mcp-cohesity 2.0.0

package/dist/tools/antivirus.js

@@ -0,0 +1,180 @@
+/**
+ * Antivirus / threat-detection tools — manage antivirus service integrations
+ * (e.g., ICAP-based scanners) and review infected/quarantined files.
+ *
+ * Notes:
+ *   - Cohesity's "anomaly detection" (ransomware behavioural analysis) is a
+ *     Helios SaaS feature and is NOT exposed on standalone on-prem clusters.
+ *     For on-prem threat detection, the cluster integrates with ICAP-compliant
+ *     antivirus servers via Antivirus Service Groups. This module exposes
+ *     those endpoints.
+ *
+ *   Endpoints (verified against cluster_v2_api.yaml):
+ *     GET    /v2/antivirus-service/groups
+ *     POST   /v2/antivirus-service/groups
+ *     GET    /v2/antivirus-service/groups/{id}
+ *     PUT    /v2/antivirus-service/groups/{id}
+ *     DELETE /v2/antivirus-service/groups/{id}
+ *     GET    /v2/antivirus-service/icap-uri-connection-status
+ *     GET    /v2/antivirus-service/infected-files
+ *     POST   /v2/antivirus-service/infected-files/actions  (quarantine/unquarantine/delete)
+ */
+import { z } from "zod";
+const reply = (text, isError = false) => ({
+    content: [{ type: "text", text }],
+    isError,
+});
+export function registerAntivirusTools(server, client) {
+    // ── List Antivirus Service Groups ──────────────────────────────────────
+    server.tool("list_antivirus_groups", "List antivirus service groups configured on the cluster. Each group bundles one or more ICAP-compliant antivirus servers.", {}, async () => {
+        try {
+            const data = await client.getV2("antivirus-service/groups");
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error listing antivirus groups: ${err}`, true);
+        }
+    });
+    // ── Create Antivirus Service Group ─────────────────────────────────────
+    // Schema: CreateAntivirusServiceGroupParams { name, antivirusServices[], description?, state? }
+    // AntivirusService { name, icapUri, scanFileSizeKBytes?, isEnabled? }
+    server.tool("create_antivirus_group", "Create a new antivirus service group. Bundles one or more ICAP servers so the cluster can route on-access scans to them.", {
+        name: z.string().describe("Group name (unique on the cluster)"),
+        description: z.string().optional().describe("Free-form description"),
+        antivirus_services: z
+            .array(z.object({
+            name: z.string().describe("Antivirus service display name"),
+            icap_uri: z.string().describe("ICAP URI of the antivirus server (e.g. icap://av.example.com:1344/respmod)"),
+            is_enabled: z.boolean().default(true).describe("Whether this service is active"),
+            scan_file_size_kbytes: z
+                .number()
+                .optional()
+                .describe("Max file size to scan in KB; larger files are skipped"),
+        }))
+            .min(1)
+            .describe("One or more ICAP antivirus services to include in the group"),
+        state: z.enum(["Enable", "Disable"]).default("Enable").describe("Initial state of the group"),
+    }, async (args) => {
+        try {
+            const body = {
+                name: args.name,
+                description: args.description,
+                state: args.state,
+                antivirusServices: args.antivirus_services.map((s) => ({
+                    name: s.name,
+                    icapUri: s.icap_uri,
+                    isEnabled: s.is_enabled,
+                    ...(s.scan_file_size_kbytes !== undefined && {
+                        scanFileSizeKBytes: s.scan_file_size_kbytes,
+                    }),
+                })),
+            };
+            const data = await client.postV2("antivirus-service/groups", body);
+            return reply(`Antivirus group '${args.name}' created.\n${JSON.stringify(data, null, 2)}`);
+        }
+        catch (err) {
+            return reply(`Error creating antivirus group: ${err}`, true);
+        }
+    });
+    // ── Get Antivirus Service Group ────────────────────────────────────────
+    server.tool("get_antivirus_group", "Get a single antivirus service group by ID", { id: z.number().describe("Antivirus group ID") }, async (args) => {
+        try {
+            const data = await client.getV2(`antivirus-service/groups/${args.id}`);
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching antivirus group ${args.id}: ${err}`, true);
+        }
+    });
+    // ── Update Antivirus Service Group ─────────────────────────────────────
+    server.tool("update_antivirus_group", "Update an antivirus service group's name, services, or state", {
+        id: z.number().describe("Antivirus group ID to update"),
+        name: z.string().describe("Group name"),
+        description: z.string().optional().describe("Description"),
+        antivirus_services: z
+            .array(z.object({
+            name: z.string(),
+            icap_uri: z.string(),
+            is_enabled: z.boolean().default(true),
+            scan_file_size_kbytes: z.number().optional(),
+        }))
+            .min(1)
+            .describe("Replacement list of antivirus services"),
+        state: z.enum(["Enable", "Disable"]).describe("Group state"),
+    }, async (args) => {
+        try {
+            const body = {
+                name: args.name,
+                description: args.description,
+                state: args.state,
+                antivirusServices: args.antivirus_services.map((s) => ({
+                    name: s.name,
+                    icapUri: s.icap_uri,
+                    isEnabled: s.is_enabled,
+                    ...(s.scan_file_size_kbytes !== undefined && {
+                        scanFileSizeKBytes: s.scan_file_size_kbytes,
+                    }),
+                })),
+            };
+            const data = await client.putV2(`antivirus-service/groups/${args.id}`, body);
+            return reply(`Antivirus group ${args.id} updated.\n${JSON.stringify(data, null, 2)}`);
+        }
+        catch (err) {
+            return reply(`Error updating antivirus group: ${err}`, true);
+        }
+    });
+    // ── Delete Antivirus Service Group ─────────────────────────────────────
+    server.tool("delete_antivirus_group", "Delete an antivirus service group", { id: z.number().describe("Antivirus group ID to delete") }, async (args) => {
+        try {
+            await client.deleteV2(`antivirus-service/groups/${args.id}`);
+            return reply(`Antivirus group ${args.id} deleted.`);
+        }
+        catch (err) {
+            return reply(`Error deleting antivirus group: ${err}`, true);
+        }
+    });
+    // ── ICAP URI Connection Status ─────────────────────────────────────────
+    server.tool("check_icap_connection", "Probe an ICAP antivirus URI and return its current reachability status", {
+        icap_uri: z.string().describe("ICAP URI to test (e.g. icap://av.example.com:1344/respmod)"),
+    }, async (args) => {
+        try {
+            const data = await client.getV2("antivirus-service/icap-uri-connection-status", {
+                icapUri: args.icap_uri,
+            });
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error checking ICAP connection: ${err}`, true);
+        }
+    });
+    // ── List Infected Files ────────────────────────────────────────────────
+    server.tool("list_infected_files", "List files that an antivirus service has flagged as infected on cluster Views. Filter by view, time range, or quarantine state.", {
+        view_names: z.array(z.string()).optional().describe("Restrict to these view names"),
+        include_quarantined: z.boolean().optional().describe("Include quarantined files in results"),
+        include_unquarantined: z.boolean().optional().describe("Include un-quarantined files"),
+        start_time_usecs: z.number().optional().describe("Only files detected after this timestamp (microseconds)"),
+        end_time_usecs: z.number().optional().describe("Only files detected before this timestamp (microseconds)"),
+        max_count: z.number().optional().default(100).describe("Max records to return"),
+    }, async (args) => {
+        try {
+            const qp = {};
+            if (args.view_names?.length)
+                qp.viewNameVec = args.view_names.join(",");
+            if (args.include_quarantined !== undefined)
+                qp.includeQuarantinedFiles = String(args.include_quarantined);
+            if (args.include_unquarantined !== undefined)
+                qp.includeUnquarantinedFiles = String(args.include_unquarantined);
+            if (args.start_time_usecs !== undefined)
+                qp.startTimeUsecs = String(args.start_time_usecs);
+            if (args.end_time_usecs !== undefined)
+                qp.endTimeUsecs = String(args.end_time_usecs);
+            if (args.max_count !== undefined)
+                qp.maxCount = String(args.max_count);
+            const data = await client.getV2("antivirus-service/infected-files", qp);
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error listing infected files: ${err}`, true);
+        }
+    });
+}

package/dist/tools/audit-logs.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Audit log tools — query the cluster's `CLUSTER_AUDIT` log for who-did-what
+ * forensics, and read or update the audit log retention configuration.
+ *
+ * All shapes verified against cluster_v2_api.yaml schemas:
+ *   AuditLog, AuditLogs, AuditLogConfig, GetAuditLogs operation.
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { CohesityClient } from "../cohesity-client.js";
+export declare function registerAuditLogTools(server: McpServer, client: CohesityClient): void;

package/dist/tools/audit-logs.js

@@ -0,0 +1,161 @@
+/**
+ * Audit log tools — query the cluster's `CLUSTER_AUDIT` log for who-did-what
+ * forensics, and read or update the audit log retention configuration.
+ *
+ * All shapes verified against cluster_v2_api.yaml schemas:
+ *   AuditLog, AuditLogs, AuditLogConfig, GetAuditLogs operation.
+ */
+import { z } from "zod";
+const reply = (text, isError = false) => ({
+    content: [{ type: "text", text }],
+    isError,
+});
+/**
+ * The full entity-type list from the V2 spec is ~80 items long. We expose the
+ * most operationally useful ones; callers can still pass arbitrary strings if
+ * they really need an entity not in this list.
+ */
+const COMMON_ENTITY_TYPES = [
+    "ProtectionGroup",
+    "ProtectionPolicy",
+    "ProtectionRun",
+    "RecoveryTask",
+    "Source",
+    "User",
+    "Role",
+    "Group",
+    "ApiKey",
+    "AccessToken",
+    "Alert",
+    "Resolution",
+    "AlertNotificationRule",
+    "Vault",
+    "RemoteCluster",
+    "ActiveDirectory",
+    "Cluster",
+    "Node",
+    "Disk",
+    "View",
+    "StorageDomain",
+    "EncryptionKey",
+    "CloneTask",
+    "Snapshot",
+    "Tenant",
+    "SearchJob",
+];
+const AUDIT_ACTIONS = [
+    "Login",
+    "Logout",
+    "Create",
+    "Modify",
+    "Delete",
+    "Activate",
+    "Deactivate",
+    "Pause",
+    "Resume",
+    "RunNow",
+    "Clone",
+    "Recover",
+    "Cancel",
+    "Register",
+    "Unregister",
+    "Update",
+    "Refresh",
+    "Upgrade",
+    "Upload",
+    "Download",
+    "Rename",
+    "Accept",
+    "Mark",
+    "Close",
+    "Failover",
+    "Failback",
+    "Protect",
+];
+export function registerAuditLogTools(server, client) {
+    // ── List Audit Logs ────────────────────────────────────────────────────
+    // GET /v2/audit-logs — supports rich server-side filtering.
+    server.tool("list_audit_logs", "Query the cluster audit log. Filter by user, action, entity type, time window, or free-text search. Returns who-did-what-when records for compliance and forensics.", {
+        search_string: z
+            .string()
+            .optional()
+            .describe("Free-text match against entityName or details"),
+        usernames: z.array(z.string()).optional().describe("Restrict to these usernames"),
+        domains: z.array(z.string()).optional().describe("Restrict to these auth domains"),
+        entity_types: z
+            .array(z.enum(COMMON_ENTITY_TYPES))
+            .optional()
+            .describe("Restrict to these entity types (common operational subset)"),
+        actions: z.array(z.enum(AUDIT_ACTIONS)).optional().describe("Restrict to these action types"),
+        start_time_usecs: z
+            .number()
+            .optional()
+            .describe("Only logs created after this unix microsecond timestamp"),
+        end_time_usecs: z
+            .number()
+            .optional()
+            .describe("Only logs created before this unix microsecond timestamp"),
+        tenant_ids: z.array(z.string()).optional().describe("Restrict to these tenant IDs"),
+        include_tenants: z
+            .boolean()
+            .optional()
+            .describe("Include records from all tenants the caller can see"),
+        start_index: z.number().optional().describe("Pagination cursor (skip oldest N)"),
+        count: z
+            .number()
+            .optional()
+            .default(100)
+            .describe("Maximum records to return per call"),
+    }, async (args) => {
+        try {
+            const qp = {};
+            if (args.search_string)
+                qp.searchString = args.search_string;
+            if (args.usernames?.length)
+                qp.usernames = args.usernames.join(",");
+            if (args.domains?.length)
+                qp.domains = args.domains.join(",");
+            if (args.entity_types?.length)
+                qp.entityTypes = args.entity_types.join(",");
+            if (args.actions?.length)
+                qp.actions = args.actions.join(",");
+            if (args.start_time_usecs !== undefined)
+                qp.startTimeUsecs = String(args.start_time_usecs);
+            if (args.end_time_usecs !== undefined)
+                qp.endTimeUsecs = String(args.end_time_usecs);
+            if (args.tenant_ids?.length)
+                qp.tenantIds = args.tenant_ids.join(",");
+            if (args.include_tenants !== undefined)
+                qp.includeTenants = String(args.include_tenants);
+            if (args.start_index !== undefined)
+                qp.startIndex = String(args.start_index);
+            if (args.count !== undefined)
+                qp.count = String(args.count);
+            const data = await client.getV2("audit-logs", qp);
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching audit logs: ${err}`, true);
+        }
+    });
+    // ── List Audit Log Actions ─────────────────────────────────────────────
+    server.tool("list_audit_log_actions", "List all action types recognized by the audit log (for building filters)", {}, async () => {
+        try {
+            const data = await client.getV2("audit-logs/actions");
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching audit log actions: ${err}`, true);
+        }
+    });
+    // ── List Audit Log Entity Types ────────────────────────────────────────
+    server.tool("list_audit_log_entity_types", "List all entity types tracked in the audit log (for building filters)", {}, async () => {
+        try {
+            const data = await client.getV2("audit-logs/entity-types");
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching audit log entity types: ${err}`, true);
+        }
+    });
+}

package/dist/tools/clones.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Clone tools — create and manage instant-clone tasks for test/dev workflows.
+ *
+ * Two distinct clone types exist on Cohesity:
+ *
+ *   1. VIEW CLONE — Snapshots an existing file-services View into a new View.
+ *      Endpoint: POST /v2/file-services/views/{id}/clone
+ *
+ *   2. RECOVERY CLONE TASK — Created via the standard /recoveries endpoint with
+ *      a clone-specific Recovery payload (recoveryAction = "CloneVMs"); the
+ *      task lifecycle is then managed through /recoveries/clone/{id}.
+ *
+ * This module covers both. Recovery clones (VMs) use the same recover_vm
+ * tool but with cloneVmsParams instead of recoverVmsParams; we provide a
+ * thin shortcut here so the LLM can find it easily.
+ *
+ *   Endpoints (verified against cluster_v2_api.yaml):
+ *     POST   /v2/file-services/views/{id}/clone   — CloneViewParams
+ *     DELETE /v2/data-protect/recoveries/clone/{id}
+ *     GET    /v2/data-protect/recoveries          (filter by recoveryAction=CloneVMs)
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { CohesityClient } from "../cohesity-client.js";
+export declare function registerCloneTools(server: McpServer, client: CohesityClient): void;

package/dist/tools/clones.js

@@ -0,0 +1,107 @@
+/**
+ * Clone tools — create and manage instant-clone tasks for test/dev workflows.
+ *
+ * Two distinct clone types exist on Cohesity:
+ *
+ *   1. VIEW CLONE — Snapshots an existing file-services View into a new View.
+ *      Endpoint: POST /v2/file-services/views/{id}/clone
+ *
+ *   2. RECOVERY CLONE TASK — Created via the standard /recoveries endpoint with
+ *      a clone-specific Recovery payload (recoveryAction = "CloneVMs"); the
+ *      task lifecycle is then managed through /recoveries/clone/{id}.
+ *
+ * This module covers both. Recovery clones (VMs) use the same recover_vm
+ * tool but with cloneVmsParams instead of recoverVmsParams; we provide a
+ * thin shortcut here so the LLM can find it easily.
+ *
+ *   Endpoints (verified against cluster_v2_api.yaml):
+ *     POST   /v2/file-services/views/{id}/clone   — CloneViewParams
+ *     DELETE /v2/data-protect/recoveries/clone/{id}
+ *     GET    /v2/data-protect/recoveries          (filter by recoveryAction=CloneVMs)
+ */
+import { z } from "zod";
+const reply = (text, isError = false) => ({
+    content: [{ type: "text", text }],
+    isError,
+});
+export function registerCloneTools(server, client) {
+    // ── List Clone Tasks ───────────────────────────────────────────────────
+    // Recovery clones live in /data-protect/recoveries with recoveryAction filtering.
+    server.tool("list_clone_tasks", "List active and historical clone tasks (CloneVMs, CloneView, CloneAppView). Use filters to narrow by status or time range.", {
+        status: z
+            .array(z.enum([
+            "Accepted",
+            "Running",
+            "Canceled",
+            "Canceling",
+            "Failed",
+            "Missed",
+            "Succeeded",
+            "SucceededWithWarning",
+            "OnHold",
+            "Finalizing",
+            "Skipped",
+        ]))
+            .optional()
+            .describe("Filter by status"),
+        start_time_usecs: z.number().optional().describe("Only tasks created after this timestamp (μs)"),
+        end_time_usecs: z.number().optional().describe("Only tasks created before this timestamp (μs)"),
+        max_results: z.number().default(25).describe("Maximum results"),
+    }, async (args) => {
+        try {
+            const qp = {
+                maxCount: String(args.max_results),
+                recoveryActions: "CloneVMs,CloneView,CloneAppView",
+            };
+            if (args.status?.length)
+                qp.status = args.status.join(",");
+            if (args.start_time_usecs !== undefined)
+                qp.startTimeUsecs = String(args.start_time_usecs);
+            if (args.end_time_usecs !== undefined)
+                qp.endTimeUsecs = String(args.end_time_usecs);
+            const data = await client.getV2("data-protect/recoveries", qp);
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error listing clone tasks: ${err}`, true);
+        }
+    });
+    // ── Clone a View ───────────────────────────────────────────────────────
+    // POST /v2/file-services/views/{id}/clone with CloneViewParams.
+    server.tool("clone_view", "Clone a file-services View into a new View. The clone is space-efficient (snapshot-backed). Useful for spinning up read/write test copies of production data.", {
+        source_view_id: z.number().describe("ID of the View to clone"),
+        name: z.string().describe("Name for the new cloned View"),
+        description: z.string().optional().describe("Description for the cloned View"),
+        read_only: z.boolean().optional().describe("Create the clone as read-only"),
+        data_lock_expiry_usecs: z
+            .number()
+            .optional()
+            .describe("DataLock expiry as unix microseconds (makes the clone WORM-locked)"),
+    }, async (args) => {
+        try {
+            const body = { name: args.name };
+            if (args.description)
+                body.description = args.description;
+            if (args.read_only !== undefined)
+                body.isReadOnly = args.read_only;
+            if (args.data_lock_expiry_usecs !== undefined) {
+                body.dataLockExpiryUsecs = args.data_lock_expiry_usecs;
+            }
+            const data = await client.postV2(`file-services/views/${args.source_view_id}/clone`, body);
+            return reply(`View ${args.source_view_id} cloned as '${args.name}'.\n${JSON.stringify(data, null, 2)}`);
+        }
+        catch (err) {
+            return reply(`Error cloning view: ${err}`, true);
+        }
+    });
+    // ── Delete Recovery Clone Task ─────────────────────────────────────────
+    server.tool("delete_clone_task", "Delete a restore clone task by ID. This tears down the clone and releases its space.", { id: z.number().describe("Clone task ID to delete") }, async (args) => {
+        try {
+            await client.deleteV2(`data-protect/recoveries/clone/${args.id}`);
+            return reply(`Clone task ${args.id} deleted.`);
+        }
+        catch (err) {
+            return reply(`Error deleting clone task: ${err}`, true);
+        }
+    });
+}

package/dist/tools/cluster-reports.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Cluster-local report tools — synthesize backup, recovery, and capacity
+ * reports from cluster V1 + V2 endpoints. No Helios required.
+ *
+ * Most reports are derived: we combine multiple endpoints into a single
+ * tool result that an LLM (or operator) can read at a glance.
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { CohesityClient } from "../cohesity-client.js";
+export declare function registerClusterReportTools(server: McpServer, client: CohesityClient): void;