servers / tunnelmind-data-api

TunnelMind Data API MCP server

communitystreamable_httpremotedestructive capablehealthy

Tracker / Sigil / Cross-lens — every TunnelMind Data API operation as one MCP surface.


01Tools · 78
ToolRiskSide effectsApproval
sigil_verify_ads_txt_batch
Runs up to 100 ads.txt verifications in a single call — the endpoint an ad-buying agent uses for pre-bid checks across a whole campaign's supply. Each item is the same shape as `sigil_verify_ads_txt`. Per-item validation failures are reported inline; the batch never fails as a whole. Publisher records are fetched once per unique domain. Use this tool when: - You are evaluating many supply paths at once (campaign setup, SPO sweep). - You want one round-trip instead of N calls to `sigil_verify_ads_txt`. Inputs: - `items` (body, required): Array of 1–100 verification requests, each `{ publisher_domain, exchange_domain, seller_id, seller_type? }`. - `resolve_chain` (body, optional): Applies to every item — when true, a matched RESELLER entry is cross-checked against the exchange's sellers.json. Returns: - `count`: number of result entries (matches `items` length, in order). - `verified_count`: how many resolved to `verified: true`. - `results`: array aligned to `items`. Each entry is either a verification result with `ok: true` and `input_index`, or `{ ok: false, input_index, error, message }` for an invalid item. Cost: - Counts as one request against the daily rate limit. Latency: - Typical: <150ms. With `resolve_chain: true`, add one sellers.json fetch per unique exchange (edge-cached 12h after the first fetch).
writetrueunknown
scan_injection
Runs a curated signature corpus over a piece of untrusted text — content an agent is about to consume, a retrieved document, a tool result, an email body — and returns the matched injection patterns plus a bounded 0..1 risk score. This is a signal, never a policy decision: the caller decides what to do with a flagged input. Detected classes: instruction_override (ignore/override previous rules), role_reassignment (you are now DAN / developer mode), exfiltration (leak the system prompt or a secret to a URL), tool_smuggling (covertly invoke a tool, delete/destroy data), boundary_spoof (fake system/assistant turn delimiters). Input is normalized first to blunt cheap evasions (zero-width characters, smart quotes, whitespace padding). Use this tool when: - You are an agent about to feed retrieved or third-party text into a model and want to check it for embedded instructions first. - You are triaging why a tool description or web page looks suspicious. Do NOT use this tool when: - You want a trust verdict on a domain or entity — use `cross_lens_verify`. - You want to scan a whole MCP server's tools — use `scan_mcp`. Inputs: - `text` (body, required): the untrusted text to scan. Max 200,000 chars. Returns: - `flagged`: true if any signature matched. - `score`: bounded 0..1 risk score (saturating — one high-severity hit is already strongly flagged; many hits approach but never exceed 1). - `severity_max`: highest severity among matches (`high`/`medium`/`low`) or null. - `classes`: distinct injection classes matched. - `matches`: each matched signature `{ id, class, severity, excerpt }`. Cost: - Free. No API key required. Pure edge computation, no external calls. Latency: - Typical <20ms.
destructivetruetrue
sigil_verify_ip_type
Classifies an IPv4 or IPv6 address by network type — the high-value ad-fraud signal being datacenter traffic posing as residential or living-room (CTV) devices. IP→ASN resolution uses Team Cymru's public service; the ASN is then classified by its registered organization name. PRIVACY: the IP is used for lookup only — never logged, never stored. Inputs: - `ip` (query, required): IPv4 or IPv6 address. Returns: - `ip_type`: datacenter | residential | mobile | unknown. - `confidence`: high | medium | low. - `asn`, `asn_name`: the resolved autonomous system. - `scry_signals`: reserved for Scry corpus cross-reference (empty in v1). Latency: - Typical: 100-250ms (two live DNS lookups).
readfalseunknown
health_check
Returns a minimal status object confirming the API is alive. Use this to verify connectivity before chaining other calls, or as a liveness check in a workflow. Use this tool when: - You need to verify the API is reachable before starting a multi-step investigation. - A prior call failed with a 503 or 504 and you want to confirm the service recovered. - You are debugging connectivity from a new environment. Do NOT use this tool when: - You want actual tracker data — use `get_domain` or `search` instead. - You want to check a specific domain — this returns nothing domain-specific. Inputs: - None. Returns: - `ok`: always true if the API is up. - `ts`: ISO 8601 timestamp of the server's current time. Cost: - Free. No API key required. Not rate-limited. Latency: - Typical: <50ms, p99: <200ms.
readfalseunknown
sigil_atap_register_ait
Registers an ATAP v0.1 AIT for a media-buying agent under the `sigil:media_buyer:v1` profile. Sigil validates the capability set and constraints against the published profile, signs the AIT as the witness (`OAI-2026-0000201`), stores it, and returns the signed token. Sigil is the ATAP witness — there is no kernel observer. See https://github.com/TunnelMind/atap-profiles.
writetrueunknown
sigil_atap_roll_block
Rolls every not-yet-blocked Witness Event for an AIT into one signed ATAP Attestation Block with a profile `period_summary`, chained onto the prior block.
unknownunknownunknown
get_domain
Returns the complete surveillance intelligence record for a domain name. If the domain is in TunnelMind's tracker database (80,000+ entries), the response includes tracker category, risk score, fingerprinting data, cookie persistence, IAB TCF purposes, and the owning corporate entity. If the domain is not in the database, a live probe is automatically run: RDAP registration data, DNS records (MX, SPF, TXT verification tokens), HTTP headers, and CSP third-party actors are fetched fresh from the edge and returned. Use this tool when: - You need to know whether a specific domain tracks users, and how aggressively. - You are researching who owns a domain and what corporate entity controls it. - You want to check HTTP security headers and third-party services embedded in a site. - You are building a risk score for a domain before routing traffic through it. Do NOT use this tool when: - You want to search by keyword or category — use `search` instead. - You want all domains for an entity — use `get_entity` instead. Inputs: - `domain` (path, required): Domain name. Strip `www.` prefix — it is removed automatically. Subdomains are resolved to the parent: `ads.doubleclick.net` → `doubleclick.net`. Examples: `doubleclick.net`, `google-analytics.com`, `intercom.io`. Returns: - Full `DomainRecord`. Free tier returns the domain, category, score, prevalence, and entity name. Pro/enterprise additionally return `tcf_vendor_id`, `tcf_purposes`, `tcf_features`, and `disconnect_cats`. - If the domain is not in the tracker database, `live_lookup: true` is set and RDAP/DNS/HTTP probe results are returned instead of tracker fields. - 404 if the domain cannot be found via live probe either (unknown TLD, unreachable). Cost: - Free tier: included in 50 req/day limit. Pro/enterprise: included in plan. Latency: - Database hit: typical <100ms, p99 <300ms. - Live probe: typical 2-5s, p99 10s (external DNS/HTTP calls).
writetrueunknown
get_receipt
Returns metadata for a TunnelMind surveillance receipt — a signed document proving that a specific user's surveillance exposure was observed, measured, and recorded at a specific time. Does NOT return the receipt's signature (anti-phishing protection). To verify a receipt's content integrity, use `verify_receipt` with the hash and signature from the receipt document itself. Use this tool when: - You have a receipt ID and want to confirm it was genuinely issued by TunnelMind. - You need the issuance timestamp and signing key ID for a receipt. - You want to check whether a receipt exists before attempting content verification. Do NOT use this tool when: - You have the full receipt document and want to verify it hasn't been tampered with — use `verify_receipt` instead. Inputs: - `receipt_id` (path, required): The receipt ID from the receipt document. Alphanumeric with hyphens, max 128 characters. Returns: - `status`: `FOUND` if the receipt is in the registry. - `generated_at`: ISO 8601 timestamp of receipt issuance. - `signing_key_id`: identifier of the Ed25519 key used to sign. - `schema_version`: receipt schema version. - `message`: human-readable summary with instructions for content verification. - 404 if the receipt ID is not in the registry. Cost: - Free. No API key required. Latency: - Typical: <100ms, p99: <300ms.
readfalseunknown
get_api_key
Returns the tier, label, masked owner email, creation date, last-used timestamp, today's request count, and daily request limit for the API key used in this request. Useful for agents that need to monitor their own quota consumption. Use this tool when: - You want to check how many requests your key has used today. - You need to know your current tier or daily limit. - You want to confirm that your API key is active. Do NOT use this tool when: - You want to manage multiple keys — this endpoint only reflects the calling key. - You need tracker data — use the tracker endpoints instead. Inputs: - No body or query parameters. Auth is from the `Authorization: Bearer` header. Returns: - `tier`: free, supporter, pro, or enterprise. - `requests_today`: integer count from KV (best-effort; resets at UTC midnight). - `limit_per_day`: null for enterprise (unlimited). - `last_used`: ISO 8601 timestamp, may be null if never used. Cost: - Free. Does not count against the daily request limit. Latency: - Typical: <150ms, p99: <400ms.
readfalseunknown
cancel_task
Marks the task as `cancelled`. If the task is already in a terminal state (`complete`, `failed`, `expired`), returns 409 Conflict. Only the identity that created the task may cancel it. Use this tool when: - You submitted a probe with `?async=true` and no longer need the result. - You want to free up a pending task before it expires. Do NOT use this tool when: - The task is already complete — cancellation is not possible. Inputs: - `task_id` (path, required): 26-char ULID. Returns: - `task_id` and `status: cancelled`. Cost: - Free. Latency: - Typical: <150ms.
destructivetruetrue
list_domains
Returns a paginated list of domains from the tracker database. Results are ordered alphabetically by domain name and support cursor-based pagination for full traversal. Filtering by category and minimum score allows targeted data extraction. Use this tool when: - You want to enumerate all known ad-tech or analytics domains above a risk threshold. - You need a dataset of tracker domains for offline analysis. - You are paginating through a category to build a block list. Do NOT use this tool when: - You need data for a specific domain — use `get_domain` instead. - You are searching by keyword — use `search` instead. - You want domains belonging to a specific company — use `get_entity` instead. Inputs: - `category` (query, optional): Filter by surveillance category. One of: `ad_tech`, `analytics`, `social`, `fingerprinting`, `content`, `cdn`, `other`. - `min_score` (query, optional): Integer 0-100. Exclude domains scoring below this value. - `limit` (query, optional): Number of results per page. Max 100 (paid), 20 (free). Default 50. - `cursor` (query, optional): Pagination cursor from the previous response's `next_cursor` field. Returns: - Array of domain list items (domain, category, score, prevalence, entity summary). - `meta.has_more`: true if more pages exist. - `meta.next_cursor`: pass as `cursor` to get the next page. - `meta.count`: number of results in this page. Cost: - Free tier: up to 20 results/page, 50 req/day. Pro/enterprise: up to 100 results/page. Latency: - Typical: <200ms, p99: <500ms.
readfalseunknown
get_entity
Returns an entity record for a surveillance company or data broker, including its industry, estimated annual data value per user (in USD), categories of personal data collected, and the full list of domains it controls. Free tier returns 5 domains, paid returns up to 200. Use this tool when: - You want to understand what corporate entity owns or controls a tracker domain. - You need to assess the total surveillance footprint of a company (e.g., Alphabet, Meta, Oracle). - You are building a corporate surveillance graph and need domain-to-entity mapping. Do NOT use this tool when: - You have a domain and need its category — use `get_domain` instead. - You want to browse entities by industry — use `list_entities` instead. - You are searching for an entity by name — use `search` instead. Inputs: - `slug` (path, required): URL-safe entity identifier (lowercase, hyphens). Examples: `alphabet`, `meta`, `oracle-data-cloud`, `the-trade-desk`. Returns: - Full `EntityRecord` with data categories, estimated data cost, and associated domains. - `domains`: array of top-scoring domains (5 for free tier, 200 for paid). - Pro/enterprise additionally return `website` and `description` fields. Cost: - Free tier: included in 50 req/day limit. Pro/enterprise: included in plan. Latency: - Typical: <150ms, p99: <400ms.
readfalseunknown
list_entities
Returns a paginated list of corporate entities in the TunnelMind surveillance database. Includes data categories, estimated data value, and industry classification. Useful for enumerating the surveillance ecosystem by sector. Use this tool when: - You want to enumerate all entities in a specific industry (e.g., all ad-tech companies). - You need a dataset of surveillance entities for analysis or reporting. - You are building a comprehensive surveillance landscape map. Do NOT use this tool when: - You need the full profile of a specific entity — use `get_entity` instead. - You are searching by entity name — use `search` instead. - You need domain-level data — use `list_domains` instead. Inputs: - `industry` (query, optional): Filter by industry classification. Examples: `ad_tech`, `analytics`, `data_broker`, `social`, `crm`. - `limit` (query, optional): Results per page. Max 100 (paid), 20 (free). Default 50. - `cursor` (query, optional): Pagination cursor from previous response's `next_cursor`. Returns: - Array of entity list items (slug, name, parent_company, industry, data_categories, data_cost_usd). - `meta.has_more` and `meta.next_cursor` for pagination. Cost: - Free tier: up to 20 results/page, 50 req/day. Pro/enterprise: up to 100 results/page. Latency: - Typical: <150ms, p99: <400ms.
readfalseunknown
search
Searches both the domains table and the entities table simultaneously. Returns matching domains (by domain name) and entities (by name or slug) in a single response. Minimum 2 characters, maximum 100 characters. Use this tool when: - You have a partial name and need to identify what tracker or entity it belongs to. - You want to find all TunnelMind records related to a company name like "Google" or "Oracle". - You are resolving an ambiguous domain (e.g., does `criteo.com` appear in the tracker DB?). Do NOT use this tool when: - You know the exact domain — use `get_domain` instead (faster, more complete). - You know the exact entity slug — use `get_entity` instead. - You want to browse by category or industry — use `list_domains` or `list_entities`. Inputs: - `q` (query, required): Search string, 2-100 characters. Matched against domain names and entity names/slugs. Returns: - `domains`: array of matching domain records (list item format). - `entities`: array of matching entity records (list item format). - Both arrays may be empty if no matches found. No pagination — results are capped at 20 per type. Cost: - Free tier: included in 50 req/day. Pro/enterprise: included in plan. Latency: - Typical: <200ms, p99: <500ms.
readfalseunknown
intel_http
Makes a live HEAD request to the target domain from the Cloudflare edge, follows up to 5 redirects, and returns the full redirect chain, final HTTP status, key response headers, a security header score, and any third-party surveillance actors referenced in the Content-Security-Policy header. Use this tool when: - You want to verify whether a site enforces HTTPS and HSTS. - You need to inspect what third-party scripts a site loads via its CSP header. - You are assessing a domain's security posture before trusting it. - You want to detect surveillance actors embedded in a site's CSP. Do NOT use this tool when: - You need tracker database data (category, score, entity) — use `get_domain` instead. - You need the technology stack (CMS, framework) — use `intel_stack` instead. - You need robots.txt AI crawler policy — use `intel_robots` instead. Inputs: - `domain` (query, required): Domain to probe. Can include or omit `https://`. Examples: `nytimes.com`, `https://example.com`. Returns: - `reachable`: false if the domain did not respond within 6 seconds. - `redirect_chain`: each hop with URL, status code, and Location header. - `security_headers.score`: 0-100 based on presence of HSTS, CSP, X-Content-Type, X-Frame-Options, Referrer-Policy. - `security_headers.missing`: list of headers absent. - `csp_actors`: known surveillance actors detected in the CSP header. - `error`: set if the connection failed. Cost: - Free. No API key required. Latency: - Typical: 1-3s (outbound fetch), p99: 6s (timeout). Plan for async if chaining calls.
writetrueunknown
intel_stack
Fetches up to 32KB of the domain's HTML and response headers from the edge, then fingerprints the content for known CMS platforms, JavaScript frameworks, CDN providers, and analytics tools. Detection is based on meta generator tags, script src patterns, response headers, and cookie names. Use this tool when: - You need to know what CMS (WordPress, Drupal, Shopify) a site runs. - You are assessing a domain's infrastructure before a security review. - You want to identify analytics or marketing tools a site embeds. Do NOT use this tool when: - You want HTTP headers and security posture — use `intel_http` instead. - You want tracker database classification — use `get_domain` instead. - You need robots.txt AI policy — use `intel_robots` instead. Inputs: - `domain` (query, required): Domain to fingerprint. Returns: - `cms`: detected content management system, or null. - `frameworks`: JavaScript/backend frameworks detected. - `cdn`: CDN provider detected, or null. - `analytics`: analytics and tracking tools detected. - `meta_generators`: raw meta generator tag values. Cost: - Free. No API key required. Latency: - Typical: 2-4s (HTML fetch), p99: 7s.
readfalseunknown
intel_robots
Retrieves the target domain's `robots.txt` file and parses it for AI crawler disallow rules. Specifically detects policies for known AI crawlers (GPTBot, ClaudeBot, CCBot, Bytespider, etc.) and returns a structured summary of the crawling policy. Use this tool when: - You need to know whether a domain has opted out of AI training data collection. - You want to check if a specific AI crawler is blocked before citing the domain. - You are building a dataset of AI-accessible vs AI-blocked domains. Do NOT use this tool when: - You want training opt-out signals beyond robots.txt (TDM reservation, noai meta) — use `intel_optout` instead. - You want the full technology stack — use `intel_stack` instead. - You need tracker database data — use `get_domain` instead. Inputs: - `domain` (query, required): Domain to probe. Returns: - `robots_txt_found`: false if the domain returned 404 or the file is empty. - `ai_crawlers_blocked`: list of AI crawler user-agent names that are disallowed. - `all_blocked`: true if `User-agent: *` with `Disallow: /` is present. - `raw`: first 4096 characters of the robots.txt file. Cost: - Free. No API key required. Latency: - Typical: 1-2s, p99: 6s.
readfalseunknown
intel_agent
Probes a domain for known AI agent integration signals: `llms.txt`, `ai.txt`, `/.well-known/ai-plugin.json`, `openapi.json`, `swagger.json`, MCP manifest, MCP SSE endpoint. Returns a score based on the count of signals detected. Use this to assess whether a domain is ready for agent-to-agent interaction. Use this tool when: - You want to know whether a domain exposes an MCP server or OpenAPI spec for agents. - You are cataloguing the AI-agent-ready surface of a set of domains. - You need to decide whether to attempt programmatic API access to a domain. Do NOT use this tool when: - You need tracker/surveillance data about the domain — use `get_domain` instead. - You need the robots.txt AI crawler policy — use `intel_robots` instead. - You need HTTP security posture — use `intel_http` instead. Inputs: - `domain` (query, required): Domain to probe. Returns: - Boolean flags per signal (`llms_txt`, `ai_plugin`, `openapi`, `mcp_manifest`, `mcp_endpoint`, `mcp_sse`). - `agent_surface_score`: integer 0-8, count of signals detected. Cost: - Free. No API key required. Latency: - Typical: 2-5s (parallel probes), p99: 8s.
writetrueunknown
intel_inject
Fetches a domain's homepage and checks for content patterns that could constitute prompt injection attacks against AI agents that visit and ingest the page. Signals include hidden text, invisible divs, `<!-- AI: ignore -->` style comments, and known injection patterns. Use this tool when: - You are vetting a domain before feeding its content into an LLM context. - You want to assess the prompt injection risk of a URL before browsing it with an agent. - You are auditing a set of domains for adversarial AI content. Do NOT use this tool when: - You want tracker surveillance data — use `get_domain` instead. - You want AI training opt-out signals — use `intel_optout` instead. - You want the agent surface (MCP/OpenAPI) — use `intel_agent` instead. Inputs: - `domain` (query, required): Domain to scan. Returns: - `injection_signals`: list of signal types detected (e.g., `hidden_text`, `ai_instruction_comment`, `invisible_div`). - `risk_level`: `none`, `low`, `medium`, or `high` based on signal count and type. Cost: - Free. No API key required. Latency: - Typical: 2-4s (HTML fetch), p99: 7s.
writetrueunknown
intel_optout
Checks a domain for all known AI training data opt-out mechanisms beyond robots.txt: TDM (Text and Data Mining) reservation headers, `<meta name="ai">` tags, Creative Commons NonCommercial licenses, and other machine-readable opt-out signals. Use this tool when: - You need to determine whether a domain has opted out of AI training data collection. - You are checking compliance before using a domain's content in a training dataset. - You want a comprehensive opt-out status (robots.txt + TDM + meta tags combined). Do NOT use this tool when: - You only need robots.txt crawler policy — use `intel_robots` instead (faster). - You need tracker data — use `get_domain` instead. - You want injection risk assessment — use `intel_inject` instead. Inputs: - `domain` (query, required): Domain to probe. Returns: - `tdm_reservation`: true if the domain sends a `TDM-Reservation: 1` header. - `noai_meta`: true if the HTML contains `<meta name="robots" content="noai">`. - `license_detected`: string if a CC NonCommercial or similar license is detected, otherwise null. - `opted_out`: true if any opt-out signal is present. Cost: - Free. No API key required. Latency: - Typical: 2-4s, p99: 7s.
readfalseunknown
verify_receipt
Tamper-detection verification for TunnelMind surveillance receipts. Submit the receipt ID, the SHA-256 content hash, and the Ed25519 signature from the receipt document. The registry compares these against what was recorded at issuance time. Returns VALID if both match exactly, INVALID with a specific mismatch reason otherwise. Use this tool when: - You received a surveillance receipt document and want to verify it hasn't been altered. - You are programmatically checking receipt authenticity in an agent workflow. - You want to prove to a third party that a receipt is genuine. Do NOT use this tool when: - You only want to check existence — use `get_receipt` instead (no body required). Inputs: - `receipt_id` (body, required): The receipt's ID field from the document. - `content_hash` (body, required): SHA-256 hex hash of the receipt JSON. Max 256 chars. - `signature` (body, required): Ed25519 signature from the receipt document. Max 512 chars. Returns: - `valid`: boolean. True only if both hash and signature match exactly. - `status`: `VALID` or `INVALID`. - `message`: human-readable explanation. On INVALID, specifies whether the hash mismatched, the signature mismatched, or both. Cost: - Free. No API key required. Latency: - Typical: <100ms, p99: <300ms.
readfalseunknown
revoke_api_key
Permanently deactivates the API key used to make this request. This action is irreversible. After revocation, the key will return 401 on all subsequent calls. If you have an active Stripe subscription, you must separately cancel it at stripe.com — revoking the key does not cancel billing. Use this tool when: - You want to rotate your API key (revoke old, then provision a new one). - You believe your key has been compromised. Do NOT use this tool when: - You want to check quota — use `get_api_key` instead. - You intend to keep using the API — this is permanent. Inputs: - No body or query parameters. Auth is from the `Authorization: Bearer` header. Returns: - `revoked`: true. - `note`: reminder about Stripe subscription cancellation. Cost: - Free. Does not count against the daily request limit. Latency: - Typical: <150ms, p99: <400ms.
destructivetruetrue
get_task
Returns the current status of a task created by an `?async=true` intel request. Poll this endpoint until `status` is one of: `complete`, `failed`, `cancelled`, `expired`. On `complete`, the `result` field contains the same payload the sync endpoint would have returned. On `failed`, `error.message` explains the failure. Use this tool when: - You submitted an intel probe with `?async=true` and need to retrieve the result. - You want to check whether a background task finished without opening an SSE stream. Do NOT use this tool when: - You want real-time event streaming — use `stream_task` instead. - You have no task_id — submit a probe with `?async=true` first. Inputs: - `task_id` (path, required): 26-char ULID returned in the 202 response. Returns: - `status`: `pending` | `running` | `complete` | `failed` | `cancelled` | `expired`. - `result`: populated when status is `complete`. Null otherwise. - `error`: populated when status is `failed`. Null otherwise. - `expires_at`: tasks expire 1 hour after creation. Cost: - Free. Does not count against rate limits. Latency: - Typical: <100ms.
readfalseunknown
stream_task
Opens a persistent SSE connection that emits events as the task progresses. The stream closes automatically when the task reaches a terminal state or after ~90 seconds (timeout). Heartbeat comments are sent every ~15 seconds to keep the connection alive through proxies. Event types: - `status` — emitted when status changes (pending → running → complete/failed) - `result` — emitted on `complete` with the full result payload - `error` — emitted on `failed`, `cancelled`, or `expired` with error info - SSE comment (`: heartbeat`) — keepalive, no data Use this tool when: - You want real-time progress without polling. - You are in an environment that supports SSE (EventSource API). Do NOT use this tool when: - You want a simple one-shot status check — use `get_task` instead. - Your HTTP client doesn't support streaming responses. Inputs: - `task_id` (path, required): 26-char ULID. Returns: - SSE stream (`text/event-stream`). Each event is `event: <type>\\ndata: <json>\\n\\n`. Cost: - Free. Counts as one request against rate limits when the stream opens. Latency: - First event: <200ms. Stream duration: up to 90s.
writetrueunknown
audit_export
Returns NDJSON (one JSON object per line) of audit log entries. Each entry records the operation called, the identity, hashes of the request and response, duration, and an Ed25519 signature over the canonical entry JSON. Entries are hash-chained: each entry's `prev_entry_hash` is SHA-256 of the previous entry's signature, making deletion of any entry detectable offline. Authenticated callers receive only their own entries (`identity_sub` match). Admin key holders receive all entries. Use this tool when: - You want a tamper-evident record of your own API calls. - You are auditing a sequence of requests for compliance or debugging. - You want to verify the audit chain integrity offline. Do NOT use this tool when: - You are anonymous — authentication is required. - You want task status — use `get_task` instead. Inputs: - `from` (query, optional): ISO 8601 start datetime. Default: 7 days ago. - `to` (query, optional): ISO 8601 end datetime. Default: now. - `limit` (query, optional): Max entries. 1–5000, default 1000. Returns: - NDJSON stream, one `AuditEntry` per line. - `X-Total-Count` response header with entry count. - `X-Took-Ms` response header. Verify the chain offline: - For each consecutive pair (A, B): `SHA-256(A.signature) == B.prev_entry_hash`. - For each entry: verify Ed25519 signature against public key in `/.well-known/atap.json`. Cost: - Counts as one request against the daily limit. Latency: - Typical: <300ms for 1000 entries, p99: <1s.
readfalseunknown
generate_receipt
Looks up each submitted domain in the TunnelMind tracker database, aggregates risk metrics (avg score, max score, fingerprinters, high-risk domains, entity ownership), and issues a signed surveillance receipt. The receipt is stored in the public registry and can be verified at `/verify/{receipt_id}`. Use this tool when: - You want a verifiable record of which trackers were observed in a context (page, app, session). - You need a signed evidence artifact for a privacy audit or compliance report. - You want to know the overall surveillance exposure level for a set of domains. - You are generating a receipt to share with a user as evidence of tracker presence. Do NOT use this tool when: - You want full tracker details per domain — use `get_domain` instead. - You want to look up an existing receipt — use `get_receipt` instead. - You need live probes (HTTP headers, stack detection) — use `/v1/intel/*` instead. Inputs: - `domains` (body, required): Array of 1–50 fully qualified domain names. Duplicates are deduplicated. URLs are stripped to host component. - `domain` (body, alternative): Single domain string (shorthand for `domains: [domain]`). Returns: - `receipt_id`: Unique receipt ID (e.g. `rcpt_01JXYZ...`). - `receipt`: Full receipt document including domains submitted, tracker findings, high-risk domains, fingerprinters, unique entities, and exposure metrics. - `content_hash`: SHA-256 of the canonical receipt JSON. - `signature`: Base64 Ed25519 signature (empty string if signing key not configured). - `signed`: Boolean — true if the receipt is cryptographically signed. - `verify_url`: Path to retrieve this receipt from the public registry. Exposure levels: `minimal` / `moderate` / `high` / `critical` Based on average tracker score and proportion of high-risk domains (score ≥ 70). Cost: - Counts as one request against the daily limit regardless of domain count. Latency: - Typical: <100ms (pure D1 lookup, no outbound probing). p99: <300ms.
writetrueunknown
sigil_verify_ads_txt
Confirms whether an SSP/exchange is authorized to sell a publisher's inventory according to that publisher's ads.txt. This is a cache lookup against ads.txt files crawled daily across the top 10,000 publisher domains — it does NOT fetch the publisher's ads.txt live, so it is fast and adds no latency to a real-time bidding decision. Use this tool when: - You are an ad-buying agent and want to confirm, pre-bid, that a supply path (publisher → exchange → seller_id) is legitimate. - You are detecting domain spoofing or unauthorized resale in a bid stream. - You want to check whether a seller is listed DIRECT or RESELLER. Do NOT use this tool when: - You want a full supply-path trust score — that endpoint is Sigil P31. - You want surveillance tracker data for the domain — use `get_domain`. Inputs: - `publisher_domain` (body, required): Publisher domain, e.g. `nytimes.com`. A `www.` prefix and scheme/path are stripped automatically. - `exchange_domain` (body, required): The exchange/SSP domain as it appears in ads.txt, e.g. `google.com`, `amazon-adsystem.com`. - `seller_id` (body, required): The publisher's seller/account ID at that exchange, e.g. `pub-4177862836555934`. Matched exactly. - `seller_type` (body, optional): `DIRECT` or `RESELLER`. When supplied it is checked against the ads.txt entry; a mismatch is reported as a warning. - `resolve_chain` (body, optional): When true, a matched RESELLER entry is cross-checked against the exchange's sellers.json (one authoritative hop). Returns: - `verified`: true (entry found), false (confidently not listed), or null (ads.txt could not be retrieved — indeterminate). - `confidence`: `high` | `degraded` | `low` | `unknown`. - `seller_entry`: the matched ads.txt line (line number, raw text, parsed fields) when `verified` is true; otherwise null. - `ads_txt_parse_status`, `ads_txt_last_parsed`, `stale`: provenance of the cached crawl this answer is derived from. - `reseller_chain`: empty unless `resolve_chain: true` and the matched entry is RESELLER — then it carries the sellers.json cross-check for the seller. - `warnings`: actionable flags, e.g. `publisher_not_in_corpus`, `publisher_has_no_ads_txt`, `seller_type_mismatch`, `ads_txt_cache_stale`. Cost: - Counts as one request against the daily rate limit. Latency: - Typical: <50ms (single cache lookup, no outbound fetch). p99: <120ms.
readfalseunknown
traction
Live traction numbers computed from sources the Worker owns: the hash-chained D1 audit log (7-day call volume, distinct identified callers, top operations), the stored-receipt table, and Stripe (succeeded charges → paying customers, gross USD). Ed25519-signed with the same attestation envelope as /v1/status so the numbers can be replayed to an auditor. Use this tool when: - You are evaluating whether anyone actually uses and pays for this API. - You need a signed, re-checkable statement of usage rather than a claim. Returns: - `traction.usage`: calls_7d, identified_callers_7d, anonymous_calls_7d, top_operations_7d — or available:false with a reason. - `traction.receipts`: stored receipt counts (total / 7d). - `traction.revenue`: paying_customers, succeeded_charges, gross_usd, `truncated` flag when the Stripe page is partial. - `attestation`: Ed25519 signature over the canonicalized traction block. Cost: - Counts as one request against the daily rate limit. Cached 1h. Latency: - Typical: <100ms cached; up to ~2s on a cache miss (one Stripe read).
readfalseunknown
verify_agent
Reconciles a claimed bot User-Agent against the operator's OWN published IP-range feed (Googlebot, GPTBot, OAI-SearchBot, ChatGPT-User, PerplexityBot, Perplexity-User, Bingbot). A User-Agent is trivial to forge; membership in the operator's published CIDR ranges is not. This exposes the common attack: a scraper sending `User-Agent: Googlebot` from an IP in none of Google's ranges. Use this tool when: - A request claims to be a search/AI crawler and you must decide whether to trust that claim before serving, allowing, or logging it. - You are separating genuine declared agents from impersonators. Inputs: - `ip` (path, required): the IPv4 or IPv6 address to check. - `ua` (query, optional): the claimed User-Agent string. Omit to ask only "is this IP a known published bot range?". Returns: - `verdict`: one of - `verified` — the IP is inside the agent's published range (UA, if given, agrees). It genuinely is that bot. - `spoofed` — the UA claims a verifiable bot but the IP is in none of its published ranges. Impersonation. - `mismatch` — the IP is a real bot's range, but the UA names a different bot. - `unverifiable` — the UA names a real agent whose operator publishes no authoritative IP feed (e.g. Anthropic's ClaudeBot). Neither confirmed nor denied — never reported as spoofed. - `unknown` — no recognized bot UA and the IP is in no known range. - `is_verified_agent`, `is_spoofed`: booleans for the two actionable cases. - `agent`, `agent_label`, `matched_agent`, `claimed_agent`: the resolved identities. - `reason`: one-line explanation of the verdict. - `feeds_as_of_ms`: when the published ranges were last refreshed. Cost: - Counts as one request against the daily rate limit. Latency: - Typical: <50ms (one KV read + CIDR match). First call after a deploy may take ~1s if it has to warm the range cache.
writetrueunknown
list_subscriptions
Returns the caller's active and inactive subscriptions (signing_key redacted). Requires an API key.
unknownunknownunknown
delete_subscription
Cancel a subscription.
destructivetruetrue
create_subscription
Subscribe to a node (ip, domain, asn, or entity slug). On a recurring sweep (~20 min) TunnelMind re-runs the fused `POST /v1/verify` verdict and, when the *material* result changes — the verdict label flips, the trust score crosses a band, or the signal set changes — POSTs a signed event to your `callback_url`. Webhook authenticity: every delivery carries an `X-TunnelMind-Signature: sha256=<hex>` header, an HMAC-SHA256 over the raw request body keyed by the `signing_key` returned ONCE at creation. Recompute and compare to trust it. Delivery body: `{ subscription_id, node, event: "verdict_change", previous, current, delivered_ms }` where `previous`/`current` are compact verdict summaries `{ verdict, trust_score, signals }`. Inputs (JSON body): - `node` (required): the node to watch. - `callback_url` (required): an https URL to receive deliveries. - `events` (optional): reserved; defaults to `["verdict_change"]`. Requires an API key. The baseline verdict is captured at creation, so the first webhook fires on the first genuine change, not the initial state.
writetrueunknown
get_subscription
Read one of your subscriptions (signing_key redacted).
readfalseunknown
tracker_verify
The Tracker lens-owned verify surface: a per-node verdict over the normalized DDG Tracker Radar / IAB TCF / Disconnect.me corpus, with an optional signed TunnelMind Receipt v1.0. This is the single-lens ground truth the fused `POST /v1/verify` cites for its tracker block. Use this tool when: - You need to know whether a domain is tracking/surveillance infrastructure and which entity operates it, without the full cross-lens fusion. - You want a signed, offline-verifiable receipt for that single-lens answer. Inputs: - `node` (path, required): a domain (e.g. `doubleclick.net`) or an entity slug (e.g. `google`). IPs and ASNs are not indexable by this lens. - `receipt` (query, optional): `true` attaches a Receipt v1.0 envelope. Returns: - `tracking`: true (in the tracker corpus), false (queried, absent), or null (not answerable — ip/asn node or backend unavailable; see `reason`). - `tracker`: the lens record — domain {category, prevalence, score 0-100} plus operating entity {slug, name, parent_company, industry, sources}, or entity + top_domains when queried by slug. - `checked_at`: ISO 8601 timestamp of the corpus read. - `receipt`: TunnelMind Receipt v1.0 (Ed25519, JCS) when requested. Cost: - Counts as one request against the daily rate limit. Latency: - Typical: <100ms (one or two D1 reads at the edge).
writetrueunknown
sigil_verify_domain
Confirms a publisher controls a domain by checking for a DNS TXT record the owner publishes under `_tunnelmind.{domain}`. A DNS record can only be set by whoever controls the zone, so its presence proves control — a stronger signal than ads.txt, which is just a file anything in the request path can serve. Use this tool when: - You want proof a publisher actually owns the domain it claims. - You are distinguishing publishers who have opted into Sigil verification. Inputs: - `domain` (query, required): Publisher domain. `www.` and scheme stripped. Returns: - `verified`: true (record found), false (absent), or null (DNS lookup failed). - `expected`: the exact TXT record the owner must publish to verify. - `found_records`: TXT values currently present at `_tunnelmind.{domain}`. - `checked_at`: ISO 8601 timestamp of the live DNS lookup. Cost: - Counts as one request against the daily rate limit. Latency: - Typical: <300ms (one DNS-over-HTTPS lookup).
writetrueunknown
sigil_verify_adscert
Reports whether a domain publishes ads.cert (IAB Tech Lab Authenticated Connections) DNS records — a readiness signal showing the domain supports cryptographically authenticated ad-tech connections. This is not signature verification: ads.cert is pairwise, so verifying a signed bid request requires Sigil to be a delegated participant (a future build). DNS-only and stateless. Inputs: - `domain` (query, required): Domain to check. Returns: - `adscert_ready`: true | false | null (DNS lookup failed). - `adscert_records`: TXT values at `_adscert.{domain}`. - `delegation_records`: TXT values at `_delegated._adscert.{domain}`.
readfalseunknown
cross_lens_verify
A2 — the cross-lens join. TunnelMind owns multiple halves of the open-web graph: Scry sees who is on every IP (attacker intelligence, actor class, Augur threat-intel overlap); Sigil sees the supply graph (publishers, SSPs, DSPs, ads.txt + sellers.json + SupplyChain Object); GhostRoute sees routing integrity & sovereignty (RPKI origin validity, BGP prefix, claimed sovereign zone, sanctions, AI-infrastructure ownership, certificate CA). This endpoint fuses them into one verdict on a single node key. The response leads with a base record, then the lens views: - `ip_intel` — the BASE: the commodity IP-intelligence + WHOIS record (geo/ASN/company/WHOIS/routing/cert), every field provenance-tagged `{value, tier, source}` (verified/derived/trusted) with a behaviour axis from Scry. The lens blocks below are augmentation beside it. Committed in the receipt payload. See `docs/IP-INTEL-RECORD.md`. - `scry` — the single-lens Scry view (transparency). - `sigil` — the single-lens Sigil view (transparency). - `ghostroute` — the single-lens GhostRoute view (transparency). - `cross_lens` — the fused verdict (the moat). Fusion math: weighted-mean over evaluated components plus a `co_observation_bonus` when both lenses independently flag the node. GhostRoute adds a routing-integrity component with two hard safety floors that cannot be averaged away: an RPKI-INVALID origin (a BGP hijack signal) caps its trust at 0.15, and a sanctions match zeroes it. Weights and thresholds are per-request overridable. Lens unavailability is reported in-band: each lens fails independently and the cross_lens block reflects degraded confidence when fewer lenses have data (0.55 one lens / 0.80 two / 0.94 three). GhostRoute has no routing surface for a bare entity_slug, so it drops out and the remaining weights re-normalise. Returns 503 only when ALL lenses are unavailable. v1 lens coverage matrix: - IP node — Scry: full; Sigil: not_indexed (v2 will reverse-DNS); GhostRoute: full. - Domain node — Scry: deferred; Sigil: full (publisher/ssp/dsp + entity); GhostRoute: full (resolves to IP). - entity_slug node — Scry: n/a; Sigil: full (entity + sell/buy presence); GhostRoute: n/a (no routing surface). - ASN node — Scry: deferred (v2); Sigil: not_indexed; GhostRoute: origin-AS lookup.
readfalseunknown
verdict_lookup
The reconciliation layer in one call. Where `cross_lens_verify` answers "what is this network destination," `verdict_lookup` answers a different, sharper question about a key-addressed ACTOR: **does what this key claims about itself match what the network has seen it do?** It fuses two sides: - **claim** — what the key can prove about itself: its `attestation_tier` across roots of trust (bare Ed25519 self-attestation → a RATS/EAT hardware/platform attestation). TunnelMind owns no silicon and reads every root; the tier is always *measured/anchored*, never self-asserted (a token claiming a higher tier than its trust anchor is trusted to assert is capped down). - **conduct** — what the graph has seen the key's subject do (Scry × Sigil × GhostRoute), supplied via the optional `subject` parameter. The response carries `reconciliation.contradictions` (e.g. a key that attests `silicon-root` but behaves as a low-trust node → `claim_exceeds_conduct`; a presented claim that fails to verify → `unverified_claim`; claims presented with no proof of key control → `key_control_unproven`), a `claim_vs_conduct_delta`, and a `verdict {tier, reputation, flags, confidence}`. Keys are linked to an identity ONLY when the actor cryptographically proves control — never inferred from behavioral correlation. An EAT that attests a *different* subject key is rejected, not silently merged. The verdict is published as a self-verifying receipt: given the receipt bytes + the witness public keys carried inline, anyone re-derives the verdict and checks log inclusion OFFLINE with `scripts/verify-verdict.mjs` — no call back to TunnelMind. A bare, unattested key still gets a verdict (at `self-asserted` tier); attestation is never required to participate.
unknownunknownunknown
sigil_verify_app_bundle
Verifies that a mobile or CTV app bundle ID actually exists in the relevant app store — used to detect bundle spoofing in bid requests. Platform support (v1): - `ios`: verified live via Apple's iTunes Lookup API. - `android`: verified live via the Google Play store listing page. - `ctv_*` / `web`: no public store API — returns verified=null. Inputs: - `bundle_id` (body, required): e.g. `com.nytimes.NYTimes`. - `platform` (body, required): ios | android | ctv_roku | ctv_fire | ctv_samsung | ctv_lg | ctv_vizio | web. - `claimed_developer` (body, optional): checked against the store listing. Returns: - `verified`: true | false | null (not checkable on this platform). - `store_listing`: name, developer, developer_match, store_url.
readfalseunknown
cross_lens_lookup
Returns all three lens views for a single node key without computing a fused verdict. Use this when you want raw transparency — the Tracker catalog presence, Scry attacker observations, and Sigil supply-graph position — and intend to make your own decision. For an opinionated verdict, call `cross_lens_verify` instead. For an agent-side allow/caution/deny gate plus signed consultation receipt, call `preflight_should_i_act`. Coverage block exposes which lenses responded so agents can reason about partial-data verdicts. `issued_by` carries the OAI of the answering witness so the response is attributable.
unknownunknownunknown
preflight_should_i_act
The single call an agent makes before transacting with a destination on the open web. Composes the cross-lens verdict with a bounded Tracker-presence bonus, maps the adjusted trust score to a tri-state decision (`allow` / `caution` / `deny`), and returns a 5-minute signed consultation receipt (`sigil_token` with `sub: preflight:consulted`). The receipt is the load-bearing artifact: the agent attaches it to its action log as cryptographic proof that the destination was consulted before action. The decision itself is commodity-shaped; the *receipt of having asked* is what accountability requires. When `ait` is supplied, the consultation additionally chains a witness-tier `preflight:consulted` event onto the ATAP AIT, signed by OAI-2026-0000201 — turning the consultation into a hash-chained, replayable artifact. Tracker presence applies a bounded `+0.05` trust bonus before decision mapping (capped at 1.0). Absence is never a penalty — most of the open web is not in the tracker corpus and that's expected. Defaults: `allow >= 0.70`, `caution >= 0.40`, else `deny`. Thresholds are overridable per request; weights are inherited from cross_lens_verify.
unknownunknownunknown
sigil_verify_token
Verifies the authenticity and expiry of a `sigil_token` returned by `sigil_verify_supply_path`. Anyone can call this — no key needed; Sigil verifies the Ed25519 signature server-side. Tokens live 5 minutes. Returns `valid` (boolean), `reason` (when invalid: malformed / expired / bad_signature / unsigned), and the decoded `payload`.
unknownunknownunknown
explain_verdict
Call this when you need to ACT ON a verdict and prove why. It returns the exact verdict `/v1/verify/{node}` computes (same fusion, same weights) PLUS a traced evidence chain: every claim is attributed to where it came from — the attested sensor fleet (with attestation tier), a named Augur threat feed, sellers.json/ads.txt supply-graph presence, the cross-lens co-observation join, the DDG/IAB tracker corpus — and how much each item moved the verdict (`weight`; null = supplementary, not scored). The response is committed to by a P38 signed receipt via `evidence_digest` (a hash of the exact evidence array), so an agent can act on the verdict and leave behind a cryptographically verifiable trail of the reasoning in the same request. Empty/`none` evidence is the honest "no corpus presence", never a fabricated reason. `node` is an IPv4/IPv6, ASN, domain, or entity_slug — the same key space as `/v1/verify`.
unknownunknownunknown
signal_tracker_density
Observed component counts first, a labelled derived roll-up second. The components — `data_categories`, supply-surface counts (ssp + publisher + dsp + owns_seat + buys_through), and corroborating `sources` — are facts. `derived.tracker_density` (0–100) is a weighted blend of those counts, not a measurement; `data_cost_usd` is deliberately excluded (non-zero only for a curated seed, so weighting by it would fabricate precision). Anchors the `surveillance_bigtech` adversary class for the cross-lens classifier.
unknownunknownunknown
signal_halo_score
Scores an entity by the trust character of its neighbours — the SSPs its publishers sell through and the DSPs it buys through. Reports neighbour counts, mean/min neighbour trust, and how many neighbours are adversary-classified (P46). `derived.halo_score` (0–100, or null when no neighbour has a computed trust) is mean neighbour trust dragged down by adversary-neighbour share. Evidence about an entity's company, not a persisted verdict — no profile poisoning.
unknownunknownunknown
sigil_verify_supply_path
The core Sigil pre-bid call. Submit a supply path; Sigil composes its individual checks into one trust verdict and returns a signed `sigil_token` the agent can attach to its bid as proof of verification. Checks composed: - `ads_txt` — exchange authorized in the publisher's ads.txt. - `datacenter_ip` — is the IP a datacenter posing as a real user. - `fraud_signals` — is the IP in Scry's attacker-intelligence corpus. - `bundle_verified` — does the app bundle exist in its store. - `domain_authenticity` / `entity_reputation` — reserved, not evaluated in v1. Each evaluated check yields pass/warn/fail; `trust_score` is their weighted mean (override `weights` per request); `verdict` is pass/warn/fail/unknown (override `thresholds`). PRIVACY: `ip_address` is used for lookup only — never logged, never stored, never placed in the sigil_token. `geo` is accepted but unused. Returns: `trust_score` (0-1 or null), `verdict`, `checks`, `recommendations`, `sigil_token` (signed, 5-minute lifetime).
readfalseunknown
profile_entity
Call this before routing traffic, bidding on inventory, or trusting a counterparty. It fuses ALL THREE TunnelMind lenses for one subject — Scry (attacker intelligence + threat feeds + open ports), Sigil (ad-supply-chain position + trust score + ATAP witness count), and Tracker (DDG/IAB catalog + prevalence + categories) — into a single confidence-scored profile plus a signed P38 receipt. The `cross_lens.hits` field tells you if the same infrastructure appears in attack data AND supply-chain data — that's your highest-confidence signal, and the one no siloed competitor can give you. `cross_lens.flags` surfaces the actionable highlights (`cross_lens_overlap:scry+sigil`, `in_threat_intel:...`, `high_prevalence_tracker`, `corroborated_by_N_lenses`). Confidence weighting: each lens contributes a base score; a 1.5× multiplier applies when ≥2 lenses corroborate the same subject; and the Scry contribution is weighted by the attestation tier of the sensors that observed it (silicon_root 1.0 → self_asserted 0.5). Bounded [0,1] and carried into the receipt. Unlike `cross_lens_verify` (one node → one verdict) and `cross_lens_lookup` (one node → raw three-lens view), profile_entity takes the SUBJECT as any combination of ip / domain / entity and returns the richest fused detail for a pre-transaction decision. At least one of ip / domain / entity is required.
readfalseunknown
signal_dark_pool_risk
Reconciles every sell path a publisher declares (`sells_through`) against each SSP's own sellers.json (`exchange_seat`) and keeps three classes strictly separate: `corroborated` (seat present), `contradicted` (SSP crawled but seller_id absent — real risk), and `unchecked` (SSP not yet crawled — excluded from risk, lowers confidence). Combined with publisher-side ads.txt opacity. Two-sided corroboration is the cross-lens moat — it catches unauthorized resale a one-sided ads.txt read cannot.
readfalseunknown
signal_team_signal
Surfaces other entities that operate as a coordinated team with this one: they share a NARROWLY-held direct seller account (2–8 entities — network house accounts shared by hundreds are separated into `house_accounts_excluded`, not counted) or co-own an exchange seat. `derived.team_signal` (0–100) is a coordination magnitude over teammate count, shared-account breadth, and co-owned seats.
readfalseunknown
sigil_verify_supply_chain
The bid-time contract. Pass the SupplyChain object from an OpenRTB bid request (`source.ext.schain`) verbatim, plus the originating site domain or app bundle. Sigil verifies, per node and in aggregate: - origin ads.txt — the publisher's ads.txt authorizes node[0] (asi + sid). - per node — the node's `asi` sellers.json declares the node's `sid`. - owner-domain — node[0]'s sellers.json seller `domain` matches the publisher's ads.txt OWNERDOMAIN / MANAGERDOMAIN (spec §3.5.1). - `schain.complete` — an incomplete chain caps the verdict at `warn`. OpenRTB field mapping: `site.domain` → `site_domain`; `app.bundle` → `app_bundle`; `source.ext.schain` → `schain`. An app_bundle origin's ads.txt check is `not_evaluated` pending app-ads.txt resolution. Returns a per-node result array, an aggregate `verdict` (pass/warn/fail/unknown), `recommendations`, and a signed `sigil_token`.
unknownunknownunknown
get_stats
One public "state of the corpus" readout — the whole graph in a single call. Distinct from the Scry-only sensor stats at api.tunnelmind.ai/v1/stats (which this reuses for the `scry` block): this spans Scry, Sigil, and Tracker plus the attestation and routing layers. Use it to cite live coverage — how many publishers / SSPs / DSPs / sell paths / sellers.json seats are in the Sigil supply graph, how many tracker entities and domains Tracker holds, how many ATAP witness events and OAIs the attestation layer carries, and how many BGP watchlist resources and routing events the monitor has recorded. Every count is independent and null-tolerant: a momentarily-unavailable lens reports `null`, never a silent zero. Cacheable for ~10 minutes.
readfalseunknown
ghostroute_verify
Retrieves a previously-issued, signed GhostRoute receipt by its GR-YYYY-NNNNNNN id, for independent audit of a past sovereignty verdict. Use this tool when: - You hold a GhostRoute receipt id and want to confirm its contents/signature. - You are reconciling an agent's action log against the attestation layer. Inputs: - `receipt_id` (path, required): GR-YYYY-NNNNNNN. Returns: - The full persisted receipt row (routing, cert, sovereignty fields + signature). Latency: - Typical <200ms (single indexed read).
readfalseunknown
ghostroute_ai_lookup
Checks whether a domain or ASN belongs to a known AI company's infrastructure and what sovereignty it CLAIMS (program, zone, HQ), the baseline GhostRoute scores routing reality against. Use this tool when: - You want to know "whose AI infrastructure is this, and what does it claim?" - You are enriching an endpoint before deciding whether to send it inference. Inputs: - `entity` (path, required): a domain or ASN (AS####). Returns: - `matched`, `match_basis` (domain|asn), `ai_company`, `ai_product`, `sovereign_ai_program`, `claimed_sovereign_zone`, `hq_country`, `verified_sovereign`. Latency: - Typical <300ms (cached corpus read).
writetrueunknown
sigil_traverse
Reconstructs the supply paths for a publisher domain from Sigil's own crawl and returns them ITEMIZED — distinct from `sigil_verify_supply_chain` (which verifies a schain the caller brings) and from `signal_dark_pool_risk` (which returns only aggregate counts). Every SSP the publisher declares it sells through is joined to that SSP's identity and classified two-sided against the SSP's sellers.json: `corroborated` (seat present), `contradicted` (SSP crawled but seller_id absent — real risk), `unchecked` (SSP not yet crawled — not risk). Each returned path also carries `resells_to`, one level of downstream reseller expansion. The list is ordered riskiest-first (contradicted, then reseller) so a truncated page is still the most useful; the `supply_paths` counts are always over the FULL set. `in_supply_graph:false` when the domain is not a known publisher.
writetrueunknown
ghostroute_check
GhostRoute is TunnelMind's fourth lens: routing-integrity / sovereignty verification. It answers "is this infrastructure where it claims to be, owned by who it claims, routing where it says — and does that match the sovereign jurisdiction it asserts?" It resolves the originating ASN owner, RPKI validity, the certificate-issuing CA's jurisdiction, and matches the subject against a curated AI-infrastructure corpus to recover any sovereignty CLAIM (e.g. an "EU-sovereign" AI service), then scores reality against claim. Use this tool when: - An agent is about to route data/inference to an endpoint that claims a jurisdiction (e.g. EU data residency, FedRAMP, sovereign-AI). - You want to detect a US-fronted (Cloudflare/AWS/GCP) endpoint masquerading as sovereign-EU infrastructure, an RPKI-invalid origin (possible hijack), or a sanctioned operator. Inputs: - `entity` (path, required): an IPv4/IPv6, domain, ASN (AS####), or cert SHA-1/256. - `receipt` (query, optional): when `true`, issues a signed, persisted GhostRoute receipt (GR-YYYY-NNNNNNN) instead of an ephemeral verdict. Returns: - `sovereign_tier`: VERIFIED | PLAUSIBLE | MISMATCH | CRITICAL_MISMATCH (or null if no claim). - `sovereign_integrity`: [0,1] score; `origin_as`, `rpki_status`, `cert_ca`, `claimed_sovereign_zone`, `is_ai_infrastructure`, `ai_owner`, `sanctions_match`. - `_meta.caveats` / `_meta.penalties`: what was and wasn't determinable. Latency: - Typical 300-900ms on a cold subject (live BGP/RPKI/cert lookups), faster when cached.
readfalseunknown
ghostroute_asn_lookup
Returns GhostRoute's ownership-graph record for an autonomous system: the registrant/parent organisation, its HQ country and sovereign zone, RIR, and cloud/AI-infrastructure flags. The long-term moat — who actually owns the network a route originates from. Use this tool when: - You have an origin ASN and need its corporate owner + jurisdiction. - You are assessing whether an ASN belongs to a cloud front or the real operator. Inputs: - `asn` (path, required): AS#### or a bare AS number. Returns: - `registrant_org`, `parent_org`, `parent_org_country`, `sovereign_zone`, `rir`, `is_cloud_provider`, `is_ai_infrastructure`, or `{matched:false}`. Latency: - Typical <300ms (cached corpus read, RDAP fallback on a miss).
readfalseunknown
ghostroute_ct_witness
Returns GhostRoute's first-party Certificate-Transparency witness state: the latest signature-verified Signed Tree Head (STH) for every trusted, non-Google CT log TunnelMind independently witnesses, plus a regression scan over our own append-only history. Proof the platform holds its own signature-checked roots rather than reselling crt.sh/certspotter. Use this tool when: - You want corpus-wide CT witness health, not one cert. - You need to know whether any CT log misbehaved (rewound, forked, or served an STH whose signature did not verify) — a serious trust event. Inputs: - none. Returns: - `summary`: `logs_witnessed`, `verified_logs`, `unverified_logs`, `all_verified`, `total_snapshots`, `regressions`, `last_observed_at`. - `logs[]`: per-log latest STH (`log_url`, `log_operator`, `tree_size`, `sth_timestamp`, `root_hash`, `signature_verified`, `snapshots`). - `regressions[]`: detected violations — `kind` is `tree_size_rewind`, `root_fork`, or `sth_signature_invalid` (empty array = healthy). Latency: - Typical <300ms (KV-cached 5m; the witness worker updates twice a day).
readfalseunknown
ghostroute_ct_alerts
Returns the durable, deduplicated ledger of CT equivocation events the GhostRoute witness worker detects and pushes — a tree_size_rewind (an append-only log shrank), a root_fork (one tree_size witnessed with two different Merkle roots = a split-view log), or an sth_signature_invalid (a log's latest Signed Tree Head failed signature verification). Where `/v1/ghostroute/witness` shows live computed health, this is the immutable first-detection log: each entry's `detected_at` is when TunnelMind first raised the alarm. A healthy CT ecosystem returns an empty feed — any row here is a serious trust event. Use this tool when: - You want a chronological record of CT trust violations, not live state. - You're polling for new equivocation events (check `summary.last_detected_at`). Inputs: - `limit` (query, optional): max recent alerts, 1–200, default 50. Returns: - `summary`: `total`, `undelivered`, `rewinds`, `forks`, `bad_signatures`, `last_detected_at`. - `alerts[]`: each `kind`, `severity`, `log_url`, `log_operator`, `from_tree_size`, `to_tree_size`, `distinct_roots`, `event_observed_at`, `detected_at`, `delivered`. Latency: - Typical <200ms (KV-cached 1m).
readfalseunknown
sigil_ads_txt_history
Returns a publisher's ads.txt change log — one entry per crawl in which its authorized-seller set changed. A publisher quietly adding a reseller line is a real fraud signal; this is how a buyer audits supply over time. Inputs: - `domain` (path, required): publisher domain. - `since` (query, optional): ISO date / date-time lower bound on `observed_at`. - `limit` (query, optional): max entries — default 50, max 200. Returns `changes[]`, newest first — each with `observed_at`, `added_count`, `removed_count`, `additions`, `removals`, `directive_changes`.
writetrueunknown
sigil_score_entity
Returns the pre-computed 0.0–1.0 trust score for one entity, its component breakdown, and the 14-day trend. Scores are refreshed daily by a database job — this endpoint never recomputes from raw data, so it is fast and deterministic. `entity_id` is `{entity_type}:{key}` — e.g. `publisher:nytimes.com` or `ssp:pubmatic.com`. Entity types: `publisher`, `ssp`, `dsp`, `app_bundle` (publishers and SSPs are scored today). v1 evaluates structural components only (`ads_txt_health`, `supply_chain_directness`, `historical_stability` for publishers; `supply_reach`, `directness` for SSPs). The `not_evaluated` list names spec components without an enrichment path yet. Optional `weights` query param (URL-encoded JSON) re-weights the stored components for this call.
readfalseunknown
sigil_score_batch
Scores up to 200 entities in one round-trip — built for agents evaluating many supply sources during campaign setup. Per-item parse failures are returned inline; the batch never fails as a whole. An optional `weights` object re-weights every entity in the call.
unknownunknownunknown
ghostroute_ct_proofs
Returns GhostRoute's per-cert inclusion proofs: each is a cryptographic demonstration that the exact certificate a host serves is included in an append-only CT log whose root TunnelMind signature-verified — upgrading "a monitor said this cert exists" to "proven in a log we witness". Failed attempts are included with a `reason`; a cert that suddenly cannot be proven is itself a signal. Use this tool when: - You want to know whether a specific AI host's live cert is provably logged (pass `domain`), or - You want the corpus-wide proof rollup across watched hosts (omit `domain`). Inputs: - `domain` (query, optional): a hostname to filter to; omit for corpus-wide. - `limit` (query, optional): max recent rows, 1–200, default 50. Returns: - `domain` (echo, null when corpus-wide). - `summary`: `total_attempts`, `proven`, `unproven`, `domains`, `last_observed_at`. - `recent[]`: recent attempts (`log_operator`, `leaf_index`, `tree_size`, `sth_root_hash`, `inclusion_proven`, `reason`, ...). - `by_domain[]`: per-host `attempts` / `proven` rollup. Latency: - Typical <300ms (KV-cached 5m).
readfalseunknown
get_bgp_events
Returns the routing anomalies the bgp-monitor has observed against TunnelMind's BGP watchlist — the witnessability layer's routing dimension. The monitor polls RIPEstat (RIPE NCC) on a cron, self-baselines each watched prefix's origin set on first sight, then records an event whenever a later poll deviates from that baseline. Use this to check whether a prefix or ASN you depend on (an SSP's egress, a publisher's network, your own infrastructure) has shown a hijack-shaped routing event. `event_type` is one of: - `origin_change` — an origin AS not in the baseline is announcing the prefix (severity `critical` if that announcement also fails RPKI, else `high`). - `rpki_invalid` — a current announcement fails RPKI ROA validation. - `withdrawn` — a previously-announced prefix is no longer visible. - `new_more_specific` / `visibility_drop` — reserved for a later monitor pass. `prev_origins` is the baseline the event deviated from. `count` is the full filtered set; `events` is bounded by `limit`, newest first. An empty `events` array means no anomalies in the window — the honest "all clear".
writetrueunknown
sigil_score_weights
Returns the active, versioned default weights used to combine an entity's trust-score components, plus the list of spec components that are not yet evaluated. Pass a custom `weights` object to `sigil_score_batch` to re-weight without changing the defaults.
readfalseunknown
compliance_ledger
Returns your hash-chained decision records — one per verdict-bearing call (/v1/verify, /v1/explain, /v1/preflight, /v1/profile) made while compliance is enabled. Each entry carries its node, verdict, scores, receipt_id, the full decision record, and the chain hashes (prev_hash, entry_hash). Filter with from/to (ISO8601) and page with cursor (a seq) + limit (≤1000).
unknownunknownunknown
sigil_atap_witness
Ingests one agent-reported event (`bid:submitted`, `bid:won`, `bid:lost`, `budget:decremented`) into an AIT's hash-chained attestation log. Sigil validates the payload (rejecting any PII per ATAP §7.6), classifies the evidence tier — `anchored` if a `bid:submitted` cites a valid Sigil token issued for this AIT and matching the bid's supply path, otherwise `asserted` — derives any `constraint:violated` events, then chains and signs each event. `supply:verified` / `supply:rejected` are witness-emitted by `sigil_verify_supply_path`, never accepted here — that is what makes the `witnessed` tier non-bypassable.
unknownunknownunknown
sigil_atap_ait_status
Returns an AIT's status, chain head hash, event count, pending-event count, per-tier event counts, and the anchored-bid coverage ratio.
readfalseunknown
sigil_receipt_generate
Assembles the ATAP v0.1 §7.5 Receipt ZIP for an AIT — the signed Receipt (`manifest.json`), the AIT, the Attestation Block chain, the witness public key, a tier-graded `summary.json`, the bundled `verify.sh` reference verifier, and the witness events + sigil_tokens as profile artifacts. Any pending events are rolled into a final block first. The ZIP verifies offline — unpack it and run `verify.sh`; keys are at https://tunnelmind.ai/atap/keys. The summary grades every event as `witnessed`, `anchored`, or `asserted` and reports the anchored-bid coverage ratio.
writetrueunknown
compliance_profile
Returns your current compliance configuration (regime, retention_days, export_formats, enabled) and the catalog of supported regimes (EU AI Act Art.12, DORA, NYDFS 500, HIPAA, PCI DSS, SOC 2, generic) and export formats (signed_json, csv, eat, stix). Authenticated. The compliance ledger is a tamper-evident, retained record of every verdict you make — configure it once, then it self-maintains.
unknownunknownunknown
compliance_configure
Set the customizable knob: which regulatory regime your auditor maps to, how long to retain decision content, and which export formats to offer. Body: { enabled?, regime?, retention_days?, export_formats? }. retention_days is 1..3650; regime is one of the catalog ids; export_formats is a non-empty subset of [signed_json, csv, eat, stix]. No bespoke engineering — you pick, the ledger adapts.
writetrueunknown
compliance_export
Generates a signed export bundle of your ledger over an optional time window, mapped to your regime's field names and citation, with a manifest + chain-integrity proof + the latest signed checkpoint. Choose the format with ?format= (signed_json | csv | eat | stix; defaults to your profile's first) and override the regime with ?regime=. The response is a downloadable artifact your auditor can verify independently against the spec.
unknownunknownunknown
compliance_verify
Recomputes your entire hash chain server-side and reports integrity ({ intact, entry_count, chain_head_hash } — plus reason + first_break_seq if a record was altered or deleted), alongside the most recent Ed25519 checkpoint signed with the TunnelMind receipt key. This is the auditor's "prove it" button — and even TunnelMind cannot rewrite history before a signed checkpoint without detection.
unknownunknownunknown
get_analyst_config
Returns the TunnelMind analyst config bundle. Configures any LLM (Claude, GPT, Gemini, local) to behave as a TunnelMind analyst that knows the data graph, follows the 5-call golden path, and surfaces attestation_tier on every claim. The bundle is signed inline (Ed25519, key_id from /.well-known/receipt-signing-key.json). Add `?receipt=true` to wrap the response in a Receipt v1.0 envelope for end-to-end audit. Use this tool when: - You want to configure a new LLM runtime to act as a TunnelMind analyst - You want to verify the system prompt you're running matches what TunnelMind serves - You're building a BYOM (bring-your-own-model) deployment and need the canonical config Do NOT use this tool when: - You want to call individual TunnelMind data tools — use the tools directly - You want to verify a specific receipt — use check_receipt_revoked or @tunnelmindai/receipt-verify Inputs (all optional): - `surface` (query): "data" (default, full surface), "scry", or "sigil" - `version` (query): pin a specific bundle version (e.g. "1.0.0" or "1" for latest 1.x.y) - `receipt` (query): "true" to wrap the response in a signed Receipt v1.0 envelope Content negotiation (via Accept header): - `application/json` (default) — full bundle JSON - `text/markdown` — system prompt only (Anthropic flavor) - `application/vnd.anthropic.config+json` — Anthropic-shaped subset - `application/vnd.openai.config+json` — OpenAI-shaped subset Returns: - `version`, `schema`, `issuer`, `surface`, `surface_label` - `system_prompts.{anthropic,openai,generic}` — three encodings of the same semantic prompt - `tools.surface_subset` — array of operationIds for this surface (null = all) - `response_format` — JSON Schema the analyst's verdicts must conform to - `attestation_tiers` — the 4-tier vocabulary (self_asserted → silicon_root) - `graph_state` — live corpus counts at serve time - `references` — URLs to the rest of the open-protocol layer - `bundle_signature` — inline Ed25519 signature for offline verification - `pin_recommended` — stable supply-chain identifier (survives hourly graph_state updates) Headers: `X-Bundle-Version`, `X-Pin-Recommended`, `ETag`, `X-RateLimit-*`. Cost: - Free, anonymous-accessible. Rate-limited on a SEPARATE counter from data-API calls (`cfg:ip:<ip>` identity) so a config refetch loop can't burn your data quota. Latency: - Typical <100ms (cached); cold fetch <500ms (live Supabase counts).
writetrueunknown
check_receipt_revoked
Single-item revocation lookup per Receipt Format v1.0 §8.2. Verifiers that do not want to maintain a local mirror of `/.well-known/receipt-revocations.json` call this endpoint instead. The response includes `feed_version` for cache coherence. Use this tool when: - You are verifying a receipt and need to confirm its `signature.key_id` is still trusted. - You are verifying a receipt and need to confirm the specific `receipt_id` was not retracted by its issuer. - You hold receipts long-term and want to recheck trust before acting on them. Do NOT use this tool when: - You want the full revocation set — fetch `/.well-known/receipt-revocations.json` directly. - You want to *publish* a revocation — that is operator-controlled and not exposed via this API. Inputs: - `key_id` (query, optional): Receipt-format key_id (e.g., `tm-receipt-2026-05`). Provide one of `key_id` or `id`. - `id` (query, optional): UUIDv7 of a specific receipt. Provide one of `key_id` or `id`. Returns: - `revoked`: boolean. - When revoked: `revoked_at` (ISO 8601), `reason` (human-readable), `replacement_key_id` (for keys). - Always: `checked_at` (ISO 8601), `feed_version` (integer). Cost: - Free; rate-limited like the rest of the data API. Edge-cached 60s. Latency: - Typical <100ms (warm cache); p99 <500ms (cold fetch from well-known).
writetrueunknown
scan_mcp
Connect to a caller-supplied MCP server (Streamable-HTTP transport), read its advertised tools, and run the injection corpus over every tool name / description / input schema — plus a capability heuristic that flags broad, dangerous powers (shell execution, filesystem write, credential access, arbitrary network, destructive DB ops). Returns a per-tool safety report. A caution to review, never a verdict. This is a single-target, caller-initiated scan. It is NOT a crawler and does not follow links or enumerate other servers. Loopback / private / internal hosts are rejected. Use this tool when: - You are about to connect an agent to a third-party MCP server and want to inspect its tools for embedded instructions or excessive powers first. Do NOT use this tool when: - You only have a blob of text — use `scan_injection`. - You want a trust verdict on a domain or entity — use `cross_lens_verify`. Inputs: - `url` (body, required): the MCP server endpoint (http/https). Returns: - `server`: `{ name, version }` reported by the server, if any. - `tools_scanned`: number of tools inspected. - `flagged_count`: tools with an injection hit or a flagged capability. - `risk`: worst per-tool risk across the server (`high`/`medium`/`low`/`none`). - `score`: max injection score across tools (0..1). - `tools`: per tool `{ name, risk, injection{...}, capabilities[] }`. Cost: - Free. No API key required. Latency: - Bounded by the target server's handshake; typically <2s.
writetrueunknown
get_feedback
Public read of the crowd-sourced outcome aggregate for a node — how callers reported their real-world results after acting on its verdict. Advisory signal, not a trust verdict. An empty aggregate returns cleanly with `total: 0` and `signal: none`. `signal` is derived: `none` (no reports), `insufficient` (<3), `positive` / `negative` (score past ±0.3), or `mixed`.
readfalseunknown
submit_feedback
Close the loop: after you acted on a TunnelMind verdict, tell us how it went. Reports aggregate per node into an advisory second opinion that any caller can read back via `GET /v1/feedback/{node}`. Advisory only. In v0 a negative aggregate does NOT silently lower the fused trust score — it's a human-weighable signal beside the verdict, not an automatic reweight. Use this tool when: - You acted on a verdict and want to record the real-world outcome (honored, defrauded, no issue) to help future callers. Inputs: - `node` (body, required): the subject — ip, domain, asn, or entity slug. - `outcome` (body, required): one of `positive`, `negative`, `neutral`. - `receipt_id` (body, optional): the verdict receipt this outcome refers to. - `note` (body, optional): free-text context, max 500 chars. Returns the updated advisory aggregate `{ node, counts, total, score, signal }`. Cost: - Free. Requires an API key (authenticated callers only).
readfalseunknown
x402_echo
Validates an agent's x402 v1 client implementation against a TunnelMind surface end-to-end. Two operating modes: - `mode: "demo"` — HMAC over a nonce against a publicly-published secret. Does not move USDC. Smoke proves the WIRE works, not money movement. - `mode: "x402"` — real Coinbase facilitator dispatch (gated on operator wallet provisioning; currently returns "facilitator not configured"). Without an `X-PAYMENT` header, the endpoint returns HTTP 402 with a standards- compliant `accepts[]` array (USDC on Base, $0.001). With a valid `X-PAYMENT` header (base64-encoded payment payload), echoes the request body and returns an `X-PAYMENT-RESPONSE` settlement header. Use this tool when: - You are validating your agent's x402 v1 client implementation against a real public endpoint. - You want to demonstrate the full 402 → retry → settle wire end-to-end. Do NOT use this tool when: - You need a real paid operation — no TunnelMind production endpoint is gated behind x402 yet. Inputs: - `X-PAYMENT` (header, optional): base64(JSON) per the x402 v1 spec. Without it, a 402 challenge is returned. - Request body (optional): any JSON object to be echoed back on successful payment. Returns: - On no header: HTTP 402 + `{ x402Version, accepts: [...] }`. - On valid payment: HTTP 200 + `{ ok: true, data: { echoed, paid_micro_usdc, x402 } }` and an `X-PAYMENT-RESPONSE` header carrying the settlement record. - On invalid payment: HTTP 402 + `{ error: "invalid payment", reason }`. Discovery: - `https://tunnelmind.ai/.well-known/x402.json` carries the public demo secret and the HMAC construction recipe. Cost: - Free in demo mode (no USDC moved). $0.001 USDC in real-mode (when activated). Latency: - Typical <100ms (demo mode); real mode is bounded by facilitator latency.
writetrueunknown

02Install & source
https://mcp-data.tunnelmind.ai/mcp
remote_url

03Access granted
Manage GitHub · writeQuery a database · writeScrape a website · writeManage cloud infra · writeProcess payments · destructiveWorkflow automation · writeMaps & location · writeRead & write files · writeFinancial data · write

The access this server can exercise, inferred from its verified tools — not a declared OAuth scope.


05Provenance & freshness
sourcesOfficial MCP Registry [p1]
last_checked2026-07-06 20:51Z
next_check2026-07-08 20:41Z
cadenceevery 48h
verifiedtools_list:passed handshake:passed metadata:failed
index_statusindex6 unique facts >= 5

06Badge

Add the “as seen on MCPExplorer” badge to your README. TunnelMind Data API MCP — as seen on mcpexplorer.com

[![TunnelMind Data API MCP — as seen on mcpexplorer.com](https://mcpexplorer.com/badge/tunnelmind-data-api.svg)](https://mcpexplorer.com/servers/tunnelmind-data-api)

Next step

This is one server. A loadout combines the right servers, governance, and proven plays for a whole job — assembled deliberately, not tool-dumped.

Explore loadouts →
TunnelMind Data API MCP server — MCPExplorer