@raghulm/aegis-mcp 1.0.4 → 1.0.7

package/audit/audit_logger.py

@@ -1,62 +1,62 @@
-from __future__ import annotations
-
-from functools import wraps
-from time import perf_counter
-from typing import Any, Callable
-
-from server.logging import get_logger
-
-logger = get_logger("mcp.aegis.audit")
-
-
-
-def audit_tool_call(tool_name: str) -> Callable[[Callable[..., Any]], Callable[..., Any]]:
-    """Decorator that emits structured audit records for every tool invocation."""
-
-    def decorator(func: Callable[..., Any]) -> Callable[..., Any]:
-        @wraps(func)
-        def wrapper(*args: Any, **kwargs: Any) -> Any:
-            started = perf_counter()
-            logger.info(
-                "tool_call_started",
-                extra={
-                    "extra_payload": {
-                        "event": "tool_call_started",
-                        "tool": tool_name,
-                        "args": str(args),
-                        "kwargs": kwargs,
-                    }
-                },
-            )
-            try:
-                result = func(*args, **kwargs)
-                duration_ms = int((perf_counter() - started) * 1000)
-                logger.info(
-                    "tool_call_succeeded",
-                    extra={
-                        "extra_payload": {
-                            "event": "tool_call_succeeded",
-                            "tool": tool_name,
-                            "duration_ms": duration_ms,
-                        }
-                    },
-                )
-                return result
-            except Exception as exc:  # noqa: BLE001
-                duration_ms = int((perf_counter() - started) * 1000)
-                logger.error(
-                    "tool_call_failed",
-                    extra={
-                        "extra_payload": {
-                            "event": "tool_call_failed",
-                            "tool": tool_name,
-                            "duration_ms": duration_ms,
-                            "error": str(exc),
-                        }
-                    },
-                )
-                raise
-
-        return wrapper
-
-    return decorator
+from __future__ import annotations
+
+from functools import wraps
+from time import perf_counter
+from typing import Any, Callable
+
+from server.logging import get_logger
+
+logger = get_logger("mcp.aegis.audit")
+
+
+
+def audit_tool_call(tool_name: str) -> Callable[[Callable[..., Any]], Callable[..., Any]]:
+    """Decorator that emits structured audit records for every tool invocation."""
+
+    def decorator(func: Callable[..., Any]) -> Callable[..., Any]:
+        @wraps(func)
+        def wrapper(*args: Any, **kwargs: Any) -> Any:
+            started = perf_counter()
+            logger.info(
+                "tool_call_started",
+                extra={
+                    "extra_payload": {
+                        "event": "tool_call_started",
+                        "tool": tool_name,
+                        "args": str(args),
+                        "kwargs": kwargs,
+                    }
+                },
+            )
+            try:
+                result = func(*args, **kwargs)
+                duration_ms = int((perf_counter() - started) * 1000)
+                logger.info(
+                    "tool_call_succeeded",
+                    extra={
+                        "extra_payload": {
+                            "event": "tool_call_succeeded",
+                            "tool": tool_name,
+                            "duration_ms": duration_ms,
+                        }
+                    },
+                )
+                return result
+            except Exception as exc:  # noqa: BLE001
+                duration_ms = int((perf_counter() - started) * 1000)
+                logger.error(
+                    "tool_call_failed",
+                    extra={
+                        "extra_payload": {
+                            "event": "tool_call_failed",
+                            "tool": tool_name,
+                            "duration_ms": duration_ms,
+                            "error": str(exc),
+                        }
+                    },
+                )
+                raise
+
+        return wrapper
+
+    return decorator

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@raghulm/aegis-mcp",
-  "version": "1.0.4",
+  "version": "1.0.7",
   "description": "DevSecOps-focused MCP server for AWS, Kubernetes, CI/CD, and security tooling.",
   "license": "MIT",
   "author": "Raghul M",
@@ -39,15 +39,14 @@
     "security",
     "aws",
     "kubernetes",
-    "claude"
+    "claude",
+    "jenkins"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "registry": "https://npm.pkg.github.com"
   },
   "engines": {
     "node": ">=18"
-  },
-  "dependencies": {
-    "@raghulm/aegis-mcp": "^1.0.3"
   }
 }

package/policies/roles.yaml

@@ -1,34 +1,34 @@
-roles:
-  viewer:
-    - aws_list_ec2_instances
-    - k8s_list_pods
-    - git_recent_commits
-    - security_check_ssl_certificate
-    - security_check_http_headers
-    - network_port_scan
-    - security_semgrep_scan
-  security:
-    - k8s_security_audit
-    - security_run_trivy_scan
-    - git_recent_commits
-    - security_scan_secrets
-    - security_check_ssl_certificate
-    - security_check_dependencies
-    - security_check_http_headers
-    - security_semgrep_scan
-    - aws_check_s3_public_access
-    - network_port_scan
-  admin:
-    - aws_list_ec2_instances
-    - k8s_list_pods
-    - k8s_security_audit
-    - security_run_trivy_scan
-    - git_recent_commits
-    - cicd_pipeline_status
-    - security_scan_secrets
-    - security_check_ssl_certificate
-    - security_check_dependencies
-    - security_check_http_headers
-    - security_semgrep_scan
-    - aws_check_s3_public_access
-    - network_port_scan
+roles:
+  viewer:
+    - aws_list_ec2_instances
+    - k8s_list_pods
+    - git_recent_commits
+    - security_check_ssl_certificate
+    - security_check_http_headers
+    - network_port_scan
+    - security_semgrep_scan
+  security:
+    - k8s_security_audit
+    - security_run_trivy_scan
+    - git_recent_commits
+    - security_scan_secrets
+    - security_check_ssl_certificate
+    - security_check_dependencies
+    - security_check_http_headers
+    - security_semgrep_scan
+    - aws_check_s3_public_access
+    - network_port_scan
+  admin:
+    - aws_list_ec2_instances
+    - k8s_list_pods
+    - k8s_security_audit
+    - security_run_trivy_scan
+    - git_recent_commits
+    - cicd_pipeline_status
+    - security_scan_secrets
+    - security_check_ssl_certificate
+    - security_check_dependencies
+    - security_check_http_headers
+    - security_semgrep_scan
+    - aws_check_s3_public_access
+    - network_port_scan

package/policies/scope_rules.yaml

@@ -1,16 +1,16 @@
-scopes:
-  aegis.read:
-    - aws_list_ec2_instances
-    - k8s_list_pods
-    - git_recent_commits
-    - cicd_pipeline_status
-    - security_check_ssl_certificate
-    - security_check_http_headers
-    - network_port_scan
-    - aws_check_s3_public_access
-    - security_semgrep_scan
-  aegis.security:
-    - security_run_trivy_scan
-    - security_scan_secrets
-    - security_check_dependencies
-    - security_semgrep_scan
+scopes:
+  aegis.read:
+    - aws_list_ec2_instances
+    - k8s_list_pods
+    - git_recent_commits
+    - cicd_pipeline_status
+    - security_check_ssl_certificate
+    - security_check_http_headers
+    - network_port_scan
+    - aws_check_s3_public_access
+    - security_semgrep_scan
+  aegis.security:
+    - security_run_trivy_scan
+    - security_scan_secrets
+    - security_check_dependencies
+    - security_semgrep_scan

package/requirements.txt

@@ -1,7 +1,8 @@
-mcp>=1.0.0
-boto3>=1.34.0
-requests>=2.32.0
-fastapi>=0.111.0
-uvicorn>=0.30.0
-pyyaml>=6.0.1
-semgrep>=1.60.0
+mcp>=1.0.0
+boto3>=1.34.0
+requests>=2.32.0
+fastapi>=0.111.0
+uvicorn>=0.30.0
+pyyaml>=6.0.1
+semgrep>=1.60.0
+python-jenkins>=1.8.0

package/run_stdio.py

@@ -1,22 +1,22 @@
-"""Launcher script for Claude Desktop — ensures the project root is on sys.path."""
-import sys
-import os
-
-# Set working directory and sys.path to the project root so that
-# relative policy file paths (policies/roles.yaml etc.) resolve correctly
-PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
-os.chdir(PROJECT_ROOT)
-sys.path.insert(0, PROJECT_ROOT)
-
-# Disable JWT auth for local stdio sessions (Claude Desktop cannot supply tokens)
-os.environ.setdefault("MCP_AUTH_DISABLED", "true")
-
-# Ensure the venv Scripts dir is on PATH so pysemgrep / semgrep-core are found
-venv_scripts = os.path.join(PROJECT_ROOT, ".venv", "Scripts")
-if os.path.isdir(venv_scripts) and venv_scripts not in os.environ.get("PATH", ""):
-    os.environ["PATH"] = venv_scripts + os.pathsep + os.environ.get("PATH", "")
-
-from server.main import mcp
-
-if __name__ == "__main__":
-    mcp.run(transport="stdio")
+"""Launcher script for Claude Desktop — ensures the project root is on sys.path."""
+import sys
+import os
+
+# Set working directory and sys.path to the project root so that
+# relative policy file paths (policies/roles.yaml etc.) resolve correctly
+PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
+os.chdir(PROJECT_ROOT)
+sys.path.insert(0, PROJECT_ROOT)
+
+# Disable JWT auth for local stdio sessions (Claude Desktop cannot supply tokens)
+os.environ.setdefault("MCP_AUTH_DISABLED", "true")
+
+# Ensure the venv Scripts dir is on PATH so pysemgrep / semgrep-core are found
+venv_scripts = os.path.join(PROJECT_ROOT, ".venv", "Scripts")
+if os.path.isdir(venv_scripts) and venv_scripts not in os.environ.get("PATH", ""):
+    os.environ["PATH"] = venv_scripts + os.pathsep + os.environ.get("PATH", "")
+
+from server.main import mcp
+
+if __name__ == "__main__":
+    mcp.run(transport="stdio")

package/server/auth.py

@@ -1,69 +1,69 @@
-from __future__ import annotations
-
-import base64
-import json
-from dataclasses import dataclass
-
-from server.config import Settings
-
-
-@dataclass(frozen=True)
-class Principal:
-    subject: str
-    role: str
-    scopes: list[str]
-
-
-class AuthorizationError(PermissionError):
-    pass
-
-
-
-def _decode_jwt_payload(token: str) -> dict:
-    parts = token.split(".")
-    if len(parts) < 2:
-        return {}
-    payload = parts[1]
-    padding = "=" * ((4 - len(payload) % 4) % 4)
-    decoded = base64.urlsafe_b64decode(payload + padding)
-    return json.loads(decoded.decode("utf-8"))
-
-
-
-def decode_bearer_token(token: str, settings: Settings) -> Principal:
-    """Decode claims from a bearer token payload.
-
-    This implementation parses JWT payload claims and is intended as a scaffold.
-    Replace with strict signature/JWKS validation in production.
-    """
-    claims = _decode_jwt_payload(token)
-
-    if settings.oidc_issuer and claims.get("iss") != settings.oidc_issuer:
-        raise AuthorizationError("token issuer mismatch")
-    if settings.oidc_audience and settings.oidc_audience not in str(claims.get("aud", "")):
-        raise AuthorizationError("token audience mismatch")
-
-    role = str(claims.get("role", "viewer"))
-    scope_claim = claims.get("scope", "")
-    scopes = scope_claim.split() if isinstance(scope_claim, str) else []
-    return Principal(subject=str(claims.get("sub", "unknown")), role=role, scopes=scopes)
-
-
-
-def authorize_tool(
-    principal: Principal,
-    tool_name: str,
-    role_policies: dict[str, list[str]],
-    scope_policies: dict[str, list[str]],
-) -> None:
-    allowed_by_role = set(role_policies.get(principal.role, []))
-    allowed_by_scope: set[str] = set()
-    for scope in principal.scopes:
-        allowed_by_scope.update(scope_policies.get(scope, []))
-
-    if tool_name in allowed_by_role or tool_name in allowed_by_scope:
-        return
-
-    raise AuthorizationError(
-        f"principal '{principal.subject}' with role '{principal.role}' is not allowed to call '{tool_name}'"
-    )
+from __future__ import annotations
+
+import base64
+import json
+from dataclasses import dataclass
+
+from server.config import Settings
+
+
+@dataclass(frozen=True)
+class Principal:
+    subject: str
+    role: str
+    scopes: list[str]
+
+
+class AuthorizationError(PermissionError):
+    pass
+
+
+
+def _decode_jwt_payload(token: str) -> dict:
+    parts = token.split(".")
+    if len(parts) < 2:
+        return {}
+    payload = parts[1]
+    padding = "=" * ((4 - len(payload) % 4) % 4)
+    decoded = base64.urlsafe_b64decode(payload + padding)
+    return json.loads(decoded.decode("utf-8"))
+
+
+
+def decode_bearer_token(token: str, settings: Settings) -> Principal:
+    """Decode claims from a bearer token payload.
+
+    This implementation parses JWT payload claims and is intended as a scaffold.
+    Replace with strict signature/JWKS validation in production.
+    """
+    claims = _decode_jwt_payload(token)
+
+    if settings.oidc_issuer and claims.get("iss") != settings.oidc_issuer:
+        raise AuthorizationError("token issuer mismatch")
+    if settings.oidc_audience and settings.oidc_audience not in str(claims.get("aud", "")):
+        raise AuthorizationError("token audience mismatch")
+
+    role = str(claims.get("role", "viewer"))
+    scope_claim = claims.get("scope", "")
+    scopes = scope_claim.split() if isinstance(scope_claim, str) else []
+    return Principal(subject=str(claims.get("sub", "unknown")), role=role, scopes=scopes)
+
+
+
+def authorize_tool(
+    principal: Principal,
+    tool_name: str,
+    role_policies: dict[str, list[str]],
+    scope_policies: dict[str, list[str]],
+) -> None:
+    allowed_by_role = set(role_policies.get(principal.role, []))
+    allowed_by_scope: set[str] = set()
+    for scope in principal.scopes:
+        allowed_by_scope.update(scope_policies.get(scope, []))
+
+    if tool_name in allowed_by_role or tool_name in allowed_by_scope:
+        return
+
+    raise AuthorizationError(
+        f"principal '{principal.subject}' with role '{principal.role}' is not allowed to call '{tool_name}'"
+    )

package/server/config.py

@@ -1,82 +1,82 @@
-from __future__ import annotations
-
-import json
-import os
-from dataclasses import dataclass
-from pathlib import Path
-from typing import Any
-
-
-@dataclass(frozen=True)
-class Settings:
-    """Runtime configuration for the MCP service."""
-
-    service_name: str = "aegis"
-    environment: str = "dev"
-    policy_roles_path: Path = Path("policies/roles.yaml")
-    policy_scopes_path: Path = Path("policies/scope_rules.yaml")
-    oidc_issuer: str | None = None
-    oidc_audience: str | None = None
-
-
-
-def _parse_simple_yaml(raw: str) -> dict[str, Any]:
-    """Very small YAML subset parser for key/list policy files."""
-    root: dict[str, Any] = {}
-    current_section: dict[str, list[str]] | None = None
-    current_key: str | None = None
-    for line in raw.splitlines():
-        stripped = line.rstrip()
-        if not stripped or stripped.lstrip().startswith("#"):
-            continue
-        if not line.startswith(" ") and stripped.endswith(":"):
-            section = stripped[:-1]
-            root[section] = {}
-            current_section = root[section]
-            current_key = None
-        elif current_section is not None and line.startswith("  ") and stripped.endswith(":"):
-            current_key = stripped[:-1]
-            current_section[current_key] = []
-        elif current_section is not None and current_key and line.strip().startswith("-"):
-            value = line.split("-", maxsplit=1)[1].strip().strip('"')
-            current_section[current_key].append(value)
-    return root
-
-
-
-def _load_yaml(path: Path) -> dict[str, Any]:
-    if not path.exists():
-        return {}
-    content = path.read_text(encoding="utf-8")
-    try:
-        import yaml  # type: ignore
-
-        return yaml.safe_load(content) or {}
-    except Exception:
-        return _parse_simple_yaml(content)
-
-
-
-def load_settings() -> Settings:
-    return Settings(
-        service_name=os.getenv("MCP_SERVICE_NAME", "aegis"),
-        environment=os.getenv("MCP_ENV", "dev"),
-        policy_roles_path=Path(os.getenv("MCP_ROLES_FILE", "policies/roles.yaml")),
-        policy_scopes_path=Path(os.getenv("MCP_SCOPES_FILE", "policies/scope_rules.yaml")),
-        oidc_issuer=os.getenv("OIDC_ISSUER"),
-        oidc_audience=os.getenv("OIDC_AUDIENCE"),
-    )
-
-
-
-def load_role_policies(settings: Settings) -> dict[str, list[str]]:
-    raw = _load_yaml(settings.policy_roles_path)
-    roles = raw.get("roles", {})
-    return {str(k): [str(v) for v in values] for k, values in roles.items()}
-
-
-
-def load_scope_policies(settings: Settings) -> dict[str, list[str]]:
-    raw = _load_yaml(settings.policy_scopes_path)
-    scopes = raw.get("scopes", {})
-    return {str(k): [str(v) for v in values] for k, values in scopes.items()}
+from __future__ import annotations
+
+import json
+import os
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+
+@dataclass(frozen=True)
+class Settings:
+    """Runtime configuration for the MCP service."""
+
+    service_name: str = "aegis"
+    environment: str = "dev"
+    policy_roles_path: Path = Path("policies/roles.yaml")
+    policy_scopes_path: Path = Path("policies/scope_rules.yaml")
+    oidc_issuer: str | None = None
+    oidc_audience: str | None = None
+
+
+
+def _parse_simple_yaml(raw: str) -> dict[str, Any]:
+    """Very small YAML subset parser for key/list policy files."""
+    root: dict[str, Any] = {}
+    current_section: dict[str, list[str]] | None = None
+    current_key: str | None = None
+    for line in raw.splitlines():
+        stripped = line.rstrip()
+        if not stripped or stripped.lstrip().startswith("#"):
+            continue
+        if not line.startswith(" ") and stripped.endswith(":"):
+            section = stripped[:-1]
+            root[section] = {}
+            current_section = root[section]
+            current_key = None
+        elif current_section is not None and line.startswith("  ") and stripped.endswith(":"):
+            current_key = stripped[:-1]
+            current_section[current_key] = []
+        elif current_section is not None and current_key and line.strip().startswith("-"):
+            value = line.split("-", maxsplit=1)[1].strip().strip('"')
+            current_section[current_key].append(value)
+    return root
+
+
+
+def _load_yaml(path: Path) -> dict[str, Any]:
+    if not path.exists():
+        return {}
+    content = path.read_text(encoding="utf-8")
+    try:
+        import yaml  # type: ignore
+
+        return yaml.safe_load(content) or {}
+    except Exception:
+        return _parse_simple_yaml(content)
+
+
+
+def load_settings() -> Settings:
+    return Settings(
+        service_name=os.getenv("MCP_SERVICE_NAME", "aegis"),
+        environment=os.getenv("MCP_ENV", "dev"),
+        policy_roles_path=Path(os.getenv("MCP_ROLES_FILE", "policies/roles.yaml")),
+        policy_scopes_path=Path(os.getenv("MCP_SCOPES_FILE", "policies/scope_rules.yaml")),
+        oidc_issuer=os.getenv("OIDC_ISSUER"),
+        oidc_audience=os.getenv("OIDC_AUDIENCE"),
+    )
+
+
+
+def load_role_policies(settings: Settings) -> dict[str, list[str]]:
+    raw = _load_yaml(settings.policy_roles_path)
+    roles = raw.get("roles", {})
+    return {str(k): [str(v) for v in values] for k, values in roles.items()}
+
+
+
+def load_scope_policies(settings: Settings) -> dict[str, list[str]]:
+    raw = _load_yaml(settings.policy_scopes_path)
+    scopes = raw.get("scopes", {})
+    return {str(k): [str(v) for v in values] for k, values in scopes.items()}

package/server/health.py

@@ -1,19 +1,19 @@
-from __future__ import annotations
-
-from fastapi import FastAPI
-from fastapi.responses import JSONResponse
-from mcp.server.fastmcp import FastMCP
-
-from server.config import load_settings
-
-settings = load_settings()
-mcp = FastMCP(settings.service_name, json_response=True)
-app = FastAPI(title="aegis-mcp")
-
-
-@app.get("/health")
-def health() -> JSONResponse:
-    return JSONResponse({"status": "ok", "service": settings.service_name})
-
-
-app.mount("/mcp", mcp.streamable_http_app())
+from __future__ import annotations
+
+from fastapi import FastAPI
+from fastapi.responses import JSONResponse
+from mcp.server.fastmcp import FastMCP
+
+from server.config import load_settings
+
+settings = load_settings()
+mcp = FastMCP(settings.service_name, json_response=True)
+app = FastAPI(title="aegis-mcp")
+
+
+@app.get("/health")
+def health() -> JSONResponse:
+    return JSONResponse({"status": "ok", "service": settings.service_name})
+
+
+app.mount("/mcp", mcp.streamable_http_app())