docs: Update README to highlight hackathon submission, detail covered tracks, and revise the 'MCP in Action' architecture and workflow.

README.md

@@ -21,76 +21,79 @@ thumbnail: >-
 ---
 
 
-# 🏆 VAPT Agent - Intelligent API Security Testing
+# 🏆 VAPT Agent - Intelligent API Security Testing  
+### *(Submission for MCP’s 1st Birthday Hackathon)*  
+**Both the Tracks Covered:**  
+- **MCP in Action**  
+- **Building MCP**
 
 > **MCP's 1st Birthday Hackathon Submission** 🎉  
 > *Hosted by Anthropic & Gradio on Hugging Face*  
 > [🔗 Hackathon Page](https://huggingface.co/MCP-1st-Birthday)
 
-LinkedIn post - [Refer HERE](https://www.linkedin.com/posts/chsubhasis_vapt-agent-activity-7399454144895467520-yR6I?utm_source=share&utm_medium=member_desktop&rcm=ACoAABIj1NcBQpSiJ5ZDC9YQBBsmL4fDfy7D0LU) || Demo Video - [Refer HERE](https://youtu.be/wFgW_o48pw8?si=2lpag5I4zsUz8J2d)
----
+**LinkedIn Post** → **http://bit.ly/4p98LHy**   
+**Demo Video – MCP in Action** → **https://youtu.be/wFgW_o48pw8?si=2lpag5I4zsUz8J2d**  
+**Demo Video – Building MCP** → **[YouTube link placeholder – to be added]**
 
-## 📋 Project Overview
+---
 
-**VAPT Agent** is an autonomous, AI-powered **Vulnerability Assessment and Penetration Testing (VAPT)** platform that revolutionizes API security testing. By combining **Anthropic's Claude Agent SDK**, **Postman MCP Server**, **Gradio Web Interface**, and **RAG-based security education**, this project showcases the power of Model Context Protocol (MCP) for building intelligent, context-aware security tools.
+# 🎯 MCP in Action  
+### Building an AI-powered VAPT workflow using multiple MCP servers
 
-### 🎯 What Makes This Special?
+This part of the project demonstrates how a single agent orchestrates multiple MCP servers to plan, execute, and explain a complete API security assessment.
 
-This project demonstrates **three powerful MCP integrations**:
+The Gradio application acts as an MCP client, coordinating:
 
-1. **🤖 Anthropic Claude Agent SDK** - Powers the core VAPT reasoning agent with Claude Haiku 4.5 from AWS Bedrock.
-2. **📮 Postman MCP Server** - Enables automatic API discovery and OpenAPI specification generation
-3. **🛠️ Custom VAPT MCP Server** - Provides specialized security testing tools (SQL injection, XSS, auth testing, etc.)
-4. **🧩 Gradio Web Interface** – Provides an interactive, real-time UI for the VAPT workflow, enabling progress streaming, report visualization, dashboard analytics, and an integrated AI Security Tutor.
+- Postman MCP Server  
+  Endpoint discovery, schema generation  
+- Custom VAPT MCP Tools  
+  SQLi, XSS, authentication, CORS, headers, rate limits  
+- Claude Agent SDK (MCP-compatible)  
+  Reasoning + tool invocation  
+- RAG Security Tutor (Nebius + Chroma)  
+  Report-specific education using embeddings
 
-Combined with a **modern Gradio interface** and **RAG-powered AI tutor** using Chroma vector search, VAPT Agent bridges the gap between automated security testing and developer education.
+This produces a fully automated end-to-end VAPT workflow.
 
 ---
 
-## 🏗️ Architecture Overview
+## 📋 Project Overview
 
-```
-┌─────────────────────────────────────────────────────────────────┐
-│                    Gradio Web Interface                         │
-│  (Real-time Progress, Visual Dashboard, AI Security Tutor)      │
-└────────────────────┬────────────────────────────────────────────┘
-                     │
-                     ▼
-┌─────────────────────────────────────────────────────────────────┐
-│              VAPT Agent Orchestrator                            │
-│              (vapt_agent.py)                                    │
-└─────┬──────────────────────────────┬────────────────────────────┘
-      │                              │
-      ▼                              ▼
-┌─────────────────────┐    ┌──────────────────────────────────────┐
-│  Claude Agent SDK   │    │     MCP Servers (via Claude SDK)     │
-│  (Haiku 4.5 Model)  │◄───┤  ┌────────────┐  ┌────────────────┐ │
-│                     │    │  │ Postman    │  │ Custom VAPT    │ │
-│ • Reasoning         │    │  │ MCP Server │  │ MCP Tools      │ │
-│ • Test Planning     │    │  │ (SSE)      │  │ (Local Server) │ │
-│ • Report Gen        │    │  └────────────┘  └────────────────┘ │
-└─────���───────────────┘    └──────────────────────────────────────┘
-                                     │
-                     ┌───────────────┴───────────────┐
-                     ▼                               ▼
-              ┌──────────────┐            ┌─────────────────────┐
-              │ Postman API  │            │ Target API Endpoint │
-              │ • Discovery  │            │ • Security Testing  │
-              │ • Schema Gen │            │ • Vuln Detection    │
-              └──────────────┘            └─────────────────────┘
+The VAPT Agent is an autonomous system that performs API security testing and generates detailed audit-ready reports using:
+
+- **Anthropic Claude Agent SDK** - Powers the core VAPT reasoning agent with Claude Haiku 4.5 from AWS Bedrock.
+- **Postman MCP Server** - Enables automatic API discovery and OpenAPI specification generation
+- **Custom VAPT MCP Tools** - Provides specialized security testing tools (SQL injection, XSS, auth testing, etc.)
+- **Gradio Interface** - Provides an interactive, real-time UI for the VAPT workflow, enabling progress streaming, report visualization, dashboard analytics, and an integrated AI Security Tutor.
+- **RAG tutor (Nebius LLM + Chroma DB)** - Provides context-aware education and analysis using embeddings.
+
+The system is designed to execute full vulnerability assessments while also explaining findings in simple language.
+
+---
+
+## 🏗️ Architecture (MCP in Action)
 
+```text
 ┌─────────────────────────────────────────────────────────────────┐
-│                    AI Security Tutor (RAG)                      │
-│  ┌──────────────┐  ┌──────────────┐  ┌────────────────────┐   │
-│  │ Nebius LLM   │  │ Chroma DB    │  │ Nebius Embeddings  │   │
-│  │ (gpt-oss-20b)│◄─┤ Vector Store │◄─┤ (Qwen3-Embed-8B)   │   │
-│  └──────────────┘  └──────────────┘  └────────────────────┘   │
-│         ▲                   ▲                                   │
-│         │                   │                                   │
-│         └───────────────────┴─── VAPT Report Context           │
-└─────────────────────────────────────────────────────────────────┘
+│                       Gradio Web Interface                      │
+│       (Progress Stream • Dashboard • AI Security Tutor)         │
+└──────────────────────────────┬──────────────────────────────────┘
+                               │
+                      Claude Agent SDK
+                     (MCP-aware Reasoning)
+                               │
+      ┌─────────────────────────────────────────────────────────┐
+      │                 External MCP Servers                    │
+      │                                                         │
+      │  ┌───────────────┐      ┌───────────────────────────┐  │
+      │  │ Postman MCP   │      │ Custom VAPT MCP Tools     │  │
+      │  │ (Discovery)   │─────▶│ (Security Testing Suite)  │  │
+      │  └───────────────┘      └───────────────────────────┘  │
+      └─────────────────────────────────────────────────────────┘
+                               │
+                               ▼
+                      Target API Under Test
 ```
-
 ### 🔄 How It Works
 
 1. **User Input** → User provides API endpoint via Gradio interface
@@ -98,87 +101,58 @@ Combined with a **modern Gradio interface** and **RAG-powered AI tutor** using C
 3. **Testing** → Agent invokes **Custom VAPT MCP tools** to test for vulnerabilities
 4. **Reasoning** → **Claude Haiku 4.5** through AWS Bedrock analyzes results and generates comprehensive security report
 5. **Visualization** → Gradio dashboard displays risk scores and severity charts
-6. **Education** → User asks questions → **AI Tutor** uses **RAG (Chroma + Nebius embeddings)** to retrieve relevant report sections → **Nebius LLM** generates educational explanations
-
----
-
-## ✨ Key Features
-
-### 🔒 Comprehensive Security Testing
-
-Automated vulnerability detection powered by Claude's reasoning and custom MCP tools:
-
-- **Injection Attacks**: SQL injection, XSS, path traversal
-- **Authentication & Authorization**: Broken auth detection, token validation
-- **Rate Limiting**: DoS vulnerability assessment, burst testing (50 requests)
-- **CORS Policy**: Origin validation, wildcard detection
-- **Security Headers**: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, etc.
-
-### 🎨 Modern Gradio Web Interface
+6. **Education** → User asks questions
 
-Beautiful, responsive UI built with Gradio featuring:
+### 📊 Output
 
-- **Real-time Progress Streaming** from Claude agent
-- **Downloadable Markdown Reports** for audit trails
-- **Visual Risk Dashboard** with interactive charts (risk gauge + severity pie chart)
-- **Tabbed Interface** for organized information flow
-- **Custom CSS Styling** for professional appearance
-
-### 🧠 RAG-Powered AI Security Tutor
-
-**Context Engineering & Retrieval-Augmented Generation (RAG)** implementation:
-
-#### How RAG Works in VAPT Agent:
-
-1. **Document Chunking** (`ai_tutor.py`):
-   - Report split into logical sections based on markdown headers (`##`)
-   - Large sections auto-chunked to ~2000 characters for optimal retrieval
-   - Preserves context boundaries for coherent answers
-
-2. **Vector Embedding** (Nebius + Chroma):
-   - Each chunk embedded using **Qwen3-Embedding-8B** (Nebius)
-   - Vectors stored in **Chroma** ephemeral in-memory database
-   - Index automatically rebuilt when report changes (SHA-256 content hashing)
-   - Never reuses old vectors for new reports
-
-3. **Semantic Search**:
-   - User question embedded with same model
-   - Top-K (default: 4) relevant chunks retrieved via cosine similarity
-   - Context passed to LLM for grounded responses
-
-4. **Context Engineering**:
-   - System prompt instructs LLM to prioritize retrieved VAPT report context
-   - Combines report snippets + optional web search (Tavily)
-   - Prevents hallucination by grounding answers in actual findings
-
-**Benefits**:
-- ✅ Accurate answers specific to YOUR security report
-- ✅ No generic security advice - tailored to actual findings
-- ✅ Efficient: Only relevant context sent to LLM (cost-effective)
-- ✅ Educational: Explains vulnerabilities in your specific API
+The agent generates a comprehensive **Markdown report** saved as `vapt_report_YYYYMMDD_HHMMSS.md` containing:
 
-### 📮 Postman MCP Integration
+- **Executive Summary** with risk score
+- **API Specification** (OpenAPI spec)
+- **Vulnerability Details** (Severity, Description, Evidence, Remediation)
+- **Security Headers Analysis**
+- **CORS Policy Review**
+- **Rate Limiting Assessment**
+- **Recommendations** for fixes
+---
 
-Leverages **Postman's official MCP server** (SSE protocol):
+## ✨ Key Capabilities (MCP in Action)
+Automated Security Assessment:
+- SQL Injection  
+- XSS  
+- Auth/Token checks  
+- Path traversal  
+- Rate limiting / DoS tests  
+- CORS misconfigurations  
+- Security headers audit  
+
+Interactive Gradio UI:
+- Real-time streaming logs  
+- Downloadable markdown report  
+- Visual risk dashboard (gauge + pie chart)  
+- Tabbed layout  
+- Styled UI  
+
+RAG Security Tutor:
+- Markdown-aware chunking  
+- Embeddings via Nebius (Qwen3-Embedding-8B)  
+- Chroma vector search  
+- Context-grounded answers  
+- Optional web search fallback  
 
-- Automatic API endpoint discovery
-- OpenAPI/Swagger specification generation
-- Request/response schema analysis
-- Collection management for organized testing
-- Seamless integration via Claude Agent SDK
+---
 
-### 🤖 Anthropic Claude SDK
+## 🧩 MCP Integrations Demonstrated (MCP in Action)
+Postman MCP Server  
+Used for endpoint discovery and dynamic request generation.
 
-Core agent powered by **Claude Agent SDK**:
+Custom VAPT MCP Tools  
+Implements targeted security tests.
 
-- **Model**: Claude Haiku 4.5 (fast, cost-efficient, high-quality reasoning)
-- **Multi-turn Reasoning**: Agent conversations up to 100 turns
-- **Tool Orchestration**: Coordinates Postman MCP + Custom VAPT MCP tools
-- **Flexible Deployment**: Anthropic API or AWS Bedrock
-- **Permission Mode**: Bypass permissions for automated testing
+Claude Agent SDK  
+Provides reasoning and tool orchestration across multiple MCP servers.
 
 ---
-
 ## 🎁 Benefits & Impact
 
 ### For Security Professionals
@@ -206,349 +180,103 @@ Core agent powered by **Claude Agent SDK**:
 - 🔓 **Open Source**: Extensible architecture for custom tools
 
 ---
+# 🟧 Building MCP  
+### Converting the entire VAPT Agent into its own MCP server
 
-## 🚀 Prerequisites
-
-- **Python 3.10+**
-- **[Postman API Key](https://postman.com/settings/api-keys)** - For MCP server access
-- **[Anthropic API Key](https://console.anthropic.com/) OR AWS Bedrock** - For Claude Haiku 4.5
-- **[Nebius API Key](https://nebius.com/)** - For AI Tutor (optional but recommended)
-
----
-
-## 📦 Installation
-
-1. **Clone the repository**:
-   ```bash
-   git clone <repository-url>
-   cd vapt-agent
-   ```
-
-2. **Create virtual environment**:
-   ```bash
-   python -m venv venv
-   source venv/bin/activate  # On Windows: venv\Scripts\activate
-   ```
-
-3. **Install dependencies**:
-   ```bash
-   pip install -r requirements.txt
-   ```
+For the Building MCP track, the same Gradio application was extended to expose an MCP server interface, allowing external AI tools, automation systems, and CI/CD pipelines to call the VAPT engine programmatically.
 
-4. **Configure environment**:
-   ```bash
-   cp .env.template .env
-   # Edit .env with your credentials
-   ```
+Following the guidelines from the **[Hugging Face blog on building MCP servers with Gradio](https://huggingface.co/blog/gradio-mcp)**, we transformed our application to support both web-based and programmatic access.
 
 ---
+## 🔌 VAPT Agent as an MCP Server (Building MCP)
 
-## ⚙️ Configuration
-
-Create a `.env` file with the following variables:
-
-```properties
-# --- Core VAPT Agent Configuration ---
-
-# AWS Bedrock (set to 1 to use Bedrock, 0 for Anthropic API)
-CLAUDE_CODE_USE_BEDROCK=1
-
-# AWS Credentials (if using Bedrock)
-AWS_ACCESS_KEY_ID=your_access_key
-AWS_SECRET_ACCESS_KEY=your_secret_key
-AWS_REGION=us-east-1
-
-# Model selection for VAPT Agent (Haiku 4.5 recommended)
-ANTHROPIC_MODEL=global.anthropic.claude-haiku-4-5-20251001-v1:0
-# If using Anthropic API directly:
-# ANTHROPIC_API_KEY=sk-ant-...
+MCP Server URL (Streamable HTTP):
 
-# Postman API key (get from https://postman.com/settings/api-keys)
-POSTMAN_API_KEY=your_postman_api_key
+https://mcp-1st-birthday-vapt-agent.hf.space/gradio_api/mcp/
 
-# --- AI Tutor Configuration (Nebius) ---
-
-# Nebius API Key for Tutor and Embeddings
-NEBIUS_API_KEY=your_nebius_api_key
-
-# Nebius Base URL (optional, defaults to standard endpoint)
-# NEBIUS_BASE_URL=https://api.tokenfactory.nebius.com/v1
-
-# AI Tutor Chat Model
-NEBIUS_TUTOR_MODEL=gpt-oss-20b
-
-# Embedding Model for Vector Search (REQUIRED for RAG)
-NEBIUS_EMBEDDING_MODEL=Qwen3-Embedding-8B
-
-# --- Optional Web Search ---
-# TAVILY_API_KEY=tvly-...
-```
+Supports:
+- Streamable HTTP  
+- STDIO  
+- Claude Desktop  
+- Scripts  
+- CI/CD  
 
 ---
+## 🛠️ Tools Exposed by VAPT Agent MCP Server
 
-## 🎮 Usage
-
-### 1. Web Interface (Recommended)
-
-Launch the **Gradio dashboard** for an interactive experience:
-
-```bash
-python app.py
-```
-
-- Open your browser at `http://localhost:7861`
-- Enter the API endpoint and HTTP method
-- Watch the real-time progress log
-- View the generated report, risk dashboard, and chat with the AI Security Tutor
-
-### 2. Command Line Interface
-
-Run the agent directly from the terminal:
-
-```bash
-python vapt_agent.py
-```
-
-(Ensure `TEST_API_ENDPOINT` and `TEST_API_METHOD` are set in your `.env` file for CLI usage)
+Below is the tool documentation used in the “Building MCP” track.
 
 ---
 
-## 🔍 Security Tests Performed
-
-The agent uses custom MCP tools (`vapt_tools.py`) to perform:
-
-### 1. **Injection Testing**
-- SQL Injection with various payloads (e.g., `' OR '1'='1`)
-- XSS (Cross-Site Scripting) detection
-- Path traversal attempts (`../../../etc/passwd`)
-
-### 2. **Authentication Testing**
-- Endpoint access without credentials
-- Authentication bypass attempts
-- Token validation and expiration checks
-
-### 3. **Rate Limiting**
-- Burst request testing (50 rapid requests)
-- 429 status code detection
-- DoS vulnerability assessment
+### 1. vapt_agent_run_security_test  
+Primary tool exposed by the MCP server.
 
-### 4. **CORS Policy**
-- Origin validation testing
-- Wildcard (`*`) detection
-- Cross-origin request testing
+Purpose:
+- Validates inputs  
+- Discovers endpoints via Postman MCP  
+- Executes internal security tests  
+- Generates full markdown report  
+- Streams progress in real time  
+- Updates dashboard  
 
-### 5. **Security Headers**
-- `Strict-Transport-Security` (HSTS)
-- `X-Content-Type-Options`
-- `X-Frame-Options`
-- `Content-Security-Policy`
-- `X-XSS-Protection`
+Parameters:
+- api_endpoint (string): API target  
+- http_method (string): GET / POST / PUT / DELETE  
+- api_key (string): token  
 
----
-
-## 📊 Output
+Example (Python MCP client):
 
-The agent generates a comprehensive **Markdown report** saved as `vapt_report_YYYYMMDD_HHMMSS.md` containing:
-
-- **Executive Summary** with risk score
-- **Vulnerability Details** (Severity, Description, Evidence, Remediation)
-- **Security Headers Analysis**
-- **CORS Policy Review**
-- **Rate Limiting Assessment**
-- **Recommendations** for fixes
-
----
-
-## 🛠️ Troubleshooting
-
-### Postman API Key Issues
-- Get your API key from: https://postman.com/settings/api-keys
-- Ensure the key has necessary permissions for collections and environments
-
-### AWS Bedrock Issues
-- Verify AWS credentials are correct
-- Ensure you have access to Claude models in your region
-- Check IAM permissions for Bedrock
-
-### AI Tutor Not Working
-- Check `NEBIUS_API_KEY` is set
-- Ensure `NEBIUS_EMBEDDING_MODEL` is set to `Qwen3-Embedding-8B` for vector search to work
-- Verify `chromadb` is installed: `pip install chromadb`
-
-### Gradio Interface Issues
-- Ensure port 7861 is not blocked
-- Try clearing browser cache
-- Check console logs for errors
-
----
-
-## 🤝 Contributing
-
-Contributions are welcome! Please follow the existing code structure:
-
-- Keep tools modular in `vapt_tools.py`
-- Add configuration in `config.py`
-- Update `.env.template` for new variables
-- Follow Python best practices (PEP 8)
-- Add docstrings for new functions
-
----
-
-## 📜 License
-
-MIT License
-
----
-
-## ⚠️ Disclaimer
-
-This tool is for **authorized security testing only**. Always obtain proper authorization before testing any API endpoints. Unauthorized testing may be illegal and unethical.
-
----
-
-## 🙏 Acknowledgments
-
-Built for **MCP's 1st Birthday Hackathon** hosted by **Anthropic** and **Gradio**.
-
-**Technologies Used**:
-- [Anthropic Claude Agent SDK](https://github.com/anthropics/anthropic-sdk-python)
-- [Gradio](https://gradio.app/)
-- [Postman MCP Server](https://mcp.postman.com/)
-- [Chroma](https://www.trychroma.com/)
-- [Nebius Token Factory](https://nebius.com/)
-
----
-
-# VAPT Agent MCP Server
-
-## 🔌 From Gradio App to MCP Server
-
-This VAPT Agent started as an **interactive Gradio web application** designed to provide an intuitive UI for vulnerability assessment and penetration testing. To extend its capabilities and make it accessible to AI assistants and automation tools, **we additionally converted it into a Model Context Protocol (MCP) server** using Gradio's built-in MCP support.
-
-Following the guidelines from the **[Hugging Face blog on building MCP servers with Gradio](https://huggingface.co/blog/gradio-mcp)**, we transformed our application to support both web-based and programmatic access. This conversion allows the same powerful security testing features to be available through:
-
-- ✅ AI assistants like Claude Desktop
-- ✅ Automation scripts and CI/CD pipelines  
-- ✅ Other MCP-compatible tools and workflows
-- ✅ Remote clients via both Streamable HTTP and STDIO transports
-
-**MCP Server URL**: `https://mcp-1st-birthday-vapt-agent.hf.space/gradio_api/mcp/`
-
----
-
-## 🎯 Primary Tool: `vapt_agent_run_security_test`
-
-The core functionality of the VAPT Agent is exposed through the **`vapt_agent_run_security_test`** MCP tool, which allows external clients to programmatically trigger comprehensive security assessments.
-
-### 📋 Tool Details
-
-**Name**: `vapt_agent_run_security_test`  
-**Type**: Tool  
-**Description**: Execute a complete VAPT security test on an API endpoint. The function validates inputs, starts the VAPT agent in a background thread, and streams real-time progress updates. The test button is disabled during execution and re-enabled when complete.
-
-### 📥 Parameters
-
-| Parameter | Type | Required | Description |
-|-----------|------|----------|-------------|
-| `api_endpoint` | string | ✅ Yes | The target API endpoint URL to test (e.g., `https://api.example.com/users`) |
-| `http_method` | string | ✅ Yes | HTTP method for the endpoint (e.g., `GET`, `POST`, `PUT`, `DELETE`) |
-| `api_key` | string | ✅ Yes | API authentication key/token for authorized testing |
-
-### 📤 Returns
-
-The tool yields progressive updates and final results:
-
-1. **Progress Updates**: Real-time streaming of agent activities (endpoint discovery, vulnerability testing, report generation)
-2. **Report Markdown**: Complete vulnerability assessment report in markdown format
-3. **Report File Path**: Path to the downloadable report file
-4. **Button State**: UI state management (disabled during test, enabled on completion)
-
-### 🔍 What the Tool Does
-
-When invoked, `vapt_agent_run_security_test`:
-
-1. **Validates Inputs**: Ensures all required parameters are provided
-2. **Initiates VAPT Agent**: Starts the Claude-powered security testing agent in a background thread
-3. **Performs Discovery**: Uses Postman MCP to discover API endpoints and generate OpenAPI specs
-4. **Executes Security Tests**: Runs custom VAPT MCP tools for:
-   - Injection attacks (SQL, XSS, path traversal)
-   - Authentication/authorization bypass
-   - Rate limiting and DoS vulnerabilities
-   - CORS policy validation
-   - Security headers analysis
-5. **Streams Progress**: Yields real-time progress messages for client visibility
-6. **Generates Report**: Creates comprehensive markdown report with:
-   - Executive summary with risk score
-   - Detailed vulnerability findings with severity levels
-   - Evidence and remediation recommendations
-   - Security headers and CORS analysis
-7. **Updates Dashboard**: Automatically refreshes the visual risk dashboard with charts
-
-### 💡 Example Usage
-
-```python
-# Example MCP client call
-result = client.call_tool(
+result = await session.call_tool(
     "vapt_agent_run_security_test",
     {
-        "api_endpoint": "https://api.example.com/v1/users",
+        "api_endpoint": "https://api.example.com/users",
         "http_method": "GET",
-        "api_key": "Bearer your-api-key-here"
+        "api_key": "Bearer xyz"
     }
 )
 
-# The tool will stream progress like:
-# "🔍 Starting API security assessment..."
-# "📮 Discovering endpoints using Postman MCP..."
-# "🛡️ Testing for SQL injection vulnerabilities..."
-# "📊 Generating vulnerability report..."
-# "✅ Security test completed!"
-```
-
 ---
+### 2. vapt_agent_update_dashboard
 
-## 🛠️ Additional Tools
+Purpose:
+Updates the visual dashboard with the latest report.
 
-While the primary focus is on `vapt_agent_run_security_test`, the MCP server also exposes supporting tools for enhanced functionality:
+Parameter:
+- report_md (string): Full markdown report
 
-- **`vapt_agent_update_dashboard`**: Updates the visual security dashboard with new report data
-- **`vapt_agent_tutor_respond`**: Provides AI-powered security guidance and answers questions about the generated report using RAG (Retrieval-Augmented Generation)
-- **`vapt_agent__lambda_`**: Internal utility function
+---
 
-> **Note**: For most use cases, you'll primarily interact with `vapt_agent_run_security_test` to perform security assessments.
+### 3. vapt_agent_tutor_respond
 
----
+Purpose:
+Provides contextual security explanations based on the VAPT report using RAG.
 
-## ⚙️ MCP Configuration
+Inputs:
+- question (string)  
+- history (array)  
+- report_md (string)
 
-### Streamable HTTP Transport
+Capabilities:
+- Handles file uploads  
+- Performs vector search  
+- Generates grounded answers  
+
+---
+## ⚙️ MCP Client Configuration Examples
 
-For MCP clients that support Streamable HTTP (recommended), add this configuration:
+Streamable HTTP:
 
 ```json
 {
   "mcpServers": {
     "vapt_agent": {
       "url": "https://mcp-1st-birthday-vapt-agent.hf.space/gradio_api/mcp/"
-    },
-    "upload_files_to_gradio": {
-      "command": "uvx",
-      "args": [
-        "--from",
-        "gradio[mcp]",
-        "gradio",
-        "upload-mcp",
-        "https://mcp-1st-birthday-vapt-agent.hf.space/",
-        "<UPLOAD_DIRECTORY>"
-      ]
     }
   }
 }
 ```
 
-### STDIO Transport
-
-For clients like **Claude Desktop** that only support STDIO, first [install Node.js](https://nodejs.org/en/download/), then use:
+STDIO (Claude Desktop):
 
 ```json
 {
@@ -561,66 +289,17 @@ For clients like **Claude Desktop** that only support STDIO, first [install Node
         "--transport",
         "streamable-http"
       ]
-    },
-    "upload_files_to_gradio": {
-      "command": "uvx",
-      "args": [
-        "--from",
-        "gradio[mcp]",
-        "gradio",
-        "upload-mcp",
-        "https://mcp-1st-birthday-vapt-agent.hf.space/",
-        "<UPLOAD_DIRECTORY>"
-      ]
     }
   }
 }
 ```
 
-### 📁 File Upload Support
+File upload support:
 
-The `upload_files_to_gradio` tool uploads files from your local `<UPLOAD_DIRECTORY>` (or any subdirectories) to the Gradio app. This is needed because MCP servers require files to be provided as URLs. You can omit this tool if you prefer to upload files manually.
-
-**Requirements**: [uv](https://docs.astral.sh/uv/getting-started/installation/) must be installed.
-
----
-
-## 🎓 Use Cases
-
-### For AI Assistants (Claude Desktop)
-```
-User: "Test the API at https://api.myapp.com/v1/products (GET method) 
-       with API key Bearer abc123"
-
-Claude: *Invokes vapt_agent_run_security_test* 
-        "I've initiated a security test. The VAPT agent is now scanning 
-        for vulnerabilities including injection attacks, authentication 
-        issues, and security misconfigurations..."
-```
-
-### For CI/CD Pipelines
-```bash
-# Automated security testing in deployment pipeline
-mcp-client call vapt_agent_run_security_test \
-  --api_endpoint "https://staging.api.com/auth/login" \
-  --http_method "POST" \
-  --api_key "$STAGING_API_KEY"
-```
-
-### For Security Teams
-```
-# Remote security assessment without opening the web interface
-# Get comprehensive reports programmatically
-# Integrate with existing security workflow tools
+```json
+"upload_files_to_gradio": {
+  "command": "uvx",
+  "args": ["--from", "gradio[mcp]", "gradio", "upload-mcp", "https://mcp-1st-birthday-vapt-agent.hf.space/", "<UPLOAD_DIRECTORY>"]
+}
 ```
-
----
-
-## 📚 Resources
-
-- **[Building MCP Servers with Gradio](https://huggingface.co/blog/gradio-mcp)** - The guide we followed to convert our Gradio app to an MCP server
-- **[Gradio MCP Documentation](https://www.gradio.app/guides/building-mcp-server-with-gradio)** - Official Gradio MCP documentation
-- **[Model Context Protocol Specification](https://modelcontextprotocol.io/)** - Understanding MCP architecture
-- **[Hugging Face Spaces Configuration](https://huggingface.co/docs/hub/spaces-config-reference)** - Deploy your own MCP-enabled Gradio apps
-
 ---