Jiffy

Jiffy Chat

Ask natural-language questions about your Jiffy org — from Claude Desktop, Cursor, Claude Code, or Slack. Every answer is templated against a bounded intent router and scoped to the caller’s API key. No free-form LLM-generated SQL; every query is a hand-written Supabase filter against your org’s data.

Two surfaces, one engine. The MCP server plugs Jiffy into your coding agent; the Slack app puts the same answers in any channel. Both hit the same POST /api/v1/chat/query, so if the intent router learns a new question, it lights up everywhere.

Option 1 — MCP server (for coding agents)

Install

pnpm add -g @jiffylabs/jiffy-chat-mcp

Or run without installing:

pnpm dlx @jiffylabs/jiffy-chat-mcp

Configure

The server reads the same credentials as the Jiffy Intake CLI. Set the JIFFY_API_KEY env var or drop a file at ~/.jiffy/config.json:

export JIFFY_API_KEY=jtp_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
export JIFFY_API_URL=https://jiffylabs.app   # optional (default)

Wire into Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json on macOS (%APPDATA%\Claude\claude_desktop_config.json on Windows):

{
  "mcpServers": {
    "jiffy-chat": {
      "command": "jiffy-chat",
      "env": {
        "JIFFY_API_KEY": "jtp_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      }
    }
  }
}

Restart Claude Desktop. The three jiffy_* tools appear in the tool picker.

Wire into Cursor

Cursor uses the same MCP shape. Edit ~/.cursor/mcp.json:

{
  "mcpServers": {
    "jiffy-chat": { "command": "jiffy-chat" }
  }
}

Wire into Claude Code

{
  "mcpServers": {
    "jiffy-chat": {
      "command": "jiffy-chat",
      "env": { "JIFFY_API_KEY": "jtp_live_..." }
    }
  }
}

Tools exposed

jiffy_query — natural-language question, returns a templated answer + citations.

jiffy_query({
  question: "what are my riskiest artifacts in the last 24 hours",
  time_range: "24h",       // optional: "24h" | "7d" | "30d" | "all"
  tier_filter: "critical"  // optional: "all" | "trusted" | "caution" | "risky" | "critical"
})

jiffy_recommend — given an inventory item, approval, or critical-issue UUID, proposes next actions (approve / quarantine / escalate / remediate) with a deep link into the Jiffy UI. Read-only.

jiffy_recommend({ finding_id: "inv_abc123" })

jiffy_next_step — open-ended “now what?”. Maps your current UI context (page, artifact id) to the most likely next admin action.

jiffy_next_step({ context: { page: "/inventory", artifact_id: "inv_abc" } })

Option 2 — Slack app (for everyone else)

The same intent router, reachable from any Slack channel or DM via the /jiffy slash command. Mentions (@Jiffy) and direct messages work too. Every answer is scoped to the Slack workspace via OAuth install — no API key to paste, no per-user credentials.

Install

  1. Sign in to your Jiffy org at jiffylabs.app/settings/integrations/slack.
  2. Click Install Jiffy to Slack → Allow.
  3. Jiffy stores an encrypted bot token scoped to your workspace. Install once per workspace; re-install anytime to rotate.

Try it

In any Slack channel or DM after install:

/jiffy help
/jiffy digest
/jiffy top risky artifacts in the last 24 hours
/jiffy how many pending approvals
/jiffy which publishers have the lowest trust score
/jiffy who installed exploit-crafter
/jiffy recent intake denies
/jiffy compliance coverage
/jiffy what changed in the last 7 days

Answers come back with clickable artifact names and a More block for references the prose didn’t mention by name.

Home tab

Click the Jiffy app icon in your Slack sidebar to see a branded Home tab with live stats (criticals, approvals, intake denies, drift) and one-click buttons into the Jiffy console. Refreshes every time you open the tab; nothing to configure.

@mentions & DMs

Invite @Jiffy to any channel (or DM the app directly), then ask a question — same intents, no slash command needed.

Uninstalling

Settings → Integrations → Slack → Uninstallremoves the encrypted bot token and revokes the app’s workspace access. You can reinstall at any time.

Supported intents

The engine routes questions to one of seventeen bounded intents plus a help-menu fallback. Unknown questions fall through to “here are the things I can answer”. Add more by proposing a PR or opening an issue with the query shape you want.

  • daily_digest — morning briefing (criticals + approvals + denies + drift)
  • live_sim_spend — API-spend on live simulations, 7d
  • recent_scans — what got scanned in the last 24h
  • clawdbot_installed — specific “is X deployed?” lookup
  • top_risky_artifacts_last_24h
  • critical_findings_open
  • pending_approvals_count
  • endpoints_with_drift
  • publishers_with_lowest_score
  • who_installed_artifact
  • find_artifact_by_name
  • what_changed_last_7d
  • compliance_coverage_by_framework
  • recent_vet_denies
  • agents_by_tier
  • artifacts_missing_attestation
  • runtime_invocation_rate

Scope & limits

  • Every query runs as a hand-written Supabase filter. No user-text-to-SQL, no prompt injection path into your database.
  • jiffy_recommend and jiffy_execute default to dry-run. Opt in per call with dry_run: false once you trust the action.
  • Rate-limited to 20 req/min per API key (MCP) and 10 req/min per Slack workspace (publish-home).
  • Every request is audit-logged as chat.query, chat.recommend, or slack.home.published.