kubectl-mcp-server 1.14.0__py3-none-any.whl → 1.16.0__py3-none-any.whl

kubectl_mcp_tool/tools/security.py

@@ -3,6 +3,12 @@ from typing import Any, Dict, List, Optional
 
 from mcp.types import ToolAnnotations
 
+from ..k8s_config import (
+    get_k8s_client,
+    get_rbac_client,
+    get_networking_client,
+)
+
 logger = logging.getLogger("mcp-server")
 
 
@@ -15,12 +21,18 @@ def register_security_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def get_rbac_roles(namespace: Optional[str] = None) -> Dict[str, Any]:
-        """Get RBAC Roles in a namespace or cluster-wide."""
+    def get_rbac_roles(
+        namespace: Optional[str] = None,
+        context: str = ""
+    ) -> Dict[str, Any]:
+        """Get RBAC Roles in a namespace or cluster-wide.
+
+        Args:
+            namespace: Namespace to list roles from (all namespaces if not specified)
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            rbac = client.RbacAuthorizationV1Api()
+            rbac = get_rbac_client(context)
 
             if namespace:
                 roles = rbac.list_namespaced_role(namespace)
@@ -29,6 +41,7 @@ def register_security_tools(server, non_destructive: bool):
 
             return {
                 "success": True,
+                "context": context or "current",
                 "roles": [
                     {
                         "name": role.metadata.name,
@@ -55,16 +68,19 @@ def register_security_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def get_cluster_roles() -> Dict[str, Any]:
-        """Get ClusterRoles in the cluster."""
+    def get_cluster_roles(context: str = "") -> Dict[str, Any]:
+        """Get ClusterRoles in the cluster.
+
+        Args:
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            rbac = client.RbacAuthorizationV1Api()
+            rbac = get_rbac_client(context)
             roles = rbac.list_cluster_role()
 
             return {
                 "success": True,
+                "context": context or "current",
                 "clusterRoles": [
                     {
                         "name": role.metadata.name,
@@ -90,12 +106,18 @@ def register_security_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def analyze_pod_security(namespace: Optional[str] = None) -> Dict[str, Any]:
-        """Analyze pod security configurations."""
+    def analyze_pod_security(
+        namespace: Optional[str] = None,
+        context: str = ""
+    ) -> Dict[str, Any]:
+        """Analyze pod security configurations.
+
+        Args:
+            namespace: Namespace to analyze pods in (all namespaces if not specified)
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            v1 = client.CoreV1Api()
+            v1 = get_k8s_client(context)
 
             if namespace:
                 pods = v1.list_namespaced_pod(namespace)
@@ -133,6 +155,7 @@ def register_security_tools(server, non_destructive: bool):
 
             return {
                 "success": True,
+                "context": context or "current",
                 "totalPods": len(pods.items),
                 "podsWithIssues": len(issues),
                 "issues": issues[:50]
@@ -147,13 +170,19 @@ def register_security_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def analyze_network_policies(namespace: Optional[str] = None) -> Dict[str, Any]:
-        """Analyze network policies in the cluster."""
+    def analyze_network_policies(
+        namespace: Optional[str] = None,
+        context: str = ""
+    ) -> Dict[str, Any]:
+        """Analyze network policies in the cluster.
+
+        Args:
+            namespace: Namespace to analyze policies in (all namespaces if not specified)
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            networking = client.NetworkingV1Api()
-            v1 = client.CoreV1Api()
+            networking = get_networking_client(context)
+            v1 = get_k8s_client(context)
 
             if namespace:
                 policies = networking.list_namespaced_network_policy(namespace)
@@ -174,6 +203,7 @@ def register_security_tools(server, non_destructive: bool):
 
             return {
                 "success": True,
+                "context": context or "current",
                 "totalPolicies": len(policies.items),
                 "protectedNamespaces": list(protected_namespaces),
                 "unprotectedNamespaces": unprotected,
@@ -197,12 +227,20 @@ def register_security_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def audit_rbac_permissions(namespace: Optional[str] = None, subject: Optional[str] = None) -> Dict[str, Any]:
-        """Audit RBAC permissions for subjects."""
+    def audit_rbac_permissions(
+        namespace: Optional[str] = None,
+        subject: Optional[str] = None,
+        context: str = ""
+    ) -> Dict[str, Any]:
+        """Audit RBAC permissions for subjects.
+
+        Args:
+            namespace: Namespace to audit (cluster-wide if not specified)
+            subject: Filter by subject name
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            rbac = client.RbacAuthorizationV1Api()
+            rbac = get_rbac_client(context)
 
             cluster_bindings = rbac.list_cluster_role_binding()
             if namespace:
@@ -238,6 +276,7 @@ def register_security_tools(server, non_destructive: bool):
 
             return {
                 "success": True,
+                "context": context or "current",
                 "permissions": permissions[:100]
             }
         except Exception as e:
@@ -250,12 +289,18 @@ def register_security_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def check_secrets_security(namespace: Optional[str] = None) -> Dict[str, Any]:
-        """Check security posture of secrets."""
+    def check_secrets_security(
+        namespace: Optional[str] = None,
+        context: str = ""
+    ) -> Dict[str, Any]:
+        """Check security posture of secrets.
+
+        Args:
+            namespace: Namespace to check secrets in (all namespaces if not specified)
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            v1 = client.CoreV1Api()
+            v1 = get_k8s_client(context)
 
             if namespace:
                 secrets = v1.list_namespaced_secret(namespace)
@@ -282,6 +327,7 @@ def register_security_tools(server, non_destructive: bool):
 
             return {
                 "success": True,
+                "context": context or "current",
                 "totalSecrets": len(secrets.items),
                 "secretsWithIssues": len(findings),
                 "findings": findings[:50]
@@ -296,12 +342,18 @@ def register_security_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def get_pod_security_info(namespace: Optional[str] = None) -> Dict[str, Any]:
-        """Get Pod Security Standards information for namespaces."""
+    def get_pod_security_info(
+        namespace: Optional[str] = None,
+        context: str = ""
+    ) -> Dict[str, Any]:
+        """Get Pod Security Standards information for namespaces.
+
+        Args:
+            namespace: Namespace to check (all namespaces if not specified)
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            v1 = client.CoreV1Api()
+            v1 = get_k8s_client(context)
 
             if namespace:
                 namespaces = [v1.read_namespace(namespace)]
@@ -325,6 +377,7 @@ def register_security_tools(server, non_destructive: bool):
 
             return {
                 "success": True,
+                "context": context or "current",
                 "note": "Pod Security Policies are deprecated. Using Pod Security Standards (PSS) labels.",
                 "namespacesWithPSS": result
             }

kubectl_mcp_tool/tools/storage.py

@@ -1,8 +1,10 @@
 import logging
-from typing import Any, Dict, Optional
+from typing import Any, Dict, List, Optional
 
 from mcp.types import ToolAnnotations
 
+from ..k8s_config import get_k8s_client, get_storage_client
+
 logger = logging.getLogger("mcp-server")
 
 
@@ -15,12 +17,18 @@ def register_storage_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def get_persistent_volumes(name: Optional[str] = None) -> Dict[str, Any]:
-        """Get Persistent Volumes in the cluster."""
+    def get_persistent_volumes(
+        name: Optional[str] = None,
+        context: str = ""
+    ) -> Dict[str, Any]:
+        """Get Persistent Volumes in the cluster.
+
+        Args:
+            name: Specific PV name to get (all PVs if not specified)
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            v1 = client.CoreV1Api()
+            v1 = get_k8s_client(context)
 
             if name:
                 pv = v1.read_persistent_volume(name)
@@ -39,6 +47,7 @@ def register_storage_tools(server, non_destructive: bool):
 
             return {
                 "success": True,
+                "context": context or "current",
                 "persistentVolumes": [
                     {
                         "name": pv.metadata.name,
@@ -66,12 +75,18 @@ def register_storage_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def get_pvcs(namespace: Optional[str] = None) -> Dict[str, Any]:
-        """Get Persistent Volume Claims in a namespace or cluster-wide."""
+    def get_pvcs(
+        namespace: Optional[str] = None,
+        context: str = ""
+    ) -> Dict[str, Any]:
+        """Get Persistent Volume Claims in a namespace or cluster-wide.
+
+        Args:
+            namespace: Namespace to list PVCs from (all namespaces if not specified)
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            v1 = client.CoreV1Api()
+            v1 = get_k8s_client(context)
 
             if namespace:
                 pvcs = v1.list_namespaced_persistent_volume_claim(namespace)
@@ -80,6 +95,7 @@ def register_storage_tools(server, non_destructive: bool):
 
             return {
                 "success": True,
+                "context": context or "current",
                 "pvcs": [
                     {
                         "name": pvc.metadata.name,
@@ -103,17 +119,20 @@ def register_storage_tools(server, non_destructive: bool):
             readOnlyHint=True,
         ),
     )
-    def get_storage_classes() -> Dict[str, Any]:
-        """Get Storage Classes in the cluster."""
+    def get_storage_classes(context: str = "") -> Dict[str, Any]:
+        """Get Storage Classes in the cluster.
+
+        Args:
+            context: Kubernetes context to use (uses current context if not specified)
+        """
         try:
-            from kubernetes import client, config
-            config.load_kube_config()
-            storage = client.StorageV1Api()
+            storage = get_storage_client(context)
 
             scs = storage.list_storage_class()
 
             return {
                 "success": True,
+                "context": context or "current",
                 "storageClasses": [
                     {
                         "name": sc.metadata.name,

tests/test_browser.py

@@ -501,11 +501,11 @@ class TestServerIntegration:
                         tools = asyncio.run(server.server.list_tools())
                         tool_names = [t.name for t in tools]
 
-                        # Should have browser tools (127 + 26 = 153)
+                        # Should have browser tools (224 + 26 = 250)
                         assert "browser_open" in tool_names
                         assert "browser_screenshot" in tool_names
                         assert "browser_connect_cdp" in tool_names  # v0.7 tool
-                        assert len(tools) == 153, f"Expected 153 tools (127 + 26), got {len(tools)}"
+                        assert len(tools) == 250, f"Expected 250 tools (224 + 26), got {len(tools)}"
 
 
 import asyncio

tests/test_ecosystem.py

@@ -0,0 +1,331 @@
+"""
+Unit tests for ecosystem tools (GitOps, Cert-Manager, Policy, Backup).
+
+This module tests the CRD detector and all ecosystem toolsets.
+"""
+
+import pytest
+from unittest.mock import patch, MagicMock
+import subprocess
+
+
+class TestCRDDetector:
+    """Tests for the CRD auto-discovery framework."""
+
+    @pytest.mark.unit
+    def test_crd_detector_imports(self):
+        """Test that CRD detector module can be imported."""
+        from kubectl_mcp_tool.crd_detector import (
+            CRD_GROUPS,
+            detect_crds,
+            crd_exists,
+            get_enabled_toolsets,
+            get_crd_status_summary,
+            FeatureNotInstalledError,
+            require_crd,
+            require_any_crd,
+        )
+        assert CRD_GROUPS is not None
+        assert callable(detect_crds)
+        assert callable(crd_exists)
+        assert callable(get_enabled_toolsets)
+        assert callable(get_crd_status_summary)
+        assert issubclass(FeatureNotInstalledError, Exception)
+        assert callable(require_crd)
+        assert callable(require_any_crd)
+
+    @pytest.mark.unit
+    def test_crd_groups_structure(self):
+        """Test that CRD_GROUPS has expected structure."""
+        from kubectl_mcp_tool.crd_detector import CRD_GROUPS
+
+        expected_groups = ["flux", "argocd", "certmanager", "kyverno", "gatekeeper", "velero"]
+        for group in expected_groups:
+            assert group in CRD_GROUPS, f"Expected group '{group}' in CRD_GROUPS"
+            assert isinstance(CRD_GROUPS[group], list), f"CRD_GROUPS['{group}'] should be a list"
+            assert len(CRD_GROUPS[group]) > 0, f"CRD_GROUPS['{group}'] should not be empty"
+
+    @pytest.mark.unit
+    def test_detect_crds_with_mocked_kubectl(self):
+        """Test CRD detection with mocked kubectl."""
+        from kubectl_mcp_tool.crd_detector import detect_crds, _crd_cache
+
+        # Clear cache before test
+        _crd_cache.clear()
+
+        mock_output = """NAME                                     CREATED AT
+applications.argoproj.io                 2024-01-01T00:00:00Z
+certificates.cert-manager.io             2024-01-01T00:00:00Z
+"""
+        with patch("subprocess.run") as mock_run:
+            mock_run.return_value = MagicMock(
+                returncode=0,
+                stdout=mock_output
+            )
+            result = detect_crds(force_refresh=True)
+
+            assert isinstance(result, dict)
+            assert "argocd" in result
+            assert "certmanager" in result
+
+    @pytest.mark.unit
+    def test_detect_crds_handles_kubectl_failure(self):
+        """Test CRD detection handles kubectl failure gracefully."""
+        from kubectl_mcp_tool.crd_detector import detect_crds, _crd_cache
+
+        _crd_cache.clear()
+
+        with patch("subprocess.run") as mock_run:
+            mock_run.side_effect = subprocess.SubprocessError("Command failed")
+            result = detect_crds(force_refresh=True)
+
+            assert isinstance(result, dict)
+            # All groups should be False when kubectl fails
+            for value in result.values():
+                assert value is False
+
+    @pytest.mark.unit
+    def test_feature_not_installed_error(self):
+        """Test FeatureNotInstalledError exception."""
+        from kubectl_mcp_tool.crd_detector import FeatureNotInstalledError
+
+        error = FeatureNotInstalledError("velero", ["backups.velero.io"])
+        assert "velero" in str(error)
+        assert "backups.velero.io" in str(error)
+        assert error.toolset == "velero"
+        assert "backups.velero.io" in error.required_crds
+
+    @pytest.mark.unit
+    def test_get_crd_status_summary(self):
+        """Test CRD status summary generation."""
+        from kubectl_mcp_tool.crd_detector import get_crd_status_summary, _crd_cache
+
+        _crd_cache.clear()
+
+        with patch("subprocess.run") as mock_run:
+            mock_run.return_value = MagicMock(
+                returncode=0,
+                stdout="applications.argoproj.io 2024-01-01T00:00:00Z\n"
+            )
+            summary = get_crd_status_summary()
+
+            # Summary returns a dict with crd_groups and enabled_toolsets
+            assert isinstance(summary, dict)
+            assert "crd_groups" in summary
+            assert "enabled_toolsets" in summary
+
+
+class TestGitOpsTools:
+    """Tests for GitOps toolset (Flux and ArgoCD)."""
+
+    @pytest.mark.unit
+    def test_gitops_tools_import(self):
+        """Test that GitOps tools can be imported."""
+        from kubectl_mcp_tool.tools.gitops import register_gitops_tools
+        assert callable(register_gitops_tools)
+
+    @pytest.mark.unit
+    def test_gitops_tools_register(self, mock_all_kubernetes_apis):
+        """Test that GitOps tools register correctly."""
+        from kubectl_mcp_tool.mcp_server import MCPServer
+        import asyncio
+
+        with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies", return_value=True):
+            server = MCPServer(name="test")
+
+        async def get_tools():
+            return await server.server.list_tools()
+
+        tools = asyncio.run(get_tools())
+        tool_names = {t.name for t in tools}
+
+        gitops_tools = [
+            "gitops_apps_list_tool", "gitops_app_get_tool", "gitops_app_sync_tool",
+            "gitops_app_status_tool", "gitops_sources_list_tool", "gitops_source_get_tool",
+            "gitops_detect_engine_tool"
+        ]
+        for tool in gitops_tools:
+            assert tool in tool_names, f"GitOps tool '{tool}' not registered"
+
+    @pytest.mark.unit
+    def test_gitops_non_destructive_mode(self, mock_all_kubernetes_apis):
+        """Test that GitOps sync is blocked in non-destructive mode."""
+        from kubectl_mcp_tool.mcp_server import MCPServer
+
+        with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies", return_value=True):
+            server = MCPServer(name="test", non_destructive=True)
+
+        # Server should initialize with non_destructive=True
+        assert server.non_destructive is True
+
+
+class TestCertManagerTools:
+    """Tests for Cert-Manager toolset."""
+
+    @pytest.mark.unit
+    def test_certs_tools_import(self):
+        """Test that Cert-Manager tools can be imported."""
+        from kubectl_mcp_tool.tools.certs import register_certs_tools
+        assert callable(register_certs_tools)
+
+    @pytest.mark.unit
+    def test_certs_tools_register(self, mock_all_kubernetes_apis):
+        """Test that Cert-Manager tools register correctly."""
+        from kubectl_mcp_tool.mcp_server import MCPServer
+        import asyncio
+
+        with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies", return_value=True):
+            server = MCPServer(name="test")
+
+        async def get_tools():
+            return await server.server.list_tools()
+
+        tools = asyncio.run(get_tools())
+        tool_names = {t.name for t in tools}
+
+        certs_tools = [
+            "certs_list_tool", "certs_get_tool", "certs_issuers_list_tool", "certs_issuer_get_tool",
+            "certs_renew_tool", "certs_status_explain_tool", "certs_challenges_list_tool",
+            "certs_requests_list_tool", "certs_detect_tool"
+        ]
+        for tool in certs_tools:
+            assert tool in tool_names, f"Cert-Manager tool '{tool}' not registered"
+
+
+class TestPolicyTools:
+    """Tests for Policy toolset (Kyverno and Gatekeeper)."""
+
+    @pytest.mark.unit
+    def test_policy_tools_import(self):
+        """Test that Policy tools can be imported."""
+        from kubectl_mcp_tool.tools.policy import register_policy_tools
+        assert callable(register_policy_tools)
+
+    @pytest.mark.unit
+    def test_policy_tools_register(self, mock_all_kubernetes_apis):
+        """Test that Policy tools register correctly."""
+        from kubectl_mcp_tool.mcp_server import MCPServer
+        import asyncio
+
+        with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies", return_value=True):
+            server = MCPServer(name="test")
+
+        async def get_tools():
+            return await server.server.list_tools()
+
+        tools = asyncio.run(get_tools())
+        tool_names = {t.name for t in tools}
+
+        policy_tools = [
+            "policy_list_tool", "policy_get_tool", "policy_violations_list_tool",
+            "policy_explain_denial_tool", "policy_audit_tool", "policy_detect_tool"
+        ]
+        for tool in policy_tools:
+            assert tool in tool_names, f"Policy tool '{tool}' not registered"
+
+
+class TestBackupTools:
+    """Tests for Backup toolset (Velero)."""
+
+    @pytest.mark.unit
+    def test_backup_tools_import(self):
+        """Test that Backup tools can be imported."""
+        from kubectl_mcp_tool.tools.backup import register_backup_tools
+        assert callable(register_backup_tools)
+
+    @pytest.mark.unit
+    def test_backup_tools_register(self, mock_all_kubernetes_apis):
+        """Test that Backup tools register correctly."""
+        from kubectl_mcp_tool.mcp_server import MCPServer
+        import asyncio
+
+        with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies", return_value=True):
+            server = MCPServer(name="test")
+
+        async def get_tools():
+            return await server.server.list_tools()
+
+        tools = asyncio.run(get_tools())
+        tool_names = {t.name for t in tools}
+
+        backup_tools = [
+            "backup_list_tool", "backup_get_tool", "backup_create_tool", "backup_delete_tool",
+            "restore_list_tool", "restore_create_tool", "restore_get_tool",
+            "backup_locations_list_tool", "backup_schedules_list_tool",
+            "backup_schedule_create_tool", "backup_detect_tool"
+        ]
+        for tool in backup_tools:
+            assert tool in tool_names, f"Backup tool '{tool}' not registered"
+
+    @pytest.mark.unit
+    def test_backup_non_destructive_mode(self, mock_all_kubernetes_apis):
+        """Test that backup operations are blocked in non-destructive mode."""
+        from kubectl_mcp_tool.mcp_server import MCPServer
+
+        with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies", return_value=True):
+            server = MCPServer(name="test", non_destructive=True)
+
+        # Server should initialize with non_destructive=True
+        assert server.non_destructive is True
+
+
+class TestEcosystemToolsIntegration:
+    """Integration tests for ecosystem tools."""
+
+    @pytest.mark.unit
+    def test_all_ecosystem_tools_have_descriptions(self, mock_all_kubernetes_apis):
+        """Test that all ecosystem tools have descriptions."""
+        from kubectl_mcp_tool.mcp_server import MCPServer
+        import asyncio
+
+        with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies", return_value=True):
+            server = MCPServer(name="test")
+
+        async def get_tools():
+            return await server.server.list_tools()
+
+        tools = asyncio.run(get_tools())
+
+        ecosystem_prefixes = ["gitops_", "certs_", "policy_", "backup_", "restore_"]
+        ecosystem_tools = [t for t in tools if any(t.name.startswith(p) for p in ecosystem_prefixes)]
+
+        tools_without_description = [
+            t.name for t in ecosystem_tools
+            if not t.description or len(t.description.strip()) == 0
+        ]
+        assert not tools_without_description, f"Ecosystem tools without descriptions: {tools_without_description}"
+
+    @pytest.mark.unit
+    def test_ecosystem_tool_count(self, mock_all_kubernetes_apis):
+        """Test that correct number of ecosystem tools are registered."""
+        from kubectl_mcp_tool.mcp_server import MCPServer
+        import asyncio
+
+        with patch("kubectl_mcp_tool.mcp_server.MCPServer._check_dependencies", return_value=True):
+            server = MCPServer(name="test")
+
+        async def get_tools():
+            return await server.server.list_tools()
+
+        tools = asyncio.run(get_tools())
+
+        # Filter ecosystem tools, but exclude backup_resource which is in operations.py
+        ecosystem_tool_names = [
+            "gitops_apps_list_tool", "gitops_app_get_tool", "gitops_app_sync_tool",
+            "gitops_app_status_tool", "gitops_sources_list_tool", "gitops_source_get_tool",
+            "gitops_detect_engine_tool",
+            "certs_list_tool", "certs_get_tool", "certs_issuers_list_tool", "certs_issuer_get_tool",
+            "certs_renew_tool", "certs_status_explain_tool", "certs_challenges_list_tool",
+            "certs_requests_list_tool", "certs_detect_tool",
+            "policy_list_tool", "policy_get_tool", "policy_violations_list_tool",
+            "policy_explain_denial_tool", "policy_audit_tool", "policy_detect_tool",
+            "backup_list_tool", "backup_get_tool", "backup_create_tool", "backup_delete_tool",
+            "restore_list_tool", "restore_create_tool", "restore_get_tool",
+            "backup_locations_list_tool", "backup_schedules_list_tool",
+            "backup_schedule_create_tool", "backup_detect_tool"
+        ]
+        tool_names = {t.name for t in tools}
+        ecosystem_tools = [name for name in ecosystem_tool_names if name in tool_names]
+
+        # 7 GitOps + 9 Certs + 6 Policy + 11 Backup = 33 ecosystem tools
+        assert len(ecosystem_tools) == 33, f"Expected 33 ecosystem tools, got {len(ecosystem_tools)}"