@haimkastner/workforce-ai-mcp 1.0.0-rc.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Check Point Software Technologies Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,135 @@
+# Check Point - Workforce AI MCP Server
+
+[![License](https://img.shields.io/github/license/CheckPointSW/workforce-ai-mcp.svg?style=plastic)](https://github.com/CheckPointSW/workforce-ai-mcp/blob/release/LICENSE) [![npm version](https://img.shields.io/npm/v/@haimkastner/workforce-ai-mcp.svg?style=plastic)](https://www.npmjs.com/package/@haimkastner/workforce-ai-mcp)
+
+<!-- TODO: Remove this disclaimer before GA release -->
+> **Pre-release disclaimer:** This package is currently in release candidate (RC) stage and is intended for testing and evaluation purposes only. APIs and tool definitions may change before the stable release. Do not use in production environments.
+
+An [MCP (Model Context Protocol)](https://modelcontextprotocol.io/) server that exposes Check Point Workforce AI capabilities as LLM tools — enabling AI assistants to query, analyze, and manage AI & Browse security policies, assets, and applications through natural language.
+
+## Getting started
+
+### Obtaining API credentials
+
+1. Go to the [Infinity Portal API Keys page](https://portal.checkpoint.com/dashboard/settings/api-keys).
+2. Click **New** > **New Account API Key**.
+3. In the **Service** dropdown select **Workforce AI Security** (and for Browse, **Browse Security**) and create the key.
+4. Copy the **Client ID**, **Secret Key**, and **Authentication URL** (gateway).
+
+For more information, see [Infinity Portal Administration Guide](https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Infinity-Portal-Admin-Guide/Content/Topics-Infinity-Portal/API-Keys.htm?tocpath=Global%20Settings%7C_____7#API_Keys).
+
+### Available gateways
+
+| Region | Gateway URL |
+|---|---|
+| Europe | `https://cloudinfra-gw.portal.checkpoint.com` |
+| United States | `https://cloudinfra-gw-us.portal.checkpoint.com` |
+
+### Environment variables
+
+| Variable | Required | Description |
+|---|---|---|
+| `CP_CI_CLIENT_ID` | Yes | CloudInfra API key client ID |
+| `CP_CI_ACCESS_KEY` | Yes | CloudInfra API key secret |
+| `CP_CI_GATEWAY` | Yes | CloudInfra gateway URL |
+| `MCP_MODE` | Yes | Transport mode: `stdio` or `http` |
+| `PORT` | When `http` | HTTP server port |
+| `WRITE_MODE` | No | Set to `true` to enable write tools (default: `false`). <br/>**Warning:** enabling write mode allows the LLM to create, modify, and delete security policy rules. Use with caution. |
+
+### Running with stdio transport
+
+Use stdio mode when connecting directly from an MCP client such as Claude Desktop, VS Code, or Cursor:
+
+```bash
+CP_CI_CLIENT_ID="your-client-id" \
+CP_CI_ACCESS_KEY="your-access-key" \
+CP_CI_GATEWAY="https://cloudinfra-gw-us.portal.checkpoint.com" \
+MCP_MODE=stdio \
+npx @haimkastner/workforce-ai-mcp
+```
+
+#### Claude Desktop configuration
+
+Add to your `claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "workforce-ai": {
+      "command": "npx",
+      "args": ["@haimkastner/workforce-ai-mcp"],
+      "env": {
+        "CP_CI_CLIENT_ID": "your-client-id",
+        "CP_CI_ACCESS_KEY": "your-access-key",
+        "CP_CI_GATEWAY": "https://cloudinfra-gw-us.portal.checkpoint.com",
+        "MCP_MODE": "stdio"
+      }
+    }
+  }
+}
+```
+
+### Running with HTTP transport
+
+Use HTTP mode when running the server as a standalone service:
+
+```bash
+CP_CI_CLIENT_ID="your-client-id" \
+CP_CI_ACCESS_KEY="your-access-key" \
+CP_CI_GATEWAY="https://cloudinfra-gw-us.portal.checkpoint.com" \
+MCP_MODE=http \
+PORT=3000 \
+npx @haimkastner/workforce-ai-mcp
+```
+
+The server exposes:
+- `POST /mcp` — MCP StreamableHTTP endpoint
+- `GET /health` — Health check
+
+## Capabilities
+
+### Read mode (default)
+
+By default, the server starts in **read-only mode**, exposing tools for querying and analyzing policies without making any changes. This is safe for exploration and auditing.
+
+#### Policy inspection
+- **List rulebases** — View all rules for Chats (GenAI DLP), AI Access, Web Access, Agents, Secure Browsing, and DLP policies
+- **Analyze shadow rules** — Detect rules that are shadowed (never matched) by higher-priority rules
+- **Simulate policy matching** — Given a user and target, resolve which rule in the rulebase would apply
+
+#### Assets and users
+- **Search assets** — Find managed assets by name or attributes
+- **Count assets** — Get asset counts with optional filters
+- **Search users** — Look up users and groups in the organization
+
+#### Applications and data types
+- **Search apps** — Search the GenAI application catalog by name, description, or URL
+- **Get apps by ID** — Retrieve application details by their IDs
+- **List DLP data types** — Browse predefined and custom DLP data types
+- **Get tenant DLP data types** — View data types configured for the tenant
+
+#### Policy objects
+- **List domain objects** — View domain-based policy objects
+- **List file protection objects** — View file protection configurations
+
+### Write mode
+
+To enable write operations, set `WRITE_MODE=true`. This unlocks tools that modify the policy configuration:
+
+#### Rule management
+- **Create rules** — Create new Chats, AI Access, Agents, DLP, and Secure Browsing rules with full policy configuration including actions, services, data types, and user/group assignments
+- **Edit rules** — Update rule name, description, and other properties
+- **Activate / deactivate rules** — Toggle rules on or off
+- **Reorder rules** — Change rule priority in the rulebase
+- **Delete rules** — Permanently remove rules from the rulebase
+
+## Available tools
+
+For a full list of all available tools with descriptions and access modes, see [TOOLS.md](TOOLS.md).
+
+## Report Bug
+
+In case of an issue or a bug found in the MCP server, please open an [issue](https://github.com/CheckPointSW/workforce-ai-mcp/issues).
+
+## Contributors
+- Haim Kastner - [haimk@checkpoint.com](mailto:haimk@checkpoint.com)

package/dist/core/consts.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Server configuration constants
+ */
+export declare const SERVER_NAME = "workforce-ai";
+export declare const SERVER_VERSION = "1.0.0";
+/** Grace period (seconds) before token expiry to trigger refresh */
+export declare const KEEP_ALIVE_GRACE_SECONDS = 30;
+/** Auth endpoint path on CloudInfra gateway */
+export declare const CI_AUTH_PATH = "/auth/external";

package/dist/core/consts.js

@@ -0,0 +1,9 @@
+/**
+ * Server configuration constants
+ */
+export const SERVER_NAME = 'workforce-ai';
+export const SERVER_VERSION = '1.0.0';
+/** Grace period (seconds) before token expiry to trigger refresh */
+export const KEEP_ALIVE_GRACE_SECONDS = 30;
+/** Auth endpoint path on CloudInfra gateway */
+export const CI_AUTH_PATH = '/auth/external';

package/dist/core/session.d.ts

@@ -0,0 +1,29 @@
+/**
+ * CloudInfra JWT session management.
+ *
+ * Handles login via /auth/external, token storage, and automatic refresh
+ * before expiry.
+ */
+export declare class SessionManager {
+    private jwtToken;
+    private tokenExpiresIn;
+    private refreshTimer;
+    private gateway;
+    private clientId;
+    private accessKey;
+    /**
+     * The gateway base URL (protocol + host only).
+     * API calls are proxied through this gateway.
+     */
+    get baseUrl(): string;
+    /** Current JWT token. */
+    get authToken(): string;
+    /** Connect and obtain initial JWT token. */
+    connect(gateway: string, clientId: string, accessKey: string): Promise<void>;
+    /** Disconnect and clear token. */
+    disconnect(): void;
+    private performLogin;
+    private scheduleRefresh;
+}
+/** Shared singleton session manager instance */
+export declare const sessionManager: SessionManager;

package/dist/core/session.js

@@ -0,0 +1,85 @@
+/**
+ * CloudInfra JWT session management.
+ *
+ * Handles login via /auth/external, token storage, and automatic refresh
+ * before expiry.
+ */
+import { CI_AUTH_PATH, KEEP_ALIVE_GRACE_SECONDS } from './consts.js';
+export class SessionManager {
+    jwtToken = '';
+    tokenExpiresIn = 0;
+    refreshTimer;
+    gateway = '';
+    clientId = '';
+    accessKey = '';
+    /**
+     * The gateway base URL (protocol + host only).
+     * API calls are proxied through this gateway.
+     */
+    get baseUrl() {
+        return this.gateway;
+    }
+    /** Current JWT token. */
+    get authToken() {
+        if (!this.jwtToken) {
+            throw new Error('JWT token is not set. Please connect first.');
+        }
+        return this.jwtToken;
+    }
+    /** Connect and obtain initial JWT token. */
+    async connect(gateway, clientId, accessKey) {
+        // Normalize gateway to protocol + host only
+        try {
+            const url = new URL(gateway);
+            this.gateway = url.origin;
+        }
+        catch {
+            this.gateway = gateway;
+        }
+        this.clientId = clientId;
+        this.accessKey = accessKey;
+        await this.performLogin();
+        this.scheduleRefresh();
+        console.error(`[auth] Connected to ${this.gateway}, token expires in ${this.tokenExpiresIn}s`);
+    }
+    /** Disconnect and clear token. */
+    disconnect() {
+        this.jwtToken = '';
+        this.tokenExpiresIn = 0;
+        if (this.refreshTimer) {
+            clearTimeout(this.refreshTimer);
+            this.refreshTimer = undefined;
+        }
+        console.error('[auth] Disconnected');
+    }
+    async performLogin() {
+        const authUrl = `${this.gateway}${CI_AUTH_PATH}`;
+        const response = await fetch(authUrl, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ clientId: this.clientId, accessKey: this.accessKey }),
+        });
+        const body = (await response.json());
+        if (!response.ok || !body.success) {
+            throw new Error(`CI login failed (${response.status}): ${JSON.stringify(body)}`);
+        }
+        this.jwtToken = body.data.token;
+        this.tokenExpiresIn = body.data.expiresIn ?? 1800;
+    }
+    scheduleRefresh() {
+        const delaySeconds = Math.max(this.tokenExpiresIn - KEEP_ALIVE_GRACE_SECONDS, 1);
+        this.refreshTimer = setTimeout(async () => {
+            try {
+                console.error('[auth] Refreshing token...');
+                await this.performLogin();
+                this.scheduleRefresh();
+                console.error(`[auth] Token refreshed, expires in ${this.tokenExpiresIn}s`);
+            }
+            catch (err) {
+                console.error(`[auth] Token refresh failed: ${err}`);
+            }
+        }, delaySeconds * 1000);
+    }
+}
+/** Shared singleton session manager instance */
+export const sessionManager = new SessionManager();

package/dist/core/streamable-http.d.ts

@@ -0,0 +1,9 @@
+/**
+ * StreamableHTTP server setup for HTTP-based MCP communication using Hono
+ */
+import { Hono } from 'hono';
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+/**
+ * Sets up a web server for the MCP server using StreamableHTTP transport
+ */
+export declare function setupStreamableHttpServer(server: Server, port?: number): Promise<Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">>;

package/dist/core/streamable-http.js

@@ -0,0 +1,107 @@
+/**
+ * StreamableHTTP server setup for HTTP-based MCP communication using Hono
+ */
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import { serve } from '@hono/node-server';
+import { v4 as uuid } from 'uuid';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { InitializeRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import { toReqRes, toFetchResponse } from 'fetch-to-node';
+import { SERVER_NAME, SERVER_VERSION } from './consts.js';
+const SESSION_ID_HEADER_NAME = 'mcp-session-id';
+const JSON_RPC = '2.0';
+class MCPStreamableHttpServer {
+    server;
+    transports = {};
+    constructor(server) {
+        this.server = server;
+    }
+    async handleGetRequest(c) {
+        console.error('GET request received - StreamableHTTP transport only supports POST');
+        return c.text('Method Not Allowed', 405, { Allow: 'POST' });
+    }
+    async handlePostRequest(c) {
+        const sessionId = c.req.header(SESSION_ID_HEADER_NAME);
+        console.error(`POST request received ${sessionId ? 'with session ID: ' + sessionId : 'without session ID'}`);
+        try {
+            const body = await c.req.json();
+            const { req, res } = toReqRes(c.req.raw);
+            // Reuse existing transport if we have a session ID
+            if (sessionId && this.transports[sessionId]) {
+                const transport = this.transports[sessionId];
+                await transport.handleRequest(req, res, body);
+                res.on('close', () => {
+                    console.error(`Request closed for session ${sessionId}`);
+                });
+                return toFetchResponse(res);
+            }
+            // Create new transport for initialize requests
+            if (!sessionId && this.isInitializeRequest(body)) {
+                console.error('Creating new StreamableHTTP transport for initialize request');
+                const transport = new StreamableHTTPServerTransport({
+                    sessionIdGenerator: () => uuid(),
+                });
+                transport.onerror = (err) => {
+                    console.error('StreamableHTTP transport error:', err);
+                };
+                await this.server.connect(transport);
+                await transport.handleRequest(req, res, body);
+                const newSessionId = transport.sessionId;
+                if (newSessionId) {
+                    console.error(`New session established: ${newSessionId}`);
+                    this.transports[newSessionId] = transport;
+                    transport.onclose = () => {
+                        console.error(`Session closed: ${newSessionId}`);
+                        delete this.transports[newSessionId];
+                    };
+                }
+                res.on('close', () => {
+                    console.error(`Request closed for new session`);
+                });
+                return toFetchResponse(res);
+            }
+            return c.json(this.createErrorResponse('Bad Request: invalid session ID or method.'), 400);
+        }
+        catch (error) {
+            console.error('Error handling MCP request:', error);
+            return c.json(this.createErrorResponse('Internal server error.'), 500);
+        }
+    }
+    createErrorResponse(message) {
+        return {
+            jsonrpc: JSON_RPC,
+            error: { code: -32000, message },
+            id: uuid(),
+        };
+    }
+    isInitializeRequest(body) {
+        const isInitial = (data) => InitializeRequestSchema.safeParse(data).success;
+        if (Array.isArray(body)) {
+            return body.some((request) => isInitial(request));
+        }
+        return isInitial(body);
+    }
+}
+/**
+ * Sets up a web server for the MCP server using StreamableHTTP transport
+ */
+export async function setupStreamableHttpServer(server, port = 9096) {
+    const app = new Hono();
+    app.use('*', cors());
+    const mcpHandler = new MCPStreamableHttpServer(server);
+    app.get('/health', (c) => {
+        return c.json({ status: 'OK', server: SERVER_NAME, version: SERVER_VERSION });
+    });
+    app.get('/mcp', (c) => mcpHandler.handleGetRequest(c));
+    app.post('/mcp', (c) => mcpHandler.handlePostRequest(c));
+    app.get('/*', async (c) => {
+        return c.text('Not Found', 404);
+    });
+    serve({ fetch: app.fetch, port }, (info) => {
+        console.error(`MCP StreamableHTTP Server running at http://localhost:${info.port}`);
+        console.error(`- MCP Endpoint: http://localhost:${info.port}/mcp`);
+        console.error(`- Health Check: http://localhost:${info.port}/health`);
+    });
+    return app;
+}

package/dist/core/utils.d.ts

@@ -0,0 +1,5 @@
+import { AxiosError } from 'axios';
+/**
+ * Formats API errors for better readability
+ */
+export declare function formatApiError(error: AxiosError): string;

package/dist/core/utils.js

@@ -0,0 +1,35 @@
+/**
+ * Formats API errors for better readability
+ */
+export function formatApiError(error) {
+    let message = 'API request failed.';
+    if (error.response) {
+        message = `API Error: Status ${error.response.status} (${error.response.statusText || 'Status text not available'}). `;
+        const responseData = error.response.data;
+        const MAX_LEN = 500;
+        if (typeof responseData === 'string') {
+            message += `Response: ${responseData.substring(0, MAX_LEN)}${responseData.length > MAX_LEN ? '...' : ''}`;
+        }
+        else if (responseData) {
+            try {
+                const jsonString = JSON.stringify(responseData);
+                message += `Response: ${jsonString.substring(0, MAX_LEN)}${jsonString.length > MAX_LEN ? '...' : ''}`;
+            }
+            catch {
+                message += 'Response: [Could not serialize data]';
+            }
+        }
+        else {
+            message += 'No response body received.';
+        }
+    }
+    else if (error.request) {
+        message = 'API Network Error: No response received from server.';
+        if (error.code)
+            message += ` (Code: ${error.code})`;
+    }
+    else {
+        message += `API Request Setup Error: ${error.message}`;
+    }
+    return message;
+}

package/dist/executer/executer.d.ts

@@ -0,0 +1,19 @@
+import { CallToolResult } from '@modelcontextprotocol/sdk/types.js';
+import { AxiosRequestConfig, AxiosResponse } from 'axios';
+import { JsonObject, McpToolDefinition } from '../types/types.js';
+/**
+ * Executes an API tool with the provided arguments
+ */
+export declare function executeTool(toolName: string, definition: McpToolDefinition, toolArgs: JsonObject): Promise<CallToolResult>;
+/**
+ * Builds an Axios request configuration from a tool definition and arguments
+ */
+export declare function buildRequest(definition: McpToolDefinition, toolArgs: JsonObject): AxiosRequestConfig;
+/**
+ * Builds a tool result from an API response
+ */
+export declare function buildResult(response: AxiosResponse): CallToolResult;
+/**
+ * Builds an error result from an exception
+ */
+export declare function buildErrorResult(error: unknown): CallToolResult;

package/dist/executer/executer.js

@@ -0,0 +1,104 @@
+import axios from 'axios';
+import { validateLLMArgs } from './validator.js';
+import { formatApiError } from '../core/utils.js';
+import { sessionManager } from '../core/session.js';
+/**
+ * Executes an API tool with the provided arguments
+ */
+export async function executeTool(toolName, definition, toolArgs) {
+    try {
+        const validatedArgs = await validateLLMArgs(toolName, definition, toolArgs);
+        const request = buildRequest(definition, validatedArgs);
+        const response = await axios(request);
+        return buildResult(response);
+    }
+    catch (error) {
+        const result = buildErrorResult(error);
+        const errMessage = result.content[0].text || 'Unknown error';
+        console.error(`Error during execution of tool '${toolName}':`, errMessage);
+        return result;
+    }
+}
+/**
+ * Builds an Axios request configuration from a tool definition and arguments
+ */
+export function buildRequest(definition, toolArgs) {
+    let urlPath = definition.pathTemplate;
+    const queryParams = {};
+    const headers = { Accept: 'application/json' };
+    let requestBodyData = undefined;
+    // Apply parameters to URL path, query, or headers
+    definition.executionParameters.forEach((param) => {
+        const value = toolArgs[param.name];
+        if (typeof value !== 'undefined' && value !== null) {
+            if (param.in === 'path') {
+                urlPath = urlPath.replace(`{${param.name}}`, encodeURIComponent(String(value)));
+            }
+            else if (param.in === 'query') {
+                queryParams[param.name] = value;
+            }
+            else if (param.in === 'header') {
+                headers[param.name.toLowerCase()] = String(value);
+            }
+        }
+    });
+    // Ensure all path parameters are resolved
+    if (urlPath.includes('{')) {
+        throw new Error(`Failed to resolve path parameters: ${urlPath}`);
+    }
+    // Handle request body
+    if (definition.requestBodyContentType && typeof toolArgs['requestBody'] !== 'undefined') {
+        requestBodyData = toolArgs['requestBody'];
+        headers['content-type'] = definition.requestBodyContentType;
+    }
+    const requestUrl = `${sessionManager.baseUrl}${urlPath}`;
+    headers['Authorization'] = `Bearer ${sessionManager.authToken}`;
+    return {
+        method: definition.method.toUpperCase(),
+        url: requestUrl,
+        params: queryParams,
+        headers,
+        ...(requestBodyData !== undefined && { data: requestBodyData }),
+    };
+}
+/**
+ * Builds a tool result from an API response
+ */
+export function buildResult(response) {
+    let responseText = '';
+    if (!response.data) {
+        responseText = `(Status: ${response.status} - No body content)`;
+    }
+    else {
+        try {
+            responseText = JSON.stringify(response.data, null, 2);
+        }
+        catch {
+            responseText = '[Stringify Error]';
+        }
+    }
+    return {
+        content: [
+            {
+                type: 'text',
+                text: `API Response (Status: ${response.status}):\n${responseText}`,
+            },
+        ],
+    };
+}
+/**
+ * Builds an error result from an exception
+ */
+export function buildErrorResult(error) {
+    let errorMessage;
+    if (axios.isAxiosError(error)) {
+        errorMessage = formatApiError(error);
+    }
+    else if (error instanceof Error) {
+        errorMessage = error.message;
+    }
+    else {
+        errorMessage = 'Unexpected error: ' + String(error);
+    }
+    return { content: [{ type: 'text', text: errorMessage }] };
+}

package/dist/executer/validator.d.ts

@@ -0,0 +1,5 @@
+import { JsonObject, McpToolDefinition } from '../types/types.js';
+/**
+ * Validates arguments provided to a tool against its Zod schema
+ */
+export declare function validateLLMArgs(toolName: string, definition: McpToolDefinition, toolArgs: JsonObject): Promise<JsonObject>;

package/dist/executer/validator.js

@@ -0,0 +1,19 @@
+import { ZodError } from 'zod';
+/**
+ * Validates arguments provided to a tool against its Zod schema
+ */
+export async function validateLLMArgs(toolName, definition, toolArgs) {
+    try {
+        const zodSchema = definition.zodValidationSchema;
+        const argsToParse = typeof toolArgs === 'object' && toolArgs !== null ? toolArgs : {};
+        return zodSchema.parse(argsToParse);
+    }
+    catch (error) {
+        if (error instanceof ZodError) {
+            const validationErrorMessage = `Invalid arguments for tool '${toolName}': ${error.errors.map((e) => `${e.path.join('.')} (${e.code}): ${e.message}`).join(', ')}`;
+            throw new Error(validationErrorMessage);
+        }
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        throw new Error(`Internal error during validation setup: ${errorMessage}`);
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+#!/usr/bin/env node
+/**
+ * Workforce AI MCP Server
+ *
+ * MCP server that exposes Check Point Workforce AI tools for LLM consumption.
+ * Supports both stdio and HTTP (StreamableHTTP) transport modes.
+ *
+ * Environment variables:
+ *   CP_CI_CLIENT_ID     - CloudInfra API key client ID (required)
+ *   CP_CI_ACCESS_KEY    - CloudInfra API key secret (required)
+ *   CP_CI_GATEWAY       - CloudInfra gateway URL (required)
+ *   WRITE_MODE - Enable write tools (default: false)
+ *   MCP_MODE            - Transport mode: "stdio" or "http" (required)
+ *   PORT                - HTTP port (required when MCP_MODE=http)
+ */
+export {};