feat: merge Security Compass (SD Elements) tools into this server#6
Closed
etiennelunetta wants to merge 2 commits into
Closed
feat: merge Security Compass (SD Elements) tools into this server#6etiennelunetta wants to merge 2 commits into
etiennelunetta wants to merge 2 commits into
Conversation
Folds the standalone securitycompass-mcp server into zeropath-mcp-server so customers configure a single MCP server. Changes: - new trpc_client module (ported from securitycompass-mcp) for the tRPC surface the Security Compass procedures live on - seven security_compass_* tools registered on the shared FastMCP server - the upsertIntegration tool and the sdeApiToken parameter are intentionally NOT ported: per Security Compass, SD Elements credentials must be entered in the ZeroPath dashboard, never passed through an AI agent - sde_project_id accepts str|int because FastMCP JSON-pre-parses string arguments, turning numeric project ids like "8" into ints - ZEROPATH_BASE_URL is now honored for the REST v1 API too (was hardcoded to https://zeropath.com), matching the tRPC client - package import no longer requires credentials (lazy server import), so tests and tooling can import submodules without env configured - offline test suite for the new tools; README documents the new section Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Resolve conflicts from main's rewrite to a manifest-driven, low-level mcp.server.Server (the PR was written against the older FastMCP server). - trpc_client.py: keep main's REST/manifest client verbatim. - sc_trpc_client.py (new): the PR's tRPC-wire client for the internal securityCompass procedures, moved out of the trpc_client.py filename clash and adapted to share ZeropathConfig + all auth modes. - security_compass.py: repoint import to sc_trpc_client; expose SECURITY_COMPASS_TOOL_NAMES. - server.py: keep main's create_server(); bridge the FastMCP-registered Security Compass tools onto the low-level Server (lazy list_tools merge, routed call_tool) so all 7 tools are actually advertised and callable. - __init__.py: version 0.2.0; drop the obsolete lazy `mcp` export. - README.md: main's baseline + the Security Compass tools section. - tests: repoint SC import; add TestSecurityCompassIntegration covering the bridge end-to-end. uv run pytest: 42 passed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Author
|
Closing: this was built against the pre-rewrite FastMCP architecture and conflicts with the manifest-driven server now on main. The merge is happening server-side instead — ZeroPathAI/cunningham#1659 adds /api/v2/securityCompass/* endpoints and allowlists them in the MCP manifest, so this server picks the tools up automatically with no client changes (they surface as securityCompass_* after dot→underscore sanitization). Same credential posture as planned here: no upsertIntegration, no sdeApiToken parameter anywhere. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Merges the standalone
securitycompass-mcpserver intozeropath-mcp-server, so customers install and configure one MCP server with one env block. This unblocks the Security Compass integration docs going live with a single-server install flow.What moved
trpc_client.py— ported from securitycompass-mcp; the SC procedures live on ZeroPath's tRPC surface rather than the REST v1 API. Same credentials, same headers.security_compass_*tools (snake_case, matching this server's naming):get_integration,test_connection,add_project_mapping,remove_project_mapping,sync_rules,get_mapping_audit,get_sync_history.What deliberately did NOT move
securityCompass_upsertIntegrationand thesdeApiTokenparameter ontestConnection. Security Compass asked that SD Elements API keys never pass through an AI agent — the connection is created/rotated in the ZeroPath dashboard (Settings → Integrations → Security Compass), andtest_connectionprobes with the dashboard-saved token. A test (test_no_tool_accepts_sde_credentials) locks this in.Fixes picked up along the way
ZEROPATH_BASE_URLis now honored for the REST v1 API too (was hardcoded tohttps://zeropath.com), so enterprise/dedicated tenants work.sde_project_idacceptsstr | int: FastMCP JSON-pre-parses string arguments, so a numeric project id like"8"arrives as an int; a barestrannotation would reject every real SDE project id.mcpattribute) — submodules and tests are importable without env configured; the legacymain.pyentry point still works.Follow-ups after merge
securitycompass-mcprepo gets a deprecation notice pointing here.uvx --from git+…picks up the merged tools.Test plan
uv run pytest— 8 passed (new offline suite stubs the tRPC client; asserts dispatch table, org-id injection, error rendering, and the no-credentials posture), 1 skipped (pre-existing live-API suite without creds).🤖 Generated with Claude Code