{
  "$schema": "https://developer.microsoft.com/json-schemas/copilot/plugin/v2.3/schema.json",
  "schema_version": "v2.3",
  "name_for_human": "TATER Compliance",
  "description_for_human": "Compliance posture, risk register, change control, evidence capture, and living configuration documentation.",
  "description_for_model": "Use this plugin to query and manage compliance posture in TATER. The plugin exposes 61 tools via the Model Context Protocol (MCP). Every conversation MUST call `get_org_context` first to confirm the active TATER organization. Tools cover: scans (list_scans, get_scan_results, get_failing_controls), controls (get_control_info, get_all_controls_with_status, get_control_grc_context, verify_manual_control), risk register (list_risks, create_risk, create_risk_acceptance), people and assignments (list_people, assign_control), GRC (list_pending_changes, create_change_request, list_overrides, list_exceptions, list_remediations, trigger_remediation), policies (list_policies, create_policy, approve_policy, get_policy_detail, get_policy_sign_status), framework narratives (get_framework_narratives, set_framework_narrative), conversations (add_thread_post, add_evidence_comment), config docs (upsert_config_doc, get_config_doc, search_config_docs), identity (identity_start, identity_confirm, verify_identity), search (search_catalog), org / community (get_compliance_summary, list_community_stats), and ADO issues (create_issue). The audit log records every action with 'via copilot' attribution.",
  "namespace": "tater",
  "logo_url": "https://www.tatersecurity.com/TATER.png",
  "contact_email": "support@tatersecurity.com",
  "legal_info_url": "https://www.tatersecurity.com/terms.html",
  "auth": {
    "type": "OAuthPluginAuth",
    "client_url": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "scope": "api://45afb90d-c5de-439d-8b09-8fbfed28b321/access",
    "authorization_url": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "authorization_content_type": "application/x-www-form-urlencoded",
    "verification_tokens": {
      "openai": "REPLACE_WITH_VERIFICATION_TOKEN_FROM_COPILOT_ADMIN_CENTER"
    }
  },
  "api": {
    "type": "openapi",
    "url": "https://www.tatersecurity.com/Docs/copilot-mcp/openapi.yaml"
  },
  "runtimes": [
    {
      "type": "OpenApi",
      "auth": {
        "type": "OAuthPluginAuth",
        "reference_id": "tater-oauth"
      },
      "spec": {
        "url": "https://www.tatersecurity.com/Docs/copilot-mcp/openapi.yaml"
      },
      "run_for_functions": ["mcp_invoke"]
    }
  ],
  "functions": [
    {
      "name": "mcp_invoke",
      "description": "Invoke any TATER MCP tool. Pass tool name and arguments as a JSON-RPC 2.0 request body. Always call get_org_context first.",
      "states": {
        "reasoning": {
          "description": "Calling TATER MCP server: tool={name}",
          "instructions": [
            "First call get_org_context to confirm the active org.",
            "Use tools/list to see all 42 available tools and their argument schemas.",
            "Use tools/call with {name, arguments} to invoke a specific tool.",
            "All actions are audited under the user's TATER identity with via='copilot'."
          ]
        }
      }
    }
  ]
}
