": "oauth2" },

    { "name": "USASpending.gov", "url": "https://api.usaspending.gov", "auth": "none" },

    { "name": "Federal Register API", "url": "https://www.federalregister.gov/api/v1", "auth": "none" },

    { "name": "Regulations.gov", "url": "https://api.regulations.gov/v4", "auth": "none" }

  ],

  "tools_count": 30,

  "cache_ttl_seconds": 86400,

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

{ "name": "NIST NVD", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0", "auth": "none" },

    { "name": "deps.dev (Google)", "url": "https://api.deps.dev", "auth": "none" },

    { "name": "NPPES NPI Registry (CMS)", "url": "https://npiregistry.cms.hhs.gov/api/", "auth": "none" },

    { "name": "FINRA BrokerCheck", "url": "https://api.brokercheck.finra.org", "auth": "none" },

    { "name": "SAM.gov", "url": "https://api.sam.gov", "auth": "none" },

    { "name": "IANA RDAP", "url": "https

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

],

  "data_sources": [

    { "name": "IRS EO BMF", "url": "https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf", "auth": "none" },

    { "name": "IRS TEOS", "url": "https://apps.irs.gov/app/eos/", "auth": "none" },

    { "name": "Charity Commission England and Wales (CCEW)", "url": "https://api.charitycommission.gov.uk", "auth": "none" },

    { "name": "Google OSV.dev", "url": "https://api.osv.dev/v1", "auth": "none" },

    { "name": "NIST NVD", "ur

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

{ "name": "IRS EO BMF", "url": "https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf", "auth": "none" },

    { "name": "IRS TEOS", "url": "https://apps.irs.gov/app/eos/", "auth": "none" },

    { "name": "Charity Commission England and Wales (CCEW)", "url": "https://api.charitycommission.gov.uk", "auth": "none" },

    { "name": "Google OSV.dev", "url": "https://api.osv.dev/v1", "auth": "none" },

    { "name": "NIST NVD", "url": "https://services.nvd.n

RemediationAI

The problem is that the manifest explicitly declares authentication is OFF (`"auth": "none"`), meaning every tool call reaches the server without credentials, allowing any caller to invoke any tool. Implement a real authentication mechanism: add a bearer token, OAuth 2.0, mTLS, or API key scheme to the manifest's authentication field, and add middleware to each tool handler that validates the caller's credentials before executing the tool. Alternatively, deploy the server stdio-only behind a trusted host boundary. This prevents unauthorized tool invocation. Verify by calling a tool without credentials and confirming the server returns a 401 Unauthorized error.

Evidence

"""

datanexus/tools/t11.py — T11 Global Patent Intelligence tool.

Spec: DataNexus_MCP_Spec_v7_4.docx  Section 4, T11 entry

Exactly 4 data functions. Shared infrastructure tools (report_feedback,

report_mcpize_link) are registered ONCE in main.py — NOT here.

Data sources:

  Primary:   EPO OPS (Open Patent Services) — ops.epo.org — OAuth client_credentials

             European Patent Office API; 4 GB/month free tier

  Secondary: USPTO PatentsView — api.patentsview.org — no key required

RemediationAI

The problem is that datanexus/tools/t11.py holds a mutable shared container (e.g., a process-global list or cache) that is mutated from inside a tool handler with no caller-identity marker (user_id, session_id, caller_id, request_id, org_id, tenant_id, actor_id, subject, or principal), allowing a later caller to read what an earlier caller wrote and causing cross-request data leakage. Add a caller-identity parameter to the tool input schema, thread it through the tool handler, and partition all mutable state by caller ID (e.g., use a dict keyed by caller_id instead of a single shared list). This ensures each caller's data is isolated. Verify by calling the tool twice with different caller IDs, confirming that the second caller cannot see data written by the first caller.

Evidence

def _set_redis_client(client: Optional[redis_lib.Redis]) -> None:

    """Inject a Redis client — used in tests (e.g. fakeredis). Pass None to reset."""

    global _redis_client

    _redis_client = client

RemediationAI

The problem is that feedback/collector.py uses Python's `global` keyword to mutate module-level state (_redis_client) from inside a function, which in a multi-tenant MCP server creates a cross-request data path where one caller's state affects another caller's requests. Replace the global variable with a per-request context object: pass the Redis client as a function parameter or retrieve it from a request-scoped context (e.g., using contextvars.ContextVar or a thread-local storage keyed by request ID). This ensures each request has its own isolated state. Verify by calling the tool twice concurrently with different caller IDs and confirming that each request uses its own Redis client instance.

Evidence

def _get_frontend_corpus() -> list:

    global _FRONTEND_CORPUS

    if _FRONTEND_CORPUS is None:

        try:

            with open(_CORPUS_PATH) as f:

RemediationAI

The problem is that datanexus/tools/frontend_sprint8.py uses Python's `global` keyword to mutate module-level state (_FRONTEND_CORPUS) from inside a function, which in a multi-tenant MCP server creates a cross-request data path where one caller's state affects another caller's requests. Replace the global variable with a per-request context object or a class-based approach: pass the corpus as a function parameter or retrieve it from a request-scoped context (e.g., using contextvars.ContextVar). This ensures each request has its own isolated state. Verify by calling the tool twice concurrently with different caller IDs and confirming that each request uses its own corpus instance.

Evidence

def _get_redis() -> Optional[redis_lib.Redis]:

    """Lazy Redis connection. Returns None if unavailable — never raises."""

    global _redis_client

    if _redis_client is not None:

        return _redis_client

    try:

RemediationAI

The problem is that payment/entitlement.py uses Python's `global` keyword to mutate module-level state (_redis_client) from inside a function, which in a multi-tenant MCP server creates a cross-request data path where one caller's state affects another caller's requests. Replace the global variable with a per-request context object: pass the Redis client as a function parameter or retrieve it from a request-scoped context (e.g., using contextvars.ContextVar). This ensures each request has its own isolated state. Verify by calling the tool twice concurrently with different caller IDs and confirming that each request uses its own Redis client instance.

Evidence

"""

datanexus/tools/t10.py — T10 OSS Dependency & Vulnerability Intelligence.

Spec: DataNexus_MCP_Spec_v7_3.docx  Section 11.3 / Table 140  (authoritative)

Exactly 5 data functions + 2 infrastructure stubs = 7 total.

Data sources:

  Primary:   Google OSV.dev API (api.osv.dev/v1) — Apache 2.0, no key.

  Secondary: NIST NVD CVE API (services.nvd.nist.gov) — public domain, no key.

  Supporting: deps.dev API (api.deps.dev/v3alpha) — Apache 2.0, no key.

Hard stops (Section 12.5):

  - NEVER return

RemediationAI

The problem is that datanexus/tools/t10.py holds a mutable shared container (e.g., a process-global list or cache) that is mutated from inside a tool handler with no caller-identity marker, allowing a later caller to read what an earlier caller wrote and causing cross-request data leakage. Add a caller-identity parameter to the tool input schema, thread it through the tool handler, and partition all mutable state by caller ID (e.g., use a dict keyed by caller_id instead of a single shared list). This ensures each caller's data is isolated. Verify by calling the tool twice with different caller IDs, confirming that the second caller cannot see data written by the first caller.

Evidence

def _set_redis_client(client: Optional[redis_lib.Redis]) -> None:

    """Inject a Redis client (e.g. fakeredis) for testing. Pass None to reset."""

    global _redis_client

    _redis_client = client

RemediationAI

The problem is that payment/entitlement.py uses Python's `global` keyword to mutate module-level state (_redis_client) from inside a function, which in a multi-tenant MCP server creates a cross-request data path where one caller's state affects another caller's requests. Replace the global variable with a per-request context object: pass the Redis client as a function parameter or retrieve it from a request-scoped context (e.g., using contextvars.ContextVar). This ensures each request has its own isolated state. Verify by calling the tool twice concurrently with different caller IDs and confirming that each request uses its own Redis client instance.

Evidence

"""

datanexus/tools/nonprofit_sprint7.py — Sprint 7 nonprofit depth tools.

Tools:

  search_nonprofits_by_category    — search US nonprofits by NTEE category + state

  fetch_nonprofit_financial_trends — multi-year revenue/expense/asset trends for a nonprofit

OQ1 resolved: ProPublica /api/v2/organizations/{ein}.json returns pre-computed

fields (totrevenue, totfuncexpns, totprgmrevnue, netassetsend, tax_prd_yr) in

filings_with_data. No raw 990 JSON parsing needed.

Circuit breaker: _propublica_br

RemediationAI

The problem is that datanexus/tools/nonprofit_sprint7.py holds a mutable shared container (e.g., a process-global list or cache) that is mutated from inside a tool handler with no caller-identity marker, allowing a later caller to read what an earlier caller wrote and causing cross-request data leakage. Add a caller-identity parameter to the tool input schema, thread it through the tool handler, and partition all mutable state by caller ID (e.g., use a dict keyed by caller_id instead of a single shared list). This ensures each caller's data is isolated. Verify by calling the tool twice with different caller IDs, confirming that the second caller cannot see data written by the first caller.

Evidence

"""

datanexus/tools/security_sprint6.py — Sprint 6 security tools.

Tools:

  fetch_package_maintainer_history  — maintainer health + anomaly score

  fetch_package_risk_brief          — SHIP/CAUTION/BLOCK aggregator

  detect_typosquatting              — Damerau-Levenshtein vs top-10k (added in final step)

All are thin MCP wrappers. Logic lives in _security_utils.py / _maintainer_utils.py.

HTTP self-calls are forbidden — utilities are called directly.

"""

import asyncio

import logging

import tim

RemediationAI

The problem is that datanexus/tools/security_sprint6.py holds a mutable shared container (e.g., a process-global list or cache) that is mutated from inside a tool handler with no caller-identity marker, allowing a later caller to read what an earlier caller wrote and causing cross-request data leakage. Add a caller-identity parameter to the tool input schema, thread it through the tool handler, and partition all mutable state by caller ID (e.g., use a dict keyed by caller_id instead of a single shared list). This ensures each caller's data is isolated. Verify by calling the tool twice with different caller IDs, confirming that the second caller cannot see data written by the first caller.

Evidence

connection is attempted rather than returning a broken client whose write errors

    would be silently swallowed by the outer try/except in report_feedback().

    """

    global _redis_client

    if _redis_client is not None:

        try:

            _redis_client.ping()

RemediationAI

The problem is that feedback/collector.py uses Python's `global` keyword to mutate module-level state (_redis_client) from inside a function, which in a multi-tenant MCP server creates a cross-request data path where one caller's state affects another caller's requests. Replace the global variable with a per-request context object: pass the Redis client as a function parameter or retrieve it from a request-scoped context (e.g., using contextvars.ContextVar). This ensures each request has its own isolated state. Verify by calling the tool twice concurrently with different caller IDs and confirming that each request uses its own Redis client instance.

Evidence

def _set_caller_id(caller_id: Optional[str]) -> None:

    """Inject a fixed caller_id for testing. Pass None to reset."""

    global _test_caller_id

    _test_caller_id = caller_id

RemediationAI

The problem is that payment/entitlement.py uses Python's `global` keyword to mutate module-level state (_test_caller_id) from inside a function, which in a multi-tenant MCP server creates a cross-request data path where one caller's state affects another caller's requests. Replace the global variable with a per-request context object: pass the caller_id as a function parameter or retrieve it from a request-scoped context (e.g., using contextvars.ContextVar). This ensures each request has its own isolated state. Verify by calling the tool twice concurrently with different caller IDs and confirming that each request uses its own caller_id instance.

Evidence

"""

datanexus/tools/t04.py — T04 IRS 990 / Nonprofit Data tool.

Spec: DataNexus_MCP_Spec_v7_3.docx  Section 12.4 / Phase 2 Step B

Exactly 3 data functions + 2 infrastructure stubs = 5 total.

(Section 11.3, Table 163 — authoritative signatures)

Data sources:

  Primary:   IRS EO BMF (irs.gov) — public domain

  Secondary: IRS TEOS bulk downloads (irs.gov) — public domain

  Tertiary:  UK Charity Commission public bulk extract (no auth required)

             ccewuksprdoneregsadata1.blob.core.windo

Remediation

Partition shared state by caller identity, or eliminate it. Wrong: _cache = {} @mcp.tool() def search(query: str) -> list: if query in _cache: return _cache[query] result = _expensive(query) _cache[query] = result return result Right (key by caller): _cache: dict[str, dict] = {} @mcp.tool() def search(query: str, ctx) -> list: user_cache = _cache.setdefault(ctx.user_id, {}) if query in user_cache:

Evidence

def _get_redis() -> Optional[redis_lib.Redis]:

    """Lazy Redis connection. Returns None if unavailable — never raises."""

    global _redis_client

    if _redis_client is not None:

        return _redis_client

    try:

Remediation

Partition shared state by caller identity, or eliminate it. Wrong: _cache = {} @mcp.tool() def search(query: str) -> list: if query in _cache: return _cache[query] result = _expensive(query) _cache[query] = result return result Right (key by caller): _cache: dict[str, dict] = {} @mcp.tool() def search(query: str, ctx) -> list: user_cache = _cache.setdefault(ctx.user_id, {}) if query in user_cache:

Evidence

"""

datanexus/tools/security_stateful.py — Sprint 6 stateful security tools.

Tools:

  fetch_cve_watch     — persistent CVE watchlist (create/check/delete)

  audit_sbom_continuous — continuous SBOM monitoring (register/check/deregister)

Redis key schema (dn: prefix):

  dn:cve_watch:{watch_id}    — Hash (watch data)

  dn:cve_watch_ids           — SET  (watch index)

  dn:sbom_watch:{watch_id}   — Hash (SBOM watch data)

  dn:sbom_watch_ids          — SET  (SBOM watch index)

Scheduler: see datanex

Remediation

Add a structured audit-event emit immediately after every destructive sink. Minimum schema: actor, action, target, outcome, request_id. Python: from acme.audit import audit_log @mcp.tool() def delete_record(token: str, record_id: str) -> dict: actor = verify_token(token) db.execute("DELETE FROM records WHERE id = %s", (record_id,)) audit_log( actor=actor.sub, action="delete_record", target=record_id, outcome=

Evidence

# ── Structured error response shape ──────────────────────────────────────────

# Return this dict on ANY error. Never raise. Never return str(e).

# error_code must come from ErrorCode enum below.

#

# {

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

"error":           str(exc),

            "haiku_available": False,

        }))

        return {"error": str(exc), "haiku_available": False}

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

try:

                r = await get_redis()

                if r:

                    await r.set(cache_key, tier, ex=300)

            except Exception:

                pass

            return tier

        except Exception as exc:

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

# remaining allowlist domains — any path counts

        for allowed in _PATCH_ALLOWLIST:

            if host == allowed or host.endswith("." + allowed):

                return True

    except Exception:

        pass

    return False

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

raw = r.hget(key_feedback(tool_id, rid), "data")

                    if raw:

                        try:

                            records.append(json.loads(raw))

                        except Exception:

                            pass

            except Exception:

                pass

        results[tool_id] = records

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try:

        r = _get_redis()

        if r:

            r.set(LAST_ERROR_KEY, msg[:500], ex=7 * 86400)

    except Exception:

        pass

async def refresh() -> bool:

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try:

                            records.append(json.loads(raw))

                        except Exception:

                            pass

            except Exception:

                pass

        results[tool_id] = records

    return JSONResponse({"feedback": results})

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.