feat: implement VAPT agent application with a Gradio UI, AI tutor, and dashboard, and update README.

README.md

@@ -9,6 +9,406 @@ app_file: app.py
 pinned: false
 license: apache-2.0
 short_description: AI-powered VAPT agent built with Claude, MCP, and Gradio.
+tags:
+  - mcp-in-action-track-enterprise
+  - mcp-in-action-track-consumer
+  - mcp-in-action-track-creative
 ---
 
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+
+# 🏆 VAPT Agent - Intelligent API Security Testing
+
+> **MCP's 1st Birthday Hackathon Submission** 🎉  
+> *Hosted by Anthropic & Gradio on Hugging Face*  
+> [🔗 Hackathon Page](https://huggingface.co/MCP-1st-Birthday)
+
+LinkedIn post - [Refer HERE](https://www.linkedin.com/posts/chsubhasis_vapt-agent-activity-7399454144895467520-yR6I?utm_source=share&utm_medium=member_desktop&rcm=ACoAABIj1NcBQpSiJ5ZDC9YQBBsmL4fDfy7D0LU) || Demo Video - [Refer HERE](https://youtu.be/wFgW_o48pw8?si=2lpag5I4zsUz8J2d)
+---
+
+## 📋 Project Overview
+
+**VAPT Agent** is an autonomous, AI-powered **Vulnerability Assessment and Penetration Testing (VAPT)** platform that revolutionizes API security testing. By combining **Anthropic's Claude Agent SDK**, **Postman MCP Server**, **Gradio Web Interface**, and **RAG-based security education**, this project showcases the power of Model Context Protocol (MCP) for building intelligent, context-aware security tools.
+
+### 🎯 What Makes This Special?
+
+This project demonstrates **three powerful MCP integrations**:
+
+1. **🤖 Anthropic Claude SDK** - Powers the core VAPT reasoning agent with Claude Haiku 4.5
+2. **📮 Postman MCP Server** - Enables automatic API discovery and OpenAPI specification generation
+3. **🛠️ Custom VAPT MCP Server** - Provides specialized security testing tools (SQL injection, XSS, auth testing, etc.)
+
+Combined with a **modern Gradio interface** and **RAG-powered AI tutor** using Chroma vector search, VAPT Agent bridges the gap between automated security testing and developer education.
+
+---
+
+## 🏗️ Architecture Overview
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    Gradio Web Interface                         │
+│  (Real-time Progress, Visual Dashboard, AI Security Tutor)      │
+└────────────────────┬────────────────────────────────────────────┘
+                     │
+                     ▼
+┌─────────────────────────────────────────────────────────────────┐
+│              VAPT Agent Orchestrator                            │
+│              (vapt_agent.py)                                    │
+└─────┬──────────────────────────────┬────────────────────────────┘
+      │                              │
+      ▼                              ▼
+┌─────────────────────┐    ┌──────────────────────────────────────┐
+│  Claude Agent SDK   │    │     MCP Servers (via Claude SDK)     │
+│  (Haiku 4.5 Model)  │◄───┤  ┌────────────┐  ┌────────────────┐ │
+│                     │    │  │ Postman    │  │ Custom VAPT    │ │
+│ • Reasoning         │    │  │ MCP Server │  │ MCP Tools      │ │
+│ • Test Planning     │    │  │ (SSE)      │  │ (Local Server) │ │
+│ • Report Gen        │    │  └────────────┘  └────────────────┘ │
+└─────────────────────┘    └──────────────────────────────────────┘
+                                     │
+                     ┌───────────────┴───────────────┐
+                     ▼                               ▼
+              ┌──────────────┐            ┌─────────────────────┐
+              │ Postman API  │            │ Target API Endpoint │
+              │ • Discovery  │            │ • Security Testing  │
+              │ • Schema Gen │            │ • Vuln Detection    │
+              └──────────────┘            └─────────────────────┘
+
+┌─────────────────────────────────────���───────────────────────────┐
+│                    AI Security Tutor (RAG)                      │
+│  ┌──────────────┐  ┌──────────────┐  ┌────────────────────┐   │
+│  │ Nebius LLM   │  │ Chroma DB    │  │ Nebius Embeddings  │   │
+│  │ (gpt-oss-20b)│◄─┤ Vector Store │◄─┤ (Qwen3-Embed-8B)   │   │
+│  └──────────────┘  └──────────────┘  └────────────────────┘   │
+│         ▲                   ▲                                   │
+│         │                   │                                   │
+│         └───────────────────┴─── VAPT Report Context           │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### 🔄 How It Works
+
+1. **User Input** → User provides API endpoint via Gradio interface
+2. **Discovery** → Claude agent uses **Postman MCP** to discover endpoints and generate OpenAPI spec
+3. **Testing** → Agent invokes **Custom VAPT MCP tools** to test for vulnerabilities
+4. **Reasoning** → **Claude Haiku 4.5** analyzes results and generates comprehensive security report
+5. **Visualization** → Gradio dashboard displays risk scores and severity charts
+6. **Education** → User asks questions → **AI Tutor** uses **RAG (Chroma + Nebius embeddings)** to retrieve relevant report sections → **Nebius LLM** generates educational explanations
+
+---
+
+## ✨ Key Features
+
+### 🔒 Comprehensive Security Testing
+
+Automated vulnerability detection powered by Claude's reasoning and custom MCP tools:
+
+- **Injection Attacks**: SQL injection, XSS, path traversal
+- **Authentication & Authorization**: Broken auth detection, token validation
+- **Rate Limiting**: DoS vulnerability assessment, burst testing (50 requests)
+- **CORS Policy**: Origin validation, wildcard detection
+- **Security Headers**: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, etc.
+
+### 🎨 Modern Gradio Web Interface
+
+Beautiful, responsive UI built with Gradio featuring:
+
+- **Real-time Progress Streaming** from Claude agent
+- **Downloadable Markdown Reports** for audit trails
+- **Visual Risk Dashboard** with interactive charts (risk gauge + severity pie chart)
+- **Tabbed Interface** for organized information flow
+- **Custom CSS Styling** for professional appearance
+
+### 🧠 RAG-Powered AI Security Tutor
+
+**Context Engineering & Retrieval-Augmented Generation (RAG)** implementation:
+
+#### How RAG Works in VAPT Agent:
+
+1. **Document Chunking** (`ai_tutor.py`):
+   - Report split into logical sections based on markdown headers (`##`)
+   - Large sections auto-chunked to ~2000 characters for optimal retrieval
+   - Preserves context boundaries for coherent answers
+
+2. **Vector Embedding** (Nebius + Chroma):
+   - Each chunk embedded using **Qwen3-Embedding-8B** (Nebius)
+   - Vectors stored in **Chroma** ephemeral in-memory database
+   - Index automatically rebuilt when report changes (SHA-256 content hashing)
+   - Never reuses old vectors for new reports
+
+3. **Semantic Search**:
+   - User question embedded with same model
+   - Top-K (default: 4) relevant chunks retrieved via cosine similarity
+   - Context passed to LLM for grounded responses
+
+4. **Context Engineering**:
+   - System prompt instructs LLM to prioritize retrieved VAPT report context
+   - Combines report snippets + optional web search (Tavily)
+   - Prevents hallucination by grounding answers in actual findings
+
+**Benefits**:
+- ✅ Accurate answers specific to YOUR security report
+- ✅ No generic security advice - tailored to actual findings
+- ✅ Efficient: Only relevant context sent to LLM (cost-effective)
+- ✅ Educational: Explains vulnerabilities in your specific API
+
+### 📮 Postman MCP Integration
+
+Leverages **Postman's official MCP server** (SSE protocol):
+
+- Automatic API endpoint discovery
+- OpenAPI/Swagger specification generation
+- Request/response schema analysis
+- Collection management for organized testing
+- Seamless integration via Claude Agent SDK
+
+### 🤖 Anthropic Claude SDK
+
+Core agent powered by **Claude Agent SDK**:
+
+- **Model**: Claude Haiku 4.5 (fast, cost-efficient, high-quality reasoning)
+- **Multi-turn Reasoning**: Agent conversations up to 100 turns
+- **Tool Orchestration**: Coordinates Postman MCP + Custom VAPT MCP tools
+- **Flexible Deployment**: Anthropic API or AWS Bedrock
+- **Permission Mode**: Bypass permissions for automated testing
+
+---
+
+## 🎁 Benefits & Impact
+
+### For Security Professionals
+- ⚡ **Save Time**: Automate repetitive VAPT tasks
+- 📊 **Visual Insights**: Instantly understand risk posture with charts
+- 🎓 **Learn On-the-Go**: AI tutor explains findings while you work
+- 📄 **Audit-Ready Reports**: Comprehensive markdown reports with evidence
+
+### For Developers
+- 🛡️ **Shift-Left Security**: Test APIs during development
+- 📚 **Security Education**: Learn secure coding through AI tutor
+- 🔧 **Easy Integration**: Simple API endpoint input
+- 🚀 **Fast Feedback**: Get results in minutes, not days
+
+### For Organizations
+- 💰 **Cost-Effective**: Reduce manual penetration testing costs
+- 📈 **Scalable**: Test multiple APIs rapidly
+- 📋 **Compliance**: Generate audit-ready security reports
+- 🔄 **Continuous Testing**: Integrate into CI/CD pipelines
+
+### Technical Innovation
+- 🧩 **MCP Showcase**: Demonstrates multiple MCP server integration
+- 🔬 **RAG Best Practices**: Production-ready context engineering
+- 🎨 **UX Excellence**: Beautiful, intuitive Gradio interface
+- 🔓 **Open Source**: Extensible architecture for custom tools
+
+---
+
+## 🚀 Prerequisites
+
+- **Python 3.10+**
+- **[Postman API Key](https://postman.com/settings/api-keys)** - For MCP server access
+- **[Anthropic API Key](https://console.anthropic.com/) OR AWS Bedrock** - For Claude Haiku 4.5
+- **[Nebius API Key](https://nebius.com/)** - For AI Tutor (optional but recommended)
+
+---
+
+## 📦 Installation
+
+1. **Clone the repository**:
+   ```bash
+   git clone <repository-url>
+   cd vapt-agent
+   ```
+
+2. **Create virtual environment**:
+   ```bash
+   python -m venv venv
+   source venv/bin/activate  # On Windows: venv\Scripts\activate
+   ```
+
+3. **Install dependencies**:
+   ```bash
+   pip install -r requirements.txt
+   ```
+
+4. **Configure environment**:
+   ```bash
+   cp .env.template .env
+   # Edit .env with your credentials
+   ```
+
+---
+
+## ⚙️ Configuration
+
+Create a `.env` file with the following variables:
+
+```properties
+# --- Core VAPT Agent Configuration ---
+
+# AWS Bedrock (set to 1 to use Bedrock, 0 for Anthropic API)
+CLAUDE_CODE_USE_BEDROCK=1
+
+# AWS Credentials (if using Bedrock)
+AWS_ACCESS_KEY_ID=your_access_key
+AWS_SECRET_ACCESS_KEY=your_secret_key
+AWS_REGION=us-east-1
+
+# Model selection for VAPT Agent (Haiku 4.5 recommended)
+ANTHROPIC_MODEL=global.anthropic.claude-haiku-4-5-20251001-v1:0
+# If using Anthropic API directly:
+# ANTHROPIC_API_KEY=sk-ant-...
+
+# Postman API key (get from https://postman.com/settings/api-keys)
+POSTMAN_API_KEY=your_postman_api_key
+
+# --- AI Tutor Configuration (Nebius) ---
+
+# Nebius API Key for Tutor and Embeddings
+NEBIUS_API_KEY=your_nebius_api_key
+
+# Nebius Base URL (optional, defaults to standard endpoint)
+# NEBIUS_BASE_URL=https://api.tokenfactory.nebius.com/v1
+
+# AI Tutor Chat Model
+NEBIUS_TUTOR_MODEL=gpt-oss-20b
+
+# Embedding Model for Vector Search (REQUIRED for RAG)
+NEBIUS_EMBEDDING_MODEL=Qwen3-Embedding-8B
+
+# --- Optional Web Search ---
+# TAVILY_API_KEY=tvly-...
+```
+
+---
+
+## 🎮 Usage
+
+### 1. Web Interface (Recommended)
+
+Launch the **Gradio dashboard** for an interactive experience:
+
+```bash
+python app.py
+```
+
+- Open your browser at `http://localhost:7861`
+- Enter the API endpoint and HTTP method
+- Watch the real-time progress log
+- View the generated report, risk dashboard, and chat with the AI Security Tutor
+
+### 2. Command Line Interface
+
+Run the agent directly from the terminal:
+
+```bash
+python vapt_agent.py
+```
+
+(Ensure `TEST_API_ENDPOINT` and `TEST_API_METHOD` are set in your `.env` file for CLI usage)
+
+---
+
+## 🔍 Security Tests Performed
+
+The agent uses custom MCP tools (`vapt_tools.py`) to perform:
+
+### 1. **Injection Testing**
+- SQL Injection with various payloads (e.g., `' OR '1'='1`)
+- XSS (Cross-Site Scripting) detection
+- Path traversal attempts (`../../../etc/passwd`)
+
+### 2. **Authentication Testing**
+- Endpoint access without credentials
+- Authentication bypass attempts
+- Token validation and expiration checks
+
+### 3. **Rate Limiting**
+- Burst request testing (50 rapid requests)
+- 429 status code detection
+- DoS vulnerability assessment
+
+### 4. **CORS Policy**
+- Origin validation testing
+- Wildcard (`*`) detection
+- Cross-origin request testing
+
+### 5. **Security Headers**
+- `Strict-Transport-Security` (HSTS)
+- `X-Content-Type-Options`
+- `X-Frame-Options`
+- `Content-Security-Policy`
+- `X-XSS-Protection`
+
+---
+
+## 📊 Output
+
+The agent generates a comprehensive **Markdown report** saved as `vapt_report_YYYYMMDD_HHMMSS.md` containing:
+
+- **Executive Summary** with risk score
+- **Vulnerability Details** (Severity, Description, Evidence, Remediation)
+- **Security Headers Analysis**
+- **CORS Policy Review**
+- **Rate Limiting Assessment**
+- **Recommendations** for fixes
+
+---
+
+## 🛠️ Troubleshooting
+
+### Postman API Key Issues
+- Get your API key from: https://postman.com/settings/api-keys
+- Ensure the key has necessary permissions for collections and environments
+
+### AWS Bedrock Issues
+- Verify AWS credentials are correct
+- Ensure you have access to Claude models in your region
+- Check IAM permissions for Bedrock
+
+### AI Tutor Not Working
+- Check `NEBIUS_API_KEY` is set
+- Ensure `NEBIUS_EMBEDDING_MODEL` is set to `Qwen3-Embedding-8B` for vector search to work
+- Verify `chromadb` is installed: `pip install chromadb`
+
+### Gradio Interface Issues
+- Ensure port 7861 is not blocked
+- Try clearing browser cache
+- Check console logs for errors
+
+---
+
+## 🤝 Contributing
+
+Contributions are welcome! Please follow the existing code structure:
+
+- Keep tools modular in `vapt_tools.py`
+- Add configuration in `config.py`
+- Update `.env.template` for new variables
+- Follow Python best practices (PEP 8)
+- Add docstrings for new functions
+
+---
+
+## 📜 License
+
+MIT License - See LICENSE file for details
+
+---
+
+## ⚠️ Disclaimer
+
+This tool is for **authorized security testing only**. Always obtain proper authorization before testing any API endpoints. Unauthorized testing may be illegal and unethical.
+
+---
+
+## 🙏 Acknowledgments
+
+Built for **MCP's 1st Birthday Hackathon** hosted by **Anthropic** and **Gradio**.
+
+**Technologies Used**:
+- [Anthropic Claude Agent SDK](https://github.com/anthropics/anthropic-sdk-python)
+- [Gradio](https://gradio.app/)
+- [Postman MCP Server](https://mcp.postman.com/)
+- [Chroma](https://www.trychroma.com/)
+- [Nebius Token Factory](https://nebius.com/)
+
+---

ai_tutor.py

@@ -0,0 +1,466 @@
+"""
+AI Security Tutor for VAPT Agent.
+
+Now powered by Nebius Token Factory (OpenAI-compatible API) with Chroma vector search.
+
+Key behaviours:
+- Uses a Nebius-hosted model for chat.
+- Uses a Nebius embedding model + Chroma to build a vector index over the
+  VAPT Markdown report.
+- The index is built ONCE per report (per process) and automatically rebuilt
+  if the report content changes.
+- Ensures that vectors from one report are never reused for another report
+  by hashing the report content and recreating the index when it changes.
+- Optionally enriches answers with web search via Tavily.
+
+Environment variables:
+
+# Nebius (required)
+- NEBIUS_API_KEY            : Nebius Token Factory API key
+- NEBIUS_BASE_URL           : (optional) e.g. "https://api.tokenfactory.nebius.com/v1"
+- NEBIUS_TUTOR_MODEL        : (optional) chat model id for tutor
+- NEBIUS_EMBEDDING_MODEL    : embedding model id for vector search (REQUIRED to enable Chroma search)
+
+# Optional web search
+- TAVILY_API_KEY            : enables web search if set
+"""
+
+import os
+import hashlib
+from typing import List, Tuple, Dict
+from dataclasses import dataclass
+
+import requests
+from openai import OpenAI
+
+from prompt import get_tutor_system_prompt
+
+# Try to import Chroma, but degrade gracefully if not installed
+try:
+    import chromadb
+
+    CHROMA_AVAILABLE = True
+except ImportError:
+    chromadb = None
+    CHROMA_AVAILABLE = False
+
+
+# ---------------------------------------------------------------------------
+# Simple helpers
+# ---------------------------------------------------------------------------
+
+
+def _normalize(text: str) -> str:
+    return text.lower()
+
+
+def _extract_report_sections(
+    report_md: str, max_section_chars: int = 2000
+) -> List[str]:
+    """
+    Split the markdown report into logical sections based on '## ' headings.
+
+    If sections are very large, they are further split into smaller chunks.
+    """
+    if not report_md:
+        return []
+
+    sections: List[str] = []
+    current: List[str] = []
+
+    lines = report_md.splitlines()
+    for line in lines:
+        if line.startswith("## "):
+            if current:
+                sections.append("\n".join(current).strip())
+                current = []
+        current.append(line)
+
+    if current:
+        sections.append("\n".join(current).strip())
+
+    if not sections:
+        sections = [report_md]
+
+    # Further split oversized sections into smaller chunks
+    final_chunks: List[str] = []
+    for sec in sections:
+        if len(sec) <= max_section_chars:
+            final_chunks.append(sec)
+        else:
+            # naive split by paragraphs
+            paras = sec.split("\n\n")
+            chunk: List[str] = []
+            size = 0
+            for p in paras:
+                p_len = len(p) + 2
+                if size + p_len > max_section_chars and chunk:
+                    final_chunks.append("\n\n".join(chunk))
+                    chunk = [p]
+                    size = p_len
+                else:
+                    chunk.append(p)
+                    size += p_len
+            if chunk:
+                final_chunks.append("\n\n".join(chunk))
+
+    return final_chunks
+
+
+def _web_search_tavily(query: str, max_results: int = 3) -> str:
+    """
+    Optional: perform web search via Tavily Search API.
+
+    Requires TAVILY_API_KEY in env. If not present or call fails,
+    returns an empty string and the tutor will just rely on the report.
+    """
+    api_key = os.getenv("TAVILY_API_KEY")
+    if not api_key:
+        return ""
+
+    try:
+        payload = {
+            "api_key": api_key,
+            "query": query,
+            "max_results": max_results,
+            "include_answer": True,
+            "search_depth": "basic",
+        }
+        resp = requests.post(
+            "https://api.tavily.com/search",
+            json=payload,
+            timeout=15,
+        )
+        resp.raise_for_status()
+        data = resp.json()
+
+        parts: List[str] = []
+        answer = data.get("answer")
+        if answer:
+            parts.append(f"Direct answer: {answer}")
+
+        results = data.get("results") or []
+        for r in results[:max_results]:
+            title = r.get("title") or "Untitled"
+            url = r.get("url") or ""
+            content = r.get("content") or ""
+            parts.append(f"- {title}\n  {content[:300]}...\n  Source: {url}")
+
+        return "\n".join(parts) if parts else ""
+    except Exception:
+        # Fail silently – we don't want the tutor to break if search fails
+        return ""
+
+
+# ---------------------------------------------------------------------------
+# Security Tutor with Nebius + Chroma
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class TutorConfig:
+    base_url: str
+    api_key: str
+    model: str
+    embedding_model: str | None
+
+
+class SecurityTutor:
+    """AI-powered security education assistant backed by Nebius + Chroma."""
+
+    def __init__(self):
+        """
+        Initialize the Security Tutor with Nebius OpenAI-compatible client.
+
+        Required:
+          - NEBIUS_API_KEY
+
+        Optional:
+          - NEBIUS_BASE_URL (defaults to Nebius Token Factory base URL)
+          - NEBIUS_TUTOR_MODEL
+          - NEBIUS_EMBEDDING_MODEL (required to enable Chroma vector search)
+        """
+        api_key = os.getenv("NEBIUS_API_KEY")
+
+        if not api_key:
+            self.client = None
+            self.available = False
+            self.config = None
+            self.chroma_client = None
+            self.vector_enabled = False
+            self._raw_report = ""
+            self._report_hash = None
+            self._collection = None
+            return
+
+        base_url = os.getenv(
+            "NEBIUS_BASE_URL",
+            "https://api.tokenfactory.nebius.com/v1",  # Nebius OpenAI-compatible base URL
+        )
+        model = os.getenv(
+            "NEBIUS_TUTOR_MODEL",
+            "meta-llama/Meta-Llama-3.1-70B-Instruct",  # example; override with your chosen model
+        )
+        embedding_model = os.getenv(
+            "NEBIUS_EMBEDDING_MODEL",  # REQUIRED for vector search
+            None,
+        )
+
+        self.config = TutorConfig(
+            base_url=base_url,
+            api_key=api_key,
+            model=model,
+            embedding_model=embedding_model,
+        )
+        self.client = OpenAI(base_url=self.config.base_url, api_key=self.config.api_key)
+        self.available = True
+
+        # Chroma setup
+        if CHROMA_AVAILABLE and self.config.embedding_model:
+            # Ephemeral in-memory store is fine for a single process
+            self.chroma_client = chromadb.EphemeralClient()
+            self.vector_enabled = True
+        else:
+            self.chroma_client = None
+            self.vector_enabled = False
+
+        # Per-report state
+        self._raw_report: str = ""
+        self._report_hash: str | None = None
+        self._collection = None  # Chroma collection holding current report vectors
+
+    # ------------------------------------------------------------------ #
+    # Public entry point
+    # ------------------------------------------------------------------ #
+
+    def chat(
+        self,
+        message: str,
+        report_context: str,
+        history: List[Tuple[str, str]],
+    ) -> str:
+        """
+        Handle a chat message from the user.
+
+        Args:
+            message: User's question
+            report_context: Full VAPT report markdown for THIS user/run
+            history: Previous chat messages [(user_msg, assistant_msg), ...]
+
+        Behaviour:
+            - If the report content has changed since last call, rebuild the
+              vector index just once and store it.
+            - Then run vector search on the stored index for this question.
+            - Never reuse vectors from a previous report for the new report.
+        """
+        if not self.available or not self.client:
+            return (
+                "🔧 AI Tutor is not configured yet.\n\n"
+                "Please set NEBIUS_API_KEY (and optionally NEBIUS_TUTOR_MODEL) "
+                "in your environment to enable the tutor."
+            )
+
+        # 1) Ensure the index is up-to-date for THIS report
+        self._ensure_report_index(report_context)
+
+        # 2) Retrieve relevant snippets from the currently indexed report
+        report_snippets = self._search_report_with_vectors(message)
+
+        # 3) Optional web search (if Tavily API key is configured)
+        web_snippets = _web_search_tavily(message)
+        web_note = (
+            "\n\n---\n\nWeb search snippets:\n" + web_snippets
+            if web_snippets
+            else "\n\n(Web search not configured or returned no results.)"
+        )
+
+        # 4) Build system prompt with clear grounding instructions
+        system_prompt = self._build_system_prompt(
+            report_snippets=report_snippets,
+            include_web=bool(web_snippets),
+        )
+
+        # 5) Build messages (system + history + current question)
+        messages: List[Dict[str, str]] = [{"role": "system", "content": system_prompt}]
+
+        for user_msg, assistant_msg in history:
+            if user_msg:
+                messages.append({"role": "user", "content": user_msg})
+            if assistant_msg:
+                messages.append({"role": "assistant", "content": assistant_msg})
+
+        user_content = (
+            f"{message}\n\n"
+            "-----\n\n"
+            "Use the following VAPT report excerpts as your primary source of truth:\n\n"
+            f"{report_snippets}\n"
+            f"{web_note}"
+        )
+        messages.append({"role": "user", "content": user_content})
+
+        try:
+            completion = self.client.chat.completions.create(
+                model=self.config.model,
+                messages=messages,
+                temperature=0.4,
+                max_tokens=800,
+            )
+            return completion.choices[0].message.content
+        except Exception as e:
+            return f"❌ Error communicating with Security Tutor (Nebius): {str(e)}"
+
+    # ------------------------------------------------------------------ #
+    # Report index management (build once per report)
+    # ------------------------------------------------------------------ #
+
+    def _ensure_report_index(self, report_md: str) -> None:
+        """
+        Ensure that the vector index reflects the given report.
+
+        - If no report or same report as before -> do nothing.
+        - If a different report -> rebuild vectors so we NEVER reuse old vectors
+          for a new report.
+        """
+        report_md = report_md or ""
+
+        # If we never had a report and still don't, nothing to do
+        if not report_md and not self._raw_report:
+            return
+
+        new_hash = hashlib.sha256(report_md.encode("utf-8")).hexdigest()
+
+        # If hash matches, it's the same report -> keep existing vectors
+        if self._report_hash == new_hash:
+            return
+
+        # Report changed: update internal state and rebuild index
+        self._raw_report = report_md
+        self._report_hash = new_hash
+
+        if (
+            not self.vector_enabled
+            or not self.chroma_client
+            or not self.config.embedding_model
+        ):
+            # We still store the report, so fallback search can use it
+            self._collection = None
+            return
+
+        # Build a fresh collection just for this report
+        sections = _extract_report_sections(self._raw_report)
+        if not sections:
+            self._collection = None
+            return
+
+        # Collection name derived from hash to avoid mixing
+        coll_name = f"vapt_report_{self._report_hash[:8]}"
+
+        # Create or get collection; then clear any previous contents
+        self._collection = self.chroma_client.get_or_create_collection(name=coll_name)
+        try:
+            self._collection.delete(where={})
+        except Exception:
+            # Older Chroma versions might not like empty filters; safely ignore
+            pass
+
+        # Embed and add sections
+        ids = [f"chunk-{i}" for i in range(len(sections))]
+        embeddings = self._embed_texts(sections)
+
+        self._collection.add(ids=ids, documents=sections, embeddings=embeddings)
+
+    # ------------------------------------------------------------------ #
+    # Vector search over report using Chroma + Nebius embeddings
+    # ------------------------------------------------------------------ #
+
+    def _embed_texts(self, texts: List[str]) -> List[List[float]]:
+        """
+        Create embeddings for a list of texts using Nebius embedding model.
+        """
+        if not self.config.embedding_model:
+            raise RuntimeError(
+                "NEBIUS_EMBEDDING_MODEL is not set; cannot perform vector search."
+            )
+
+        resp = self.client.embeddings.create(
+            model=self.config.embedding_model,
+            input=texts,
+        )
+        return [item.embedding for item in resp.data]
+
+    def _search_report_with_vectors(self, question: str, top_k: int = 4) -> str:
+        """
+        Use the current Chroma collection (for the current report) to retrieve
+        the most relevant chunks. Falls back to simple truncation of the report
+        if vector search is not available.
+        """
+        if not self._raw_report:
+            return "No VAPT report is currently available."
+
+        # If vector search is not enabled or we have no collection, fallback
+        if not self.vector_enabled or not self._collection:
+            # Cheap fallback: Executive Summary + Key Findings, or first 2000 chars
+            sections = _extract_report_sections(self._raw_report)
+            fallback = [
+                s
+                for s in sections
+                if "executive summary" in _normalize(s)
+                or "key findings" in _normalize(s)
+            ]
+            if fallback:
+                return "\n\n---\n\n".join(fallback)[:2000]
+            return self._raw_report[:2000]
+
+        try:
+            # Embed the question and query the collection
+            q_embedding = self._embed_texts([question])[0]
+
+            results = self._collection.query(
+                query_embeddings=[q_embedding],
+                n_results=top_k,
+            )
+
+            docs = results.get("documents", [[]])[0] if results else []
+            if not docs:
+                return self._raw_report[:2000]
+
+            joined = "\n\n---\n\n".join(docs)
+            return joined[:2000]
+        except Exception:
+            # Any failure -> fall back to raw report
+            return self._raw_report[:2000]
+
+    # ------------------------------------------------------------------ #
+    # System prompt builder
+    # ------------------------------------------------------------------ #
+
+    def _build_system_prompt(self, report_snippets: str, include_web: bool) -> str:
+        """
+        Build the system prompt for the AI tutor.
+
+        Args:
+            report_snippets: Text retrieved from the VAPT report
+            include_web: Whether web search snippets are available
+
+        Returns:
+            System prompt string
+        """
+        return get_tutor_system_prompt(report_snippets, include_web)
+
+
+# Global tutor instance (shared within the process)
+_tutor_instance: SecurityTutor | None = None
+
+
+def get_tutor() -> SecurityTutor:
+    """
+    Get or create the global SecurityTutor instance.
+
+    Note: Vectors are tied to the report markdown passed into `chat()`.
+    Whenever a new report is used, the tutor automatically rebuilds its
+    index so that vectors from a previous report are never reused.
+    """
+    global _tutor_instance
+    if _tutor_instance is None:
+        _tutor_instance = SecurityTutor()
+    return _tutor_instance

app.py

@@ -0,0 +1,476 @@
+# Gradio Web Interface for VAPT Agent
+
+"""
+Modern Gradio UI for the VAPT (Vulnerability Assessment and Penetration Testing) agent.
+
+Features:
+- Input API endpoint, HTTP method, and optional API key
+- Real-time progress streaming
+- Downloadable Markdown report
+- Visual Dashboard (risk gauge & severity pie chart)
+- AI Security Tutor (interactive Q&A about the report)
+"""
+
+import asyncio
+import gradio as gr
+from datetime import datetime
+import threading
+import time
+from typing import Optional, Generator, List, Tuple
+
+from vapt_agent import run_vapt_agent_with_callback
+from config import VAPTConfig
+from dashboard_utils import (
+    parse_vapt_report,
+    calculate_risk_score,
+    create_severity_chart,
+    create_risk_gauge,
+)
+from ai_tutor import get_tutor
+
+import os
+
+CSS_PATH = os.path.join(os.path.dirname(__file__), "vapt_styles.css")
+
+
+def load_custom_css(path: str = CSS_PATH) -> str:
+    try:
+        with open(path, "r", encoding="utf-8") as f:
+            return f.read()
+    except FileNotFoundError:
+        # Fail silently; app will still run without custom CSS
+        return ""
+
+
+# ---------------------------------------------------------------------------
+# Helper: run the VAPT agent and stream updates to Gradio
+# ---------------------------------------------------------------------------
+
+
+def run_security_test(
+    api_endpoint: str,
+    http_method: str,
+    api_key: Optional[str] = None,
+) -> Generator[Tuple[str, str, str], None, None]:
+    """Yield progress, report markdown and report file path for Gradio.
+
+    The function validates inputs, starts the VAPT agent in a background thread,
+    and periodically yields any new progress messages.
+    """
+    # ---------- Validation ----------
+    if not api_endpoint or not api_endpoint.strip():
+        yield (
+            "❌ Error: API endpoint is required",
+            "## Error\n\nPlease provide a valid API endpoint URL.",
+            None,
+        )
+        return
+    if not api_endpoint.startswith(("http://", "https://")):
+        yield (
+            "❌ Error: Invalid URL format",
+            "## Error\n\nAPI endpoint must start with `http://` or `https://`.",
+            None,
+        )
+        return
+
+    # ---------- Progress handling ----------
+    progress_messages: List[str] = []
+    lock = threading.Lock()
+
+    def add_progress(msg: str) -> str:
+        with lock:
+            progress_messages.append(f"[{datetime.now().strftime('%H:%M:%S')}] {msg}")
+            return "\n".join(progress_messages)
+
+    def progress_callback(msg: str):
+        with lock:
+            progress_messages.append(f"[{datetime.now().strftime('%H:%M:%S')}] {msg}")
+
+    # Initial message
+    yield (
+        add_progress("🚀 Initializing VAPT Agent..."),
+        "## Starting Security Test\n\nPlease wait while we assess your API endpoint...",
+        None,
+    )
+
+    # Prepare request headers
+    headers = {"Content-Type": "application/json", "User-Agent": "VAPT-Agent/1.0"}
+    if api_key and api_key.strip():
+        headers["Authorization"] = f"Bearer {api_key.strip()}"
+        yield (
+            add_progress("🔑 API key provided – will test authenticated endpoints"),
+            "## Starting Security Test\n\nPreparing to test with authentication...",
+            None,
+        )
+
+    # ---------- Run agent in background thread ----------
+    result = {
+        "report_content": None,
+        "report_file_path": None,
+        "error": None,
+        "done": False,
+    }
+
+    def agent_worker():
+        try:
+            loop = asyncio.new_event_loop()
+            asyncio.set_event_loop(loop)
+            content, path = loop.run_until_complete(
+                run_vapt_agent_with_callback(
+                    api_endpoint=api_endpoint,
+                    method=http_method,
+                    headers=headers,
+                    progress_callback=progress_callback,
+                )
+            )
+            loop.close()
+            result["report_content"] = content
+            result["report_file_path"] = path
+        except asyncio.TimeoutError:
+            result["error"] = "Timeout: Security test took too long"
+        except Exception as e:
+            result["error"] = str(e)
+        finally:
+            result["done"] = True
+
+    # Connect to LLM backend – just a placeholder progress update
+    yield (
+        add_progress("🔌 Connecting to security engine..."),
+        "## Starting Security Test\n\nConnecting...",
+        None,
+    )
+    threading.Thread(target=agent_worker, daemon=True).start()
+
+    # ---------- Poll for updates ----------
+    last_len = 0
+    while not result["done"]:
+        time.sleep(0.5)
+        with lock:
+            if len(progress_messages) > last_len:
+                yield (
+                    "\n".join(progress_messages),
+                    "## Security Test in Progress\n\nPlease wait while the agent performs testing...",
+                    None,
+                )
+                last_len = len(progress_messages)
+
+    # ---------- Final handling ----------
+    if result["error"]:
+        err = result["error"]
+        if "Timeout" in err:
+            yield (
+                add_progress(f"⏱️ {err}"),
+                "## Error\n\n**Timeout Error**\n\nThe assessment exceeded the allowed time.",
+                None,
+            )
+        else:
+            yield (
+                add_progress(f"❌ Error: {err}"),
+                f"## Error\n\n**Exception Occurred**\n\n```\n{err}\n```\n\nPlease check configuration and retry.",
+                None,
+            )
+    else:
+        # Success – return report and file path
+        yield (
+            add_progress("✅ Security assessment completed successfully!"),
+            result["report_content"] or "## Error\n\nNo report was generated.",
+            result["report_file_path"],
+        )
+
+
+# ---------------------------------------------------------------------------
+# Gradio UI construction
+# ---------------------------------------------------------------------------
+
+
+def create_gradio_interface() -> gr.Blocks:
+    with gr.Blocks(title="VAPT Agent") as iface:
+
+        # Inject custom CSS – light theme, white cards, improved readability
+        custom_css = load_custom_css()
+        if custom_css:
+            gr.HTML(f"<style>{custom_css}</style>")
+
+        # --- Header ---
+        with gr.Row(elem_id="app-header"):
+            with gr.Column(scale=6):
+                gr.Markdown(
+                    """
+                    <div>
+                      <div class="badge-pill">
+                        <span class="dot"></span>
+                        <span>Agentic VAPT • API Security</span>
+                      </div>
+                      <h1>VAPT Agent Dashboard</h1>
+                      <p>
+                     Generate API specs, run automated vulnerability tests, and explore results with an AI security tutor. Gain clear insights into API risks, misconfigurations, and recommended remediation steps in dashboard.
+                      </p>
+                    </div>
+                    """,
+                    elem_id="header-title",
+                )
+            with gr.Column(scale=4):
+                gr.Markdown(
+                    """
+                    **Workflow Overview**
+                    
+                    1. Provide an API endpoint and method  
+                    2. Agent discovers endpoints and builds the API spec using Postman MCP 
+                    3. Customized VAPT MCP tools run automated security tests  
+                    4. Dashboard + Tutor help you interpret and fix issues  
+                    """,
+                )
+
+        # --- Main two-column layout ---
+        with gr.Row():
+            # Left: API configuration
+            with gr.Column(scale=5):
+                with gr.Group(elem_id="config-card", elem_classes=["section-card"]):
+                    gr.Markdown("### 📋 API Configuration")
+
+                    api_endpoint = gr.Textbox(
+                        label="API Endpoint URL",
+                        placeholder="https://sandbox.api.sap.com/SAPCALM/calm-tasks/v1/tasks?projectId=111",
+                        value="https://sandbox.api.sap.com/SAPCALM/calm-tasks/v1/tasks?projectId=111",
+                        info="Full URL of the API endpoint to test",
+                    )
+                    http_method = gr.Dropdown(
+                        label="HTTP Method",
+                        choices=["GET", "POST", "PUT", "DELETE", "PATCH"],
+                        value="GET",
+                        info="Select the HTTP method for the endpoint",
+                    )
+                    api_key = gr.Textbox(
+                        label="API Key (Optional)",
+                        placeholder="Enter your API key or Bearer token",
+                        type="password",
+                        value="Ww9aGPGeGoDGCFetcBtsaEtGOpGSUNXp",
+                        info="If the API requires authentication, provide the key here",
+                    )
+                    with gr.Row():
+                        submit_btn = gr.Button(
+                            "🚀 Start Security Test", variant="primary", size="lg"
+                        )
+                        clear_btn = gr.Button(
+                            "🔄 Reset", variant="secondary", elem_id="reset-btn"
+                        )
+
+                    gr.HTML(
+                        """
+                        <div id="disclaimer-box">
+                          ⚠️ <strong>Authorized use only:</strong> Run this tool only against systems and APIs you are explicitly allowed to test.
+                        </div>
+                        """
+                    )
+
+            # Right: Results area
+            with gr.Column(scale=7):
+                with gr.Group(elem_id="results-card", elem_classes=["section-card"]):
+                    gr.Markdown("### 📊 Security Assessment Results")
+
+                    with gr.Tab("Live Progress"):
+                        progress_output = gr.Textbox(
+                            label="Agent Activity Log",
+                            lines=15,
+                            max_lines=20,
+                            interactive=False,
+                            show_label=False,
+                            placeholder="Agent activity will appear here...",
+                        )
+
+                    with gr.Tab("Security Report"):
+                        report_file = gr.File(
+                            label="📥 Download Report (.md)",
+                            interactive=False,
+                            visible=True,
+                        )
+                        report_output = gr.Markdown(
+                            value="Security report will appear here after the test completes...",
+                            label="VAPT Report",
+                            elem_id="security-report-md",
+                        )
+
+                    with gr.Tab("Dashboard"):
+                        # Row that we'll center via CSS
+                        with gr.Row(elem_id="dashboard-row"):
+                            with gr.Column(scale=1, elem_id="risk-col"):
+                                risk_gauge = gr.Plot(label="Risk Score")
+                            with gr.Column(scale=1, elem_id="severity-col"):
+                                severity_pie = gr.Plot(
+                                    label="Vulnerability Distribution"
+                                )
+
+                        top_findings = gr.Markdown(
+                            "Run a security test to see summarized key findings..."
+                        )
+
+                    with gr.Tab("Security Tutor"):
+                        with gr.Column(elem_id="tutor-section"):
+                            gr.Markdown(
+                            """
+                            <div style="font-size: 0.95rem; line-height: 1.5; margin-bottom: 0.4rem;">
+                            <strong>Ask questions about your security report.</strong><br/>
+                            Get clear explanations, remediation guidance, and best-practice advice.
+                            </div>
+                            """
+                            )   
+                            chatbot = gr.Chatbot(
+                                label="Security Tutor",
+                                height=380,
+                                elem_id="tutor-chat",
+                            )
+
+                            with gr.Row(elem_id="tutor-input-row"):
+                                tutor_input = gr.Textbox(
+                                    label="Your Question",
+                                    placeholder="e.g., What is SQL injection and how do I fix it?",
+                                    lines=2,
+                                    scale=4,
+                                    show_label=True,
+                                )
+                                tutor_btn = gr.Button("Ask", variant="primary", scale=1)
+
+                            gr.HTML(
+                                """
+                                <div id="tutor-examples">
+                                  <strong>Example questions you can ask:</strong>
+                                  <ul>
+                                    <li>What is the most critical issue in my report?</li>
+                                    <li>How do I fix CORS policy issues?</li>
+                                    <li>Explain SQL injection in simple terms.</li>
+                                    <li>What should I fix first to reduce risk quickly?</li>
+                                  </ul>
+                                </div>
+                                """
+                            )
+
+        # -------------------------------------------------------------------
+        # Event bindings
+        # -------------------------------------------------------------------
+
+        # VAPT run
+        submit_btn.click(
+            fn=run_security_test,
+            inputs=[api_endpoint, http_method, api_key],
+            outputs=[progress_output, report_output, report_file],
+            show_progress=True,
+        )
+
+        # Reset
+        clear_btn.click(
+            fn=lambda: (
+                "https://sandbox.api.sap.com/SAPCALM/calm-tasks/v1/tasks?projectId=111",
+                "GET",
+                "",
+                "",
+                "Security report will appear here after the test completes...",
+                None,
+            ),
+            inputs=[],
+            outputs=[
+                api_endpoint,
+                http_method,
+                api_key,
+                progress_output,
+                report_output,
+                report_file,
+            ],
+        )
+
+        # Dashboard updates – triggered after a successful report
+        def update_dashboard(report_md: str):
+            data = parse_vapt_report(report_md)
+            sev = data["severities"]
+            risk = calculate_risk_score(sev)
+            return (
+                create_risk_gauge(risk),
+                create_severity_chart(sev),
+                (
+                    "\n".join(data.get("findings", [])[:5])
+                    if data.get("findings")
+                    else "No findings detected."
+                ),
+            )
+
+        report_output.change(
+            fn=update_dashboard,
+            inputs=[report_output],
+            outputs=[risk_gauge, severity_pie, top_findings],
+        )
+
+        # AI Tutor interaction
+        # Gradio Chatbot (v6) uses "messages" format: list of {"role": ..., "content": ...}
+        # We convert that to (user, assistant) pairs for the tutor, then convert back.
+        def tutor_respond(question, history, report_md: str):
+            # 1) Convert Gradio "messages" history -> list of (user, assistant) pairs
+            pairs: List[Tuple[str, str]] = []
+            current_user = None
+
+            for msg in history or []:
+                if isinstance(msg, dict):
+                    role = msg.get("role")
+                    content = msg.get("content", "")
+                elif isinstance(msg, (list, tuple)) and len(msg) == 2:
+                    # Backward compatibility: skip old tuple-style entries
+                    continue
+                else:
+                    continue
+
+                if role == "user":
+                    current_user = content
+                elif role == "assistant":
+                    if current_user is None:
+                        current_user = ""
+                    pairs.append((current_user, content))
+                    current_user = None
+
+            # 2) Call the tutor with pairs
+            tutor = get_tutor()
+            answer = tutor.chat(question, report_md, pairs)
+
+            # 3) Append new user + assistant messages in Gradio's messages format
+            new_history = list(history or [])
+            new_history.append({"role": "user", "content": question})
+            new_history.append({"role": "assistant", "content": answer})
+
+            # Clear the input textbox
+            return new_history, ""
+
+        tutor_btn.click(
+            fn=tutor_respond,
+            inputs=[tutor_input, chatbot, report_output],
+            outputs=[chatbot, tutor_input],
+        )
+
+    return iface
+
+
+# ---------------------------------------------------------------------------
+# Main entry point
+# ---------------------------------------------------------------------------
+
+
+def main():
+    print("=" * 80)
+    print("VAPT Agent - Gradio Web Interface")
+    print("=" * 80)
+    try:
+        cfg = VAPTConfig()
+        print(f"✓ Configuration loaded successfully")
+        print(f"  Provider: {'AWS Bedrock' if cfg.use_bedrock else 'Anthropic API'}")
+        if cfg.use_bedrock:
+            print(f"  Region: {cfg.aws_region}")
+        print()
+    except Exception as exc:
+        print(f"❌ Configuration error: {exc}")
+        print("Please check your .env file and ensure all required variables are set.")
+        return
+
+    iface = create_gradio_interface()
+    print("Starting Gradio server...")
+    print("=" * 80)
+    iface.launch(server_name="0.0.0.0", server_port=7861, share=True, inbrowser=True)
+
+
+if __name__ == "__main__":
+    main()

config.py

@@ -0,0 +1,99 @@
+"""
+Configuration module for VAPT Agent.
+
+This module handles all configuration loading from environment variables
+and provides a centralized config object.
+"""
+
+import os
+from typing import Optional
+from dotenv import load_dotenv
+
+load_dotenv(override=True)
+
+
+class VAPTConfig:
+    """Configuration class for VAPT Agent."""
+
+    def __init__(self):
+        """Initialize configuration from environment variables."""
+
+        # ====================================================================
+        # AWS Configuration
+        # ====================================================================
+        self.use_bedrock = os.getenv("CLAUDE_CODE_USE_BEDROCK", "0") == "1"
+        self.aws_access_key_id = os.getenv("AWS_ACCESS_KEY_ID", "")
+        self.aws_secret_access_key = os.getenv("AWS_SECRET_ACCESS_KEY", "")
+        self.aws_region = os.getenv("AWS_REGION", "us-east-1")
+
+        # ====================================================================
+        # Model Configuration
+        # ====================================================================
+        if self.use_bedrock:
+            # Default to Bedrock model identifier
+            default_model = "global.anthropic.claude-haiku-4-5-20251001-v1:0"
+        else:
+            # Default to Anthropic API model
+            default_model = "claude-sonnet-4-20250514"
+
+        self.model_name = os.getenv("ANTHROPIC_MODEL", default_model)
+
+        # ====================================================================
+        # Postman Configuration
+        # ====================================================================
+        self.postman_api_key = os.getenv("POSTMAN_API_KEY", "")
+
+        # ====================================================================
+        # Test API Configuration
+        # ====================================================================
+        self.test_api_endpoint = os.getenv(
+            "TEST_API_ENDPOINT", "https://sandbox.api.sap.com/SAPCALM/calm-tasks/v1/tasks?projectId=111"
+        )
+        self.test_api_method = os.getenv("TEST_API_METHOD", "GET")
+        self.test_api_key = os.getenv("TEST_API_KEY", "")
+
+        # ====================================================================
+        # Agent Configuration
+        # ====================================================================
+        self.max_turns = int(os.getenv("MAX_TURNS", "100"))
+        self.timeout_seconds = int(os.getenv("TIMEOUT_SECONDS", "600"))
+        self.max_retries = int(os.getenv("MAX_RETRIES", "3"))
+
+        # Validate required configuration
+        self._validate()
+
+    def _validate(self):
+        """Validate required configuration values."""
+        errors = []
+
+        if not self.postman_api_key:
+            errors.append("POSTMAN_API_KEY is required")
+
+        if self.use_bedrock:
+            if not self.aws_access_key_id:
+                errors.append("AWS_ACCESS_KEY_ID is required when using Bedrock")
+            if not self.aws_secret_access_key:
+                errors.append("AWS_SECRET_ACCESS_KEY is required when using Bedrock")
+
+        if errors:
+            raise ValueError(
+                "Configuration validation failed:\n"
+                + "\n".join(f"  - {e}" for e in errors)
+            )
+
+    def to_dict(self):
+        """Return configuration as dictionary (excluding sensitive data)."""
+        return {
+            "use_bedrock": self.use_bedrock,
+            "aws_region": self.aws_region,
+            "model_name": self.model_name,
+            "test_api_endpoint": self.test_api_endpoint,
+            "test_api_method": self.test_api_method,
+            "max_turns": self.max_turns,
+            "timeout_seconds": self.timeout_seconds,
+            "max_retries": self.max_retries,
+        }
+
+    def __repr__(self):
+        """String representation of configuration."""
+        return f"VAPTConfig({self.to_dict()})"

dashboard_utils.py

@@ -0,0 +1,317 @@
+"""
+Dashboard utilities for VAPT Agent.
+
+Provides functions to parse VAPT reports, calculate risk scores,
+and generate visualizations for the dashboard.
+"""
+
+import re
+from typing import Dict, List, Tuple
+import plotly.graph_objects as go
+
+
+def parse_vapt_report(report_md: str) -> Dict:
+    """Parse VAPT report markdown to extract vulnerability data.
+
+    Args:
+        report_md: Markdown content of VAPT report
+
+    Returns:
+        Dictionary with vulnerability counts by severity and list of findings
+    """
+    if not report_md or "Error" in report_md[:100]:
+        return {
+            "severities": {
+                "critical": 0,
+                "high": 0,
+                "medium": 0,
+                "low": 0,
+                "info": 0,
+            },
+            "total": 0,
+            "findings": [],
+        }
+
+    severities = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0}
+    findings: List[str] = []
+
+    # ------------------------------------------------------------------
+    # 1. Parse the "Key Findings / Key Findings Summary" section
+    #    This is the most reliable source of the counts.
+    #    We support:
+    #      - "### Key Findings Summary:"
+    #      - "Key Findings Summary:"
+    #      - bullets with or without bold, e.g.
+    #          - **Critical Vulnerabilities:** 0
+    #          - Critical Vulnerabilities: 0
+    #      - list bullets "-", "*", "•"
+    # ------------------------------------------------------------------
+    summary_pattern = (
+        r"(?:^|\n)#{0,3}\s*Key Findings(?: Summary)?\s*:?(.*?)(?:\n#{1,6}\s|\Z)"
+    )
+    summary_match = re.search(summary_pattern, report_md, re.DOTALL | re.IGNORECASE)
+
+    if summary_match:
+        summary_text = summary_match.group(1)
+
+        # Primary patterns (compatible with old bolded markdown + tables)
+        primary_patterns = {
+            "critical": r"(?:-|\*|•|\|)\s*\*{0,2}Critical(?: Vulnerabilities)?\s*:?\*{0,2}\s*(?::|\|)?\s*(\d+)",
+            "high": r"(?:-|\*|•|\|)\s*\*{0,2}High(?: Severity(?: Issues| Vulnerabilities)?)?\s*:?\*{0,2}\s*(?::|\|)?\s*(\d+)",
+            "medium": r"(?:-|\*|•|\|)\s*\*{0,2}Medium(?: Severity(?: Issues| Vulnerabilities)?)?\s*:?\*{0,2}\s*(?::|\|)?\s*(\d+)",
+            "low": r"(?:-|\*|•|\|)\s*\*{0,2}Low(?: Severity(?: Issues| Vulnerabilities)?)?\s*:?\*{0,2}\s*(?::|\|)?\s*(\d+)",
+            "info": r"(?:-|\*|•|\|)\s*\*{0,2}Informational(?: Issues)?\s*:?\*{0,2}\s*(?::|\|)?\s*(\d+)",
+        }
+
+        for severity, pattern in primary_patterns.items():
+            match = re.search(pattern, summary_text, re.IGNORECASE)
+            if match:
+                severities[severity] = int(match.group(1))
+
+        # Fallback: simple "Label: N" lines (no bullets, no bold)
+        if sum(severities.values()) == 0:
+            fallback_patterns = {
+                "critical": r"Critical Vulnerabilities:\s*(\d+)",
+                "high": r"High Severity Vulnerabilities:\s*(\d+)",
+                "medium": r"Medium Severity Vulnerabilities:\s*(\d+)",
+                "low": r"Low Severity Vulnerabilities:\s*(\d+)",
+                "info": r"Informational Issues:\s*(\d+)",
+            }
+            for severity, pattern in fallback_patterns.items():
+                match = re.search(pattern, summary_text, re.IGNORECASE)
+                if match:
+                    severities[severity] = int(match.group(1))
+
+    # ------------------------------------------------------------------
+    # 2. Extract specific findings (titles) from headings
+    # ------------------------------------------------------------------
+
+    # Pattern A: "### Finding X: Title" or "### 4.1 Finding X: Title"
+    pattern_a = r"###\s+(?:\d+\.\d+\s+)?Finding\s+\d+\s*:\s*(.+?)(?:\n|$)"
+    matches_a = re.findall(pattern_a, report_md, re.IGNORECASE)
+
+    finding_headers: List[str] = []
+    for title in matches_a:
+        finding_headers.append(title.strip())
+
+    # Pattern B: "### X.X SEVERITY: Title"
+    pattern_b = (
+        r"###\s+(?:\d+\.\d+\s+)?(CRITICAL|HIGH|MEDIUM|LOW|INFO)\s*:\s*(.+?)(?:\n|$)"
+    )
+    matches_b = re.findall(pattern_b, report_md, re.IGNORECASE)
+    for severity, title in matches_b:
+        finding_headers.append(f"[{severity.upper()}] {title.strip()}")
+
+    # Deduplicate and clean up
+    seen = set()
+    for f in finding_headers:
+        if f not in seen:
+            findings.append(f)
+            seen.add(f)
+
+    # If still no findings, use a loose heading-based heuristic
+    if not findings:
+        loose_pattern = r"####?\s+(.+?)(?:\n|$)"
+        potential_loose = re.findall(loose_pattern, report_md)
+        ignore_terms = [
+            "summary",
+            "methodology",
+            "specification",
+            "recommendation",
+            "conclusion",
+            "table of contents",
+            "risk matrix",
+            "description",
+            "impact",
+            "evidence",
+            "steps to reproduce",
+            "affected endpoints",
+            "related cwe",
+            "missing headers",
+            "test execution",
+            "compliance",
+            "appendix",
+            "additional endpoints",
+            "response codes",
+        ]
+        for finding in potential_loose:
+            if not any(x in finding.lower() for x in ignore_terms):
+                findings.append(finding.strip())
+
+    total = sum(severities.values())
+
+    return {
+        "severities": severities,
+        "total": total,
+        "findings": findings[:10],  # Top 10 findings
+    }
+
+
+def calculate_risk_score(severities: Dict[str, int]) -> int:
+    """Calculate overall risk score based on vulnerability severities.
+
+    Args:
+        severities: Dictionary with counts per severity level
+
+    Returns:
+        Risk score from 0-100
+    """
+    weights = {
+        "critical": 25,
+        "high": 15,
+        "medium": 8,
+        "low": 3,
+        "info": 1,
+    }
+
+    score = sum(
+        count * weights.get(sev.lower(), 0) for sev, count in severities.items()
+    )
+
+    # Cap at 100
+    return min(score, 100)
+
+
+def create_severity_chart(severities: Dict[str, int]) -> go.Figure:
+    """Create a pie chart showing vulnerability distribution by severity.
+
+    Args:
+        severities: Dictionary with counts per severity level
+
+    Returns:
+        Plotly figure object
+    """
+    # Filter out zero counts
+    filtered_sev = {k: v for k, v in severities.items() if v > 0}
+
+    if not filtered_sev:
+        # No vulnerabilities found - show placeholder
+        fig = go.Figure(
+            data=[
+                go.Pie(
+                    labels=["No Vulnerabilities"],
+                    values=[1],
+                    marker=dict(colors=["#28a745"]),
+                    hole=0.4,
+                )
+            ]
+        )
+        fig.update_layout(
+            title="Vulnerability Distribution",
+            annotations=[
+                dict(
+                    text="All Clear!",
+                    x=0.5,
+                    y=0.5,
+                    font_size=20,
+                    showarrow=False,
+                )
+            ],
+        )
+        return fig
+
+    # Define colors for each severity
+    colors = {
+        "critical": "#dc3545",  # Red
+        "high": "#fd7e14",  # Orange
+        "medium": "#ffc107",  # Yellow
+        "low": "#17a2b8",  # Blue
+        "info": "#6c757d",  # Gray
+    }
+
+    labels = [k.capitalize() for k in filtered_sev.keys()]
+    values = list(filtered_sev.values())
+    pie_colors = [colors.get(k, "#6c757d") for k in filtered_sev.keys()]
+
+    fig = go.Figure(
+        data=[
+            go.Pie(
+                labels=labels,
+                values=values,
+                marker=dict(colors=pie_colors),
+                hole=0.4,
+                textinfo="label+value",
+                textfont_size=14,
+            )
+        ]
+    )
+
+    fig.update_layout(
+        title={
+            "text": "Vulnerability Distribution by Severity",
+            "x": 0.5,
+            "xanchor": "center",
+        },
+        height=400,
+        showlegend=True,
+        legend=dict(
+            orientation="v",
+            yanchor="middle",
+            y=0.5,
+            xanchor="left",
+            x=1.02,
+        ),
+    )
+
+    return fig
+
+
+def create_risk_gauge(risk_score: int) -> go.Figure:
+    """Create a gauge chart showing the risk score.
+
+    Args:
+        risk_score: Risk score from 0-100
+
+    Returns:
+        Plotly figure object
+    """
+    # Determine color based on risk level
+    if risk_score < 20:
+        color = "#28a745"  # Green
+        level = "Low"
+    elif risk_score < 40:
+        color = "#17a2b8"  # Blue
+        level = "Moderate"
+    elif risk_score < 60:
+        color = "#ffc107"  # Yellow
+        level = "Elevated"
+    elif risk_score < 80:
+        color = "#fd7e14"  # Orange
+        level = "High"
+    else:
+        color = "#dc3545"  # Red
+        level = "Critical"
+
+    fig = go.Figure(
+        go.Indicator(
+            mode="gauge+number+delta",
+            value=risk_score,
+            title={"text": f"Risk Score: {level}"},
+            delta={"reference": 50},
+            gauge={
+                "axis": {"range": [0, 100]},
+                "bar": {"color": color},
+                "steps": [
+                    {"range": [0, 20], "color": "rgba(40, 167, 69, 0.2)"},
+                    {"range": [20, 40], "color": "rgba(23, 162, 184, 0.2)"},
+                    {"range": [40, 60], "color": "rgba(255, 193, 7, 0.2)"},
+                    {"range": [60, 80], "color": "rgba(253, 126, 20, 0.2)"},
+                    {"range": [80, 100], "color": "rgba(220, 53, 69, 0.2)"},
+                ],
+                "threshold": {
+                    "line": {"color": "red", "width": 4},
+                    "thickness": 0.75,
+                    "value": 80,
+                },
+            },
+        )
+    )
+
+    # Give the figure some breathing room so nothing hugs the edges / looks clipped
+    fig.update_layout(
+        height=300,
+        margin=dict(l=40, r=40, t=80, b=30),
+        autosize=True,
+    )
+
+    return fig

prompt.py

@@ -0,0 +1,213 @@
+"""
+Prompt definitions for the VAPT Agent.
+"""
+
+SYSTEM_PROMPT = """
+You are a security testing expert specializing in API vulnerability assessment and penetration testing (VAPT).
+
+Your responsibilities:
+1. Use the Postman MCP server to automatically create API specifications and test the API.
+2. Use the vapt_security_test tool to perform comprehensive security testing.
+3. Analyze vulnerabilities and provide detailed remediation guidance.
+4. Generate comprehensive security reports in Markdown format within MAX 2500 words.
+
+Testing approach:
+- Start by fully understanding the API endpoint structure.
+- Use Postman MCP tools to discover endpoints, parameters, request/response bodies, authentication schemes, and error responses.
+- Generate an API specification (OpenAPI-like or detailed endpoint table) using Postman MCP tools.
+- Run VAPT security tests covering injection, authentication/authorization, rate limiting, CORS, security headers, and SSL/TLS.
+
+Reporting rules (very important):
+- All results must be written into a single Markdown file using the Write tool.
+- The report MUST be self-contained: a reader must understand the API and its risks without opening Postman or any external tool.
+- Never say "I created an API spec in Postman" without also documenting it in the report.
+
+When you are given an endpoint and headers, you MUST:
+
+1. Create API Specification (via Postman MCP)
+   - Use Postman MCP tools to:
+     - Explore the given endpoint.
+     - Discover available methods, paths, query parameters, headers, and auth schemes.
+     - Identify typical request and response bodies, including error responses.
+   - Build a structured specification (OpenAPI-like or a detailed endpoint table).
+   - When writing the report, include a dedicated section:
+
+     ## 2. API Specification
+
+     - Overview of the API.
+     - For each endpoint:
+       - Method and URL
+       - Description
+       - Path/query parameters (name, type, required, description)
+       - Headers (especially auth-related)
+       - Request body schema (if applicable)
+       - Response codes and example bodies
+
+   - Paste the actual specification details into this section; do NOT just describe that a spec exists.
+
+2. Run VAPT Tests (via vapt_security_test tool)
+   - Call the vapt_security_test MCP tool with appropriate test types:
+     - SQL injection
+     - XSS
+     - Authentication/authorization issues
+     - Rate limiting
+     - CORS policy
+     - Security headers
+     - SSL/TLS configuration (as applicable)
+   - Carefully review the JSON results returned by the tool.
+
+3. Write the Markdown Report to File
+   - Use the Write tool to create a file named `vapt_report_{timestamp}.md`.
+   - The report MUST follow this structure:
+
+     # VAPT Report
+
+     ## 1. Executive Summary
+     - High-level overview and key risks.
+     
+     ### Key Findings Summary:
+     - **Critical Vulnerabilities:** [Count]
+     - **High Severity Vulnerabilities:** [Count]
+     - **Medium Severity Vulnerabilities:** [Count]
+     - **Low Severity Vulnerabilities:** [Count]
+     - **Informational Issues:** [Count]
+
+     ## 2. API Specification
+     - (Paste the full spec you built using Postman MCP, as described above.)
+
+     ## 3. Test Methodology
+     - Which tools were used (Postman MCP, vapt_security_test).
+     - What types of tests were run.
+
+     ## 4. Detailed Findings
+     - One subsection per vulnerability, including:
+       - Title
+       - Severity (Critical/High/Medium/Low/Info)
+       - Impact
+       - Evidence (requests/responses, payloads, headers)
+       - Steps to reproduce
+       - Affected endpoints
+
+     ## 5. Recommendations
+     - Concrete remediation steps for each issue.
+     - Hardening / best-practice guidance.
+
+     ## 6. Conclusion
+
+   - Ensure that the **API Specification** section is non-empty and accurately reflects what you discovered using Postman MCP.
+
+4. Summarize Critical/High Issues
+   - After writing the report file, provide a short summary in the chat focusing only on Critical and High severity issues.
+""".strip()
+
+
+def get_vapt_query(
+    api_endpoint: str, method: str, headers_str: str, timestamp: str
+) -> str:
+    """
+    Generate the VAPT assessment query.
+
+    Args:
+        api_endpoint: The API endpoint to test
+        method: HTTP method
+        headers_str: JSON string of headers
+        timestamp: Timestamp string for the report filename
+
+    Returns:
+        The formatted query string
+    """
+    return f"""Please perform a comprehensive security assessment of the following API endpoint:
+
+Endpoint: {api_endpoint}
+Method: {method}
+Headers: {headers_str}
+
+Tasks:
+1. First, use Postman MCP tools to create an API specification for this endpoint
+2. Then, use the vapt_security_test tool to perform security testing
+3. Test for: SQL injection, XSS, authentication issues, rate limiting, CORS policy, security headers, and SSL configuration
+4. Analyze all findings and create a detailed security report
+5. Save the report to a file named './vapt_report_{timestamp}.md' in the current working directory (use ./ prefix)
+6. The report MUST be in Markdown format and include:
+   - The full API specification generated in step 1
+   - Detailed security assessment findings from step 2
+   - Vulnerability analysis and recommendations
+
+Provide a summary of critical and high-severity vulnerabilities found."""
+
+
+def get_tutor_system_prompt(report_snippets: str, include_web: bool) -> str:
+    """
+    Build the system prompt for the AI tutor.
+
+    Args:
+        report_snippets: Text retrieved from the VAPT report
+        include_web: Whether web search snippets are available
+
+    Returns:
+        System prompt string
+    """
+    web_text = (
+        "You may also see a section titled 'Web search snippets'. "
+        "Use these only for general security best practices or background, "
+        "not for details specific to this particular API implementation.\n\n"
+        if include_web
+        else "You do NOT have web search snippets for this question; "
+        "answer using the VAPT report and your general security knowledge.\n\n"
+    )
+
+    return f"""You are a friendly and knowledgeable security tutor helping developers
+understand API vulnerabilities and security best practices.
+
+Your goals:
+- Explain concepts in simple, beginner-friendly terms.
+- Use analogies and real-world examples when helpful.
+- Provide concrete remediation steps and best practices.
+- Stay encouraging and educational.
+
+Primary knowledge source:
+- The VAPT report excerpts that will be included in the conversation context.
+  Treat these as ground truth for anything specific to THIS API or system.
+
+Additional knowledge source:
+- General security knowledge you already have as a model.
+- {web_text.strip()}
+
+Formatting rules (CRITICAL):
+- **NEVER use Markdown tables** - they are difficult to read in the chat UI.
+- Instead of tables, use:
+  * Short paragraphs with clear topic sentences
+  * Bulleted lists for multiple items
+  * Numbered lists for sequential steps
+  * Section headings (##, ###) to organize content
+- Write in a conversational, flowing style with natural paragraphs.
+- Keep responses skimmable: avoid long walls of text.
+- If you need to present multiple related pieces of information, use 
+  descriptive bullet points rather than table rows.
+
+Answering rules:
+1. When explaining a vulnerability, break it down into:
+   - What it is (short definition)
+   - Why it's dangerous (impact)
+   - How to fix it (practical remediation steps)
+   - How to prevent it (best practices going forward)
+
+2. When the question clearly refers to something in the VAPT report,
+   ground your explanation directly in that report content (quote or
+   paraphrase the relevant finding where helpful).
+
+3. When the user asks general security questions, you may rely on your
+   general knowledge, and (if provided) the web search snippets.
+
+4. Keep responses concise but comprehensive (roughly 150–300 words),
+   unless the question explicitly asks for more detail.
+
+5. Include simple code or configuration examples where genuinely helpful 
+   (e.g., secure headers, parameterized queries, CSP examples).
+
+6. Always be supportive – security is complex, and the user is learning.
+
+Current VAPT report focus (excerpt preview, for your reference only):
+\"\"\"
+{report_snippets[:1000]}
+\"\"\""""

requirements.txt

@@ -0,0 +1,38 @@
+# VAPT Agent Requirements
+
+# Core dependencies
+python-dotenv
+
+# Claude Agent SDK
+claude-agent-sdk
+
+# HTTP client for security testing
+aiohttp
+aiofiles
+
+# Data validation
+pydantic
+
+# AWS SDK (for Bedrock support)
+boto3
+botocore
+
+# Optional: Logging and monitoring
+colorlog
+
+# Optional: For enhanced security testing
+requests
+urllib3
+
+# Optional: For report generation
+jinja2
+
+gradio
+
+# Dashboard and AI Tutor features
+plotly
+anthropic
+
+openai
+chromadb 
+requests

vapt_agent.py

@@ -0,0 +1,343 @@
+"""
+VAPT Agent - Main module for API security testing.
+
+This module orchestrates the vulnerability assessment and penetration testing
+of APIs using Claude Agent SDK with Postman MCP server and custom VAPT tools.
+"""
+
+import asyncio
+import os
+import json
+from dotenv import load_dotenv
+from pathlib import Path
+from typing import Dict, Optional, Callable, Tuple
+from datetime import datetime
+
+load_dotenv(override=True)
+
+from claude_agent_sdk import ClaudeSDKClient, ClaudeAgentOptions
+from vapt_tools import create_vapt_mcp_server
+from config import VAPTConfig
+from prompt import SYSTEM_PROMPT, get_vapt_query
+
+
+async def run_vapt_agent_with_callback(
+    api_endpoint: str,
+    method: str = "GET",
+    headers: Dict[str, str] = None,
+    working_directory: str = None,
+    progress_callback: Optional[Callable[[str], None]] = None,
+) -> Tuple[str, Optional[str]]:
+    """
+    Execute VAPT agent with progress callbacks for UI integration.
+
+    Args:
+        api_endpoint: The API endpoint to test
+        method: HTTP method for the endpoint
+        headers: Optional headers for API requests
+        working_directory: Working directory for the agent
+        progress_callback: Optional callback function to receive progress updates
+
+    Returns:
+        Tuple of (report_content, report_file_path)
+    """
+
+    config = VAPTConfig()
+
+    # Progress update helper
+    def update_progress(message: str):
+        if progress_callback:
+            progress_callback(message)
+        else:
+            print(message)
+
+    # Set up AWS Bedrock configuration if enabled
+    if config.use_bedrock:
+        update_progress("🔧 Using AWS Bedrock for Claude")
+        os.environ["CLAUDE_CODE_USE_BEDROCK"] = "1"
+    else:
+        update_progress("🔧 Using Anthropic API for Claude")
+
+    # Set up Postman MCP server configuration (SSE-based)
+    update_progress("🔌 Connecting to Postman MCP server...")
+    postman_api_key = config.postman_api_key
+    if not postman_api_key:
+        raise ValueError("POSTMAN_API_KEY not found in environment variables")
+
+    postman_mcp_config = {
+        "type": "sse",
+        "url": "https://mcp.postman.com/mcp",
+        "headers": {"Authorization": f"Bearer {postman_api_key}"},
+    }
+
+    # Create custom VAPT MCP server
+    update_progress("🛠️ Initializing VAPT security tools...")
+    vapt_tool_server = create_vapt_mcp_server()
+
+    # Configure Claude Agent options
+    model_name = config.model_name
+
+    options = ClaudeAgentOptions(
+        system_prompt=SYSTEM_PROMPT,
+        mcp_servers={
+            "postman": postman_mcp_config,
+            "VAPTToolServer": vapt_tool_server,
+        },
+        allowed_tools=[
+            "Read",
+            "Write",
+            "Bash",
+            "Edit",
+            "Glob",
+            "Grep",
+            "WebFetch",
+            "WebSearch",
+            "mcp__postman__*",  # All Postman MCP tools
+            "mcp__VAPTToolServer__vapt_security_test",
+        ],
+        max_turns=100,
+        model=model_name,
+        permission_mode="bypassPermissions",
+        cwd=Path(working_directory) if working_directory else Path.cwd(),
+    )
+
+    report_content = ""
+    report_file_path = None
+
+    async with ClaudeSDKClient(options=options) as client:
+        update_progress(f"✅ Connected to Claude Agent SDK ")
+        update_progress(f"🎯 Testing endpoint: {api_endpoint}")
+
+        # Construct the query for the agent
+        headers_str = json.dumps(headers, indent=2) if headers else "None"
+        timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
+
+        query = get_vapt_query(api_endpoint, method, headers_str, timestamp)
+
+        # Execute the query
+        timeout_sec = 600  # 10 minutes for security testing
+
+        update_progress("🔍 Starting security assessment...")
+
+        try:
+            await asyncio.wait_for(client.query(query), timeout=timeout_sec)
+        except asyncio.TimeoutError:
+            update_progress(f"⏱️ Query timed out after {timeout_sec}s")
+            raise
+        except Exception as e:
+            update_progress(f"❌ Query failed: {str(e)}")
+            raise
+
+        # Stream and collect responses
+        update_progress("📊 Collecting security test results...")
+
+        response_texts = []
+        async for message in client.receive_response():
+            if hasattr(message, "content"):
+                for block in message.content:
+                    if hasattr(block, "text") and block.text:
+                        response_texts.append(block.text)
+                        # Stream progress for tool usage messages
+                        if "SQL injection" in block.text.lower():
+                            update_progress(
+                                "🛡️ Testing SQL injection vulnerabilities..."
+                            )
+                        elif "xss" in block.text.lower():
+                            update_progress("🛡️ Testing XSS vulnerabilities...")
+                        elif (
+                            "authentication" in block.text.lower()
+                            or "authorization" in block.text.lower()
+                        ):
+                            update_progress(
+                                "🔐 Testing authentication/authorization..."
+                            )
+                        elif "rate limit" in block.text.lower():
+                            update_progress("⚡ Testing rate limiting...")
+                        elif "cors" in block.text.lower():
+                            update_progress("🌐 Testing CORS policy...")
+                        elif "headers" in block.text.lower():
+                            update_progress("🔒 Checking security headers...")
+
+        report_content = "\n".join(response_texts)
+
+        # Try to find the generated report file
+        update_progress("📄 Locating generated report file...")
+        reports_dir = Path.cwd() / "reports"
+        if reports_dir.exists():
+            # Find the most recent report file
+            report_files = list(reports_dir.glob(f"vapt_report_{timestamp[:8]}*.md"))
+            if report_files:
+                report_file_path = str(
+                    max(report_files, key=lambda p: p.stat().st_mtime)
+                )
+                update_progress(f"✅ Report saved: {Path(report_file_path).name}")
+                # Read the report content
+                with open(report_file_path, "r", encoding="utf-8") as f:
+                    report_content = f.read()
+
+        if not report_file_path:
+            # Check current directory
+            report_files = list(Path.cwd().glob(f"vapt_report_{timestamp}*.md"))
+            if report_files:
+                report_file_path = str(report_files[0])
+                update_progress(f"✅ Report saved: {Path(report_file_path).name}")
+                with open(report_file_path, "r", encoding="utf-8") as f:
+                    report_content = f.read()
+
+        update_progress("🎉 Security assessment completed!")
+
+    return report_content, report_file_path
+
+
+async def run_vapt_agent(
+    api_endpoint: str,
+    method: str = "GET",
+    headers: Dict[str, str] = None,
+    working_directory: str = None,
+) -> None:
+    """
+    Execute VAPT agent with Postman MCP server and custom security testing tools.
+
+    Args:
+        api_endpoint: The API endpoint to test
+        method: HTTP method for the endpoint
+        headers: Optional headers for API requests
+        working_directory: Working directory for the agent
+    """
+
+    config = VAPTConfig()
+
+    # Set up AWS Bedrock configuration if enabled
+    if config.use_bedrock:
+        print("[VAPT Agent] Using AWS Bedrock for Claude")
+        os.environ["CLAUDE_CODE_USE_BEDROCK"] = "1"
+
+    # Set up Postman MCP server configuration (SSE-based)
+    postman_api_key = config.postman_api_key
+    if not postman_api_key:
+        raise ValueError("POSTMAN_API_KEY not found in environment variables")
+
+    postman_mcp_config = {
+        "type": "sse",
+        "url": "https://mcp.postman.com/mcp",
+        "headers": {"Authorization": f"Bearer {postman_api_key}"},
+    }
+
+    # Create custom VAPT MCP server
+    vapt_tool_server = create_vapt_mcp_server()
+
+    # Configure Claude Agent options
+    model_name = config.model_name
+
+    options = ClaudeAgentOptions(
+        system_prompt=SYSTEM_PROMPT,
+        mcp_servers={
+            "postman": postman_mcp_config,
+            "VAPTToolServer": vapt_tool_server,
+        },
+        allowed_tools=[
+            "Read",
+            "Write",
+            "Bash",
+            "Edit",
+            "Glob",
+            "Grep",
+            "WebFetch",
+            "WebSearch",
+            "mcp__postman__*",  # All Postman MCP tools
+            "mcp__VAPTToolServer__vapt_security_test",
+        ],
+        max_turns=100,
+        model=model_name,
+        permission_mode="bypassPermissions",
+        cwd=Path(working_directory) if working_directory else Path.cwd(),
+    )
+
+    async with ClaudeSDKClient(options=options) as client:
+        print(f"[VAPT Agent] Connected to Claude Agent SDK")
+        if config.use_bedrock:
+            print(f"[VAPT Agent] Using AWS Bedrock with model: {model_name}")
+            print(f"[VAPT Agent] AWS Region: {config.aws_region}")
+        else:
+            print(f"[VAPT Agent] Using Anthropic API with model: {model_name}")
+        print(f"[VAPT Agent] Testing endpoint: {api_endpoint}")
+
+        # Construct the query for the agent
+        headers_str = json.dumps(headers, indent=2) if headers else "None"
+        timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
+
+        query = get_vapt_query(api_endpoint, method, headers_str, timestamp)
+
+        # Execute the query
+        timeout_sec = 600  # 10 minutes for security testing
+
+        try:
+            await asyncio.wait_for(client.query(query), timeout=timeout_sec)
+        except asyncio.TimeoutError:
+            print(f"[VAPT Agent] Query timed out after {timeout_sec}s")
+            raise
+        except Exception as e:
+            print(f"[VAPT Agent] Query failed: {str(e)}")
+            raise
+
+        # Stream and print responses
+        print("\n[VAPT Agent] Security Testing Results:\n")
+        print("=" * 80)
+
+        async for message in client.receive_response():
+            if hasattr(message, "content"):
+                for block in message.content:
+                    if hasattr(block, "text") and block.text:
+                        print(block.text)
+
+        print("\n" + "=" * 80)
+        print("[VAPT Agent] Security assessment completed")
+
+
+def main():
+    """Main entry point for VAPT agent."""
+
+    config = VAPTConfig()
+
+    # Get test configuration
+    api_endpoint = config.test_api_endpoint
+    method = config.test_api_method
+
+    headers = {"Content-Type": "application/json", "User-Agent": "VAPT-Agent/1.0"}
+
+    # Add authentication header if provided
+    if config.test_api_key:
+        headers["Authorization"] = f"Bearer {config.test_api_key}"
+
+    print("=" * 80)
+    print("VAPT Agent - API Security Testing")
+    print("=" * 80)
+    if config.use_bedrock:
+        print(f"Provider: AWS Bedrock")
+        print(f"Region: {config.aws_region}")
+        print(f"Model: {config.model_name}")
+    else:
+        print(f"Provider: Anthropic API")
+        print(f"Model: {config.model_name}")
+    print(f"Endpoint: {api_endpoint}")
+    print(f"Method: {method}")
+    print("=" * 80)
+    print()
+
+    try:
+        asyncio.run(
+            run_vapt_agent(
+                api_endpoint=api_endpoint,
+                method=method,
+                headers=headers,
+            )
+        )
+    except KeyboardInterrupt:
+        print("\n[VAPT Agent] Interrupted by user")
+    except Exception as e:
+        print(f"\n[VAPT Agent] Error: {e}")
+        raise
+
+
+if __name__ == "__main__":
+    main()

vapt_styles.css

@@ -0,0 +1,270 @@
+/* Global background + text color */
+:root {
+    --color-background-primary: #f5f5fb;
+    --color-background-secondary: #ffffff;
+    --background-fill-primary: #f5f5fb;
+    --background-fill-secondary: #ffffff;
+    --block-background-fill: #ffffff;
+}
+
+html,
+body {
+    background: #f5f5fb;
+    color: #111827;
+    margin: 0;
+}
+
+.gradio-container {
+    max-width: 1200px !important;
+    /* change to 100% for full-width */
+    margin: 0 auto !important;
+    padding-inline: 24px;
+    background: transparent !important;
+    font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+}
+
+/* Kill default grey on generic panels/boxes */
+.gr-block,
+.gr-box,
+.gr-panel {
+    background: transparent !important;
+}
+
+/* Main section cards (API Config + Results) */
+.section-card,
+#config-card,
+#results-card {
+    background: #ffffff !important;
+    /* force white, remove grey header */
+    border-radius: 12px;
+    padding: 16px 18px;
+    box-shadow: 0 10px 25px rgba(15, 23, 42, 0.08);
+    border: 1px solid #e5e7eb;
+}
+
+.section-card h3,
+.section-card h4 {
+    margin-top: 0;
+    color: #111827;
+}
+
+#app-header {
+    margin-bottom: 1.25rem;
+}
+
+#app-header h1 {
+    font-size: 2.2rem;
+    margin-bottom: 0.25rem;
+    color: #0f172a;
+}
+
+#app-header p {
+    color: #4b5563;
+    /* darker, more readable */
+    font-size: 0.95rem;
+    margin-top: 0.25rem;
+}
+
+.badge-pill {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.4rem;
+    padding: 0.25rem 0.85rem;
+    border-radius: 999px;
+    font-size: 0.9rem;
+    /* bigger badge text */
+    font-weight: 600;
+    background: #ecfdf3;
+    color: #15803d;
+    border: 1px solid #bbf7d0;
+}
+
+.badge-pill .dot {
+    width: 9px;
+    height: 9px;
+    border-radius: 999px;
+    background: #22c55e;
+    box-shadow: 0 0 0 4px rgba(34, 197, 94, 0.25);
+}
+
+#disclaimer-box {
+    background: #fefce8;
+    border-left: 4px solid #f59e0b;
+    padding: 10px 12px;
+    border-radius: 10px;
+    font-size: 0.86rem;
+    margin-top: 0.5rem;
+    color: #92400e;
+}
+
+#disclaimer-box strong {
+    color: #b45309;
+}
+
+#config-card>div>label span,
+#results-card>div>label span {
+    font-weight: 500;
+    color: #111827;
+}
+
+/* Reduce font size inside the Security Tutor chatbot */
+#tutor-chat * {
+    font-size: 0.80rem !important;
+}
+
+#tutor-chat .message {
+    padding-top: 4px;
+    padding-bottom: 4px;
+}
+
+/* Reset button styling – elem_id is on the button itself */
+#reset-btn {
+    background-color: #e0f2fe !important;
+    /* light blue */
+    color: #0369a1 !important;
+    border-color: #bae6fd !important;
+}
+
+#reset-btn:hover {
+    background-color: #bfdbfe !important;
+}
+
+/* --- Professional full-width tabs for Security Assessment Results --- */
+
+/* Tab bar container */
+#results-card [role="tablist"] {
+    background: #ffffff !important;
+    /* ensure no grey behind tabs */
+    border-radius: 8px;
+    border: 1px solid #e5e7eb;
+    display: flex;
+    padding: 0;
+    margin-top: 4px;
+    overflow: hidden;
+}
+
+/* Each tab button */
+#results-card [role="tablist"] button {
+    flex: 1 1 0;
+    justify-content: center;
+    background: #ffffff !important;
+    color: #374151;
+    border-radius: 0;
+    border: none;
+    box-shadow: none;
+    font-size: 0.9rem;
+    padding-block: 0.4rem;
+    padding-inline: 0.75rem;
+}
+
+/* Hover state for inactive tabs */
+#results-card [role="tablist"] button:hover:not([aria-selected="true"]) {
+    background: #f3f4f6;
+}
+
+/* Active tab (selected) */
+#results-card [role="tablist"] button[aria-selected="true"] {
+    background: #ffffff !important;
+    color: #ea580c !important;
+    /* orange accent */
+    font-weight: 600;
+    box-shadow: inset 0 -3px 0 #ea580c;
+    /* bottom border highlight */
+}
+
+/* Ensure tab content area is white */
+#results-card .tabitem {
+    background: #ffffff !important;
+}
+
+/* --- Security Tutor panel styling --- */
+
+#tutor-section {
+    margin-top: 6px;
+    gap: 10px;
+}
+
+/* Input row card */
+#tutor-input-row {
+    background: #f9fafb;
+    border-radius: 12px;
+    padding: 10px 12px;
+    border: 1px solid #e5e7eb;
+    align-items: stretch;
+}
+
+/* Text area inside tutor row */
+#tutor-input-row textarea {
+    min-height: 64px;
+    border-radius: 8px 0 0 8px !important;
+}
+
+/* Ask button styled as attached to textbox */
+#tutor-input-row button {
+    height: 100%;
+    border-radius: 0 8px 8px 0 !important;
+    padding-inline: 1.6rem;
+    font-weight: 600;
+}
+
+/* Example box */
+#tutor-examples {
+    margin-top: 10px;
+    background: #f9fafb;
+    border-radius: 10px;
+    padding: 10px 12px;
+    border: 1px solid #e5e7eb;
+    font-size: 0.86rem;
+}
+
+#tutor-examples strong {
+    display: block;
+    margin-bottom: 4px;
+    color: #111827;
+}
+
+#tutor-examples ul {
+    margin: 0;
+    padding-left: 1.1rem;
+}
+
+/* Security Report markdown container */
+#security-report-md {
+    background: #ffffff !important;
+    border-radius: 8px;
+    padding: 16px 20px;
+    border: 1px solid #e5e7eb;
+    max-height: 520px;
+    /* adjust as you like */
+    overflow-y: auto;
+    /* vertical scroll when content exceeds height */
+    overflow-x: hidden;
+    /* avoid horizontal bar unless you need it */
+}
+
+/* Inner markdown/prose should be transparent, no extra padding/border */
+#security-report-md .gr-markdown,
+#security-report-md .prose {
+    background: transparent !important;
+    border: none !important;
+    box-shadow: none !important;
+    padding: 0 !important;
+}
+
+/* Center the two dashboard charts horizontally */
+#dashboard-row {
+    justify-content: center;
+    gap: 24px;
+}
+
+#risk-col,
+#severity-col {
+    display: flex;
+    justify-content: center;
+}
+
+#risk-col .gr-plot,
+#severity-col .gr-plot {
+    max-width: 480px;
+    width: 100%;
+}