@purplesquirrel/ibmz-mcp-server 1.0.0

package/linkedin-post.md

@@ -0,0 +1,90 @@
+# LinkedIn Post - IBM Z MCP Server
+
+---
+
+## Post Option 1 (Technical Focus)
+
+**Just shipped: IBM Z MCP Server** 🔐
+
+I built an MCP server that brings IBM Z mainframe capabilities to Claude Code.
+
+The result? Claude can now manage HSM-backed encryption keys and call mainframe APIs directly.
+
+**Key Protect Integration:**
+• Create/manage encryption keys in FIPS 140-2 Level 3 HSMs
+• Envelope encryption for securing data at rest
+• Key rotation and lifecycle management
+
+**z/OS Connect Integration:**
+• REST APIs to CICS, IMS, and batch programs
+• OpenAPI spec discovery
+• Bridge modern AI agents to legacy systems
+
+This pairs with my watsonx MCP server for a complete IBM Cloud + AI integration:
+- Claude orchestrates complex tasks
+- watsonx.ai handles foundation model workloads
+- Key Protect secures sensitive data
+- z/OS Connect bridges to enterprise systems
+
+📖 Demo: https://purplesquirrelmedia.github.io/ibmz-mcp-server/
+💻 Source: https://github.com/PurpleSquirrelMedia/ibmz-mcp-server
+
+#IBM #IBMz #Mainframe #Claude #MCP #Anthropic #Security #EnterpriseAI
+
+---
+
+## Post Option 2 (Enterprise Value Focus)
+
+**Connecting AI Agents to Enterprise Mainframes** 🏢
+
+Just released an open-source integration that lets Claude Code interact with IBM Z infrastructure.
+
+Why this matters:
+→ 70% of Fortune 500 companies run mission-critical workloads on IBM Z
+→ AI agents need access to enterprise data and systems
+→ Security can't be compromised
+
+What I built:
+1. **Key Protect MCP Tools** - Claude can create and manage encryption keys stored in hardware security modules
+2. **z/OS Connect Tools** - Claude can discover and call mainframe APIs
+
+The security model:
+- Keys never leave the HSM
+- All operations are audited
+- Claude handles orchestration, not secrets
+
+Real use case: An AI agent analyzing financial data can request a wrapped DEK, decrypt locally, process, then discard - the root key stays in the HSM the entire time.
+
+Links:
+🔗 https://github.com/PurpleSquirrelMedia/ibmz-mcp-server
+📖 https://purplesquirrelmedia.github.io/ibmz-mcp-server/
+
+#EnterpriseAI #IBMz #Security #CloudSecurity #MCP
+
+---
+
+## Post Option 3 (Short & Punchy)
+
+Two new MCP servers for IBM Cloud:
+
+**watsonx-mcp-server**
+→ Claude delegates to Granite, Llama, Mistral models
+→ Two-agent AI architecture
+
+**ibmz-mcp-server**
+→ HSM-backed key management
+→ z/OS Connect mainframe APIs
+
+The stack:
+☁️ IBM Cloud free tier
+🔐 Key Protect HSM
+🤖 watsonx.ai foundation models
+🏢 z/OS Connect (optional)
+🧠 Claude Code orchestration
+
+All tested. All working. All open source.
+
+🔗 watsonx: https://github.com/PurpleSquirrelMedia/watsonx-mcp-server
+🔗 IBM Z: https://github.com/PurpleSquirrelMedia/ibmz-mcp-server
+
+#MCP #IBM #Claude #OpenSource

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@purplesquirrel/ibmz-mcp-server",
+  "version": "1.0.0",
+  "description": "MCP server for IBM Z mainframe integration - Key Protect HSM and z/OS Connect",
+  "main": "index.js",
+  "type": "module",
+  "scripts": {
+    "start": "node index.js"
+  },
+  "keywords": [
+    "mcp",
+    "ibm",
+    "ibm-z",
+    "mainframe",
+    "key-protect",
+    "hsm",
+    "zos-connect",
+    "claude",
+    "anthropic"
+  ],
+  "author": "Matthew Karsten",
+  "license": "MIT",
+  "dependencies": {
+    "@ibm-cloud/ibm-key-protect": "^0.4.1",
+    "@ibm-cloud/watsonx-ai": "^1.7.5",
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "ibm-cloud-sdk-core": "^5.1.0"
+  }
+}

package/test-keyprotect.js

@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+import IbmKeyProtectApiV2 from '@ibm-cloud/ibm-key-protect/ibm-key-protect-api/v2.js';
+import { IamAuthenticator } from 'ibm-cloud-sdk-core';
+import crypto from 'crypto';
+
+const client = new IbmKeyProtectApiV2({
+  authenticator: new IamAuthenticator({
+    apikey: process.env.IBM_CLOUD_API_KEY,
+  }),
+  serviceUrl: process.env.KEY_PROTECT_URL,
+});
+
+const instanceId = process.env.KEY_PROTECT_INSTANCE_ID;
+const rootKeyId = 'dcd74ed6-5e33-45db-a25c-38f668f2f664';
+
+// Generate a random data encryption key (DEK) - 32 bytes for AES-256
+const dek = crypto.randomBytes(32);
+const dekBase64 = dek.toString('base64');
+console.log('Original DEK:', dekBase64);
+
+// Wrap the DEK with our root key (envelope encryption)
+console.log('\nWrapping DEK with root key...');
+const wrapResult = await client.wrapKey({
+  bluemixInstance: instanceId,
+  id: rootKeyId,
+  keyActionWrapBody: {
+    plaintext: dekBase64
+  }
+});
+
+const wrappedDek = wrapResult.result.ciphertext;
+console.log('Wrapped DEK:', wrappedDek.substring(0, 50) + '...');
+
+// Unwrap the DEK to verify it works
+console.log('\nUnwrapping DEK...');
+const unwrapResult = await client.unwrapKey({
+  bluemixInstance: instanceId,
+  id: rootKeyId,
+  keyActionUnwrapBody: {
+    ciphertext: wrappedDek
+  }
+});
+
+const unwrappedDek = unwrapResult.result.plaintext;
+console.log('Unwrapped DEK:', unwrappedDek);
+console.log('\n✅ Envelope encryption test:', dekBase64 === unwrappedDek ? 'SUCCESS!' : 'FAILED');

package/test-watsonx-generation.js

@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+/**
+ * Test watsonx.ai text generation
+ * Requires either a project_id or space_id
+ */
+
+import { WatsonXAI } from '@ibm-cloud/watsonx-ai';
+import { IamAuthenticator } from 'ibm-cloud-sdk-core';
+
+const apiKey = process.env.WATSONX_API_KEY || 'YveH06g9T_XKZoKapGJsjm9q9xCz6WJ6z4GBRM_LJ9R5';
+const projectId = process.env.WATSONX_PROJECT_ID;
+
+const client = WatsonXAI.newInstance({
+  version: '2024-05-31',
+  serviceUrl: 'https://us-south.ml.cloud.ibm.com',
+  authenticator: new IamAuthenticator({ apikey: apiKey }),
+});
+
+console.log('=== watsonx.ai Text Generation Test ===\n');
+
+// First, list models to confirm connection
+console.log('1. Checking available models...');
+const modelsResp = await client.listFoundationModelSpecs({ limit: 20 });
+const models = modelsResp.result.resources || [];
+
+// Find text generation capable models
+const textGenModels = models.filter(m =>
+  m.model_id?.includes('granite') ||
+  m.model_id?.includes('llama') ||
+  m.model_id?.includes('mistral')
+);
+
+console.log(`   Found ${textGenModels.length} text generation models:`);
+textGenModels.slice(0, 5).forEach(m => console.log(`   • ${m.model_id}`));
+
+if (!projectId) {
+  console.log('\n⚠️  No WATSONX_PROJECT_ID set.');
+  console.log('\nTo enable text generation:');
+  console.log('1. Go to https://dataplatform.cloud.ibm.com');
+  console.log('2. Create a new project');
+  console.log('3. Copy the Project ID from Settings → General');
+  console.log('4. Add to ~/.claude.json under mcpServers.watsonx.env:');
+  console.log('   "WATSONX_PROJECT_ID": "your-project-id"');
+  console.log('\nOr set environment variable:');
+  console.log('   export WATSONX_PROJECT_ID=your-project-id');
+  process.exit(0);
+}
+
+// Test generation if project ID is available
+console.log('\n2. Testing text generation...');
+console.log(`   Using project: ${projectId}`);
+
+try {
+  const response = await client.generateText({
+    input: 'Explain envelope encryption in one sentence:',
+    modelId: 'ibm/granite-3-8b-instruct',
+    projectId: projectId,
+    parameters: {
+      max_new_tokens: 100,
+      temperature: 0.7,
+    }
+  });
+
+  console.log('\n   Generated response:');
+  console.log(`   "${response.result.results[0].generated_text.trim()}"`);
+  console.log('\n✅ Text generation working!');
+} catch (error) {
+  console.log('\n❌ Generation failed:', error.message);
+  if (error.message.includes('project_id')) {
+    console.log('\n   The project ID may be invalid or not properly configured.');
+  }
+}