vmware-nsx-security 1.3.0__tar.gz

vmware_nsx_security-1.3.0/.gitignore

@@ -0,0 +1,13 @@
+__pycache__/
+*.pyc
+*.pyo
+*.egg-info/
+dist/
+build/
+.eggs/
+.env
+*.log
+.DS_Store
+.venv/
+.mcpregistry_*
+mcp-publisher

vmware_nsx_security-1.3.0/Dockerfile

@@ -0,0 +1,13 @@
+FROM python:3.12-slim
+
+WORKDIR /app
+
+RUN pip install --no-cache-dir uv
+
+COPY pyproject.toml .
+COPY vmware_nsx_security/ vmware_nsx_security/
+COPY mcp_server/ mcp_server/
+
+RUN uv pip install --system .
+
+CMD ["python", "-m", "mcp_server"]

vmware_nsx_security-1.3.0/PKG-INFO

@@ -0,0 +1,124 @@
+Metadata-Version: 2.4
+Name: vmware-nsx-security
+Version: 1.3.0
+Summary: VMware NSX DFW microsegmentation and security: distributed firewall, security groups, tags, traceflow, IDPS
+Author: zw008
+License-Expression: MIT
+Keywords: ai-ops,dfw,firewall,mcp,microsegmentation,nsx,nsx-t,vmware
+Classifier: Development Status :: 4 - Beta
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Networking
+Requires-Python: >=3.10
+Requires-Dist: httpx<1.0,>=0.27
+Requires-Dist: mcp[cli]<2.0,>=1.0
+Requires-Dist: python-dotenv<2.0,>=1.0
+Requires-Dist: pyyaml<7.0,>=6.0
+Requires-Dist: rich<15.0,>=13.0
+Requires-Dist: typer<1.0,>=0.12
+Description-Content-Type: text/markdown
+
+# VMware NSX Security
+
+VMware NSX DFW microsegmentation and security MCP skill — 20 tools for distributed firewall policies/rules, security groups, VM tags, Traceflow packet tracing, and IDPS.
+
+> **Companion skills**: [vmware-nsx](https://github.com/zw008/VMware-NSX) (networking), [vmware-aiops](https://github.com/zw008/VMware-AIops) (VM lifecycle), [vmware-monitor](https://github.com/zw008/VMware-Monitor) (monitoring)
+
+## Quick Start
+
+```bash
+uv tool install vmware-nsx-security
+
+mkdir -p ~/.vmware-nsx-security
+cp config.example.yaml ~/.vmware-nsx-security/config.yaml
+# Edit config.yaml with your NSX Manager host
+
+echo "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx-security/.env
+chmod 600 ~/.vmware-nsx-security/.env
+
+vmware-nsx-security doctor
+```
+
+## What It Does
+
+| Category | Tools |
+|----------|-------|
+| DFW Policy | list, get, create, update, delete, list rules |
+| DFW Rules | create, update, delete, stats |
+| Security Groups | list, get, create, delete |
+| VM Tags | list tags, apply tag |
+| Traceflow | run trace, get result |
+| IDPS | list profiles, engine status |
+
+**Total: 20 MCP tools** (10 read-only + 10 write)
+
+## MCP Server Setup
+
+Add to `~/.claude.json`:
+
+```json
+{
+  "mcpServers": {
+    "vmware-nsx-security": {
+      "command": "vmware-nsx-security-mcp",
+      "env": {
+        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
+      }
+    }
+  }
+}
+```
+
+## Common Workflows
+
+### Microsegment an Application
+
+```bash
+# 1. Create groups by tag
+vmware-nsx-security group create web-vms --name "Web VMs" --tag-scope tier --tag-value web
+vmware-nsx-security group create app-vms --name "App VMs" --tag-scope tier --tag-value app
+
+# 2. Create DFW policy
+vmware-nsx-security policy create web-app-policy --name "Web to App" --category Application
+```
+
+### Tag a VM
+
+```bash
+# Find VM and its external ID
+vmware-nsx-security tag list my-vm-01
+
+# Apply tag using the external ID
+vmware-nsx-security tag apply <external-id> --scope tier --value web
+```
+
+### Trace a Packet
+
+```bash
+vmware-nsx-security traceflow run <src-lport-id> \
+  --src-ip 10.0.1.5 --dst-ip 10.0.2.10 --proto TCP --dst-port 443
+```
+
+## Safety
+
+- **Dependency checks**: Cannot delete a policy with active rules, or a group referenced by DFW rules
+- **Audit logging**: All write ops logged to `~/.vmware-nsx-security/audit.log`
+- **Input validation**: IDs validated; all API text sanitized against prompt injection
+- **Dry-run mode**: All CLI write commands support `--dry-run`
+- **Credential safety**: Passwords only from env vars, never in config files
+
+## Companion Skills
+
+| Skill | Purpose |
+|-------|---------|
+| **vmware-nsx** | Segments, gateways, NAT, routing, IPAM |
+| **vmware-nsx-security** | DFW, security groups, tags, traceflow, IDPS ← this |
+| **vmware-aiops** | VM lifecycle, deployment, guest ops |
+| **vmware-monitor** | vSphere monitoring, alarms, events |
+| **vmware-storage** | iSCSI, vSAN, datastores |
+| **vmware-vks** | Tanzu Kubernetes |
+
+## License
+
+MIT

vmware_nsx_security-1.3.0/README-CN.md

@@ -0,0 +1,103 @@
+# VMware NSX Security
+
+VMware NSX DFW 微分段与安全管理 MCP skill — 20 个工具，涵盖分布式防火墙策略与规则、安全组、VM 标签、Traceflow 数据包追踪和 IDPS。
+
+> **配套 skill**：[vmware-nsx](https://github.com/zw008/VMware-NSX)（网络）、[vmware-aiops](https://github.com/zw008/VMware-AIops)（VM 生命周期）、[vmware-monitor](https://github.com/zw008/VMware-Monitor)（监控）
+
+## 快速开始
+
+```bash
+uv tool install vmware-nsx-security
+
+mkdir -p ~/.vmware-nsx-security
+cp config.example.yaml ~/.vmware-nsx-security/config.yaml
+# 编辑 config.yaml，填写 NSX Manager 地址
+
+echo "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx-security/.env
+chmod 600 ~/.vmware-nsx-security/.env
+
+vmware-nsx-security doctor
+```
+
+## 功能
+
+| 类别 | 工具数 |
+|------|--------|
+| DFW 策略 | 列出、获取、创建、更新、删除、列出规则（6 个） |
+| DFW 规则 | 创建、更新、删除、统计（4 个） |
+| 安全组 | 列出、获取、创建、删除（4 个） |
+| VM 标签 | 列出标签、应用标签（2 个） |
+| Traceflow | 运行追踪、获取结果（2 个） |
+| IDPS | 列出 Profile、获取状态（2 个） |
+
+**共 20 个 MCP 工具**（10 只读 + 10 写入）
+
+## MCP 服务器配置
+
+添加到 `~/.claude.json`：
+
+```json
+{
+  "mcpServers": {
+    "vmware-nsx-security": {
+      "command": "vmware-nsx-security-mcp",
+      "env": {
+        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
+      }
+    }
+  }
+}
+```
+
+## 常见操作
+
+### 对应用进行微分段
+
+```bash
+# 1. 按标签创建安全组
+vmware-nsx-security group create web-vms --name "Web VMs" --tag-scope tier --tag-value web
+vmware-nsx-security group create app-vms --name "App VMs" --tag-scope tier --tag-value app
+
+# 2. 创建 DFW 策略
+vmware-nsx-security policy create web-app-policy --name "Web to App" --category Application
+```
+
+### 为 VM 打标签
+
+```bash
+# 查询 VM 及其 external ID
+vmware-nsx-security tag list my-vm-01
+
+# 使用 external ID 应用标签
+vmware-nsx-security tag apply <external-id> --scope tier --value web
+```
+
+### 追踪数据包路径
+
+```bash
+vmware-nsx-security traceflow run <src-lport-id> \
+  --src-ip 10.0.1.5 --dst-ip 10.0.2.10 --proto TCP --dst-port 443
+```
+
+## 安全性
+
+- **依赖检查**：有活跃规则时不允许删除策略；被 DFW 规则引用的安全组不允许删除
+- **审计日志**：所有写操作记录到 `~/.vmware-nsx-security/audit.log`（JSON Lines 格式）
+- **输入验证**：ID 字符集校验；API 返回文本经过 `_sanitize()` 清洗，防止提示注入
+- **Dry-run 模式**：CLI 写命令均支持 `--dry-run` 预览
+- **凭据安全**：密码仅从环境变量读取，永不写入 config.yaml
+
+## 配套 Skill
+
+| Skill | 用途 |
+|-------|------|
+| **vmware-nsx** | 网段、网关、NAT、路由、IPAM |
+| **vmware-nsx-security** | DFW、安全组、标签、Traceflow、IDPS ← 本 skill |
+| **vmware-aiops** | VM 生命周期、部署、Guest 操作 |
+| **vmware-monitor** | vSphere 监控、告警、事件 |
+| **vmware-storage** | iSCSI、vSAN、数据存储 |
+| **vmware-vks** | Tanzu Kubernetes |
+
+## 许可证
+
+MIT

vmware_nsx_security-1.3.0/README.md

@@ -0,0 +1,103 @@
+# VMware NSX Security
+
+VMware NSX DFW microsegmentation and security MCP skill — 20 tools for distributed firewall policies/rules, security groups, VM tags, Traceflow packet tracing, and IDPS.
+
+> **Companion skills**: [vmware-nsx](https://github.com/zw008/VMware-NSX) (networking), [vmware-aiops](https://github.com/zw008/VMware-AIops) (VM lifecycle), [vmware-monitor](https://github.com/zw008/VMware-Monitor) (monitoring)
+
+## Quick Start
+
+```bash
+uv tool install vmware-nsx-security
+
+mkdir -p ~/.vmware-nsx-security
+cp config.example.yaml ~/.vmware-nsx-security/config.yaml
+# Edit config.yaml with your NSX Manager host
+
+echo "VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=your_password" > ~/.vmware-nsx-security/.env
+chmod 600 ~/.vmware-nsx-security/.env
+
+vmware-nsx-security doctor
+```
+
+## What It Does
+
+| Category | Tools |
+|----------|-------|
+| DFW Policy | list, get, create, update, delete, list rules |
+| DFW Rules | create, update, delete, stats |
+| Security Groups | list, get, create, delete |
+| VM Tags | list tags, apply tag |
+| Traceflow | run trace, get result |
+| IDPS | list profiles, engine status |
+
+**Total: 20 MCP tools** (10 read-only + 10 write)
+
+## MCP Server Setup
+
+Add to `~/.claude.json`:
+
+```json
+{
+  "mcpServers": {
+    "vmware-nsx-security": {
+      "command": "vmware-nsx-security-mcp",
+      "env": {
+        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
+      }
+    }
+  }
+}
+```
+
+## Common Workflows
+
+### Microsegment an Application
+
+```bash
+# 1. Create groups by tag
+vmware-nsx-security group create web-vms --name "Web VMs" --tag-scope tier --tag-value web
+vmware-nsx-security group create app-vms --name "App VMs" --tag-scope tier --tag-value app
+
+# 2. Create DFW policy
+vmware-nsx-security policy create web-app-policy --name "Web to App" --category Application
+```
+
+### Tag a VM
+
+```bash
+# Find VM and its external ID
+vmware-nsx-security tag list my-vm-01
+
+# Apply tag using the external ID
+vmware-nsx-security tag apply <external-id> --scope tier --value web
+```
+
+### Trace a Packet
+
+```bash
+vmware-nsx-security traceflow run <src-lport-id> \
+  --src-ip 10.0.1.5 --dst-ip 10.0.2.10 --proto TCP --dst-port 443
+```
+
+## Safety
+
+- **Dependency checks**: Cannot delete a policy with active rules, or a group referenced by DFW rules
+- **Audit logging**: All write ops logged to `~/.vmware-nsx-security/audit.log`
+- **Input validation**: IDs validated; all API text sanitized against prompt injection
+- **Dry-run mode**: All CLI write commands support `--dry-run`
+- **Credential safety**: Passwords only from env vars, never in config files
+
+## Companion Skills
+
+| Skill | Purpose |
+|-------|---------|
+| **vmware-nsx** | Segments, gateways, NAT, routing, IPAM |
+| **vmware-nsx-security** | DFW, security groups, tags, traceflow, IDPS ← this |
+| **vmware-aiops** | VM lifecycle, deployment, guest ops |
+| **vmware-monitor** | vSphere monitoring, alarms, events |
+| **vmware-storage** | iSCSI, vSAN, datastores |
+| **vmware-vks** | Tanzu Kubernetes |
+
+## License
+
+MIT

vmware_nsx_security-1.3.0/RELEASE_NOTES.md

@@ -0,0 +1,26 @@
+# Release Notes
+
+---
+
+## v1.3.0 — 2026-03-27
+
+### Initial release
+
+- 20 MCP tools: 10 read-only + 10 write operations
+- DFW: security policy CRUD (6 tools) + rule CRUD + rule stats (4 tools)
+- Security groups: list, get, create, delete with dependency checks (4 tools)
+- VM Tags: list VM tags, apply tag (2 tools)
+- Traceflow: run trace with polling + get result (2 tools)
+- IDPS: list profiles, get engine status (2 tools)
+- Safety: `delete_dfw_policy` blocks if active rules exist; `delete_group` blocks if DFW-referenced
+- SKILL.md with progressive disclosure (Anthropic best practices)
+- CLI (`vmware-nsx-security`) with typer — policy/rule/group/tag/traceflow/idps subcommands
+- MCP server (20 tools) via stdio transport
+- Docker one-command launch
+- `vmware-nsx-security doctor` — 8-check environment diagnostics
+- Audit logging (JSON Lines) for all write operations
+- `references/`: cli-reference.md, capabilities.md, setup-guide.md
+- `examples/mcp-configs/`: 3 agent config templates (Claude Code, Cursor, Goose)
+- README.md and README-CN.md with companion skills, workflows, troubleshooting
+
+**PyPI**: `uv tool install vmware-nsx-security==1.3.0`

vmware_nsx_security-1.3.0/config.example.yaml

@@ -0,0 +1,21 @@
+# VMware NSX Security Configuration
+# Copy to ~/.vmware-nsx-security/config.yaml and edit
+
+targets:
+  nsx-prod:
+    host: nsx-manager.example.com
+    username: admin
+    port: 443
+    verify_ssl: true
+  nsx-lab:
+    host: 10.0.0.50
+    username: admin
+    port: 443
+    verify_ssl: false
+
+default_target: nsx-prod
+
+# Passwords are loaded from environment variables:
+# VMWARE_NSX_SECURITY_NSX_PROD_PASSWORD=xxx
+# VMWARE_NSX_SECURITY_NSX_LAB_PASSWORD=xxx
+# Or from ~/.vmware-nsx-security/.env file

vmware_nsx_security-1.3.0/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+  vmware-nsx-security-mcp:
+    build: .
+    volumes:
+      - ~/.vmware-nsx-security:/root/.vmware-nsx-security:ro
+    environment:
+      - VMWARE_NSX_SECURITY_CONFIG=/root/.vmware-nsx-security/config.yaml
+    stdin_open: true

vmware_nsx_security-1.3.0/examples/mcp-configs/claude-code.json

@@ -0,0 +1,10 @@
+{
+  "mcpServers": {
+    "vmware-nsx-security": {
+      "command": "vmware-nsx-security-mcp",
+      "env": {
+        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
+      }
+    }
+  }
+}

vmware_nsx_security-1.3.0/examples/mcp-configs/cursor.json

@@ -0,0 +1,10 @@
+{
+  "mcpServers": {
+    "vmware-nsx-security": {
+      "command": "vmware-nsx-security-mcp",
+      "env": {
+        "VMWARE_NSX_SECURITY_CONFIG": "${HOME}/.vmware-nsx-security/config.yaml"
+      }
+    }
+  }
+}

vmware_nsx_security-1.3.0/examples/mcp-configs/goose.json

@@ -0,0 +1,10 @@
+{
+  "mcpServers": {
+    "vmware-nsx-security": {
+      "command": "vmware-nsx-security-mcp",
+      "env": {
+        "VMWARE_NSX_SECURITY_CONFIG": "~/.vmware-nsx-security/config.yaml"
+      }
+    }
+  }
+}

vmware_nsx_security-1.3.0/mcp_server/__init__.py

@@ -0,0 +1 @@
+"""VMware NSX Security MCP server."""

vmware_nsx_security-1.3.0/mcp_server/__main__.py

@@ -0,0 +1,5 @@
+"""Allow running as `python -m mcp_server`."""
+
+from mcp_server.server import main
+
+main()