mcp-caddy 0.1.0__tar.gz

mcp_caddy-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,44 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  publish-pypi:
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v3
+        with:
+          python-version: "3.12"
+      - run: uv build
+      - uses: pypa/gh-action-pypi-publish@release/v1
+
+  publish-docker:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract tag name
+        id: tag
+        run: echo "version=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/aaronckj/mcp-caddy:latest
+            ghcr.io/aaronckj/mcp-caddy:${{ steps.tag.outputs.version }}

mcp_caddy-0.1.0/.github/workflows/test.yml

@@ -0,0 +1,16 @@
+name: Test
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v3
+        with:
+          python-version: "3.12"
+      - run: uv sync --extra dev
+      - run: uv run pytest -v

mcp_caddy-0.1.0/.gitignore

@@ -0,0 +1,8 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+.venv/
+.pytest_cache/
+.coverage
+htmlcov/

mcp_caddy-0.1.0/Dockerfile

@@ -0,0 +1,12 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+RUN pip install uv
+
+COPY pyproject.toml README.md ./
+COPY src/ ./src/
+
+RUN uv pip install --system .
+
+ENTRYPOINT ["mcp-caddy"]

mcp_caddy-0.1.0/PKG-INFO

@@ -0,0 +1,83 @@
+Metadata-Version: 2.4
+Name: mcp-caddy
+Version: 0.1.0
+Summary: MCP server for Caddy web server management — routes, upstreams, certificates, reload
+License: MIT
+Keywords: caddy,homelab,mcp,reverse-proxy
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Internet :: WWW/HTTP :: HTTP Servers
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: >=3.12
+Requires-Dist: httpx>=0.27
+Requires-Dist: mcp>=1.0
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest-cov>=4.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# mcp-caddy
+
+MCP server for [Caddy](https://caddyserver.com/) web server management. Exposes 7 tools for inspecting routes, upstream health, certificates, and reloading configuration via the Caddy admin API.
+
+## Quick Start
+
+**With uvx (recommended):**
+```bash
+CADDY_HOST=http://10.0.0.31:2019 uvx mcp-caddy
+```
+
+**With Docker:**
+```bash
+docker run -i \
+  -e CADDY_HOST=http://10.0.0.31:2019 \
+  ghcr.io/aaronckj/mcp-caddy:latest
+```
+
+**Add to Claude Code:**
+```bash
+claude mcp add caddy -s user -e CADDY_HOST=http://10.0.0.31:2019 -- uvx mcp-caddy
+```
+
+## Configuration
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `CADDY_HOST` | No | `http://localhost:2019` | Caddy admin API URL |
+| `CADDY_TIMEOUT` | No | `30` | HTTP timeout in seconds |
+
+## Finding Your CADDY_HOST
+
+The Caddy admin API binds to `localhost:2019` by default. Depending on your setup:
+
+1. **MCP server on same host as Caddy** → use the default `http://localhost:2019`
+2. **Caddy in Docker, MCP server on the same Docker host** → add `ports: ["127.0.0.1:2019:2019"]` to your Caddy compose service, then use `http://localhost:2019`
+3. **Remote Caddy host** → SSH tunnel: `ssh -L 2019:localhost:2019 user@caddy-host`, then use `http://localhost:2019`
+4. **Caddy exposes admin via reverse proxy** → set `CADDY_HOST=https://caddy-admin.example.com`
+
+The Caddy admin API has no authentication by default. If you expose it beyond localhost, add Caddy basic auth to that route.
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `server_info` | Caddy version and loaded modules |
+| `get_config` | Full configuration as JSON |
+| `list_routes` | All virtual hosts with upstream targets |
+| `list_upstreams` | Upstream proxy health status |
+| `get_certificates` | TLS automation policies and ACME issuers |
+| `adapt_config` | Convert a Caddyfile snippet to JSON |
+| `reload` | Reload config from a JSON string or file path |
+
+## Development
+
+```bash
+git clone https://github.com/aaronckj/mcp-caddy
+cd mcp-caddy
+uv sync --extra dev
+uv run pytest -v
+```

mcp_caddy-0.1.0/README.md

@@ -0,0 +1,61 @@
+# mcp-caddy
+
+MCP server for [Caddy](https://caddyserver.com/) web server management. Exposes 7 tools for inspecting routes, upstream health, certificates, and reloading configuration via the Caddy admin API.
+
+## Quick Start
+
+**With uvx (recommended):**
+```bash
+CADDY_HOST=http://10.0.0.31:2019 uvx mcp-caddy
+```
+
+**With Docker:**
+```bash
+docker run -i \
+  -e CADDY_HOST=http://10.0.0.31:2019 \
+  ghcr.io/aaronckj/mcp-caddy:latest
+```
+
+**Add to Claude Code:**
+```bash
+claude mcp add caddy -s user -e CADDY_HOST=http://10.0.0.31:2019 -- uvx mcp-caddy
+```
+
+## Configuration
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `CADDY_HOST` | No | `http://localhost:2019` | Caddy admin API URL |
+| `CADDY_TIMEOUT` | No | `30` | HTTP timeout in seconds |
+
+## Finding Your CADDY_HOST
+
+The Caddy admin API binds to `localhost:2019` by default. Depending on your setup:
+
+1. **MCP server on same host as Caddy** → use the default `http://localhost:2019`
+2. **Caddy in Docker, MCP server on the same Docker host** → add `ports: ["127.0.0.1:2019:2019"]` to your Caddy compose service, then use `http://localhost:2019`
+3. **Remote Caddy host** → SSH tunnel: `ssh -L 2019:localhost:2019 user@caddy-host`, then use `http://localhost:2019`
+4. **Caddy exposes admin via reverse proxy** → set `CADDY_HOST=https://caddy-admin.example.com`
+
+The Caddy admin API has no authentication by default. If you expose it beyond localhost, add Caddy basic auth to that route.
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `server_info` | Caddy version and loaded modules |
+| `get_config` | Full configuration as JSON |
+| `list_routes` | All virtual hosts with upstream targets |
+| `list_upstreams` | Upstream proxy health status |
+| `get_certificates` | TLS automation policies and ACME issuers |
+| `adapt_config` | Convert a Caddyfile snippet to JSON |
+| `reload` | Reload config from a JSON string or file path |
+
+## Development
+
+```bash
+git clone https://github.com/aaronckj/mcp-caddy
+cd mcp-caddy
+uv sync --extra dev
+uv run pytest -v
+```

mcp_caddy-0.1.0/pyproject.toml

@@ -0,0 +1,38 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "mcp-caddy"
+version = "0.1.0"
+description = "MCP server for Caddy web server management — routes, upstreams, certificates, reload"
+readme = "README.md"
+requires-python = ">=3.12"
+license = {text = "MIT"}
+keywords = ["mcp", "caddy", "homelab", "reverse-proxy"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3 :: Only",
+    "Programming Language :: Python :: 3.12",
+    "License :: OSI Approved :: MIT License",
+    "Topic :: Internet :: WWW/HTTP :: HTTP Servers",
+    "Topic :: System :: Systems Administration",
+]
+dependencies = [
+    "mcp>=1.0",
+    "httpx>=0.27",
+]
+
+[project.scripts]
+mcp-caddy = "mcp_caddy.server:main"
+
+[project.optional-dependencies]
+dev = ["pytest>=8.0", "pytest-asyncio>=0.23", "pytest-cov>=4.0"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/mcp_caddy"]

mcp_caddy-0.1.0/src/mcp_caddy/server.py

@@ -0,0 +1,191 @@
+"""mcp-caddy: Caddy web server management MCP server."""
+
+from __future__ import annotations
+
+import os
+
+import httpx
+from mcp.server.fastmcp import FastMCP
+
+mcp = FastMCP("caddy")
+
+_DEFAULT_HOST = "http://localhost:2019"
+_DEFAULT_TIMEOUT = 30.0
+
+
+async def _request(method: str, path: str, **kwargs) -> httpx.Response:
+    """Make an HTTP request to Caddy admin API.
+
+    Args:
+        method: HTTP method (GET, POST, PUT, DELETE, etc.)
+        path: API path (e.g., "/config/")
+        **kwargs: Additional arguments to pass to httpx.AsyncClient.request()
+
+    Returns:
+        httpx.Response object
+
+    Environment variables:
+        CADDY_HOST: Caddy admin API host (default: http://localhost:2019)
+        CADDY_TIMEOUT: Request timeout in seconds (default: 30.0)
+    """
+    host = os.environ.get("CADDY_HOST", _DEFAULT_HOST)
+    timeout = float(os.environ.get("CADDY_TIMEOUT", str(_DEFAULT_TIMEOUT)))
+    async with httpx.AsyncClient(timeout=timeout) as client:
+        return await client.request(method, f"{host}{path}", **kwargs)
+
+
+@mcp.tool()
+async def server_info() -> dict:
+    """Get Caddy server version and list of loaded modules."""
+    try:
+        resp = await _request("GET", "/")
+        resp.raise_for_status()
+        return {"result": resp.json()}
+    except Exception as e:
+        return {"error": str(e), "tool": "server_info", "detail": type(e).__name__}
+
+
+@mcp.tool()
+async def get_config() -> dict:
+    """Get the full Caddy configuration as JSON."""
+    try:
+        resp = await _request("GET", "/config/")
+        resp.raise_for_status()
+        return {"result": resp.json()}
+    except Exception as e:
+        return {"error": str(e), "tool": "get_config", "detail": type(e).__name__}
+
+
+def _extract_upstreams(handles: list) -> list[str]:
+    """Extract upstream dial addresses, recursing into subroute handlers."""
+    upstreams = []
+    for handle in handles:
+        if handle.get("handler") == "reverse_proxy":
+            for up in handle.get("upstreams", []):
+                if "dial" in up:
+                    upstreams.append(up["dial"])
+        elif handle.get("handler") == "subroute":
+            for sub_route in handle.get("routes", []):
+                upstreams.extend(_extract_upstreams(sub_route.get("handle", [])))
+    return upstreams
+
+
+@mcp.tool()
+async def list_routes() -> dict:
+    """List all configured routes (virtual hosts) parsed from Caddy's HTTP app config."""
+    try:
+        resp = await _request("GET", "/config/")
+        resp.raise_for_status()
+        config = resp.json()
+
+        servers = config.get("apps", {}).get("http", {}).get("servers", {})
+        routes_out = []
+
+        for server_name, server in servers.items():
+            for route in server.get("routes", []):
+                hosts = []
+                for match in route.get("match", []):
+                    hosts.extend(match.get("host", []))
+
+                handles = route.get("handle", [])
+                handler_type = handles[0].get("handler") if handles else None
+                upstreams = _extract_upstreams(handles)
+
+                routes_out.append({
+                    "server": server_name,
+                    "hosts": hosts,
+                    "handler": handler_type,
+                    "upstreams": upstreams,
+                })
+
+        return {"result": routes_out}
+    except Exception as e:
+        return {"error": str(e), "tool": "list_routes", "detail": type(e).__name__}
+
+
+@mcp.tool()
+async def list_upstreams() -> dict:
+    """List all reverse proxy upstreams with their health status and request counts."""
+    try:
+        resp = await _request("GET", "/reverse_proxy/upstreams")
+        resp.raise_for_status()
+        return {"result": resp.json()}
+    except Exception as e:
+        return {"error": str(e), "tool": "list_upstreams", "detail": type(e).__name__}
+
+
+@mcp.tool()
+async def get_certificates() -> dict:
+    """List TLS certificate automation policies: subjects, ACME issuers, and CAs."""
+    try:
+        resp = await _request("GET", "/config/")
+        resp.raise_for_status()
+        config = resp.json()
+
+        policies = (
+            config.get("apps", {})
+            .get("tls", {})
+            .get("automation", {})
+            .get("policies", [])
+        )
+
+        certs = []
+        for policy in policies:
+            issuers = []
+            for issuer in policy.get("issuers", []):
+                issuer_info: dict = {"module": issuer.get("module")}
+                if "ca" in issuer:
+                    issuer_info["ca"] = issuer["ca"]
+                if "email" in issuer:
+                    issuer_info["email"] = issuer["email"]
+                issuers.append(issuer_info)
+
+            certs.append({
+                "subjects": policy.get("subjects", []),
+                "issuers": issuers,
+            })
+
+        return {"result": certs}
+    except Exception as e:
+        return {"error": str(e), "tool": "get_certificates", "detail": type(e).__name__}
+
+
+@mcp.tool()
+async def adapt_config(caddyfile: str) -> dict:
+    """Convert a Caddyfile snippet to JSON config using Caddy's built-in adapter."""
+    try:
+        resp = await _request(
+            "POST",
+            "/adapt",
+            json={"adapter": "caddyfile", "body": caddyfile},
+        )
+        resp.raise_for_status()
+        return {"result": resp.json()}
+    except Exception as e:
+        return {"error": str(e), "tool": "adapt_config", "detail": type(e).__name__}
+
+
+@mcp.tool()
+async def reload(source: str) -> dict:
+    """Reload Caddy config. source: raw JSON string (starts with '{') or path to a JSON config file."""
+    try:
+        import json as _json
+        if source.lstrip().startswith("{"):
+            config_data = _json.loads(source)
+        else:
+            with open(source) as f:
+                config_data = _json.load(f)
+
+        resp = await _request("POST", "/load", json=config_data)
+        resp.raise_for_status()
+        return {"result": {"reloaded": True}}
+    except Exception as e:
+        return {"error": str(e), "tool": "reload", "detail": type(e).__name__}
+
+
+def main() -> None:
+    mcp.run()
+
+
+if __name__ == "__main__":
+    main()

mcp_caddy-0.1.0/tests/test_tools.py

@@ -0,0 +1,482 @@
+"""Tests for mcp-caddy tools. All HTTP calls are mocked."""
+
+from __future__ import annotations
+
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import httpx
+import pytest
+
+
+# ---------------------------------------------------------------------------
+# HTTP client layer tests
+# ---------------------------------------------------------------------------
+
+async def test_request_uses_caddy_host_env(monkeypatch):
+    """_request() builds URL from CADDY_HOST env var."""
+    monkeypatch.setenv("CADDY_HOST", "http://10.0.0.31:2019")
+
+    mock_resp = MagicMock()
+    mock_resp.status_code = 200
+
+    mock_client = AsyncMock()
+    mock_client.__aenter__ = AsyncMock(return_value=mock_client)
+    mock_client.__aexit__ = AsyncMock(return_value=None)
+    mock_client.request = AsyncMock(return_value=mock_resp)
+
+    with patch("mcp_caddy.server.httpx.AsyncClient", return_value=mock_client):
+        import mcp_caddy.server as srv
+        resp = await srv._request("GET", "/config/")
+
+    assert resp.status_code == 200
+    mock_client.request.assert_called_once_with(
+        "GET",
+        "http://10.0.0.31:2019/config/",
+    )
+
+
+async def test_request_uses_default_host(monkeypatch):
+    """_request() falls back to http://localhost:2019 when CADDY_HOST is not set."""
+    monkeypatch.delenv("CADDY_HOST", raising=False)
+
+    mock_resp = MagicMock()
+    mock_resp.status_code = 200
+
+    mock_client = AsyncMock()
+    mock_client.__aenter__ = AsyncMock(return_value=mock_client)
+    mock_client.__aexit__ = AsyncMock(return_value=None)
+    mock_client.request = AsyncMock(return_value=mock_resp)
+
+    with patch("mcp_caddy.server.httpx.AsyncClient", return_value=mock_client):
+        import mcp_caddy.server as srv
+        resp = await srv._request("GET", "/")
+
+    mock_client.request.assert_called_once_with("GET", "http://localhost:2019/")
+
+
+# ---------------------------------------------------------------------------
+# Tool tests — helpers
+# ---------------------------------------------------------------------------
+
+def make_response(status: int, data) -> httpx.Response:
+    """Build a real httpx.Response with JSON body (no live HTTP needed)."""
+    import json
+    mock_req = MagicMock()
+    resp = httpx.Response(
+        status,
+        content=json.dumps(data).encode(),
+        headers={"content-type": "application/json"},
+    )
+    resp._request = mock_req
+    return resp
+
+
+# ---------------------------------------------------------------------------
+# server_info
+# ---------------------------------------------------------------------------
+
+async def test_server_info_success(monkeypatch):
+    payload = {"version": "v2.7.6", "modules": ["admin", "http", "tls"]}
+
+    async def fake_request(method, path, **kw):
+        assert method == "GET"
+        assert path == "/"
+        return make_response(200, payload)
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.server_info()
+
+    assert result["result"]["version"] == "v2.7.6"
+    assert "modules" in result["result"]
+
+
+async def test_server_info_error(monkeypatch):
+    async def fake_request(method, path, **kw):
+        raise httpx.ConnectError("Connection refused")
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.server_info()
+
+    assert "error" in result
+    assert result["tool"] == "server_info"
+
+
+# ---------------------------------------------------------------------------
+# get_config
+# ---------------------------------------------------------------------------
+
+async def test_get_config_success(monkeypatch):
+    payload = {
+        "admin": {"listen": "localhost:2019"},
+        "apps": {"http": {"servers": {}}, "tls": {}},
+    }
+
+    async def fake_request(method, path, **kw):
+        assert method == "GET"
+        assert path == "/config/"
+        return make_response(200, payload)
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.get_config()
+
+    assert "admin" in result["result"]
+    assert "apps" in result["result"]
+
+
+async def test_get_config_error(monkeypatch):
+    async def fake_request(method, path, **kw):
+        raise httpx.ConnectError("Connection refused")
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.get_config()
+
+    assert "error" in result
+    assert result["tool"] == "get_config"
+
+
+# ---------------------------------------------------------------------------
+# list_routes
+# ---------------------------------------------------------------------------
+
+_ROUTES_CONFIG = {
+    "apps": {
+        "http": {
+            "servers": {
+                "srv0": {
+                    "listen": [":443"],
+                    "routes": [
+                        {
+                            "match": [{"host": ["example.com"]}],
+                            "handle": [
+                                {
+                                    "handler": "reverse_proxy",
+                                    "upstreams": [{"dial": "10.0.0.5:8080"}],
+                                }
+                            ],
+                        },
+                        {
+                            "match": [{"host": ["api.example.com"]}],
+                            "handle": [
+                                {
+                                    "handler": "subroute",
+                                    "routes": [
+                                        {
+                                            "handle": [
+                                                {
+                                                    "handler": "reverse_proxy",
+                                                    "upstreams": [{"dial": "10.0.0.6:9000"}],
+                                                }
+                                            ]
+                                        }
+                                    ],
+                                }
+                            ],
+                        },
+                    ],
+                }
+            }
+        }
+    }
+}
+
+
+async def test_list_routes_success(monkeypatch):
+    async def fake_request(method, path, **kw):
+        return make_response(200, _ROUTES_CONFIG)
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.list_routes()
+
+    routes = result["result"]
+    assert isinstance(routes, list)
+    assert len(routes) == 2
+
+    first = routes[0]
+    assert first["hosts"] == ["example.com"]
+    assert first["upstreams"] == ["10.0.0.5:8080"]
+    assert first["handler"] == "reverse_proxy"
+    assert first["server"] == "srv0"
+
+
+async def test_list_routes_subroute_upstreams(monkeypatch):
+    """Upstreams inside subroute handlers are extracted."""
+    async def fake_request(method, path, **kw):
+        return make_response(200, _ROUTES_CONFIG)
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.list_routes()
+
+    second = result["result"][1]
+    assert second["hosts"] == ["api.example.com"]
+    assert second["upstreams"] == ["10.0.0.6:9000"]
+    assert second["handler"] == "subroute"
+
+
+async def test_list_routes_no_http_app(monkeypatch):
+    """Returns empty list when config has no http app."""
+    async def fake_request(method, path, **kw):
+        return make_response(200, {"apps": {}})
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.list_routes()
+
+    assert result["result"] == []
+
+
+async def test_list_routes_error(monkeypatch):
+    async def fake_request(method, path, **kw):
+        raise httpx.ConnectError("Connection refused")
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.list_routes()
+
+    assert "error" in result
+    assert result["tool"] == "list_routes"
+
+
+# ---------------------------------------------------------------------------
+# list_upstreams
+# ---------------------------------------------------------------------------
+
+async def test_list_upstreams_success(monkeypatch):
+    payload = [
+        {"address": "10.0.0.5:8080", "num_requests": 3, "fails": 0},
+        {"address": "10.0.0.6:9000", "num_requests": 0, "fails": 1},
+    ]
+
+    async def fake_request(method, path, **kw):
+        assert method == "GET"
+        assert path == "/reverse_proxy/upstreams"
+        return make_response(200, payload)
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.list_upstreams()
+
+    upstreams = result["result"]
+    assert isinstance(upstreams, list)
+    assert len(upstreams) == 2
+    assert upstreams[0]["address"] == "10.0.0.5:8080"
+    assert upstreams[1]["fails"] == 1
+
+
+async def test_list_upstreams_empty(monkeypatch):
+    async def fake_request(method, path, **kw):
+        return make_response(200, [])
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.list_upstreams()
+
+    assert result["result"] == []
+
+
+async def test_list_upstreams_error(monkeypatch):
+    async def fake_request(method, path, **kw):
+        raise httpx.ConnectError("Connection refused")
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.list_upstreams()
+
+    assert "error" in result
+    assert result["tool"] == "list_upstreams"
+
+
+# ---------------------------------------------------------------------------
+# get_certificates
+# ---------------------------------------------------------------------------
+
+_TLS_CONFIG = {
+    "apps": {
+        "tls": {
+            "automation": {
+                "policies": [
+                    {
+                        "subjects": ["example.com", "www.example.com"],
+                        "issuers": [
+                            {
+                                "module": "acme",
+                                "ca": "https://acme-v02.api.letsencrypt.org/directory",
+                                "email": "admin@example.com",
+                            }
+                        ],
+                    },
+                    {
+                        "subjects": ["internal.example.com"],
+                        "issuers": [{"module": "acme", "ca": "https://acme.zerossl.com/v2/DV90"}],
+                    },
+                ]
+            }
+        }
+    }
+}
+
+
+async def test_get_certificates_success(monkeypatch):
+    async def fake_request(method, path, **kw):
+        return make_response(200, _TLS_CONFIG)
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.get_certificates()
+
+    certs = result["result"]
+    assert isinstance(certs, list)
+    assert len(certs) == 2
+    assert certs[0]["subjects"] == ["example.com", "www.example.com"]
+    assert certs[0]["issuers"][0]["module"] == "acme"
+    assert certs[0]["issuers"][0]["ca"] == "https://acme-v02.api.letsencrypt.org/directory"
+    assert certs[0]["issuers"][0]["email"] == "admin@example.com"
+
+
+async def test_get_certificates_no_tls_app(monkeypatch):
+    """Returns empty list when config has no tls app."""
+    async def fake_request(method, path, **kw):
+        return make_response(200, {"apps": {"http": {}}})
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.get_certificates()
+
+    assert result["result"] == []
+
+
+async def test_get_certificates_no_policies(monkeypatch):
+    """Returns empty list when tls app has no automation policies."""
+    async def fake_request(method, path, **kw):
+        return make_response(200, {"apps": {"tls": {"automation": {}}}})
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.get_certificates()
+
+    assert result["result"] == []
+
+
+async def test_get_certificates_error(monkeypatch):
+    async def fake_request(method, path, **kw):
+        raise httpx.ConnectError("Connection refused")
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.get_certificates()
+
+    assert "error" in result
+    assert result["tool"] == "get_certificates"
+
+
+# ---------------------------------------------------------------------------
+# adapt_config
+# ---------------------------------------------------------------------------
+
+async def test_adapt_config_success(monkeypatch):
+    caddyfile = "example.com { reverse_proxy localhost:8080 }"
+    adapted = {"apps": {"http": {"servers": {"srv0": {"routes": []}}}}}
+
+    async def fake_request(method, path, **kw):
+        assert method == "POST"
+        assert path == "/adapt"
+        assert kw.get("json") == {"adapter": "caddyfile", "body": caddyfile}
+        return make_response(200, adapted)
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.adapt_config(caddyfile=caddyfile)
+
+    assert "apps" in result["result"]
+
+
+async def test_adapt_config_syntax_error(monkeypatch):
+    async def fake_request(method, path, **kw):
+        return make_response(400, {"error": "Caddyfile syntax error"})
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.adapt_config(caddyfile="invalid {{{")
+
+    assert "error" in result
+    assert result["tool"] == "adapt_config"
+
+
+async def test_adapt_config_network_error(monkeypatch):
+    async def fake_request(method, path, **kw):
+        raise httpx.ConnectError("Connection refused")
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.adapt_config(caddyfile="example.com {}")
+
+    assert "error" in result
+    assert result["tool"] == "adapt_config"
+
+
+# ---------------------------------------------------------------------------
+# reload
+# ---------------------------------------------------------------------------
+
+async def test_reload_json_string(monkeypatch):
+    """reload() with a JSON string POSTs directly without file I/O."""
+    config = {"apps": {}}
+    config_str = '{"apps": {}}'
+
+    async def fake_request(method, path, **kw):
+        assert method == "POST"
+        assert path == "/load"
+        assert kw.get("json") == config
+        return make_response(200, {})
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.reload(source=config_str)
+
+    assert result["result"]["reloaded"] is True
+
+
+async def test_reload_file_path(monkeypatch, tmp_path):
+    """reload() with a file path reads the file and POSTs its contents."""
+    import json
+    config = {"apps": {"http": {}}}
+    config_file = tmp_path / "caddy.json"
+    config_file.write_text(json.dumps(config))
+
+    async def fake_request(method, path, **kw):
+        assert method == "POST"
+        assert path == "/load"
+        assert kw.get("json") == config
+        return make_response(200, {})
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.reload(source=str(config_file))
+
+    assert result["result"]["reloaded"] is True
+
+
+async def test_reload_invalid_json(monkeypatch):
+    """reload() returns error dict when source is not valid JSON and not a valid file."""
+    import mcp_caddy.server as srv
+    result = await srv.reload(source="not json at all")
+
+    assert "error" in result
+    assert result["tool"] == "reload"
+
+
+async def test_reload_network_error(monkeypatch):
+    async def fake_request(method, path, **kw):
+        raise httpx.ConnectError("Connection refused")
+
+    import mcp_caddy.server as srv
+    monkeypatch.setattr(srv, "_request", fake_request)
+    result = await srv.reload(source='{"apps": {}}')
+
+    assert "error" in result
+    assert result["tool"] == "reload"