feat: MCP server (cloudgov mcp) + AGENTS.md#7
Merged
fab is MCP-primary — every agent role declares its mcpServers — so a CLI with no MCP surface is a second-class citizen there. This exposes cloudgov as a Model Context Protocol server and adds the agent-facing entry point, completing the agent-readiness phase.

─── MCP server ───

- cmd/mcp.go: `cloudgov mcp` runs a stdio MCP server exposing 15 tools — audit, iam_scan, storage_audit, network_audit, secrets_scan, certs, tags, orphans, quota, inventory, cost_diff, drift, k8s_rbac, lambda_audit, and compliance. Each tool reuses the same resolve*Providers helpers, internal scanners, and output.Write* JSON writers as the CLI — no duplicated scan logic — and returns the identical JSON report. The server is read-only; a client disconnect (io.EOF) is treated as a clean shutdown.
- Built on the official github.com/modelcontextprotocol/go-sdk v1.6.1 (typed AddTool[In, Out] handlers; input schemas inferred from Go structs with jsonschema tag descriptions). This is the one new dependency — implementing the protocol by hand was the alternative.
- cmd/root.go: register the mcp command.

─── AGENTS.md ───

- Agent-facing entry point per the org convention: the MCP tool table with params, the CLI/JSON/SARIF/--fail-on contract and exit codes, a fab merge-gate recipe (TRANSCRIPTS + CITATIONS straight from cloudgov output), and the boundary — cloudgov audits deployed/runtime posture; it does not enforce (the operator does) or grade build-time standards (fab's curators do).

Verification: go build ./..., go test ./..., go vet ./..., and golangci-lint v2.12.2 (uncapped) all pass. End-to-end: `claude mcp add --transport stdio cloudgov -- cloudgov mcp` reports "Connected", and a tools/list call returns all 15 tools.

Co-authored-by: stxkxsbot <275011021+stxkxsbot@users.noreply.github.com>
See the commit message for full detail. Completes the agent-readiness phase of the approved plan (the gate + SARIF foundation landed in #6).
Summary
- `cloudgov mcp` — stdio Model Context Protocol server exposing 15 tools (audit, iam_scan, storage_audit, network_audit, secrets_scan, certs, tags, orphans, quota, inventory, cost_diff, drift, k8s_rbac, lambda_audit, compliance). Each reuses the CLI's `resolve*Providers` + scanners + JSON writers — no duplicated logic. Read-only; clean EOF shutdown. `github.com/modelcontextprotocol/go-sdk` v1.6.1 (typed `AddTool[In,Out]`).
- `AGENTS.md` — agent entry point: MCP tool table, the CLI/JSON/SARIF/`--fail-on` contract + exit codes, a fab merge-gate recipe, and the audit-vs-enforce / runtime-vs-build-time boundary.

Verification

`go build`, `go test ./...`, `go vet`, golangci-lint v2.12.2 (uncapped) all pass. End-to-end: `claude mcp add --transport stdio cloudgov -- cloudgov mcp` → Connected, and `tools/list` returns all 15 tools.

Next (Phase 2)

`cloudgov platform` — the independent auditor that verifies live Platform/Tenant conformance (IRSA, NetworkPolicy, ResourceQuota, KMS) against the eks-agent-platform contract.
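As an added illustration of the contract the commit message describes (this is not cloudgov's code, which uses github.com/modelcontextprotocol/go-sdk instead of hand-rolled framing): a minimal read-only stdio server whose tool input schema is inferred from `jsonschema` struct tags, which answers `tools/list` over newline-delimited JSON-RPC, and which treats a client disconnect (`io.EOF`) as a clean shutdown rather than an error. The `IAMScanInput` struct, its fields and the single registered tool are constructed for the example.

```go
package main

import (
	"encoding/json"
	"io"
	"reflect"
	"strings"
)

// Constructed stand-in for one tool's typed input; cloudgov's real parameters are not reproduced.
type IAMScanInput struct {
	Provider string `json:"provider" jsonschema:"cloud provider to scan"`
	Region   string `json:"region,omitempty" jsonschema:"region filter; all regions when empty"`
}
// toolSchema builds a JSON Schema object from json/jsonschema struct tags (what an SDK infers for a typed handler); fields without omitempty are required.
func toolSchema(in any) map[string]any {
	props, required := map[string]any{}, []string{}
	t := reflect.TypeOf(in)
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		name, opts, _ := strings.Cut(f.Tag.Get("json"), ",")
		props[name] = map[string]any{"type": "string", "description": f.Tag.Get("jsonschema")}
		if !strings.Contains(opts, "omitempty") {
			required = append(required, name)
		}
	}
	return map[string]any{"type": "object", "properties": props, "required": required}
}
// serve answers newline-delimited JSON-RPC over a stdio-style reader/writer. Only the read-only tools/list method exists; io.EOF (client disconnect) is a clean shutdown, not an error.
func serve(r io.Reader, w io.Writer) error {
	tools := []map[string]any{{"name": "iam_scan", "description": "constructed example tool", "inputSchema": toolSchema(IAMScanInput{})}}
	dec, enc := json.NewDecoder(r), json.NewEncoder(w)
	for {
		var req map[string]any
		if err := dec.Decode(&req); err == io.EOF {
			return nil // client closed stdin: exit cleanly
		} else if err != nil {
			return err
		}
		resp := map[string]any{"jsonrpc": "2.0", "id": req["id"]}
		if req["method"] == "tools/list" {
			resp["result"] = map[string]any{"tools": tools}
		} else {
			resp["error"] = map[string]any{"code": -32601, "message": "method not found"}
		}
		if err := enc.Encode(resp); err != nil {
			return err
		}
	}
}
```

Any method other than `tools/list` (including `tools/call`) gets a JSON-RPC "method not found" error, so the loop never reaches a scanner; that is the read-only posture the commit message claims, made explicit.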