{
  "name": "VibeLeak",
  "description": "Trust-surface scanner for public websites with S-F grades, VibeSignal, VibeRank, Markdown handoff reports, Score Watch, and an MCP tool surface for agents.",
  "url": "https://www.vibeleak.app",
  "contact": "hello@vibeleak.app",
  "docs": "https://www.vibeleak.app/docs",
  "caseStudies": "https://www.vibeleak.app/case-studies",
  "security": "https://www.vibeleak.app/.well-known/security.txt",
  "mcp": {
    "endpoint": "https://www.vibeleak.app/api/mcp",
    "discovery": "https://www.vibeleak.app/.well-known/mcp.json",
    "auth": "Public tools require no auth. Owner-only tools support OAuth 2.1 PKCE or Authorization: Bearer <VIBEL...KEY> using a scoped VibeLeak API key fallback.",
    "oauth": {
      "protectedResourceMetadata": "https://www.vibeleak.app/.well-known/oauth-protected-resource",
      "authorizationServerMetadata": "https://www.vibeleak.app/.well-known/oauth-authorization-server",
      "authorizationEndpoint": "https://www.vibeleak.app/oauth/authorize",
      "tokenEndpoint": "https://www.vibeleak.app/oauth/token",
      "registrationEndpoint": "https://www.vibeleak.app/oauth/register"
    },
    "signupUrl": "https://www.vibeleak.app/login?action=signup&next=/dashboard/api-keys",
    "apiKeyDashboard": "https://www.vibeleak.app/dashboard/api-keys",
    "envKey": "VIBELEAK_API_KEY"
  },
  "hermes": {
    "status": "live-wired-tested",
    "nativeMcpConfig": {
      "serverName": "vibeleak",
      "endpoint": "https://www.vibeleak.app/api/mcp",
      "auth": "oauth",
      "envKey": "VIBELEAK_API_KEY",
      "toolPrefix": "mcp_vibeleak_",
      "smokeTest": "hermes mcp test vibeleak"
    },
    "operatorBriefPath": "docs/vibeleak/hermes-operator-brief.md",
    "demoFlow": [
      "domain intake",
      "mcp_vibeleak_get_connection_status",
      "mcp_vibeleak_scan_domain_and_export",
      "risk summary",
      "mcp_vibeleak_get_remediation_actions",
      "mcp_vibeleak_create_checkout_session",
      "mcp_vibeleak_enable_score_watch",
      "mcp_vibeleak_export_markdown_report",
      "save returned Markdown locally using suggestedFilename"
    ]
  },
  "capabilities": [
    "Run authenticated website trust scans through API v1 or MCP.",
    "Report MCP connection/account capability status without exposing raw API keys.",
    "Return public redacted grade cards with copy-ready badge embed HTML and without private findings.",
    "Return private findings, remediation actions, and Markdown reports only to the scan owner.",
    "Run VibeSignal and save-ready VibeSignal Markdown exports from public tools.",
    "Run VibeRank checks and exports for Pro or Agency accounts only.",
    "Create Stripe checkout sessions and enroll owned scans in Score Watch."
  ],
  "safe_for_automation": true,
  "agentOnboarding": [
    "Read /mcp and /.well-known/mcp.json.",
    "Call get_connection_status before requesting secrets or running owner tools.",
    "If the MCP client supports OAuth, use /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server to complete PKCE login.",
    "Connect public MCP tools first; do not ask for secrets until owner-only actions are needed.",
    "If OAuth is unavailable, prompt signup/signin and create a VibeLeak API key as fallback."
  ]
}