@chkp/workforce-ai-mcp

v1.0.1

MCP server for Workforce AI — policy management, asset visibility, and apps catalog via LLM tool calls

Readme

Check Point - Workforce AI MCP Server

An MCP (Model Context Protocol) server that exposes Check Point Workforce AI capabilities as LLM tools — enabling AI assistants to query, analyze, and manage AI & Browse security policies, assets, and applications through natural language.

Getting started

Obtaining API credentials

  1. Go to the Infinity Portal API Keys page.
  2. Click New > New Account API Key.
  3. In the Service dropdown select Workforce AI Security (and for Browse, Browse Security) and create the key.
  4. Copy the Client ID, Secret Key, and Authentication URL (gateway).

For more information, see Infinity Portal Administration Guide.

Available gateways

| Region | Gateway URL |
|---|---|
| Europe | https://cloudinfra-gw.portal.checkpoint.com |
| United States | https://cloudinfra-gw-us.portal.checkpoint.com |

Environment variables

| Variable | Required | Description |
|---|---|---|
| CP_CI_CLIENT_ID | Yes | CloudInfra API key client ID |
| CP_CI_ACCESS_KEY | Yes | CloudInfra API key secret |
| CP_CI_GATEWAY | Yes | CloudInfra gateway URL |
| MCP_MODE | Yes | Transport mode: stdio or http |
| PORT | When http | HTTP server port |
| WRITE_MODE | No | Set to true to enable write tools (default: false). Warning: enabling write mode allows the LLM to create, modify, and delete security policy rules. Use with caution. |

Running with stdio transport

Use stdio mode when connecting directly from an MCP client such as Claude Desktop, VS Code, or Cursor:

CP_CI_CLIENT_ID="your-client-id" \
CP_CI_ACCESS_KEY="your-access-key" \
CP_CI_GATEWAY="https://cloudinfra-gw-us.portal.checkpoint.com" \
MCP_MODE=stdio \
npx @chkp/workforce-ai-mcp

Claude Desktop configuration

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "workforce-ai": {
      "command": "npx",
      "args": ["--yes", "@chkp/workforce-ai-mcp"],
      "env": {
        "CP_CI_CLIENT_ID": "your-client-id",
        "CP_CI_ACCESS_KEY": "your-access-key",
        "CP_CI_GATEWAY": "https://cloudinfra-gw-us.portal.checkpoint.com",
        "MCP_MODE": "stdio"
      }
    }
  }
}
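
A pre-deployment check for the configuration above, as an added example that is not part of the project's code: it audits each `mcpServers` entry that launches this package against the README's variable and gateway tables. The function names (`auditEnv`, `auditMcpConfig`) and all sample values are constructed for illustration.

```javascript
// Added example, not project code. Variable names and gateway URLs come from the
// README tables; function names and sample values are constructed here.
const KNOWN_GATEWAYS = [
  "https://cloudinfra-gw.portal.checkpoint.com",
  "https://cloudinfra-gw-us.portal.checkpoint.com",
];
const REQUIRED = ["CP_CI_CLIENT_ID", "CP_CI_ACCESS_KEY", "CP_CI_GATEWAY", "MCP_MODE"];
const PLACEHOLDERS = ["your-client-id", "your-access-key"];

function auditEnv(env) {
  const findings = [];
  for (const n of REQUIRED) if (!env[n]) findings.push(`${n} is required but missing`);
  for (const n of ["CP_CI_CLIENT_ID", "CP_CI_ACCESS_KEY"])
    if (PLACEHOLDERS.includes(env[n])) findings.push(`${n} is still the README placeholder`);
  const gateway = (env.CP_CI_GATEWAY || "").replace(/\/+$/, "");
  if (gateway && !KNOWN_GATEWAYS.includes(gateway))
    findings.push("CP_CI_GATEWAY is not in the README gateway table");
  if (env.MCP_MODE && !["stdio", "http"].includes(env.MCP_MODE))
    findings.push("MCP_MODE must be stdio or http");
  const port = Number(env.PORT);
  if (env.MCP_MODE === "http" && !(Number.isInteger(port) && port >= 1 && port <= 65535))
    findings.push("PORT (1-65535) is required when MCP_MODE=http");
  // The README documents only "true"; any value other than unset/"false" is flagged for review.
  if (env.WRITE_MODE !== undefined && String(env.WRITE_MODE).trim().toLowerCase() !== "false")
    findings.push(`WRITE_MODE=${env.WRITE_MODE}: write tools may be exposed to the LLM`);
  return findings;
}

// Audit every entry of a claude_desktop_config.json-style object that launches this package.
function auditMcpConfig(config) {
  const report = {};
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    if ((server.args || []).includes("@chkp/workforce-ai-mcp")) report[name] = auditEnv(server.env || {});
  }
  return report;
}

// Constructed sample: one risky entry, one matching the README's read-only stdio setup.
const sample = { mcpServers: {
  risky: { command: "npx", args: ["--yes", "@chkp/workforce-ai-mcp"], env: {
    CP_CI_CLIENT_ID: "your-client-id", CP_CI_ACCESS_KEY: "constructed-secret",
    CP_CI_GATEWAY: "https://gw.example.invalid", MCP_MODE: "http", WRITE_MODE: "true" } },
  readonly: { command: "npx", args: ["--yes", "@chkp/workforce-ai-mcp"], env: {
    CP_CI_CLIENT_ID: "constructed-id", CP_CI_ACCESS_KEY: "constructed-secret",
    CP_CI_GATEWAY: "https://cloudinfra-gw-us.portal.checkpoint.com", MCP_MODE: "stdio" } },
} };
console.log(JSON.stringify(auditMcpConfig(sample), null, 2));
```
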

Running with HTTP transport

Use HTTP mode when running the server as a standalone service:

CP_CI_CLIENT_ID="your-client-id" \
CP_CI_ACCESS_KEY="your-access-key" \
CP_CI_GATEWAY="https://cloudinfra-gw-us.portal.checkpoint.com" \
MCP_MODE=http \
PORT=3000 \
npx @chkp/workforce-ai-mcp

The server exposes:

  • POST /mcp — MCP StreamableHTTP endpoint
  • GET /health — Health check

Capabilities

Read mode (default)

By default, the server starts in read-only mode, exposing tools for querying and analyzing policies without making any changes. This is safe for exploration and auditing.

Policy inspection

  • List rulebases — View all rules for Chats (GenAI DLP), AI Access, Web Access, Agents, Secure Browsing, and DLP policies
  • Analyze shadow rules — Detect rules that are shadowed (never matched) by higher-priority rules
  • Simulate policy matching — Given a user and target, resolve which rule in the rulebase would apply
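
What shadow-rule analysis and policy-match simulation compute, shown on a toy rulebase as an added example; this is not the server's implementation or its data model. It assumes first-match evaluation from the top of the rulebase, and the rule shape (`id`, `active`, `sources`, `targets`) and `"*"` as "any" are hypothetical.

```javascript
// Added example, not the server's code. Assumptions: rules are evaluated top-down,
// the first active match applies, and "*" in a list means "any user" / "any target".
// Probing with "*" stands for a value that no rule names explicitly.
const matches = (list, value) => list.includes("*") || list.includes(value);

function resolveMatchingRule(rulebase, user, target) {
  return rulebase.find(r => r.active && matches(r.sources, user) && matches(r.targets, target)) || null;
}

// A rule is shadowed when every (source, target) pair it covers is already
// claimed by some earlier active rule, possibly by several rules together.
function analyzeShadowRules(rulebase) {
  const shadowed = [];
  rulebase.forEach((rule, index) => {
    if (!rule.active) return;
    const earlier = rulebase.slice(0, index);
    const coveredBy = new Set();
    const fullyCovered = rule.sources.every(s => rule.targets.every(t => {
      const hit = resolveMatchingRule(earlier, s, t);
      if (hit) coveredBy.add(hit.id);
      return hit !== null;
    }));
    if (fullyCovered) shadowed.push({ id: rule.id, shadowedBy: [...coveredBy] });
  });
  return shadowed;
}

// Constructed rulebase: group names and app names are made up for the example.
const rulebase = [
  { id: "r0", active: false, sources: ["*"], targets: ["*"] },          // disabled: shadows nothing
  { id: "r1", active: true, sources: ["*"], targets: ["app-a"] },
  { id: "r2", active: true, sources: ["finance"], targets: ["app-a"] }, // covered by r1
  { id: "r3", active: true, sources: ["finance", "hr"], targets: ["app-b"] },
  { id: "r4", active: true, sources: ["hr"], targets: ["app-b", "app-c"] }, // app-c still reachable
  { id: "r5", active: true, sources: ["eng"], targets: ["app-b"] },
  { id: "r6", active: true, sources: ["hr", "eng"], targets: ["app-b"] }, // covered by r3 + r5
  { id: "r7", active: true, sources: ["*"], targets: ["*"] },
];
console.log(analyzeShadowRules(rulebase), resolveMatchingRule(rulebase, "hr", "app-c").id);
```

The `r6` case is the one a pairwise comparison misses: no single earlier rule covers it, but `r3` and `r5` together do. Re-enabling `r0` would shadow every rule below it, which is why activation and reordering changes are worth re-analyzing.
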

Assets and users

  • Search assets — Find managed assets by name or attributes
  • Count assets — Get asset counts with optional filters
  • Search users — Look up users and groups in the organization

Applications and data types

  • Search apps — Search the GenAI application catalog by name, description, or URL
  • Get apps by ID — Retrieve application details by their IDs
  • List DLP data types — Browse predefined and custom DLP data types
  • Get tenant DLP data types — View data types configured for the tenant

Policy objects

  • List domain objects — View domain-based policy objects
  • List file protection objects — View file protection configurations

Write mode

To enable write operations, set WRITE_MODE=true. This unlocks tools that modify the policy configuration:

Rule management

  • Create rules — Create new Chats, AI Access, Agents, DLP, and Secure Browsing rules with full policy configuration including actions, services, data types, and user/group assignments
  • Edit rules — Update rule name, description, and other properties
  • Activate / deactivate rules — Toggle rules on or off
  • Reorder rules — Change rule priority in the rulebase
  • Delete rules — Permanently remove rules from the rulebase

Available tools

| Tool | Description | Mode |
|---|---|---|
| list_chats_rules | List all Chats (GenAI DLP) rules. | read |
| list_ai_access_rules | List all AI Access rules that control which AI services and applications users are allowed to interact with. | read |
| list_web_access_rules | List all Web Access rules for Browse Security. | read |
| list_agents_rules | List all Agents (MCP Server) rules that govern agent interactions. | read |
| list_secure_browsing_rules | List all Secure Browsing threat-prevention rules. | read |
| list_dlp_rules | List all Browse DLP (Data Loss Prevention) rules for browser security. | read |
| set_rule_info | Update the display name and description of a rule identified by its UUID. | write |
| set_rule_active | Enable or disable a rule without deleting it. | write |
| reorder_rule | Move a rule to a new position in the rulebase. | write |
| delete_rule | Permanently delete a rule from the rulebase by its UUID. | write |
| create_chats_rule | Create a new Chats (GenAI DLP) rule. | write |
| create_ai_access_rule | Create a new AI Access rule that controls which AI services and applications users can interact with. | write |
| create_agents_rule | Create a new Agents (MCP Server) rule that governs agent interactions. | write |
| create_dlp_rule | Create a new Browse DLP rule for data loss prevention during web browsing. | write |
| create_secure_browsing_rule | Create a new Secure Browsing threat-prevention rule. | write |
| set_chats_policy | Replace the entire policy configuration of a Chats rule (also known as 'Chats' in AI Security UI — POLICY_TYPE_DLP). | write |
| patch_chats_policy | Deep-merge partial changes into a Chats rule's policy. | write |
| set_access_policy | Replace the entire policy configuration of an AI Access rule (POLICY_TYPE_ACCESS). | write |
| patch_access_policy | Deep-merge partial changes into an AI Access rule's policy. | write |
| set_agents_policy | Replace the entire policy configuration of an Agents rule (also known as 'Agents' — POLICY_TYPE_MCP_SERVER). | write |
| patch_agents_policy | Deep-merge partial changes into an Agents rule's policy. | write |
| set_secure_browsing_policy | Replace the entire policy configuration of a Secure Browsing rule (POLICY_TYPE_THREAT_PREVENTION). | write |
| patch_secure_browsing_policy | Deep-merge partial changes into a Secure Browsing rule's policy. | write |
| set_rule_source | Replace the full source (user/group assignments) list of a rule. | write |
| set_rule_objects | Replace all objects attached to a rule for a specific feature. | write |
| list_file_protection_objects | List all file-protection policy objects. | read |
| update_file_protection_object | Update an existing file-protection object. | write |
| create_file_protection_object | Create a new file-protection object. | write |
| list_domains_objects | List all domains policy objects. | read |
| update_domains_object | Update an existing domains object. | write |
| create_domains_object | Create a new domains object containing a list of domain entries for domain-based filtering (allow/block lists). | write |
| delete_object | Permanently delete a policy object (file-protection or domains) by its UUID. | write |
| get_tenant_dlp_datatypes | Get the tenant-specific DLP datatype configuration showing which data types are currently enabled for detection in this tenant's policies. | read |
| search_dlp_datatypes | Search DLP data types by name or description with pagination. | read |
| analyze_shadow_rules | Find unreachable (shadowed) rules in a rulebase. | read |
| resolve_matching_rule | Given a user and target, determine which rule in the rulebase would apply. | read |
| search_assets | Search deployed assets (endpoints/devices) with optional filtering, sorting, text search, and pagination. | read |
| count_assets | Get the total count of deployed assets, optionally filtered. | read |
| search_users | Search users in the organization with optional text search and pagination. | read |
| search_apps | Search the GenAI apps catalog by name, description, or URL. | read |
| get_apps_by_ids | Get specific GenAI apps from the catalog by their numeric IDs. | read |

Report Bug

In case of an issue or a bug found in the MCP server, please open an issue.
