gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-12 19:09:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(mcp): 11 audit-fix MCP tools — approvals, break-glass, bootstrap, audit-category (MED-13)

Browse Source 
Audit 2026-05-10 MED-13 closure.

WHAT.

11 new MCP tools rounding out the operator surface for workflows
that previously had GUI + CLI coverage but no MCP equivalent:

Approval workflow (4):
  certctl_approval_list      GET    /v1/approvals                  approval.read
  certctl_approval_get       GET    /v1/approvals/{id}             approval.read
  certctl_approval_approve   POST   /v1/approvals/{id}/approve     approval.approve
  certctl_approval_reject    POST   /v1/approvals/{id}/reject      approval.reject

Break-glass credential admin (4):
  certctl_breakglass_list           GET    /v1/auth/breakglass/credentials
  certctl_breakglass_set_password   POST   /v1/auth/breakglass/credentials
  certctl_breakglass_unlock         POST   /v1/auth/breakglass/credentials/{actor_id}/unlock
  certctl_breakglass_remove         DELETE /v1/auth/breakglass/credentials/{actor_id}
  All gated auth.breakglass.admin; surface invisible (404 not 403)
  when CERTCTL_BREAKGLASS_ENABLED=false.

Bootstrap (2):
  certctl_bootstrap_status     GET   /v1/auth/bootstrap   (auth-exempt; safe probe)
  certctl_bootstrap_consume    POST  /v1/auth/bootstrap   (auth-exempt; one-shot mint)

Audit category filter (1):
  certctl_audit_list_with_category   GET   /v1/audit?category=<cat>   audit.read

WHY.

certctl_bootstrap_consume is the load-bearing day-0 primitive: a
fresh server with no admin actors lets the holder of CERTCTL_BOOTSTRAP_TOKEN
mint a fresh admin API key. Exposing it via MCP without a security
gate would let a downstream caller mint admin from any chat
transcript / log surface that captured the bootstrap token. The
tool description carries an explicit cautious-wording comment:

  CAUTION: NEVER WIRE THIS TO AUTONOMOUS OPERATION. A leaked
  bootstrap token from any log, telemetry, or chat-transcript
  surface lets a downstream caller mint a fresh admin API key
  bypassing every other access-control gate. Run this manually,
  exactly once, from a trusted shell.

Similarly certctl_breakglass_set_password's description flags
that the password crosses the MCP transport in plaintext; the
server-side handler hashes with Argon2id before persisting + the
audit row redacts, but client-side logging must NEVER capture the
payload.

HOW.

internal/mcp/tools_audit_fix.go (NEW):
  registerAuditFixTools(s, c) — declares the 11 tools via
  gomcp.AddTool. Each tool routes through the existing Client.Get/
  Post/Delete helpers; the server-side rbacGate wrappers (or
  auth-exempt allowlist, for bootstrap) handle authorization.

internal/mcp/types.go:
  Adds 5 input structs:
    ApprovalIDInput              (get/approve/reject)
    BreakglassActorIDInput       (unlock/remove)
    BreakglassSetPasswordInput   (set_password — flagged plaintext)
    BootstrapConsumeInput        (token + key_name; cautious comment)
    AuditListWithCategoryInput   (category + optional limit/since/until/actor_id)
  Each tagged with jsonschema descriptions for LLM tool discovery.

internal/mcp/tools.go:
  RegisterTools now calls registerAuditFixTools after the existing
  Bundle 2 Phase 9 registrar.

internal/mcp/tools_per_tool_test.go:
  allHappyPathCases extended with 11 new entries. The existing
  TestMCP_AllTools_HappyPath dispatches each tool via the in-memory
  MCP transport against a 2xx mock backend and asserts the
  wrapper-layer fence wraps the response; TestMCP_AllTools_ErrorPath
  dispatches against a 5xx mock and asserts MCP_ERROR fence.
  TestMCP_RegisterTools_DispatchableToolCount confirms every new
  tool is dispatchable by name.

VERIFY.

- go vet ./internal/mcp/...                                       PASS
- go test -short -count=1
  -run 'TestMCP_AllTools_HappyPath|TestMCP_AllTools_ErrorPath|
        TestMCP_RegisterTools_DispatchableToolCount'
  ./internal/mcp/...                                              PASS
- go test -short -count=1 ./internal/mcp/...                      PASS (0.3s)

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-13
      cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 4
This commit is contained in:
shankar0123
2026-05-10 23:37:06 +00:00
parent 532cae249d
commit ca31232ad2
5 changed files with 300 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/mcp/tools.go
+7
View File
@@ -51,6 +51,13 @@ func RegisterTools(s *gomcp.Server, client *Client) {
// existing HTTP client; permission gates fire server-side via the
// Phase-5 rbacGate wrappers. See internal/mcp/tools_auth_bundle2.go.
registerAuthBundle2Tools(s, client)
// Audit 2026-05-10 MED-13 — 11 tools rounding out the operator
// surface: approvals (4) + break-glass admin (4) + bootstrap
// status/consume (2) + audit category filter (1). See
// internal/mcp/tools_audit_fix.go for the per-tool wiring + the
// security comment on certctl_bootstrap_consume (never wire to
// autonomous operation; one-shot token-minting primitive).
registerAuditFixTools(s, client)
// Phase G P1-33 (POST /api/v1/agents/{id}/discoveries) is
// intentionally NOT exposed via MCP — it is a machine-to-machine
// channel for agents to push filesystem-scan reports, not an