osidb-mcp 0.1.0__tar.gz

osidb_mcp-0.1.0/.gitignore

@@ -0,0 +1,8 @@
+.venv/
+__pycache__/
+*.py[cod]
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+dist/
+*.egg-info/

osidb_mcp-0.1.0/CHANGELOG.md

@@ -0,0 +1,5 @@
+# Changelog
+
+## 0.1.0
+
+- Initial release: stdio MCP server, `readonly` / `readwrite` access mode (read tools only; mutations reserved for a later release), OSIDB session via `osidb-bindings` (Kerberos or basic auth).

osidb_mcp-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 osidb-mcp contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

osidb_mcp-0.1.0/PKG-INFO

@@ -0,0 +1,109 @@
+Metadata-Version: 2.4
+Name: osidb-mcp
+Version: 0.1.0
+Summary: Model Context Protocol (MCP) server for OSIDB using osidb-bindings
+Project-URL: Homepage, https://github.com/RedHatProductSecurity/osidb
+Project-URL: Repository, https://github.com/RedHatProductSecurity/osidb-bindings
+Author: osidb-mcp contributors
+License-Expression: MIT
+License-File: LICENSE
+Keywords: cve,kerberos,mcp,osidb,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Requires-Dist: mcp<2,>=1.0
+Requires-Dist: osidb-bindings<6,>=5.10.0
+Provides-Extra: dev
+Requires-Dist: pip-audit>=2.7; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# osidb-mcp
+
+Python [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) server for [OSIDB](https://github.com/RedHatProductSecurity/osidb), built on [`osidb-bindings`](https://github.com/RedHatProductSecurity/osidb-bindings) from PyPI. Use it from Cursor, Claude Desktop, or any MCP client over **stdio**.
+
+## Install
+
+```bash
+pipx install osidb-mcp
+# or
+pip install osidb-mcp
+```
+
+## Configuration (environment)
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `OSIDB_BASE_URL` | yes | OSIDB root URL, e.g. `https://osidb.example.com` |
+| `OSIDB_AUTH` | no | `kerberos` (default) or `basic` |
+| `OSIDB_USERNAME` / `OSIDB_PASSWORD` | for `basic` | Basic auth for token obtain |
+| `OSIDB_VERIFY_SSL` | no | `true` (default) or `false` (prefer `REQUESTS_CA_BUNDLE` for custom CAs) |
+| `OSIDB_USER_AGENT` | no | Optional extra User-Agent suffix |
+| `OSIDB_MCP_ACCESS_MODE` | no | `readonly` (default) or `readwrite` (mutations reserved for a future release) |
+
+Kerberos: the process must have a valid ticket (`kinit`) for the OSIDB HTTP service.
+
+Optional keys forwarded by bindings: `BUGZILLA_API_KEY`, `JIRA_ACCESS_TOKEN`, `JIRA_API_EMAIL`.
+
+## Cursor / Claude MCP snippet
+
+```json
+{
+  "mcpServers": {
+    "osidb": {
+      "command": "osidb-mcp",
+      "env": {
+        "OSIDB_BASE_URL": "https://your-internal-osidb",
+        "OSIDB_AUTH": "kerberos",
+        "OSIDB_VERIFY_SSL": "true",
+        "OSIDB_MCP_ACCESS_MODE": "readonly"
+      }
+    }
+  }
+}
+```
+
+## Tools (read-only)
+
+- `osidb_status` — health / version style status
+- `osidb_whoami` — `/osidb/whoami`
+- `flaw_get` — single flaw with optional `include_fields` / `exclude_fields`
+- `flaws_list` / `flaws_count` — filter by `components_in`, `affects_ps_module_in`, `workflow_state_in`, `impact` / `impact_in`, `owner_isempty`, embargo flags, ISO8601 `changed_after` / `changed_before`, plus allowlisted `extra_query` keys from the OSIDB OpenAPI
+- `flaws_search` — full-text `search`
+- `affects_list` — affect-centric rows with `ps_module` / `ps_component` / `ps_update_stream` and `flaw__*` filters
+- `trackers_list` — tracker filings with CVE / module / component filters
+- `flaw_comments_list`, `flaw_references_list`, `flaw_cvss_scores_list`
+
+`limit` is capped at **100** per request.
+
+## Analyst examples
+
+- **Critical open flaws touching `httpd`:** `flaws_list` with `impact="CRITICAL"`, `workflow_state_in` set to the non-terminal states your instance uses, and `components_in=["httpd"]` or `affects_ps_component="httpd"` depending on how data is modeled.
+- **Unowned important CVEs for a RHEL major:** `flaws_list` with `owner_isempty=true`, `impact_in=["IMPORTANT"]`, and `affects_ps_module_in` / `affects_ps_update_stream_in` set to the **exact** PS strings your OSIDB uses for that major (confirm in your internal docs).
+
+## Security
+
+- Outputs may include **embargoed** content; treat transcripts and logs according to your data classification policy.
+- Prefer `readonly` (default). `readwrite` does not enable mutations yet but is reserved for explicit future write tools.
+- Never commit `OSIDB_PASSWORD`; use IDE env or secret stores.
+
+## Development
+
+```bash
+uv venv .venv && source .venv/bin/activate
+uv pip install -e ".[dev]"
+python -m osidb_mcp
+pytest
+pip-audit
+```
+
+## License
+
+MIT — see [LICENSE](LICENSE).

osidb_mcp-0.1.0/README.md

@@ -0,0 +1,82 @@
+# osidb-mcp
+
+Python [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) server for [OSIDB](https://github.com/RedHatProductSecurity/osidb), built on [`osidb-bindings`](https://github.com/RedHatProductSecurity/osidb-bindings) from PyPI. Use it from Cursor, Claude Desktop, or any MCP client over **stdio**.
+
+## Install
+
+```bash
+pipx install osidb-mcp
+# or
+pip install osidb-mcp
+```
+
+## Configuration (environment)
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `OSIDB_BASE_URL` | yes | OSIDB root URL, e.g. `https://osidb.example.com` |
+| `OSIDB_AUTH` | no | `kerberos` (default) or `basic` |
+| `OSIDB_USERNAME` / `OSIDB_PASSWORD` | for `basic` | Basic auth for token obtain |
+| `OSIDB_VERIFY_SSL` | no | `true` (default) or `false` (prefer `REQUESTS_CA_BUNDLE` for custom CAs) |
+| `OSIDB_USER_AGENT` | no | Optional extra User-Agent suffix |
+| `OSIDB_MCP_ACCESS_MODE` | no | `readonly` (default) or `readwrite` (mutations reserved for a future release) |
+
+Kerberos: the process must have a valid ticket (`kinit`) for the OSIDB HTTP service.
+
+Optional keys forwarded by bindings: `BUGZILLA_API_KEY`, `JIRA_ACCESS_TOKEN`, `JIRA_API_EMAIL`.
+
+## Cursor / Claude MCP snippet
+
+```json
+{
+  "mcpServers": {
+    "osidb": {
+      "command": "osidb-mcp",
+      "env": {
+        "OSIDB_BASE_URL": "https://your-internal-osidb",
+        "OSIDB_AUTH": "kerberos",
+        "OSIDB_VERIFY_SSL": "true",
+        "OSIDB_MCP_ACCESS_MODE": "readonly"
+      }
+    }
+  }
+}
+```
+
+## Tools (read-only)
+
+- `osidb_status` — health / version style status
+- `osidb_whoami` — `/osidb/whoami`
+- `flaw_get` — single flaw with optional `include_fields` / `exclude_fields`
+- `flaws_list` / `flaws_count` — filter by `components_in`, `affects_ps_module_in`, `workflow_state_in`, `impact` / `impact_in`, `owner_isempty`, embargo flags, ISO8601 `changed_after` / `changed_before`, plus allowlisted `extra_query` keys from the OSIDB OpenAPI
+- `flaws_search` — full-text `search`
+- `affects_list` — affect-centric rows with `ps_module` / `ps_component` / `ps_update_stream` and `flaw__*` filters
+- `trackers_list` — tracker filings with CVE / module / component filters
+- `flaw_comments_list`, `flaw_references_list`, `flaw_cvss_scores_list`
+
+`limit` is capped at **100** per request.
+
+## Analyst examples
+
+- **Critical open flaws touching `httpd`:** `flaws_list` with `impact="CRITICAL"`, `workflow_state_in` set to the non-terminal states your instance uses, and `components_in=["httpd"]` or `affects_ps_component="httpd"` depending on how data is modeled.
+- **Unowned important CVEs for a RHEL major:** `flaws_list` with `owner_isempty=true`, `impact_in=["IMPORTANT"]`, and `affects_ps_module_in` / `affects_ps_update_stream_in` set to the **exact** PS strings your OSIDB uses for that major (confirm in your internal docs).
+
+## Security
+
+- Outputs may include **embargoed** content; treat transcripts and logs according to your data classification policy.
+- Prefer `readonly` (default). `readwrite` does not enable mutations yet but is reserved for explicit future write tools.
+- Never commit `OSIDB_PASSWORD`; use IDE env or secret stores.
+
+## Development
+
+```bash
+uv venv .venv && source .venv/bin/activate
+uv pip install -e ".[dev]"
+python -m osidb_mcp
+pytest
+pip-audit
+```
+
+## License
+
+MIT — see [LICENSE](LICENSE).

osidb_mcp-0.1.0/pyproject.toml

@@ -0,0 +1,45 @@
+[build-system]
+requires = ["hatchling>=1.24"]
+build-backend = "hatchling.build"
+
+[project]
+name = "osidb-mcp"
+version = "0.1.0"
+description = "Model Context Protocol (MCP) server for OSIDB using osidb-bindings"
+readme = "README.md"
+license = "MIT"
+license-files = ["LICENSE"]
+requires-python = ">=3.10"
+authors = [{ name = "osidb-mcp contributors" }]
+keywords = ["mcp", "osidb", "security", "cve", "kerberos"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Information Technology",
+  "License :: OSI Approved :: MIT License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Topic :: Security",
+]
+dependencies = [
+  "mcp>=1.0,<2",
+  "osidb-bindings>=5.10.0,<6",
+]
+
+[project.optional-dependencies]
+dev = ["pytest>=8.0", "pip-audit>=2.7"]
+
+[project.scripts]
+osidb-mcp = "osidb_mcp.__main__:main"
+
+[project.urls]
+Homepage = "https://github.com/RedHatProductSecurity/osidb"
+Repository = "https://github.com/RedHatProductSecurity/osidb-bindings"
+
+[tool.hatch.build.targets.sdist]
+include = ["src/osidb_mcp", "README.md", "LICENSE", "CHANGELOG.md"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]

osidb_mcp-0.1.0/src/osidb_mcp/__init__.py

@@ -0,0 +1,3 @@
+"""MCP server bridging Model Context Protocol clients to OSIDB via osidb-bindings."""
+
+__version__ = "0.1.0"

osidb_mcp-0.1.0/src/osidb_mcp/__main__.py

@@ -0,0 +1,37 @@
+"""Console entrypoint: ``osidb-mcp`` and ``python -m osidb_mcp``."""
+
+from __future__ import annotations
+
+import logging
+import sys
+
+from osidb_mcp.config import AccessMode, load_settings
+from osidb_mcp.server import create_server
+from osidb_mcp.session_holder import init_session
+
+
+def main() -> None:
+    logging.basicConfig(
+        level=logging.INFO,
+        format="%(levelname)s %(name)s: %(message)s",
+        stream=sys.stderr,
+    )
+    log = logging.getLogger("osidb_mcp")
+
+    settings = load_settings()
+    init_session(settings)
+
+    if settings.access_mode == AccessMode.readwrite:
+        log.warning(
+            "OSIDB_MCP_ACCESS_MODE=readwrite — mutation MCP tools are not implemented yet; "
+            "only read tools are registered."
+        )
+    else:
+        log.info("osidb-mcp access mode: readonly")
+
+    mcp = create_server(settings)
+    mcp.run(transport="stdio")
+
+
+if __name__ == "__main__":
+    main()

osidb_mcp-0.1.0/src/osidb_mcp/config.py

@@ -0,0 +1,80 @@
+"""Load configuration from the environment (no secrets in source code)."""
+
+from __future__ import annotations
+
+import os
+from dataclasses import dataclass
+from enum import Enum
+from typing import Literal
+
+
+class AccessMode(str, Enum):
+    """Server capability gate: only ``readwrite`` may register mutation tools (future)."""
+
+    readonly = "readonly"
+    readwrite = "readwrite"
+
+
+def _env_bool(name: str, default: bool) -> bool:
+    raw = os.environ.get(name)
+    if raw is None or raw == "":
+        return default
+    return raw.strip().lower() in {"1", "true", "yes", "y", "on"}
+
+
+def _parse_access_mode() -> AccessMode:
+    raw = (os.environ.get("OSIDB_MCP_ACCESS_MODE") or "readonly").strip().lower()
+    if raw == "readonly":
+        return AccessMode.readonly
+    if raw == "readwrite":
+        return AccessMode.readwrite
+    raise ValueError(
+        "OSIDB_MCP_ACCESS_MODE must be 'readonly' or 'readwrite', "
+        f"got {raw!r}"
+    )
+
+
+@dataclass(frozen=True)
+class Settings:
+    base_url: str
+    auth: Literal["kerberos", "basic"]
+    username: str | None
+    password: str | None
+    verify_ssl: bool
+    user_agent: str | None
+    access_mode: AccessMode
+
+
+def load_settings() -> Settings:
+    base = os.environ.get("OSIDB_BASE_URL", "").strip()
+    if not base:
+        raise ValueError("OSIDB_BASE_URL is required")
+
+    auth = (os.environ.get("OSIDB_AUTH") or "kerberos").strip().lower()
+    if auth not in ("kerberos", "basic"):
+        raise ValueError("OSIDB_AUTH must be 'kerberos' or 'basic'")
+
+    username = os.environ.get("OSIDB_USERNAME")
+    password = os.environ.get("OSIDB_PASSWORD")
+    if auth == "basic":
+        if not username or not password:
+            raise ValueError(
+                "OSIDB_AUTH=basic requires OSIDB_USERNAME and OSIDB_PASSWORD"
+            )
+    else:
+        username = None
+        password = None
+
+    ua = os.environ.get("OSIDB_USER_AGENT")
+    if ua == "":
+        ua = None
+
+    return Settings(
+        base_url=base,
+        auth=auth,  # type: ignore[arg-type]
+        username=username,
+        password=password,
+        verify_ssl=_env_bool("OSIDB_VERIFY_SSL", True),
+        user_agent=ua,
+        access_mode=_parse_access_mode(),
+    )

osidb_mcp-0.1.0/src/osidb_mcp/errors.py

@@ -0,0 +1,20 @@
+"""Format HTTP errors without leaking secrets."""
+
+from __future__ import annotations
+
+from typing import Any
+
+import requests
+
+
+def http_error_payload(exc: BaseException) -> dict[str, Any]:
+    if isinstance(exc, requests.HTTPError):
+        resp = exc.response
+        status = resp.status_code if resp is not None else None
+        text = (resp.text[:2000] if resp is not None else "") or ""
+        return {
+            "error": "osidb_http_error",
+            "status_code": status,
+            "detail": text,
+        }
+    return {"error": "osidb_error", "detail": str(exc)}

osidb_mcp-0.1.0/src/osidb_mcp/query_filters.py

@@ -0,0 +1,69 @@
+"""Build kwargs for flaws/affects list with allowlisted ``extra_query``."""
+
+from __future__ import annotations
+
+from typing import Any
+
+from osidb_bindings.bindings.python_client.api.osidb import (
+    osidb_api_v2_affects_list,
+    osidb_api_v2_flaws_list,
+)
+
+FLAWS_EXTRA_KEYS = frozenset(osidb_api_v2_flaws_list.QUERY_PARAMS.keys())
+AFFECTS_EXTRA_KEYS = frozenset(osidb_api_v2_affects_list.QUERY_PARAMS.keys())
+
+EXTRAS_MAX_KEYS = 30
+EXTRAS_MAX_LIST_LEN = 100
+LIST_LIMIT_MAX = 100
+DEFAULT_LIST_LIMIT = 50
+
+
+def _coerce_extra_value(value: Any) -> Any:
+    if value is None or isinstance(value, (bool, int, float, str)):
+        return value
+    if isinstance(value, list):
+        if len(value) > EXTRAS_MAX_LIST_LEN:
+            raise ValueError(
+                f"extra_query list values must have at most {EXTRAS_MAX_LIST_LEN} items"
+            )
+        out = []
+        for item in value:
+            if not isinstance(item, (str, int, float, bool)):
+                raise ValueError("extra_query list items must be primitives")
+            out.append(item)
+        return out
+    raise ValueError("extra_query values must be primitives or lists of primitives")
+
+
+def merge_extra_query(
+    base: dict[str, Any],
+    extra: dict[str, Any] | None,
+    *,
+    allowlist: frozenset[str],
+) -> dict[str, Any]:
+    if not extra:
+        return base
+    if len(extra) > EXTRAS_MAX_KEYS:
+        raise ValueError(
+            f"extra_query may contain at most {EXTRAS_MAX_KEYS} keys"
+        )
+    merged = dict(base)
+    for key, raw in extra.items():
+        if key not in allowlist:
+            raise ValueError(f"extra_query key not allowed: {key!r}")
+        merged[key] = _coerce_extra_value(raw)
+    return merged
+
+
+def clamp_limit(limit: int | None) -> int:
+    if limit is None:
+        return DEFAULT_LIST_LIMIT
+    if limit < 1:
+        return 1
+    return min(limit, LIST_LIMIT_MAX)
+
+
+def clamp_offset(offset: int | None) -> int:
+    if offset is None or offset < 0:
+        return 0
+    return offset

osidb_mcp-0.1.0/src/osidb_mcp/serialize.py

@@ -0,0 +1,49 @@
+"""JSON-friendly serialization for bindings models and responses."""
+
+from __future__ import annotations
+
+import datetime
+from enum import Enum
+from typing import Any
+from uuid import UUID
+
+
+def to_jsonable(obj: Any) -> Any:
+    if obj is None:
+        return None
+    if isinstance(obj, (str, int, float, bool)):
+        return obj
+    if isinstance(obj, UUID):
+        return str(obj)
+    if isinstance(obj, Enum):
+        return obj.value
+    if isinstance(obj, (datetime.datetime, datetime.date)):
+        return obj.isoformat()
+    if isinstance(obj, dict):
+        return {str(k): to_jsonable(v) for k, v in obj.items()}
+    if isinstance(obj, (list, tuple)):
+        return [to_jsonable(x) for x in obj]
+    if hasattr(obj, "to_dict"):
+        return to_jsonable(obj.to_dict())
+    return str(obj)
+
+
+def paginated_summary(
+    response: Any,
+    *,
+    limit: int,
+    offset: int,
+) -> dict[str, Any]:
+    """Common pagination envelope for list endpoints."""
+    results = getattr(response, "results", ()) or ()
+    out: dict[str, Any] = {
+        "count": getattr(response, "count", None),
+        "limit": limit,
+        "offset": offset,
+        "results": [to_jsonable(r) for r in results],
+    }
+    next_url = getattr(response, "next_", None)
+    if next_url:
+        out["next"] = next_url
+        out["next_offset"] = offset + len(results)
+    return out

osidb_mcp-0.1.0/src/osidb_mcp/server.py

@@ -0,0 +1,89 @@
+"""FastMCP application wiring (stdio)."""
+
+from __future__ import annotations
+
+import logging
+
+from mcp.server.fastmcp import FastMCP
+
+from osidb_mcp.config import AccessMode, Settings
+from osidb_mcp import tools_read
+
+logger = logging.getLogger(__name__)
+
+_INSTRUCTIONS = """\
+This server exposes read-only OSIDB operations (flaws/CVEs, affects, trackers, comments, references, CVSS) \
+via official osidb-bindings. Responses may include embargoed data depending on your OSIDB account.
+
+Use ``flaws_list`` / ``flaws_count`` with ``components_in``, ``affects_ps_component``, ``affects_ps_module_in``, \
+``workflow_state_in``, ``impact`` / ``impact_in``, and ``owner_isempty`` for common triage queries. \
+Use ``affects_list`` when you want rows keyed by affect (``ps_module`` / ``ps_component`` / ``ps_update_stream``) \
+with ``flaw__*`` filters. Workflow state strings are deployment-specific.
+
+Access mode is controlled only by the ``OSIDB_MCP_ACCESS_MODE`` environment variable (``readonly`` default; \
+``readwrite`` reserved for future mutation tools).
+"""
+
+
+def create_server(settings: Settings) -> FastMCP:
+    mcp = FastMCP("osidb-mcp", instructions=_INSTRUCTIONS)
+
+    mcp.tool(name="osidb_status", description="OSIDB API health / status payload.")(
+        tools_read.osidb_status
+    )
+    mcp.tool(
+        name="osidb_whoami",
+        description="Current authenticated OSIDB user / profile (from /osidb/whoami).",
+    )(tools_read.osidb_whoami)
+    mcp.tool(
+        name="flaw_get",
+        description="Retrieve a single flaw by CVE id or flaw id; optional field projection.",
+    )(tools_read.flaw_get)
+    mcp.tool(
+        name="flaws_list",
+        description=(
+            "List flaws with filters: components, affects (ps_module/ps_component/ps_update_stream), "
+            "workflow_state, impact, owner_isempty, embargoed, dates, etc. "
+            "Optional ``extra_query`` must use OSIDB v2 list query keys (allowlisted). "
+            "limit is capped at 100."
+        ),
+    )(tools_read.flaws_list)
+    mcp.tool(
+        name="flaws_count",
+        description="Count flaws matching the same filters as flaws_list (no result bodies).",
+    )(tools_read.flaws_count)
+    mcp.tool(
+        name="flaws_search",
+        description="Full-text search flaws (maps to OSIDB search parameter).",
+    )(tools_read.flaws_search)
+    mcp.tool(
+        name="affects_list",
+        description=(
+            "List affects with ps_module / ps_component / ps_update_stream and flaw__ filters "
+            "(e.g. flaw_workflow_state_in, flaw_impact_in, flaw_components_in)."
+        ),
+    )(tools_read.affects_list)
+    mcp.tool(
+        name="trackers_list",
+        description="List trackers (filings) with optional CVE / ps_module / ps_component filters.",
+    )(tools_read.trackers_list)
+    mcp.tool(
+        name="flaw_comments_list",
+        description="Paginated comments for a flaw id.",
+    )(tools_read.flaw_comments_list)
+    mcp.tool(
+        name="flaw_references_list",
+        description="Paginated external references for a flaw id.",
+    )(tools_read.flaw_references_list)
+    mcp.tool(
+        name="flaw_cvss_scores_list",
+        description="Paginated CVSS score rows for a flaw id.",
+    )(tools_read.flaw_cvss_scores_list)
+
+    if settings.access_mode == AccessMode.readwrite:
+        logger.warning(
+            "readwrite mode requested: mutation tools are not implemented in this release; "
+            "only read tools are registered."
+        )
+
+    return mcp

osidb_mcp-0.1.0/src/osidb_mcp/session_holder.py

@@ -0,0 +1,42 @@
+"""Lazy OSIDB session (JWT refresh handled by osidb-bindings)."""
+
+from __future__ import annotations
+
+import osidb_bindings
+from osidb_bindings.session import Session
+
+from osidb_mcp.config import Settings
+
+_session: Session | None = None
+_settings: Settings | None = None
+
+
+def init_session(settings: Settings) -> None:
+    global _session, _settings
+    _settings = settings
+    if settings.auth == "basic":
+        _session = osidb_bindings.new_session(
+            osidb_server_uri=settings.base_url,
+            username=settings.username,
+            password=settings.password,
+            verify_ssl=settings.verify_ssl,
+            user_agent=settings.user_agent,
+        )
+    else:
+        _session = osidb_bindings.new_session(
+            osidb_server_uri=settings.base_url,
+            verify_ssl=settings.verify_ssl,
+            user_agent=settings.user_agent,
+        )
+
+
+def get_session() -> Session:
+    if _session is None:
+        raise RuntimeError("Session not initialized")
+    return _session
+
+
+def current_settings() -> Settings:
+    if _settings is None:
+        raise RuntimeError("Session not initialized")
+    return _settings

osidb_mcp-0.1.0/src/osidb_mcp/tools_read.py

@@ -0,0 +1,622 @@
+"""MCP tool implementations (read-only OSIDB operations)."""
+
+from __future__ import annotations
+
+import datetime
+import importlib
+from typing import Any
+
+import requests
+from osidb_bindings.bindings.python_client.api.osidb import osidb_whoami_retrieve
+from osidb_bindings.bindings.python_client.models.osidb_api_v2_affects_list_flaw_impact import (
+    OsidbApiV2AffectsListFlawImpact,
+)
+from osidb_bindings.bindings.python_client.models.osidb_api_v2_affects_list_flaw_impact_in_item import (
+    OsidbApiV2AffectsListFlawImpactInItem,
+)
+from osidb_bindings.bindings.python_client.models.osidb_api_v2_affects_list_flaw_workflow_state_item import (
+    OsidbApiV2AffectsListFlawWorkflowStateItem,
+)
+from osidb_bindings.bindings.python_client.models.osidb_api_v2_flaws_list_impact import (
+    OsidbApiV2FlawsListImpact,
+)
+from osidb_bindings.bindings.python_client.models.osidb_api_v2_flaws_list_impact_in_item import (
+    OsidbApiV2FlawsListImpactInItem,
+)
+from osidb_bindings.bindings.python_client.models.osidb_api_v2_flaws_list_major_incident_state import (
+    OsidbApiV2FlawsListMajorIncidentState,
+)
+from osidb_bindings.bindings.python_client.models.osidb_api_v2_flaws_list_source import (
+    OsidbApiV2FlawsListSource,
+)
+from osidb_bindings.bindings.python_client.models.osidb_api_v2_flaws_list_workflow_state_item import (
+    OsidbApiV2FlawsListWorkflowStateItem,
+)
+
+from osidb_mcp.errors import http_error_payload
+from osidb_mcp.query_filters import (
+    AFFECTS_EXTRA_KEYS,
+    DEFAULT_LIST_LIMIT,
+    FLAWS_EXTRA_KEYS,
+    clamp_limit,
+    clamp_offset,
+    merge_extra_query,
+)
+from osidb_mcp.serialize import paginated_summary, to_jsonable
+from osidb_mcp.session_holder import get_session
+
+_trackers_list = importlib.import_module(
+    "osidb_bindings.bindings.python_client.api.osidb.osidb_api_v2_trackers_list"
+)
+TRACKERS_EXTRA_KEYS = frozenset(_trackers_list.QUERY_PARAMS.keys())
+
+
+def _parse_dt(value: str | None) -> datetime.datetime | None:
+    if not value:
+        return None
+    s = value.strip()
+    if s.endswith("Z"):
+        s = s[:-1] + "+00:00:00"
+    return datetime.datetime.fromisoformat(s)
+
+
+def _impact_in(values: list[str] | None) -> list[OsidbApiV2FlawsListImpactInItem] | None:
+    if not values:
+        return None
+    return [OsidbApiV2FlawsListImpactInItem(v) for v in values]
+
+
+def _workflow_in(
+    values: list[str] | None,
+) -> list[OsidbApiV2FlawsListWorkflowStateItem] | None:
+    if not values:
+        return None
+    return [OsidbApiV2FlawsListWorkflowStateItem(v) for v in values]
+
+
+def osidb_status() -> dict[str, Any]:
+    try:
+        st = get_session().status()
+        return {"ok": True, "status": to_jsonable(st)}
+    except requests.RequestException as e:
+        return {"ok": False, **http_error_payload(e)}
+
+
+def osidb_whoami() -> dict[str, Any]:
+    try:
+        s = get_session()
+        r = osidb_whoami_retrieve.sync_detailed(
+            client=s.get_client_with_new_access_token()
+        )
+        if r.parsed is None:
+            return {
+                "ok": False,
+                "error": "whoami_empty",
+                "status_code": int(r.status_code),
+            }
+        return {"ok": True, "whoami": to_jsonable(r.parsed.to_dict())}
+    except requests.RequestException as e:
+        return {"ok": False, **http_error_payload(e)}
+
+
+def flaw_get(
+    flaw_id: str,
+    include_fields: list[str] | None = None,
+    exclude_fields: list[str] | None = None,
+    api_version: str | None = None,
+) -> dict[str, Any]:
+    try:
+        kw: dict[str, Any] = {}
+        if include_fields:
+            kw["include_fields"] = include_fields
+        if exclude_fields:
+            kw["exclude_fields"] = exclude_fields
+        flaw = get_session().flaws.retrieve(
+            flaw_id, api_version=api_version, **kw
+        )
+        return {"ok": True, "flaw": to_jsonable(flaw)}
+    except requests.RequestException as e:
+        return {"ok": False, **http_error_payload(e)}
+
+
+def _build_flaws_kwargs(
+    *,
+    search: str | None,
+    embargoed: bool | None,
+    components: list[str] | None,
+    components_in: list[str] | None,
+    affects_ps_module: str | None,
+    affects_ps_module_in: list[str] | None,
+    affects_ps_component: str | None,
+    affects_ps_component_in: list[str] | None,
+    affects_ps_update_stream: str | None,
+    affects_ps_update_stream_in: list[str] | None,
+    workflow_state: list[str] | None,
+    workflow_state_in: list[str] | None,
+    impact: str | None,
+    impact_in: list[str] | None,
+    owner: str | None,
+    owner_in: list[str] | None,
+    owner_isempty: bool | None,
+    cve_id_in: list[str] | None,
+    changed_after: str | None,
+    changed_before: str | None,
+    major_incident_state: str | None,
+    source: str | None,
+    source_in: list[str] | None,
+    include_fields: list[str] | None,
+    exclude_fields: list[str] | None,
+    limit: int,
+    offset: int,
+) -> dict[str, Any]:
+    kw: dict[str, Any] = {"limit": limit, "offset": offset}
+    if search:
+        kw["search"] = search
+    if embargoed is not None:
+        kw["embargoed"] = embargoed
+    if components:
+        kw["components"] = components
+    if components_in:
+        kw["components__in"] = components_in
+    if affects_ps_module:
+        kw["affects__ps_module"] = affects_ps_module
+    if affects_ps_module_in:
+        kw["affects__ps_module__in"] = affects_ps_module_in
+    if affects_ps_component:
+        kw["affects__ps_component"] = affects_ps_component
+    if affects_ps_component_in:
+        kw["affects__ps_component__in"] = affects_ps_component_in
+    if affects_ps_update_stream:
+        kw["affects__ps_update_stream"] = affects_ps_update_stream
+    if affects_ps_update_stream_in:
+        kw["affects__ps_update_stream__in"] = affects_ps_update_stream_in
+    if workflow_state:
+        kw["workflow_state"] = _workflow_in(workflow_state)
+    if workflow_state_in:
+        kw["workflow_state__in"] = _workflow_in(workflow_state_in)
+    if impact:
+        kw["impact"] = OsidbApiV2FlawsListImpact(impact)
+    if impact_in:
+        kw["impact__in"] = _impact_in(impact_in)
+    if owner:
+        kw["owner"] = owner
+    if owner_in:
+        kw["owner__in"] = owner_in
+    if owner_isempty is not None:
+        kw["owner__isempty"] = owner_isempty
+    if cve_id_in:
+        kw["cve_id__in"] = cve_id_in
+    ca, cb = _parse_dt(changed_after), _parse_dt(changed_before)
+    if ca is not None:
+        kw["changed_after"] = ca
+    if cb is not None:
+        kw["changed_before"] = cb
+    if major_incident_state:
+        kw["major_incident_state"] = OsidbApiV2FlawsListMajorIncidentState(
+            major_incident_state
+        )
+    if source:
+        kw["source"] = OsidbApiV2FlawsListSource(source)
+    if source_in:
+        kw["source__in"] = [OsidbApiV2FlawsListSource(s) for s in source_in]
+    if include_fields:
+        kw["include_fields"] = include_fields
+    if exclude_fields:
+        kw["exclude_fields"] = exclude_fields
+    return kw
+
+
+def flaws_list(
+    *,
+    search: str | None = None,
+    embargoed: bool | None = None,
+    components: list[str] | None = None,
+    components_in: list[str] | None = None,
+    affects_ps_module: str | None = None,
+    affects_ps_module_in: list[str] | None = None,
+    affects_ps_component: str | None = None,
+    affects_ps_component_in: list[str] | None = None,
+    affects_ps_update_stream: str | None = None,
+    affects_ps_update_stream_in: list[str] | None = None,
+    workflow_state: list[str] | None = None,
+    workflow_state_in: list[str] | None = None,
+    impact: str | None = None,
+    impact_in: list[str] | None = None,
+    owner: str | None = None,
+    owner_in: list[str] | None = None,
+    owner_isempty: bool | None = None,
+    cve_id_in: list[str] | None = None,
+    changed_after: str | None = None,
+    changed_before: str | None = None,
+    major_incident_state: str | None = None,
+    source: str | None = None,
+    source_in: list[str] | None = None,
+    include_fields: list[str] | None = None,
+    exclude_fields: list[str] | None = None,
+    limit: int = DEFAULT_LIST_LIMIT,
+    offset: int = 0,
+    api_version: str | None = None,
+    extra_query: dict[str, Any] | None = None,
+) -> dict[str, Any]:
+    lim = clamp_limit(limit)
+    off = clamp_offset(offset)
+    try:
+        base = _build_flaws_kwargs(
+            search=search,
+            embargoed=embargoed,
+            components=components,
+            components_in=components_in,
+            affects_ps_module=affects_ps_module,
+            affects_ps_module_in=affects_ps_module_in,
+            affects_ps_component=affects_ps_component,
+            affects_ps_component_in=affects_ps_component_in,
+            affects_ps_update_stream=affects_ps_update_stream,
+            affects_ps_update_stream_in=affects_ps_update_stream_in,
+            workflow_state=workflow_state,
+            workflow_state_in=workflow_state_in,
+            impact=impact,
+            impact_in=impact_in,
+            owner=owner,
+            owner_in=owner_in,
+            owner_isempty=owner_isempty,
+            cve_id_in=cve_id_in,
+            changed_after=changed_after,
+            changed_before=changed_before,
+            major_incident_state=major_incident_state,
+            source=source,
+            source_in=source_in,
+            include_fields=include_fields,
+            exclude_fields=exclude_fields,
+            limit=lim,
+            offset=off,
+        )
+        merged = merge_extra_query(base, extra_query, allowlist=FLAWS_EXTRA_KEYS)
+        resp = get_session().flaws.retrieve_list(
+            api_version=api_version,
+            **merged,
+        )
+        return {
+            "ok": True,
+            **paginated_summary(resp, limit=lim, offset=off),
+        }
+    except (requests.RequestException, ValueError) as e:
+        if isinstance(e, ValueError):
+            return {"ok": False, "error": "bad_request", "detail": str(e)}
+        return {"ok": False, **http_error_payload(e)}
+
+
+def flaws_count(
+    *,
+    search: str | None = None,
+    embargoed: bool | None = None,
+    components: list[str] | None = None,
+    components_in: list[str] | None = None,
+    affects_ps_module: str | None = None,
+    affects_ps_module_in: list[str] | None = None,
+    affects_ps_component: str | None = None,
+    affects_ps_component_in: list[str] | None = None,
+    affects_ps_update_stream: str | None = None,
+    affects_ps_update_stream_in: list[str] | None = None,
+    workflow_state: list[str] | None = None,
+    workflow_state_in: list[str] | None = None,
+    impact: str | None = None,
+    impact_in: list[str] | None = None,
+    owner: str | None = None,
+    owner_in: list[str] | None = None,
+    owner_isempty: bool | None = None,
+    cve_id_in: list[str] | None = None,
+    changed_after: str | None = None,
+    changed_before: str | None = None,
+    major_incident_state: str | None = None,
+    source: str | None = None,
+    source_in: list[str] | None = None,
+    api_version: str | None = None,
+    extra_query: dict[str, Any] | None = None,
+) -> dict[str, Any]:
+    try:
+        base = _build_flaws_kwargs(
+            search=search,
+            embargoed=embargoed,
+            components=components,
+            components_in=components_in,
+            affects_ps_module=affects_ps_module,
+            affects_ps_module_in=affects_ps_module_in,
+            affects_ps_component=affects_ps_component,
+            affects_ps_component_in=affects_ps_component_in,
+            affects_ps_update_stream=affects_ps_update_stream,
+            affects_ps_update_stream_in=affects_ps_update_stream_in,
+            workflow_state=workflow_state,
+            workflow_state_in=workflow_state_in,
+            impact=impact,
+            impact_in=impact_in,
+            owner=owner,
+            owner_in=owner_in,
+            owner_isempty=owner_isempty,
+            cve_id_in=cve_id_in,
+            changed_after=changed_after,
+            changed_before=changed_before,
+            major_incident_state=major_incident_state,
+            source=source,
+            source_in=source_in,
+            include_fields=None,
+            exclude_fields=None,
+            limit=50,
+            offset=0,
+        )
+        base.pop("limit", None)
+        base.pop("offset", None)
+        merged = merge_extra_query(base, extra_query, allowlist=FLAWS_EXTRA_KEYS)
+        n = get_session().flaws.count(api_version=api_version, **merged)
+        return {"ok": True, "count": n}
+    except (requests.RequestException, ValueError) as e:
+        if isinstance(e, ValueError):
+            return {"ok": False, "error": "bad_request", "detail": str(e)}
+        return {"ok": False, **http_error_payload(e)}
+
+
+def flaws_search(
+    text: str,
+    limit: int = DEFAULT_LIST_LIMIT,
+    api_version: str | None = None,
+) -> dict[str, Any]:
+    lim = clamp_limit(limit)
+    try:
+        resp = get_session().flaws.search(
+            text,
+            api_version=api_version,
+            limit=lim,
+        )
+        return {
+            "ok": True,
+            **paginated_summary(resp, limit=lim, offset=0),
+        }
+    except requests.RequestException as e:
+        return {"ok": False, **http_error_payload(e)}
+
+
+def _affects_impact_in(
+    values: list[str] | None,
+) -> list[OsidbApiV2AffectsListFlawImpactInItem] | None:
+    if not values:
+        return None
+    return [OsidbApiV2AffectsListFlawImpactInItem(v) for v in values]
+
+
+def _affects_workflow_in(
+    values: list[str] | None,
+) -> list[OsidbApiV2AffectsListFlawWorkflowStateItem] | None:
+    if not values:
+        return None
+    return [OsidbApiV2AffectsListFlawWorkflowStateItem(v) for v in values]
+
+
+def affects_list(
+    *,
+    ps_module: str | None = None,
+    ps_module_in: list[str] | None = None,
+    ps_component: str | None = None,
+    ps_component_in: list[str] | None = None,
+    ps_update_stream: str | None = None,
+    ps_update_stream_in: list[str] | None = None,
+    flaw_cve_id: str | None = None,
+    flaw_cve_id_in: list[str] | None = None,
+    flaw_workflow_state: list[str] | None = None,
+    flaw_workflow_state_in: list[str] | None = None,
+    flaw_impact: str | None = None,
+    flaw_impact_in: list[str] | None = None,
+    flaw_components: list[str] | None = None,
+    flaw_components_in: list[str] | None = None,
+    embargoed: bool | None = None,
+    include_fields: list[str] | None = None,
+    exclude_fields: list[str] | None = None,
+    limit: int = DEFAULT_LIST_LIMIT,
+    offset: int = 0,
+    api_version: str | None = None,
+    extra_query: dict[str, Any] | None = None,
+) -> dict[str, Any]:
+    lim = clamp_limit(limit)
+    off = clamp_offset(offset)
+    try:
+        kw: dict[str, Any] = {"limit": lim, "offset": off}
+        if ps_module:
+            kw["ps_module"] = ps_module
+        if ps_module_in:
+            kw["ps_module__in"] = ps_module_in
+        if ps_component:
+            kw["ps_component"] = ps_component
+        if ps_component_in:
+            kw["ps_component__in"] = ps_component_in
+        if ps_update_stream:
+            kw["ps_update_stream"] = ps_update_stream
+        if ps_update_stream_in:
+            kw["ps_update_stream__in"] = ps_update_stream_in
+        if flaw_cve_id:
+            kw["flaw__cve_id"] = flaw_cve_id
+        if flaw_cve_id_in:
+            kw["flaw__cve_id__in"] = flaw_cve_id_in
+        if flaw_workflow_state:
+            kw["flaw__workflow_state"] = _affects_workflow_in(flaw_workflow_state)
+        if flaw_workflow_state_in:
+            kw["flaw__workflow_state__in"] = _affects_workflow_in(
+                flaw_workflow_state_in
+            )
+        if flaw_impact:
+            kw["flaw__impact"] = OsidbApiV2AffectsListFlawImpact(flaw_impact)
+        if flaw_impact_in:
+            kw["flaw__impact__in"] = _affects_impact_in(flaw_impact_in)
+        if flaw_components:
+            kw["flaw__components"] = flaw_components
+        if flaw_components_in:
+            kw["flaw__components__in"] = flaw_components_in
+        if embargoed is not None:
+            kw["embargoed"] = embargoed
+        if include_fields:
+            kw["include_fields"] = include_fields
+        if exclude_fields:
+            kw["exclude_fields"] = exclude_fields
+        merged = merge_extra_query(kw, extra_query, allowlist=AFFECTS_EXTRA_KEYS)
+        resp = get_session().affects.retrieve_list(
+            api_version=api_version,
+            **merged,
+        )
+        return {
+            "ok": True,
+            **paginated_summary(resp, limit=lim, offset=off),
+        }
+    except (requests.RequestException, ValueError) as e:
+        if isinstance(e, ValueError):
+            return {"ok": False, "error": "bad_request", "detail": str(e)}
+        return {"ok": False, **http_error_payload(e)}
+
+
+def _finalize_trackers_kwargs(merged: dict[str, Any]) -> dict[str, Any]:
+    """Map OpenAPI ``type`` query keys to the generated client ``type_`` kwargs."""
+    from osidb_bindings.bindings.python_client.models.osidb_api_v2_trackers_list_type import (
+        OsidbApiV2TrackersListType,
+    )
+    from osidb_bindings.bindings.python_client.models.osidb_api_v2_trackers_list_type_in_item import (
+        OsidbApiV2TrackersListTypeInItem,
+    )
+
+    out = dict(merged)
+    if "type" in out:
+        v = out.pop("type")
+        out["type_"] = (
+            OsidbApiV2TrackersListType(v) if isinstance(v, str) else v
+        )
+    if "type__in" in out:
+        v = out.pop("type__in")
+        if isinstance(v, list):
+            out["type_in"] = [
+                OsidbApiV2TrackersListTypeInItem(x) if isinstance(x, str) else x
+                for x in v
+            ]
+        else:
+            out["type_in"] = v
+    return out
+
+
+def trackers_list(
+    *,
+    affects_flaw_cve_id: str | None = None,
+    affects_flaw_cve_id_in: list[str] | None = None,
+    affects_ps_module_in: list[str] | None = None,
+    affects_ps_component_in: list[str] | None = None,
+    tracker_type: str | None = None,
+    include_fields: list[str] | None = None,
+    exclude_fields: list[str] | None = None,
+    limit: int = DEFAULT_LIST_LIMIT,
+    offset: int = 0,
+    api_version: str | None = None,
+    extra_query: dict[str, Any] | None = None,
+) -> dict[str, Any]:
+    lim = clamp_limit(limit)
+    off = clamp_offset(offset)
+    try:
+        from osidb_bindings.bindings.python_client.models.osidb_api_v2_trackers_list_type import (
+            OsidbApiV2TrackersListType,
+        )
+
+        kw: dict[str, Any] = {"limit": lim, "offset": off}
+        if affects_flaw_cve_id:
+            kw["affects__flaw__cve_id"] = affects_flaw_cve_id
+        if affects_flaw_cve_id_in:
+            kw["affects__flaw__cve_id__in"] = affects_flaw_cve_id_in
+        if affects_ps_module_in:
+            kw["affects__ps_module__in"] = affects_ps_module_in
+        if affects_ps_component_in:
+            kw["affects__ps_component__in"] = affects_ps_component_in
+        if tracker_type:
+            kw["type_"] = OsidbApiV2TrackersListType(tracker_type)
+        if include_fields:
+            kw["include_fields"] = include_fields
+        if exclude_fields:
+            kw["exclude_fields"] = exclude_fields
+        merged = merge_extra_query(
+            kw, extra_query, allowlist=TRACKERS_EXTRA_KEYS
+        )
+        merged = _finalize_trackers_kwargs(merged)
+        resp = get_session().trackers.retrieve_list(
+            api_version=api_version,
+            **merged,
+        )
+        return {
+            "ok": True,
+            **paginated_summary(resp, limit=lim, offset=off),
+        }
+    except (requests.RequestException, ValueError) as e:
+        if isinstance(e, ValueError):
+            return {"ok": False, "error": "bad_request", "detail": str(e)}
+        return {"ok": False, **http_error_payload(e)}
+
+
+def flaw_comments_list(
+    flaw_id: str,
+    *,
+    limit: int = DEFAULT_LIST_LIMIT,
+    offset: int = 0,
+    api_version: str | None = None,
+) -> dict[str, Any]:
+    lim = clamp_limit(limit)
+    off = clamp_offset(offset)
+    try:
+        resp = get_session().flaws.comments.retrieve_list(
+            flaw_id,
+            api_version=api_version,
+            limit=lim,
+            offset=off,
+        )
+        return {
+            "ok": True,
+            **paginated_summary(resp, limit=lim, offset=off),
+        }
+    except requests.RequestException as e:
+        return {"ok": False, **http_error_payload(e)}
+
+
+def flaw_references_list(
+    flaw_id: str,
+    *,
+    limit: int = DEFAULT_LIST_LIMIT,
+    offset: int = 0,
+    api_version: str | None = None,
+) -> dict[str, Any]:
+    lim = clamp_limit(limit)
+    off = clamp_offset(offset)
+    try:
+        resp = get_session().flaws.references.retrieve_list(
+            flaw_id,
+            api_version=api_version,
+            limit=lim,
+            offset=off,
+        )
+        return {
+            "ok": True,
+            **paginated_summary(resp, limit=lim, offset=off),
+        }
+    except requests.RequestException as e:
+        return {"ok": False, **http_error_payload(e)}
+
+
+def flaw_cvss_scores_list(
+    flaw_id: str,
+    *,
+    limit: int = DEFAULT_LIST_LIMIT,
+    offset: int = 0,
+    api_version: str | None = None,
+) -> dict[str, Any]:
+    lim = clamp_limit(limit)
+    off = clamp_offset(offset)
+    try:
+        resp = get_session().flaws.cvss_scores.retrieve_list(
+            flaw_id,
+            api_version=api_version,
+            limit=lim,
+            offset=off,
+        )
+        return {
+            "ok": True,
+            **paginated_summary(resp, limit=lim, offset=off),
+        }
+    except requests.RequestException as e:
+        return {"ok": False, **http_error_payload(e)}