Inside the Engine: How 0nMCP Generates HIPAA Reports in 60 Seconds

Mike Mento · 4 min read

A HIPAA report has 63 findings, each with a citation, plain-English explanation, severity tag, and remediation block. Generating that with a single Claude prompt would burn 30,000 tokens and produce hallucinated rule sections. Here is how 0nMCP makes it work in 60 seconds with zero hallucinations.

The Three-Level Execution Pattern

0nMCP ships three execution shapes (patent pending #63/990,046):

  1. Pipeline — sequential steps, each step depends on the previous (linear)
  2. Assembly Line — parallel steps with dependencies (DAG)
  3. Radial Burst — one trigger fans out to N services simultaneously

HIPAA report generation uses all three:

[scanner] ─Pipeline─→ [orchestrator]
                             │
                 ┌───────────┴───────────┐        ← Radial Burst
                 ▼           ▼           ▼
            [find→cite] [find→fix]  [find→nprm]   ← parallel per-finding
                 │           │           │
                 └───────────┬───────────┘        ← Assembly Line merge
                             ▼
                      [report writer] → JSON-LD + HTML

Tool Registration Locks the Citations

The insight that solved hallucination: don't let the model invent rules. Every passive check is registered as a tool with the rule section hard-coded as part of its tool definition.

registerTool({
  name: 'check_hsts_max_age',
  description: 'Check that HSTS max-age >= 1 year',
  ruleSection: '164.312(e)(1)', // <-- pre-bound
  severity: 'high',
  observe: async (url) => { /* HTTP HEAD */ },
})

When a check fails, the orchestrator hands Claude a JSON object that already contains the cited rule. Claude's job is to translate that observation into a paragraph — not to look up which CFR section applies. This eliminates ~95% of citation drift.
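
The citation-locking idea above, sketched as an added example (not 0nMCP's code or API): `registerCheck`, `runCheck`, `hstsMaxAge` and `citationLocked` are hypothetical names, and the check takes already-fetched headers instead of making the HTTP HEAD request. It builds the finding object with the pre-bound rule section and rejects generated prose that cites any other section.

```javascript
// Added example: hypothetical mini-registry, not the 0nMCP API.
const registry = new Map();

function registerCheck(def) {
  // Freeze the definition so the citation cannot be changed after registration.
  registry.set(def.name, Object.freeze({ ...def }));
}

// Extract max-age (seconds) from a Strict-Transport-Security header value.
function hstsMaxAge(value) {
  if (typeof value !== 'string') return null;
  for (const part of value.split(';')) {
    const m = /^\s*max-age\s*=\s*"?(\d+)"?\s*$/i.exec(part);
    if (m) return Number(m[1]);
  }
  return null;
}

registerCheck({
  name: 'check_hsts_max_age',
  ruleSection: '164.312(e)(1)', // value taken from the page's tool definition
  severity: 'high',
  // Assumption: observe() receives already-fetched headers (lower-cased keys), so it runs offline.
  observe: (headers) => {
    const maxAge = hstsMaxAge(headers['strict-transport-security']);
    return { passed: maxAge !== null && maxAge >= 31536000, maxAge }; // 1 year in seconds
  },
});

// Build the object handed to the model; the citation comes from the registry only.
function runCheck(name, headers) {
  const def = registry.get(name);
  if (!def) throw new Error(`unknown check: ${name}`);
  const { passed, maxAge } = def.observe(headers);
  return { check: name, passed, ruleSection: def.ruleSection,
           severity: def.severity, evidence: { maxAge } };
}

// Accept model prose only if every CFR-style section it mentions is the pre-bound one.
function citationLocked(finding, modelText) {
  const cited = modelText.match(/\b\d{3}\.\d{3}(?:\([a-z0-9]+\))*/gi) || [];
  const bound = finding.ruleSection.toLowerCase();
  return cited.every((c) => c.toLowerCase() === bound);
}

// Constructed sample: HSTS is present but max-age is only 30 days.
const finding = runCheck('check_hsts_max_age',
  { 'strict-transport-security': 'max-age=2592000; includeSubDomains' });
```

A draft that fails `citationLocked` can be regenerated or swapped for a pre-written template instead of being shipped.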

Stack Detection → Code Routing

For Tier 2 reports ($399), every finding ships pasteable developer code. The fix for "missing HSTS" looks different on:

  • Apache — Header set Strict-Transport-Security
  • Nginx — add_header Strict-Transport-Security
  • Vercel — vercel.json headers block
  • Next.js — next.config.js headers function
  • WordPress — plugin or .htaccess
  • Cloudflare — Workers script or Page Rules

The orchestrator detects the stack from response headers (Server, X-Powered-By, X-Vercel-Id, etc.) and routes Claude to the right code template. Vendor-agnostic curl verification commands are the universal fallback.

Parallel Generation

63 findings × ~150 tokens each = a lot of latency if done sequentially. The Radial Burst pattern fans out to 12 parallel workers, each handling a slice of findings. Total wall-clock: 8-12 seconds for the AI generation, dominated by the slowest network call rather than total token throughput.

The 2026 Engine Hooks In

When the customer attaches their attestation form (the 2026 weighted scoring engine), it runs as a separate parallel branch:

const [granular, executive] = await Promise.all([
  generate63CheckReport(scanResult),
  score2026({ ...scanSignals, ...attestation }),
])

The granular report ships at $149-$899 tiers; the executive 5-domain weighted score is the headline number on the Tier 4 PDF.

Fallback Chains

Real world: APIs fail. The orchestrator runs three providers in fallback order:

  1. Primary: Claude Sonnet (paragraph generation, citation locking)
  2. Fallback: Groq Llama 3.3 70B (faster, used when Anthropic rate-limits)
  3. Heuristic: pre-written templates by check ID (if both AI providers are down)

Reports never fail to generate. Worst case the customer gets a heuristic report and a 24-hour rebake.

What Got Easier With 0nMCP

Writing this without 0nMCP would mean:

  • Hand-writing 63 prompt templates and managing their drift
  • Writing custom HTTP retry logic for each AI provider
  • Building a queue and worker fleet
  • Wiring Stripe, Resend, Supabase, and the scanner glue manually
  • Managing API keys per-environment, per-service

With 0nMCP:

  • Each check is a tool definition (~15 lines)
  • Provider failover is a catalog setting
  • Stripe + Resend + Supabase are catalog services (one config block in ~/.0n/connections/)
  • The 1,554-tool registry means anything we want to add later — Slack alerts when a paid report fails, GitHub issue when a new CFR section publishes — is one config block away

0nMCP is at npmjs.com/package/0nmcp. The HIPAA product runs at rocketopp.com/hipaa. Free scan first, paid report tiers from $149.

Mike Mento

Founder, RocketOpp LLC

Building 0nMCP — the universal AI orchestrator with 900+ tools across 55 services. Turning complex business operations into single commands.
