node804-mcp-toolkit 0.1.0__tar.gz

node804_mcp_toolkit-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,28 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13", "3.14"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+      - name: Lint
+        run: ruff check .
+      - name: Type check
+        run: mypy src
+      - name: Test
+        run: pytest -v

node804_mcp_toolkit-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,35 @@
+name: Publish to PyPI
+
+on:
+  push:
+    tags: ["v*"]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Build sdist and wheel
+        run: |
+          python -m pip install --upgrade pip build
+          python -m build
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write  # required for PyPI Trusted Publishing (OIDC)
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+      - uses: pypa/gh-action-pypi-publish@release/v1

node804_mcp_toolkit-0.1.0/.gitignore

@@ -0,0 +1,12 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.venv/
+dist/
+build/
+*.log
+.coverage
+htmlcov/

node804_mcp_toolkit-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Michael Pope
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

node804_mcp_toolkit-0.1.0/PKG-INFO

@@ -0,0 +1,129 @@
+Metadata-Version: 2.4
+Name: node804-mcp-toolkit
+Version: 0.1.0
+Summary: Shared utilities for token-efficient MCP servers — RBAC, audit logging, lean response shaping, TLS config
+Project-URL: Homepage, https://github.com/Node804/node804-mcp-toolkit
+Project-URL: Repository, https://github.com/Node804/node804-mcp-toolkit
+Project-URL: Issues, https://github.com/Node804/node804-mcp-toolkit/issues
+Author-email: Michael Pope <me@michaelpope.cv>
+License-Expression: MIT
+License-File: LICENSE
+Keywords: audit,mcp,model-context-protocol,rbac,tls
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Typing :: Typed
+Requires-Python: >=3.11
+Requires-Dist: pydantic>=2.10.6
+Provides-Extra: dev
+Requires-Dist: mypy>=1.10; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.6; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# node804-mcp-toolkit
+
+[![CI](https://github.com/Node804/node804-mcp-toolkit/actions/workflows/ci.yml/badge.svg)](https://github.com/Node804/node804-mcp-toolkit/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/node804-mcp-toolkit)](https://pypi.org/project/node804-mcp-toolkit/)
+[![Python](https://img.shields.io/pypi/pyversions/node804-mcp-toolkit)](https://pypi.org/project/node804-mcp-toolkit/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
+Shared utilities for building token-efficient, security-conscious [MCP](https://modelcontextprotocol.io) servers for IT operations. Provides the cross-cutting concerns every ops MCP needs — permission gating, audit logging, response shaping, TLS config — so each server in a suite implements them the same way.
+
+## Installation
+
+```bash
+pip install node804-mcp-toolkit
+```
+
+## What's in here
+
+| Module | Purpose |
+|---|---|
+| `rbac` | Hierarchical permission modes (`read` / `standard` / `full` / `admin`); a gate decorator that only registers tools with the MCP server when the active mode qualifies — ungated tools are invisible to the AI client, not just blocked |
+| `audit` | JSON-lines audit logging of every tool call with timing, success/error state, sensitive-key redaction, and long-value truncation |
+| `lean` | Pure response-shaping helpers: field whitelisting, internal-key stripping, pagination, server-side pattern filtering |
+| `tls` | Verify-by-default TLS config from env vars, with custom CA bundle support for internal PKI |
+| `params` | Shared Pydantic parameter types (`VerboseFlag`, `FieldsList`, `Pagination`, `Pattern`) so every tool uses the same names, defaults, and descriptions |
+
+## Quick start
+
+Gate tools by permission mode, with audit logging composed in:
+
+```python
+from mcp.server.fastmcp import FastMCP
+from node804_mcp_toolkit import Mode, ModeGate, open_sink
+
+mcp = FastMCP("panos-mcp")
+
+# Audit sink: writes JSONL when PANOS_AUDIT_LOG is set, no-op otherwise.
+sink = open_sink(env_var="PANOS_AUDIT_LOG")
+
+# Mode comes from env. Missing or invalid values fail safe to read-only.
+gate = ModeGate.from_env(env_var="PANOS_MODE", audit_sink=sink)
+
+@gate.tool(mcp, required=Mode.READ)
+async def get_security_rules(...): ...
+
+@gate.tool(mcp, required=Mode.ADMIN)
+async def commit(...): ...  # not registered at all unless PANOS_MODE=admin
+```
+
+Shape responses for token efficiency:
+
+```python
+from node804_mcp_toolkit import filter_by_pattern, paginate, strip_keys, whitelist
+
+rules = strip_keys(raw_rules, ["@uuid", "@loc"])          # drop SDK internals
+rules = filter_by_pattern(rules, pattern, name_field="name")
+rules = paginate(rules, limit=100, offset=0)
+rules = whitelist(rules, ["name", "action", "source", "destination"])
+```
+
+Resolve TLS settings from environment (verify-by-default):
+
+```python
+from node804_mcp_toolkit import resolve_tls_config
+import httpx, os
+
+tls = resolve_tls_config(dict(os.environ), prefix="PRTG")
+# PRTG_TLS_VERIFY=false  → verify off, with a loud stderr warning
+# PRTG_TLS_CA=/path.pem  → custom CA bundle for internal PKI
+client = httpx.Client(verify=str(tls.ca_path) if tls.ca_bundle else tls.verify)
+```
+
+## Design philosophy
+
+- **One toolkit, one set of patterns.** A user who learns the parameter conventions in any one MCP — `verbose`, `fields`, `limit`, `offset`, `pattern` — gets the same conventions in all of them.
+- **Default deny.** Unset or misconfigured mode env vars fall back to read-only. Tools above the active mode are never registered, so the AI client can't even see them.
+- **Token-lean by default.** Responses expose the fields the AI actually reasons over; `verbose=true` opts into the full payload.
+- **Best-effort observability.** Audit logging never breaks a tool call — sink failures warn once to stderr and move on.
+
+## Used by
+
+- [`node804-panos-mcp`](https://github.com/Node804) — Palo Alto firewall management
+- [`node804-freshservice-mcp`](https://github.com/Node804) — Freshservice ticketing
+- Planned: PRTG and Veeam MCPs
+
+## Development
+
+```bash
+pip install -e ".[dev]"
+pytest
+ruff check .
+mypy src
+```
+
+Requires Python 3.11+. Fully typed (`py.typed` included), `mypy --strict` clean.
+
+## License
+
+[MIT](LICENSE)

node804_mcp_toolkit-0.1.0/README.md

@@ -0,0 +1,98 @@
+# node804-mcp-toolkit
+
+[![CI](https://github.com/Node804/node804-mcp-toolkit/actions/workflows/ci.yml/badge.svg)](https://github.com/Node804/node804-mcp-toolkit/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/node804-mcp-toolkit)](https://pypi.org/project/node804-mcp-toolkit/)
+[![Python](https://img.shields.io/pypi/pyversions/node804-mcp-toolkit)](https://pypi.org/project/node804-mcp-toolkit/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
+Shared utilities for building token-efficient, security-conscious [MCP](https://modelcontextprotocol.io) servers for IT operations. Provides the cross-cutting concerns every ops MCP needs — permission gating, audit logging, response shaping, TLS config — so each server in a suite implements them the same way.
+
+## Installation
+
+```bash
+pip install node804-mcp-toolkit
+```
+
+## What's in here
+
+| Module | Purpose |
+|---|---|
+| `rbac` | Hierarchical permission modes (`read` / `standard` / `full` / `admin`); a gate decorator that only registers tools with the MCP server when the active mode qualifies — ungated tools are invisible to the AI client, not just blocked |
+| `audit` | JSON-lines audit logging of every tool call with timing, success/error state, sensitive-key redaction, and long-value truncation |
+| `lean` | Pure response-shaping helpers: field whitelisting, internal-key stripping, pagination, server-side pattern filtering |
+| `tls` | Verify-by-default TLS config from env vars, with custom CA bundle support for internal PKI |
+| `params` | Shared Pydantic parameter types (`VerboseFlag`, `FieldsList`, `Pagination`, `Pattern`) so every tool uses the same names, defaults, and descriptions |
+
+## Quick start
+
+Gate tools by permission mode, with audit logging composed in:
+
+```python
+from mcp.server.fastmcp import FastMCP
+from node804_mcp_toolkit import Mode, ModeGate, open_sink
+
+mcp = FastMCP("panos-mcp")
+
+# Audit sink: writes JSONL when PANOS_AUDIT_LOG is set, no-op otherwise.
+sink = open_sink(env_var="PANOS_AUDIT_LOG")
+
+# Mode comes from env. Missing or invalid values fail safe to read-only.
+gate = ModeGate.from_env(env_var="PANOS_MODE", audit_sink=sink)
+
+@gate.tool(mcp, required=Mode.READ)
+async def get_security_rules(...): ...
+
+@gate.tool(mcp, required=Mode.ADMIN)
+async def commit(...): ...  # not registered at all unless PANOS_MODE=admin
+```
+
+Shape responses for token efficiency:
+
+```python
+from node804_mcp_toolkit import filter_by_pattern, paginate, strip_keys, whitelist
+
+rules = strip_keys(raw_rules, ["@uuid", "@loc"])          # drop SDK internals
+rules = filter_by_pattern(rules, pattern, name_field="name")
+rules = paginate(rules, limit=100, offset=0)
+rules = whitelist(rules, ["name", "action", "source", "destination"])
+```
+
+Resolve TLS settings from environment (verify-by-default):
+
+```python
+from node804_mcp_toolkit import resolve_tls_config
+import httpx, os
+
+tls = resolve_tls_config(dict(os.environ), prefix="PRTG")
+# PRTG_TLS_VERIFY=false  → verify off, with a loud stderr warning
+# PRTG_TLS_CA=/path.pem  → custom CA bundle for internal PKI
+client = httpx.Client(verify=str(tls.ca_path) if tls.ca_bundle else tls.verify)
+```
+
+## Design philosophy
+
+- **One toolkit, one set of patterns.** A user who learns the parameter conventions in any one MCP — `verbose`, `fields`, `limit`, `offset`, `pattern` — gets the same conventions in all of them.
+- **Default deny.** Unset or misconfigured mode env vars fall back to read-only. Tools above the active mode are never registered, so the AI client can't even see them.
+- **Token-lean by default.** Responses expose the fields the AI actually reasons over; `verbose=true` opts into the full payload.
+- **Best-effort observability.** Audit logging never breaks a tool call — sink failures warn once to stderr and move on.
+
+## Used by
+
+- [`node804-panos-mcp`](https://github.com/Node804) — Palo Alto firewall management
+- [`node804-freshservice-mcp`](https://github.com/Node804) — Freshservice ticketing
+- Planned: PRTG and Veeam MCPs
+
+## Development
+
+```bash
+pip install -e ".[dev]"
+pytest
+ruff check .
+mypy src
+```
+
+Requires Python 3.11+. Fully typed (`py.typed` included), `mypy --strict` clean.
+
+## License
+
+[MIT](LICENSE)

node804_mcp_toolkit-0.1.0/pyproject.toml

@@ -0,0 +1,77 @@
+[project]
+name = "node804-mcp-toolkit"
+dynamic = ["version"]
+description = "Shared utilities for token-efficient MCP servers — RBAC, audit logging, lean response shaping, TLS config"
+readme = "README.md"
+requires-python = ">=3.11"
+license = "MIT"
+license-files = ["LICENSE"]
+keywords = ["mcp", "model-context-protocol", "rbac", "audit", "tls"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: System Administrators",
+    "Intended Audience :: Developers",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+    "Typing :: Typed",
+]
+dependencies = [
+    "pydantic>=2.10.6",
+]
+
+[[project.authors]]
+name = "Michael Pope"
+email = "me@michaelpope.cv"
+
+[project.urls]
+Homepage = "https://github.com/Node804/node804-mcp-toolkit"
+Repository = "https://github.com/Node804/node804-mcp-toolkit"
+Issues = "https://github.com/Node804/node804-mcp-toolkit/issues"
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8.0",
+    "pytest-asyncio>=0.23",
+    "pytest-cov>=5.0",
+    "ruff>=0.6",
+    "mypy>=1.10",
+]
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+# Single source of truth for the version: __version__ in __init__.py.
+[tool.hatch.version]
+path = "src/node804_mcp_toolkit/__init__.py"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/node804_mcp_toolkit"]
+
+# Include py.typed marker so type checkers (mypy, pyright) consume the
+# inline annotations. Without this, downstream MCPs see "missing library
+# stubs" errors when they import from node804_mcp_toolkit.
+[tool.hatch.build.targets.wheel.force-include]
+"src/node804_mcp_toolkit/py.typed" = "node804_mcp_toolkit/py.typed"
+
+[tool.ruff]
+line-length = 100
+target-version = "py311"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "B", "UP", "SIM", "RUF"]
+ignore = ["E501"]  # long lines handled by formatter
+
+[tool.mypy]
+python_version = "3.11"
+strict = true
+warn_unused_ignores = true
+disallow_untyped_defs = true
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"

node804_mcp_toolkit-0.1.0/src/node804_mcp_toolkit/__init__.py

@@ -0,0 +1,45 @@
+"""Shared utilities for token-efficient MCP servers.
+
+Public API re-exported here for convenience::
+
+    from node804_mcp_toolkit import Mode, ModeGate, audit, open_sink, whitelist, ...
+"""
+
+from .audit import (
+    AuditCategory,
+    AuditEvent,
+    AuditSink,
+    JsonlSink,
+    audit,
+    open_sink,
+    sanitize_args,
+)
+from .lean import filter_by_pattern, paginate, strip_keys, whitelist
+from .params import FieldsList, Pagination, Pattern, VerboseFlag
+from .rbac import Mode, ModeGate
+from .tls import TlsConfig, describe_tls, resolve_tls_config
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "AuditCategory",
+    "AuditEvent",
+    "AuditSink",
+    "FieldsList",
+    "JsonlSink",
+    "Mode",
+    "ModeGate",
+    "Pagination",
+    "Pattern",
+    "TlsConfig",
+    "VerboseFlag",
+    "audit",
+    "describe_tls",
+    "filter_by_pattern",
+    "open_sink",
+    "paginate",
+    "resolve_tls_config",
+    "sanitize_args",
+    "strip_keys",
+    "whitelist",
+]