mcp-cohesity 2.0.0

package/dist/tools/cluster-reports.js

@@ -0,0 +1,224 @@
+/**
+ * Cluster-local report tools — synthesize backup, recovery, and capacity
+ * reports from cluster V1 + V2 endpoints. No Helios required.
+ *
+ * Most reports are derived: we combine multiple endpoints into a single
+ * tool result that an LLM (or operator) can read at a glance.
+ */
+import { z } from "zod";
+const reply = (text, isError = false) => ({
+    content: [{ type: "text", text }],
+    isError,
+});
+/** Convert bytes to a human-readable string. */
+function fmtBytes(n) {
+    if (n == null)
+        return "—";
+    const units = ["B", "KiB", "MiB", "GiB", "TiB", "PiB"];
+    let v = n;
+    let i = 0;
+    while (v >= 1024 && i < units.length - 1) {
+        v /= 1024;
+        i++;
+    }
+    return `${v.toFixed(2)} ${units[i]}`;
+}
+/** Convert microseconds since epoch to an ISO date string. */
+function fmtUsecs(usecs) {
+    if (!usecs)
+        return "—";
+    return new Date(usecs / 1000).toISOString();
+}
+export function registerClusterReportTools(server, client) {
+    // ── Protected Objects Trend Report (V1) ────────────────────────────────
+    // /irisservices/api/v1/public/reports/protectedObjectsTrends
+    // Returns per-object backup success/fail history rolled up by day/week.
+    server.tool("get_protected_objects_trend_report", "Get a per-object backup success/failure trend report over a time window. Returns each protected object with daily or weekly rollups of total, successful, running, cancelled, and failed runs.", {
+        start_time_msecs: z
+            .number()
+            .describe("Window start in unix milliseconds (NOT microseconds — V1 endpoint uses msec)"),
+        end_time_msecs: z.number().describe("Window end in unix milliseconds"),
+        rollup_interval_days: z
+            .number()
+            .default(1)
+            .describe("Days per rollup bucket (1=daily, 7=weekly, 30=monthly)"),
+        timezone: z
+            .string()
+            .default("UTC")
+            .describe("IANA timezone for date bucketing (e.g. UTC, America/New_York)"),
+    }, async (args) => {
+        try {
+            const qp = {
+                startTimeMsecs: String(args.start_time_msecs),
+                endTimeMsecs: String(args.end_time_msecs),
+                rollupIntervalDays: String(args.rollup_interval_days),
+                timezone: args.timezone,
+            };
+            const data = await client.getV1("reports/protectedObjectsTrends", qp);
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching trend report: ${err}`, true);
+        }
+    });
+    // ── Sources × Jobs Summary Report (V1) ─────────────────────────────────
+    // /irisservices/api/v1/public/reports/protectionSourcesJobsSummary
+    // Which sources are in which protection groups, with run counts.
+    server.tool("get_sources_jobs_summary_report", "Get a report mapping protection sources to the protection groups (jobs) covering them, with run counts per source.", {}, async () => {
+        try {
+            const data = await client.getV1("reports/protectionSourcesJobsSummary");
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching sources/jobs summary: ${err}`, true);
+        }
+    });
+    // ── Archival Data Transfer Report (V1) ─────────────────────────────────
+    // /irisservices/api/v1/public/reports/dataTransferToVaults
+    server.tool("get_archival_transfer_report", "Get a report of data transferred to external archival targets (vaults) in a given time window.", {
+        start_time_msecs: z.number().describe("Window start in unix milliseconds"),
+        end_time_msecs: z.number().describe("Window end in unix milliseconds"),
+        timezone: z.string().default("UTC").describe("IANA timezone for date bucketing"),
+    }, async (args) => {
+        try {
+            const qp = {
+                startTimeMsecs: String(args.start_time_msecs),
+                endTimeMsecs: String(args.end_time_msecs),
+                timezone: args.timezone,
+            };
+            const data = await client.getV1("reports/dataTransferToVaults", qp);
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching archival transfer report: ${err}`, true);
+        }
+    });
+    // ── Synthesized Protection Summary Report ──────────────────────────────
+    // Combines protection-groups + last-run-info + alerts into a Markdown
+    // summary suitable for an LLM to relay to the operator.
+    server.tool("generate_protection_summary_report", "Generate a synthesized Markdown protection summary report: protection groups, their last run status, and any active alerts. Combines multiple V2 endpoints into one human-readable view.", {
+        include_resolved_alerts: z
+            .boolean()
+            .default(false)
+            .describe("Include resolved alerts (default: only open alerts)"),
+    }, async (args) => {
+        try {
+            const [groupsResp, alertsResp] = await Promise.all([
+                client.getV2("data-protect/protection-groups", {
+                    includeLastRunInfo: "true",
+                }),
+                client.getV2("alerts", {
+                    alertStates: args.include_resolved_alerts ? "kOpen,kResolved" : "kOpen",
+                    maxAlerts: "100",
+                }),
+            ]);
+            const groups = groupsResp.protectionGroups ?? [];
+            const alerts = alertsResp.alerts ?? [];
+            const lines = [];
+            lines.push("# Protection Summary Report");
+            lines.push(`Generated: ${new Date().toISOString()}`);
+            lines.push("");
+            lines.push(`## Protection Groups (${groups.length})`);
+            lines.push("");
+            lines.push("| Name | Environment | Policy | Last Run | Status | Logical |");
+            lines.push("|---|---|---|---|---|---|");
+            for (const g of groups) {
+                const lastRun = g.lastRun ?? {};
+                const localRun = lastRun.localBackupInfo ?? {};
+                lines.push(`| ${g.name ?? "—"} | ${g.environment ?? "—"} | ${g.policyId ?? "—"} ` +
+                    `| ${fmtUsecs(localRun.startTimeUsecs)} | ${localRun.status ?? "—"} ` +
+                    `| ${fmtBytes(localRun.localSnapshotStats?.logicalSizeBytes)} |`);
+            }
+            lines.push("");
+            lines.push(`## Alerts (${alerts.length})`);
+            lines.push("");
+            if (alerts.length === 0) {
+                lines.push("_No alerts in the selected window._");
+            }
+            else {
+                lines.push("| Severity | Category | Created | Message |");
+                lines.push("|---|---|---|---|");
+                for (const a of alerts.slice(0, 50)) {
+                    const created = fmtUsecs(a.firstTimestampUsecs);
+                    const msg = (a.alertDocument?.alertDescription ?? a.errorMessage ?? "—")
+                        .replace(/\|/g, "\\|")
+                        .replace(/\n/g, " ")
+                        .slice(0, 120);
+                    lines.push(`| ${a.severity ?? "—"} | ${a.alertCategory ?? "—"} | ${created} | ${msg} |`);
+                }
+            }
+            return reply(lines.join("\n"));
+        }
+        catch (err) {
+            return reply(`Error generating protection summary: ${err}`, true);
+        }
+    });
+    // ── Synthesized Failed Backups Report ──────────────────────────────────
+    // Combines protection-groups + last-run-info to surface only failed/missed runs.
+    server.tool("generate_failed_backups_report", "Generate a Markdown report listing protection groups whose most recent run failed, was missed, or finished with warnings. Useful for daily backup health triage.", {}, async () => {
+        try {
+            const groupsResp = await client.getV2("data-protect/protection-groups", {
+                includeLastRunInfo: "true",
+            });
+            const groups = groupsResp.protectionGroups ?? [];
+            const bad = groups.filter((g) => {
+                const status = g.lastRun?.localBackupInfo?.status;
+                return ["Failed", "Missed", "SucceededWithWarning", "Canceled"].includes(status);
+            });
+            const lines = [];
+            lines.push("# Failed / Missed Backups Report");
+            lines.push(`Generated: ${new Date().toISOString()}`);
+            lines.push(`Failing groups: ${bad.length} of ${groups.length}`);
+            lines.push("");
+            if (bad.length === 0) {
+                lines.push("_All protection groups' last runs completed successfully._");
+                return reply(lines.join("\n"));
+            }
+            lines.push("| Name | Environment | Status | Last Run | Run ID |");
+            lines.push("|---|---|---|---|---|");
+            for (const g of bad) {
+                const run = g.lastRun?.localBackupInfo ?? {};
+                lines.push(`| ${g.name ?? "—"} | ${g.environment ?? "—"} | ${run.status ?? "—"} ` +
+                    `| ${fmtUsecs(run.startTimeUsecs)} | ${g.lastRun?.id ?? "—"} |`);
+            }
+            return reply(lines.join("\n"));
+        }
+        catch (err) {
+            return reply(`Error generating failed-backups report: ${err}`, true);
+        }
+    });
+    // ── Synthesized Capacity Report ────────────────────────────────────────
+    // Combines /clusters + /stats/cluster-storage into a single capacity view.
+    server.tool("generate_capacity_report", "Generate a Markdown capacity report showing cluster storage usage, available capacity, deduplication ratio, and data reduction stats.", {}, async () => {
+        try {
+            const [clusterResp, storageResp] = await Promise.all([
+                client.getV2("clusters"),
+                client.getV2("stats/cluster-storage"),
+            ]);
+            const cluster = clusterResp;
+            const storage = storageResp;
+            const stats = storage.totalClusterUsage ?? storage;
+            const lines = [];
+            lines.push("# Cluster Capacity Report");
+            lines.push(`Generated: ${new Date().toISOString()}`);
+            lines.push("");
+            lines.push(`**Cluster:** ${cluster.name ?? "—"} (id ${cluster.id ?? "—"})`);
+            lines.push(`**Software:** ${cluster.softwareVersion ?? "—"}`);
+            lines.push(`**Nodes:** ${cluster.nodeCount ?? "—"}`);
+            lines.push("");
+            lines.push("## Storage");
+            lines.push("");
+            lines.push(`- **Total capacity:** ${fmtBytes(stats.totalPhysicalRawUsageBytes)}`);
+            lines.push(`- **Used:** ${fmtBytes(stats.totalPhysicalUsageBytes)}`);
+            lines.push(`- **Free:** ${fmtBytes(stats.totalCapacityBytes - stats.totalPhysicalUsageBytes)}`);
+            lines.push(`- **Logical (pre-dedup):** ${fmtBytes(stats.totalLogicalUsageBytes)}`);
+            if (stats.dataReductionRatio !== undefined) {
+                lines.push(`- **Data reduction:** ${stats.dataReductionRatio.toFixed(2)}x`);
+            }
+            return reply(lines.join("\n"));
+        }
+        catch (err) {
+            return reply(`Error generating capacity report: ${err}`, true);
+        }
+    });
+}

package/dist/tools/cluster.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Cluster information and statistics tools.
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { CohesityClient } from "../cohesity-client.js";
+export declare function registerClusterTools(server: McpServer, client: CohesityClient): void;

package/dist/tools/cluster.js

@@ -0,0 +1,33 @@
+/**
+ * Cluster information and statistics tools.
+ */
+/** Shorthand for building MCP tool return values. */
+const reply = (text, isError = false) => ({
+    content: [{ type: "text", text }],
+    isError,
+});
+export function registerClusterTools(server, client) {
+    // ── Cluster Info ───────────────────────────────────────────────────────
+    server.tool("get_cluster_info", "Get Cohesity cluster information including name, ID, software version, and node count", {}, async () => {
+        try {
+            const info = await client.getV2("clusters");
+            return reply(JSON.stringify(info, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching cluster info: ${err}`, true);
+        }
+    });
+    // ── Cluster Stats ──────────────────────────────────────────────────────
+    server.tool("get_cluster_stats", "Get Cohesity cluster storage statistics including total capacity, used and available bytes, and data protection usage", {}, async () => {
+        try {
+            const [info, storage] = await Promise.all([
+                client.getV2("clusters"),
+                client.getV2("stats/cluster-storage"),
+            ]);
+            return reply(JSON.stringify({ cluster: info, storage }, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching cluster stats: ${err}`, true);
+        }
+    });
+}

package/dist/tools/external-targets.d.ts

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { CohesityClient } from "../cohesity-client.js";
+export declare function registerExternalTargetTools(server: McpServer, client: CohesityClient): void;

package/dist/tools/external-targets.js

@@ -0,0 +1,145 @@
+import { z } from "zod";
+function toolResult(text, isError = false) {
+    return { content: [{ type: "text", text }], isError };
+}
+export function registerExternalTargetTools(server, client) {
+    // ── List External Targets ────────────────────────────────────────────
+    server.tool("list_external_targets", "List all registered external targets (cloud vaults, tape, NAS) used for archival and tiering. Returns target IDs needed for protection policy archival configuration.", {
+        purpose_types: z
+            .array(z.enum(["Archival", "Tiering", "Rpaas", "Logbackup"]))
+            .optional()
+            .describe("Filter by purpose type"),
+        storage_types: z
+            .array(z.enum(["Azure", "Google", "AWS", "Oracle", "NAS", "QStarTape", "S3Compatible", "IBM"]))
+            .optional()
+            .describe("Filter by storage type"),
+        name: z
+            .string()
+            .optional()
+            .describe("Filter by target name"),
+    }, async ({ purpose_types, storage_types, name }) => {
+        try {
+            const params = {};
+            if (purpose_types)
+                params.purposeTypes = purpose_types.join(",");
+            if (storage_types)
+                params.storageTypes = storage_types.join(",");
+            if (name)
+                params.names = name;
+            const result = await client.getV2("data-protect/external-targets", params);
+            return toolResult(JSON.stringify(result, null, 2));
+        }
+        catch (error) {
+            return toolResult(`Error listing external targets: ${error}`, true);
+        }
+    });
+    // ── Get External Target ──────────────────────────────────────────────
+    server.tool("get_external_target", "Get details of a specific external target by ID.", {
+        id: z.number().describe("External target ID"),
+    }, async ({ id }) => {
+        try {
+            const result = await client.getV2(`data-protect/external-targets/${id}`);
+            return toolResult(JSON.stringify(result, null, 2));
+        }
+        catch (error) {
+            return toolResult(`Error fetching external target ${id}: ${error}`, true);
+        }
+    });
+    // ── Create External Target (AWS S3) ──────────────────────────────────
+    server.tool("create_external_target_aws", "Register a new AWS S3 external target for archival or tiering. Requires an existing IAM role or access key credentials.", {
+        name: z.string().describe("Name for the external target"),
+        purpose_type: z
+            .enum(["Archival", "Tiering"])
+            .describe("Purpose: Archival (long-term retention) or Tiering (automated cold data movement)"),
+        bucket_name: z.string().describe("S3 bucket name"),
+        region: z.string().describe("AWS region (e.g. us-east-1)"),
+        storage_class: z
+            .enum([
+            "AmazonS3Standard",
+            "AmazonS3StandardIA",
+            "AmazonS3OneZoneIA",
+            "AmazonS3IntelligentTiering",
+            "AmazonS3Glacier",
+            "AmazonS3GlacierDeepArchive",
+            "AmazonS3GlacierIR",
+        ])
+            .optional()
+            .default("AmazonS3Standard")
+            .describe("S3 storage class"),
+        access_key_id: z.string().optional().describe("AWS access key ID (leave blank if using IAM role)"),
+        secret_access_key: z.string().optional().describe("AWS secret access key"),
+        iam_role_arn: z.string().optional().describe("IAM role ARN (alternative to access key)"),
+    }, async ({ name, purpose_type, bucket_name, region, storage_class, access_key_id, secret_access_key, iam_role_arn }) => {
+        try {
+            const body = {
+                name,
+                purposeType: purpose_type,
+                storageType: "AWS",
+                awsParams: {
+                    bucketName: bucket_name,
+                    region,
+                    storageClass: storage_class,
+                    ...(iam_role_arn ? { iamRoleArn: iam_role_arn } : {}),
+                    ...(access_key_id ? { accessKeyId: access_key_id } : {}),
+                    ...(secret_access_key ? { secretAccessKey: secret_access_key } : {}),
+                },
+            };
+            const result = await client.postV2("data-protect/external-targets", body);
+            return toolResult(JSON.stringify(result, null, 2));
+        }
+        catch (error) {
+            return toolResult(`Error creating AWS external target: ${error}`, true);
+        }
+    });
+    // ── Create External Target (Azure) ───────────────────────────────────
+    server.tool("create_external_target_azure", "Register a new Azure Blob Storage external target for archival or tiering.", {
+        name: z.string().describe("Name for the external target"),
+        purpose_type: z
+            .enum(["Archival", "Tiering"])
+            .describe("Purpose: Archival or Tiering"),
+        container_name: z.string().describe("Azure Blob container name"),
+        storage_account_name: z.string().describe("Azure storage account name"),
+        storage_account_key: z.string().describe("Azure storage account access key"),
+        storage_class: z
+            .enum(["AzureHotBlob", "AzureCoolBlob", "AzureColdBlob", "AzureArchiveBlob"])
+            .optional()
+            .default("AzureCoolBlob")
+            .describe("Azure storage tier"),
+    }, async ({ name, purpose_type, container_name, storage_account_name, storage_account_key, storage_class }) => {
+        try {
+            const body = {
+                name,
+                purposeType: purpose_type,
+                storageType: "Azure",
+                azureParams: {
+                    containerName: container_name,
+                    storageAccountName: storage_account_name,
+                    storageAccountKey: storage_account_key,
+                    storageClass: storage_class,
+                },
+            };
+            const result = await client.postV2("data-protect/external-targets", body);
+            return toolResult(JSON.stringify(result, null, 2));
+        }
+        catch (error) {
+            return toolResult(`Error creating Azure external target: ${error}`, true);
+        }
+    });
+    // ── Delete External Target ───────────────────────────────────────────
+    server.tool("delete_external_target", "Delete a registered external target. Use force_delete=true only if the target has no active archival jobs.", {
+        id: z.number().describe("External target ID to delete"),
+        force_delete: z
+            .boolean()
+            .optional()
+            .default(false)
+            .describe("Force delete even if the target has associated data"),
+    }, async ({ id, force_delete }) => {
+        try {
+            await client.deleteV2(`data-protect/external-targets/${id}?forceDelete=${force_delete}`);
+            return toolResult(`External target ${id} deleted successfully.`);
+        }
+        catch (error) {
+            return toolResult(`Error deleting external target ${id}: ${error}`, true);
+        }
+    });
+}

package/dist/tools/kms.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Key Management System (KMS) tools — list, add, update, and delete KMS
+ * configurations on the cluster. Cohesity supports an internal KMS plus
+ * external types: AwsKms, KmipKms, IbmKms, GcpKms.
+ *
+ *   Endpoints (verified against cluster_v2_api.yaml):
+ *     GET    /v2/kms
+ *     POST   /v2/kms             — KmsConfigurationCreateParams
+ *     PUT    /v2/kms/{id}        — KmsConfigurationAddUpdateParams
+ *     DELETE /v2/kms/{id}
+ */
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { CohesityClient } from "../cohesity-client.js";
+export declare function registerKmsTools(server: McpServer, client: CohesityClient): void;

package/dist/tools/kms.js

@@ -0,0 +1,164 @@
+/**
+ * Key Management System (KMS) tools — list, add, update, and delete KMS
+ * configurations on the cluster. Cohesity supports an internal KMS plus
+ * external types: AwsKms, KmipKms, IbmKms, GcpKms.
+ *
+ *   Endpoints (verified against cluster_v2_api.yaml):
+ *     GET    /v2/kms
+ *     POST   /v2/kms             — KmsConfigurationCreateParams
+ *     PUT    /v2/kms/{id}        — KmsConfigurationAddUpdateParams
+ *     DELETE /v2/kms/{id}
+ */
+import { z } from "zod";
+const reply = (text, isError = false) => ({
+    content: [{ type: "text", text }],
+    isError,
+});
+export function registerKmsTools(server, client) {
+    // ── List KMS Configurations ────────────────────────────────────────────
+    server.tool("list_kms_configurations", "List Key Management Systems (KMS) configured on the cluster. The InternalKms is always present; external types include AwsKms, KmipKms, IbmKms, and GcpKms.", {
+        ids: z.array(z.number()).optional().describe("Restrict to these KMS IDs"),
+        include_rpaas_kms: z
+            .boolean()
+            .optional()
+            .describe("Include KMS configured by FortKnox / RPaaS"),
+    }, async (args) => {
+        try {
+            const qp = {};
+            if (args.ids?.length)
+                qp.ids = args.ids.join(",");
+            if (args.include_rpaas_kms !== undefined)
+                qp.includeRpaasKms = String(args.include_rpaas_kms);
+            const data = await client.getV2("kms", qp);
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error listing KMS configurations: ${err}`, true);
+        }
+    });
+    // ── Add AWS KMS ────────────────────────────────────────────────────────
+    // KmsConfigurationCreateParams { type: "AwsKms", awsKmsParams: { ... }, name, ownershipContext?, usageType? }
+    server.tool("add_aws_kms", "Register an AWS KMS as an encryption key source. Used to encrypt storage domains or external targets.", {
+        name: z.string().describe("Display name for this KMS configuration"),
+        access_key_id: z.string().describe("AWS access key ID"),
+        secret_access_key: z.string().describe("AWS secret access key"),
+        region: z.string().describe("AWS region (e.g., us-east-1)"),
+        cmk_arn: z
+            .string()
+            .describe("ARN of the AWS KMS Customer Master Key (CMK) to use"),
+        storage_domain_ids: z
+            .array(z.number())
+            .optional()
+            .describe("Storage domain IDs to assign this KMS to (cannot change after assignment)"),
+        external_target_ids: z
+            .array(z.number())
+            .optional()
+            .describe("External target IDs to assign this KMS to (cannot change after assignment)"),
+    }, async (args) => {
+        try {
+            const body = {
+                name: args.name,
+                type: "AwsKms",
+                awsKmsParams: {
+                    accessKeyId: args.access_key_id,
+                    secretAccessKey: args.secret_access_key,
+                    region: args.region,
+                    cmkArn: args.cmk_arn,
+                },
+                ...(args.storage_domain_ids?.length && { storageDomainIds: args.storage_domain_ids }),
+                ...(args.external_target_ids?.length && { externalTargetIds: args.external_target_ids }),
+            };
+            const data = await client.postV2("kms", body);
+            return reply(`AWS KMS '${args.name}' added.\n${JSON.stringify(data, null, 2)}`);
+        }
+        catch (err) {
+            return reply(`Error adding AWS KMS: ${err}`, true);
+        }
+    });
+    // ── Add KMIP KMS ───────────────────────────────────────────────────────
+    server.tool("add_kmip_kms", "Register a KMIP-compliant KMS (e.g., Thales, Fortanix). Provide endpoint, port, CA cert, and client certs.", {
+        name: z.string().describe("Display name for this KMS configuration"),
+        server_ip: z.string().describe("KMIP server hostname or IP"),
+        server_port: z.number().describe("KMIP server port (typically 5696)"),
+        ca_certificate: z.string().describe("CA certificate (PEM)"),
+        client_certificate: z.string().describe("Client certificate (PEM)"),
+        client_key: z.string().describe("Client private key (PEM)"),
+        kmip_protocol_version: z
+            .enum(["v_1_0", "v_1_1", "v_1_2", "v_1_3", "v_1_4"])
+            .default("v_1_2")
+            .describe("KMIP protocol version to negotiate"),
+        storage_domain_ids: z.array(z.number()).optional(),
+        external_target_ids: z.array(z.number()).optional(),
+    }, async (args) => {
+        try {
+            const body = {
+                name: args.name,
+                type: "KmipKms",
+                kmipKmsParams: {
+                    serverIp: args.server_ip,
+                    serverPort: args.server_port,
+                    caCertificate: args.ca_certificate,
+                    clientCertificate: args.client_certificate,
+                    clientKey: args.client_key,
+                    kmipProtocolVersion: args.kmip_protocol_version,
+                },
+                ...(args.storage_domain_ids?.length && { storageDomainIds: args.storage_domain_ids }),
+                ...(args.external_target_ids?.length && { externalTargetIds: args.external_target_ids }),
+            };
+            const data = await client.postV2("kms", body);
+            return reply(`KMIP KMS '${args.name}' added.\n${JSON.stringify(data, null, 2)}`);
+        }
+        catch (err) {
+            return reply(`Error adding KMIP KMS: ${err}`, true);
+        }
+    });
+    // ── Update KMS ─────────────────────────────────────────────────────────
+    // KmsConfigurationAddUpdateParams — adds/changes assignments without
+    // re-supplying type-specific provider params.
+    server.tool("update_kms", "Update an existing KMS configuration — assign additional storage domains or external targets, or rename it. Provider credentials cannot be changed via this method; delete and re-add to rotate credentials.", {
+        id: z.number().describe("KMS configuration ID"),
+        name: z.string().describe("Display name"),
+        storage_domain_ids: z
+            .array(z.number())
+            .optional()
+            .describe("Replacement list of storage domain IDs"),
+        external_target_ids: z
+            .array(z.number())
+            .optional()
+            .describe("Replacement list of external target IDs"),
+    }, async (args) => {
+        try {
+            const body = {
+                name: args.name,
+                ...(args.storage_domain_ids && { storageDomainIds: args.storage_domain_ids }),
+                ...(args.external_target_ids && { externalTargetIds: args.external_target_ids }),
+            };
+            const data = await client.putV2(`kms/${args.id}`, body);
+            return reply(`KMS ${args.id} updated.\n${JSON.stringify(data, null, 2)}`);
+        }
+        catch (err) {
+            return reply(`Error updating KMS: ${err}`, true);
+        }
+    });
+    // ── Delete KMS ─────────────────────────────────────────────────────────
+    server.tool("delete_kms", "Delete a KMS configuration. The internal KMS (id 0) cannot be deleted.", { id: z.number().describe("KMS ID to delete") }, async (args) => {
+        try {
+            await client.deleteV2(`kms/${args.id}`);
+            return reply(`KMS ${args.id} deleted.`);
+        }
+        catch (err) {
+            return reply(`Error deleting KMS: ${err}`, true);
+        }
+    });
+    // ── Get External Target Encryption Key ─────────────────────────────────
+    // GET /v2/data-protect/external-targets/{id}/encryption-key
+    server.tool("get_external_target_encryption_key", "Get the encryption key associated with an external target (e.g., AWS S3 bucket, Azure container). Used to verify which KMS is providing keys for archived data.", { external_target_id: z.number().describe("External target ID") }, async (args) => {
+        try {
+            const data = await client.getV2(`data-protect/external-targets/${args.external_target_id}/encryption-key`);
+            return reply(JSON.stringify(data, null, 2));
+        }
+        catch (err) {
+            return reply(`Error fetching external target encryption key: ${err}`, true);
+        }
+    });
+}

package/dist/tools/notifications.d.ts

@@ -0,0 +1,3 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { CohesityClient } from "../cohesity-client.js";
+export declare function registerNotificationTools(server: McpServer, client: CohesityClient): void;