HuGR Tools
A monorepo of MCP toolkits for Cloudflare Workers, providing over 630 tools across SaaS providers and AWS, with composite tools for security, incident response, billing, and cloud cost optimization.
README
HuGR_Tools
630 tools · 37 deployable workers · one frozen kernel · 8,538 tests passing · 1,928 credential-gated integration tests skipped in CI · 0 failing.
A monorepo of MCP toolkits for Cloudflare Workers, built on a shared @hugr/kernel. Each toolkit is an independent JSON-RPC 2.0 server that plugs into any MCP host over HTTP.
What is this?
A modular monolith of MCP tool servers. Provider packages share a single kernel (@hugr/kernel) that handles HTTP, auth, rate limiting, the error taxonomy, and JSON-RPC dispatch — written once, frozen. Each toolkit deploys as a standalone Cloudflare Worker and versions independently.
The workspace holds 39 packages:
- 37 deployable Cloudflare Workers — 630 tools total:
- 6 SaaS providers: cloudflare (84), stripe (50), vercel (40), sentry (27), pagerduty (34), supabase (35)
- 26 AWS surface packages: 282 tools across the AWS API
- 5 Datadog packages: apm, core, dashboards, logs, monitors — 78 tools
@hugr/kernel— the shared contract every worker builds on- 1 internal package —
shared(Datadog family internals) — plus aci/helper directory.
Architecture: docs/ARCHITECTURE.md.
Flagship tools — 25 composite tools
Most of the 630 are focused single-purpose primitives (typed, validated, fail-closed access to one provider endpoint — the baseline an agent needs). These 25 are the composite ones: one call fans out to several provider APIs and correlates them into a named verdict — PROBABLE_CAUSE, TRUE_POSITIVE / FALSE_POSITIVE, GO / NO_GO, P1 / P2 / P3 — the output a senior analyst would produce, not a wrapped endpoint.
Each was selected by reading its handler implementation, not its description — every one below was confirmed to actually fan out and correlate. Each links to its handler and has a dedicated test suite beside it.
Security, threat & access forensics
| Tool | What one call does |
|---|---|
cf_campaign_ioc_investigation |
Extracts IOCs from a threat campaign, enriches each via domain/IP intel, then cross-references them against your own attack surface to score exposure; clusters by ASN to reveal shared campaign infrastructure |
cf_strategic_security_report |
Correlates active security insights against observed threat campaigns (a threat-alignment score) and computes intel coverage-gaps into a CISO briefing |
cf_dlp_violation_triage |
A weighted false-positive model plus a two-stage verdict that overrides TRUE_POSITIVE→INCONCLUSIVE when corroborating evidence (source device, active gateway rule) is absent |
cf_client_side_threat_analysis |
Scans a PageShield script's outbound connections for exfiltration signatures; escalates to Magecart when the script sits on a checkout/payment page |
aws_iam_role_permission_blast_radius |
Fans out ~40 IAM calls (role + inline/attached policies, every version) to score privilege-escalation exposure and flag "any principal can assume me" trust misconfig |
supabase_network_threat_view |
Real CIDR subnet arithmetic to test each active IP ban against the allowlist, surfacing ban∩allowlist overlaps as a misconfiguration signal |
Incident response, RCA & observability
| Tool | What one call does |
|---|---|
root_cause (datadog) |
Correlates 8 Datadog sources (events, metrics, spans, logs, monitors, SLOs, incidents, deps) in parallel around a timestamp; temporal RCA with graceful degradation per source |
incident_timeline (datadog) |
Merges 5 sources into one T+0 timeline, auto-detecting the incident start and deriving metric-shift / log-spike signals rather than dumping raw events |
deploy_impact (datadog) |
Equal before/after windows classify each metric REGRESSION / IMPROVEMENT / STABLE, with a confound guard that warns on other deploys inside the window |
forecast_risk (datadog) |
Extrapolates metric trend + SLO error-budget burn to project when a service breaches ("error_rate hits 5% in ~18h") — the only forward-looking tool |
pd_deployment_rca |
Ranks change events by temporal proximity to an incident and scores against an MTTR baseline into PROBABLE_CAUSE / POSSIBLE_CAUSE |
pd_performance_report |
Multi-dimensional (service / team / responder) analytics with >2×-median outlier detection and responder-burnout flags |
cf_provider_outage_diagnosis |
Builds a per-provider outage timeline through AI Gateway and computes a recovery verdict (RECOVERED / PARTIAL / STILL_DEGRADED) from pre-vs-post error rates |
aws_ec2_instance_health_triage |
Joins instance + status checks + EBS volumes + security groups into one health verdict — failed checks, unencrypted volumes, SSH/RDP open to 0.0.0.0/0 |
sentry_issue_triage_and_forensics |
Adaptive drill-down into a single event: in-app stack frames, per-frame local variables, the breadcrumb trail, request/user context |
sentry_replay_evidence_harvest |
Matches a session replay's error IDs to Issue groups and grades escalation P1 / P2 / P3 — error-to-session forensics |
Billing, fraud & tax
| Tool | What one call does |
|---|---|
stripe_quarterly_tax_reconciliation |
Reconciles a quarter of invoices against tax registrations per jurisdiction, normalizing multi-currency VAT via FX; flags unregistered-with-liability |
stripe_fraud_coverage_gap_analysis |
Joins charges × early-fraud-warnings × disputes to score "disputed-without-EFW" gaps against Visa's real 0.1% monitoring threshold |
stripe_failed_payment_recovery |
Derives recovery viability (FULL / PARTIAL / NO via credit-balance math) crossed with the dunning ladder and card-expiry detection |
stripe_transaction_dispute_evidence_chain |
Adaptive forensic walk of the Issuing dispute↔transaction↔authorization chain; flags force-capture when the authorization was declined |
Release, deploy & on-call gating
| Tool | What one call does |
|---|---|
vercel_check_gated_promotion |
Aggregates blocking CI checks + alias-swap safety into a PASS / BLOCK production-promotion verdict with a typed blocker list |
vercel_canary_health_snapshot |
Resolves the canary from the active rolling-release stage and computes an adaptive gate (SPIKE_TRIAGE / STAGE_APPROVAL) with next-stage eligibility |
pd_oncall_program_health_audit |
Models rotation burden (hours per engineer across rotation layers), flags anyone >2× median, and scores escalation-policy compliance |
Cloud cost & threat intel
| Tool | What one call does |
|---|---|
aws_rds_db_cost_optimizer |
Correlates instances × reserved instances to recommend right-sizing (Graviton r5→r6g, gp2→gp3, previous-gen) and map RI coverage gaps by class |
cf_weekly_threat_landscape |
Computes week-over-week Radar deltas client-side (doubles the window, splits the series — no prior-week API exists) and merges BGP hijack / route-leak events into one report |
The kernel itself is the other thing worth reading: a 3-tier auth verifier chain (RS256 → HMAC → fail-closed introspection, bearer tokens SHA-256-hashed before caching — hugr-auth.ts, ~1,400 lines of dedicated tests), distributed rate limiting over Durable Objects with deterministic sharding and anti-cascade fail-open (rate-limit.ts), and the full dispatch pipeline — CORS → pre-auth gate → auth → tier check → rate limit → Zod validation → provider build → format → audit (server.ts).
Auth & credentials
- Fail-closed PAT introspection. Every worker validates the caller's PAT against an external introspection endpoint on each request. If that endpoint is unreachable, auth fails closed. Scopes are derived from the caller's plan server-side — never read from the token.
- BYOK, zero stored secrets. Workers hold no provider credentials. The caller supplies provider creds via per-request headers; when they are absent, the call fails closed.
Self-hosting (no external auth service needed)
Platform auth is a pluggable IdentityProvider, and the bundled one resolves its mode from env, strongest-first: RS256 → HMAC → introspection (hugr-auth.ts). The introspection mode targets a multi-tenant deployment; a self-hoster needs none of it:
# 1. Set one secret on your worker (local HS256 verification, no network call)
wrangler secret put HUGR_INLINE_HMAC_SECRET
# 2. Mint your own tokens against it
tsx scripts/auth/mint-token.ts --alg HS256 --secret <secret> \
--sub me --plan pro --scopes hugr:tools --ttl 3600
# Or asymmetric: generate a keypair, keep the private key, give workers only the public one
tsx scripts/auth/mint-token.ts gen-keypair --out-dir ./keys # then set HUGR_INLINE_RS256_PUBLIC_KEY
Don't run a deployed worker with no auth at all: BYOK means callers bring their own provider keys, but an open worker on a public URL is a free proxy on your Cloudflare account. One HMAC secret is the floor.
Deploy
Each toolkit is a standard Cloudflare Worker. Run one locally with wrangler dev, or deploy to your own account with wrangler deploy --env <env>. Fill in account_id and your auth config (the introspect endpoint, or HUGR_INLINE_HMAC_SECRET for local HS256 verification — see below) in each packages/<pkg>/wrangler.toml; the committed values are placeholders.
Testing & evidence
The 37 workers was tested to exhaustion before release, and every claim traces to a dated record in this repo. Raw JSON for bench runs lives in scripts/load-test/results/.
| What was tested | Record |
|---|---|
| Unit + integration — 8,538 passing, 1,928 credential-gated skips, 0 failing (v1.0.0 CI) | CI run 27887641262 |
Adversarial load, 20 scenarios (bench:evil) — e.g. 100,000 requests, 0 errors |
docs/architecture/BENCHMARKS.md |
Fault injection, 8 chaos scenarios (bench:chaos) — provider chaos, state corruption, memory pressure, clock skew, slow-network, schema floods |
docs/architecture/CHAOS_BENCHMARKS.md |
MCP spec conformance, 10 scenarios incl. the official SDK Client end-to-end (bench:mcp) |
docs/architecture/MCP_CONFORMANCE.md |
Mutation testing over kernel + shared, Stryker (bench:mutation) — full kill/survive breakdown published, including the unflattering rows |
docs/architecture/MUTATION_BENCHMARKS.md |
| Also on record: security, observability, quality and supply-chain benches; Node 18 compat | docs/architecture/ |
These records are point-in-time (each is dated). Provider APIs drift; the credential-gated integration suites re-verify against live APIs whenever run with real credentials.
Quick start
# 1. Clone
git clone https://github.com/HumanGuardrail/HuGR_Tools.git
cd HuGR_Tools
# 2. Install (pnpm workspace)
pnpm install
# 3. Run all tests
pnpm -r test
# 4. Typecheck
pnpm -r typecheck
# 5. Run one package in dev mode (example: cloudflare)
pnpm -F @hugr/cloudflare dev
Requirements: Node >= 20 for development (CI runs Node 20; deploys use Node 22, required by wrangler 4). Worker code itself keeps Node 18 API compatibility, enforced by check:node18 — that is why the workspace engines floor reads >=18.17.
Per-package index
Each package has its own README.md with its full tool table, BYOK credential headers, and install snippet.
| Package | Tools | Description |
|---|---|---|
| kernel | — | Shared infrastructure: ports, http, formatter, mcp, tool, identity |
| cloudflare | 84 | Cloudflare platform — zones, DNS, WAF, Workers, R2, analytics |
| stripe | 50 | Stripe payments, subscriptions, billing, disputes, payouts |
| vercel | 40 | Vercel deployments, domains, projects, logs, analytics |
| sentry | 27 | Sentry error tracking, issues, releases, performance |
| pagerduty | 34 | PagerDuty incidents, alerts, schedules, escalations |
| supabase | 35 | Supabase projects, databases, auth (GoTrue), edge functions |
| aws-ai | 7 | Bedrock + BedrockAgent |
| aws-audit | 13 | CloudTrail + Config |
| aws-backup | 6 | Backup + FSx + Glacier |
| aws-batch | 6 | AWS Batch |
| aws-cache | 6 | ElastiCache + Redshift |
| aws-cicd-ext | 6 | CodeArtifact + CodeCommit + CodeDeploy + Proton |
| aws-cloudwatch | 14 | CloudWatch + CloudWatchLogs |
| aws-containers | 9 | ECS + EKS |
| aws-cost | 11 | CostExplorer + Organizations |
| aws-data | 10 | Athena + EMR + Glue |
| aws-devops | 18 | AutoScaling + CodeBuild + CodePipeline + ECR + SSM + X-Ray |
| aws-dynamodb | 13 | DynamoDB |
| aws-ec2 | 17 | EC2 |
| aws-iam | 11 | IAM |
| aws-lambda | 15 | Lambda |
| aws-management | 8 | CloudFormation + ServiceCatalog + Support |
| aws-messaging | 15 | EventBridge + SFN + SNS + SQS |
| aws-ml | 6 | SageMaker |
| aws-network-ext | 5 | DirectConnect + GlobalAccelerator + EC2 |
| aws-networking | 16 | APIGateway + CloudFront + ELB + Route53 |
| aws-rds | 12 | RDS |
| aws-s3 | 16 | S3 |
| aws-security | 19 | GuardDuty + Inspector + KMS + SecretsManager + SecurityHub + WAFv2 |
| aws-security-ext | 8 | Detective + FMS + Macie2 + SSO Admin |
| aws-storage | 7 | EFS |
| aws-streaming | 8 | Kafka + Kinesis + MQ |
| apm | 17 | Datadog APM |
| core | 15 | Datadog core metrics and infrastructure |
| dashboards | 12 | Datadog dashboards |
| logs | 18 | Datadog logs |
| monitors | 16 | Datadog monitors and alerts |
Status & honest assessment
As a product. This space is commoditizing — major providers now ship official MCP servers, so a third-party 630-tool suite carries a real, ongoing maintenance surface. Each worker deploys to your own Cloudflare account; how you isolate environments (separate accounts vs. name suffixes) is your call.
As an engineering artifact. The notable part is the structure: 37 independently-deployable workers sharing one frozen kernel contract (HTTP, auth, rate limiting, error taxonomy, JSON-RPC dispatch — written once); a BYOK fail-closed credential model; an OpenAPI→MCP codegen step that generated the AWS surface; and the test / mutation / chaos / leak-hunt discipline behind it.
Built by an agent fleet. This toolkit was constructed by an orchestrated fleet of AI coding agents, each working a disjoint, file-scoped slice against the frozen kernel contract — which is exactly what made a parallel, machine-driven build tractable. Stated plainly rather than passed off as hand-crafted; the interesting engineering is the structure that let it work.
Test figures are from the v1.0.0 CI run on main (GitHub Actions run 27887641262, 2026-06-20): 8,538 passing, 1,928 skipped, 0 failing (kernel alone: 514). The skips are credential-gated provider-integration suites (describe.skipIf(!HAS_CREDS)) that run only with real provider credentials.
Reference
| Document | Purpose |
|---|---|
docs/ARCHITECTURE.md |
High-level navigation hub — start here |
docs/architecture/ADR-001-modular-monolith.md |
Why modular monolith + shared kernel |
docs/architecture/KERNEL_SPEC.md |
Kernel API contracts (frozen) |
CONTRIBUTING.md |
Branching, commit format, ABORT rules, DoD |
CHANGELOG.md |
Version history |
License
MIT — Copyright 2026 Gustavo Schneiter / HuGR
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.