mcp(coverage): add 34 tools across 7 domains to close 2026-05-05 parity audit P1 findings

Closes findings P1-1..P1-35 from the 2026-05-05 CLI/API/MCP↔GUI parity audit (cowork/cli-gui-parity-audit-2026-05-05/RESULTS.md). Before this bundle, 35 operator-facing API endpoints had GUI surfaces but no MCP counterpart — operators using AI assistants for cert lifecycle work in regulated environments had to drop to curl for approve/reject, health-check acknowledgement, renewal-policy CRUD, network-scan triggering, discovery triage, intermediate-CA management, and job verification. Tool count: 87→121 in tools.go (+34), 6 unchanged in tools_est.go. Re-derive via grep -cE 'gomcp\\.AddTool\\(' internal/mcp/tools.go internal/mcp/tools_est.go. The 7 phases (matching the bundle prompt at cowork/mcp-coverage-expansion-prompt.md): Phase A — Approvals (P1-28..P1-31, 4 tools) list_approvals, get_approval, approve_request, reject_request. Two-person-integrity contract (ErrApproveBySameActor → HTTP 403) is preserved automatically: the decided_by actor is derived server-side from middleware.UserKey, NOT from request body, so the MCP server's authenticated API-key identity becomes the audit-trail actor. The MCP input schema deliberately omits any actor_id field to prevent client-side spoofing. Phase B — Health Checks (P1-20..P1-27, 8 tools) list, summary, get, create, update, delete, history, acknowledge. Mirrors the existing target-resource shape; acknowledge takes optional 'actor' string captured in the audit row (handler defaults to 'unknown' if absent). Phase C — Renewal Policies (P1-1..P1-5, 5 tools) Standard CRUD against /api/v1/renewal-policies. Distinct from the legacy 'policy' tools that point at the same path — these expose the renewal-policy domain explicitly with full alert_channels + alert_severity_map field shape. Phase D — Network Scan Targets (P1-14..P1-19, 6 tools) CRUD + trigger_scan. trigger_network_scan returns the discovery- scan body so the AI can chain into list_discovered_certificates filtered by agent_id. Phase E — Discovery read-side (P1-10..P1-13, 4 tools) list_discovered_certificates, get_discovered_certificate, list_discovery_scans, discovery_summary. Complements the pre-existing claim/dismiss tools (registered alongside Health historically per the I-2 closure). Phase F — Intermediate CAs (P1-6..P1-9, 4 tools) list, create (root + child via discriminator on body shape), get, retire. The handler is admin-gated via middleware.IsAdmin; the least-privilege boundary is enforced at the API layer (HTTP 403 for non-admin Bearer callers) — not by transport carve-out. Phase G — Verification + deployments (P1-32, P1-34, P1-35, 3 tools) list_certificate_deployments, verify_job, get_job_verification. P1-33 (POST /api/v1/agents/{id}/discoveries) is intentionally excluded — machine-to-machine push channel for agents reporting filesystem-scan results, not an operator-driven flow. Documented inline in the RegisterTools dispatch. Implementation: - 14 new input types in internal/mcp/types.go with jsonschema struct tags driving LLM tool discovery. - 7 register* functions in internal/mcp/tools.go each handling one phase, wired into RegisterTools dispatch in declaration order. - 34 new entries in tools_per_tool_test.go::allHappyPathCases — the existing in-process MCP harness (TestMCP_AllTools_HappyPath + TestMCP_AllTools_ErrorPath + TestMCP_RegisterTools_DispatchableToolCount) auto-extends coverage to cover every new tool: happy-path round- trip with fence-shape assertion, 5xx error-path with MCP_ERROR fence propagation, and 'every registered tool is dispatchable' guard. - docs/reference/mcp.md 'Available Tools' table expanded from 16 to 22 resource domains with current per-domain tool counts. Acceptance gate (verified): - go build ./cmd/server/... ./cmd/agent/... ./cmd/cli/... ./cmd/mcp-server/... clean across all four production binaries. - go vet ./... clean. - go test -short -count=1 ./internal/mcp/... pass (TestMCP_AllTools_* expanded to 127 tool round-trips). - go test -short -count=1 ./... pass repo-wide. - bash scripts/ci-guards/openapi-handler-parity.sh clean (router 178, OpenAPI 144, exceptions 36 — unchanged; we add MCP wrappers, not routes). - gofmt -l clean across the four touched files.
2026-06-07 12:21:31 +00:00 · 2026-05-05 19:29:57 +00:00
parent e0aaa967c9
commit ff75361553
4 changed files with 824 additions and 7 deletions
@@ -66,26 +66,35 @@ After saving, restart your MCP client. You should see "certctl" appear in its to

 ## Available Tools

-The MCP server exposes the full REST API organized across 16 resource domains:
+The MCP server exposes the full REST API organized across 22 resource domains. Re-derive the live count via `grep -cE 'gomcp\.AddTool\(' internal/mcp/tools.go internal/mcp/tools_est.go` (the per-domain numbers below decay between releases — treat them as approximate at point of writing):

 | Domain | Tools | Examples |
 |--------|-------|---------|
-| Certificates | 9 | List, get, create, update, archive, versions, renew, deploy, revoke |
-| CRL & OCSP | 3 | Get JSON CRL, get DER CRL by issuer, check OCSP status |
+| Certificates | 14 | List, get, create, update, archive, versions, renew, deploy, revoke, bulk-revoke / -renew / -reassign, claim/dismiss discovered |
+| CRL & OCSP | 2 | Get DER CRL by issuer, check OCSP status |
 | Issuers | 6 | List, get, create, update, delete, test connection |
 | Targets | 5 | List, get, create, update, delete |
-| Agents | 8 | List, get, register, heartbeat, CSR submit, certificate pickup, get work, report job status |
-| Jobs | 5 | List, get, cancel, approve, reject |
+| Agents | 9 | List, list retired, get, register, retire, heartbeat, get work, submit CSR, report job status |
+| Jobs | 5 | List, get, approve, reject, cancel |
 | Policies | 6 | List, get, create, update, delete, list violations |
 | Profiles | 5 | List, get, create, update, delete |
 | Teams | 5 | List, get, create, update, delete |
 | Owners | 5 | List, get, create, update, delete |
 | Agent Groups | 6 | List, get, create, update, delete, list members |
 | Audit | 2 | List events (with filters), get event by ID |
-| Notifications | 3 | List, get, mark as read |
+| Notifications | 4 | List, get, mark as read, requeue dead-letter |
 | Stats | 5 | Summary, certs by status, expiration timeline, job trends, issuance rate |
 | Metrics | 1 | System metrics (gauges, counters, uptime) |
+| Digest | 2 | Preview digest, send digest |
 | Health | 4 | Health check, readiness probe, auth info, auth check |
+| Approvals | 4 | List, get, approve, reject (issuance approval workflow) |
+| Health Checks | 8 | List, summary, get, create, update, delete, history, acknowledge |
+| Renewal Policies | 5 | List, get, create, update, delete |
+| Network Scan Targets | 6 | List, get, create, update, delete, trigger scan |
+| Discovery | 4 | List discovered certs, get, list scans, summary |
+| Intermediate CAs | 4 | List, create, get, retire (admin-gated) |
+| Verification | 3 | List cert deployments, verify job, get job verification |
+| EST | 6 | List/admin profiles, get cacerts, csrattrs, simpleenroll, simplereenroll |

 Every tool has typed input parameters with `jsonschema` descriptions, so the AI knows exactly what arguments to provide and what each field means.

@@ -125,7 +134,7 @@ flowchart LR
    AI <-->|"stdio"| MCP
    MCP -->|"HTTP + Bearer token"| SERVER

-    MCP ~~~ TOOLS["REST API via MCP · 16 domains\nTyped input structs"]
+    MCP ~~~ TOOLS["REST API via MCP · 22 domains\nTyped input structs"]
 ```

 The MCP server is intentionally thin: