Skip to content

feat: merge Security Compass (SD Elements) tools into this server#6

Closed
etiennelunetta wants to merge 2 commits into
mainfrom
feat/security-compass-tools
Closed

feat: merge Security Compass (SD Elements) tools into this server#6
etiennelunetta wants to merge 2 commits into
mainfrom
feat/security-compass-tools

Conversation

@etiennelunetta

Copy link
Copy Markdown

Summary

Merges the standalone securitycompass-mcp server into zeropath-mcp-server, so customers install and configure one MCP server with one env block. This unblocks the Security Compass integration docs going live with a single-server install flow.

What moved

  • trpc_client.py — ported from securitycompass-mcp; the SC procedures live on ZeroPath's tRPC surface rather than the REST v1 API. Same credentials, same headers.
  • Seven security_compass_* tools (snake_case, matching this server's naming): get_integration, test_connection, add_project_mapping, remove_project_mapping, sync_rules, get_mapping_audit, get_sync_history.

What deliberately did NOT move

  • securityCompass_upsertIntegration and the sdeApiToken parameter on testConnection. Security Compass asked that SD Elements API keys never pass through an AI agent — the connection is created/rotated in the ZeroPath dashboard (Settings → Integrations → Security Compass), and test_connection probes with the dashboard-saved token. A test (test_no_tool_accepts_sde_credentials) locks this in.

Fixes picked up along the way

  • ZEROPATH_BASE_URL is now honored for the REST v1 API too (was hardcoded to https://zeropath.com), so enterprise/dedicated tenants work.
  • sde_project_id accepts str | int: FastMCP JSON-pre-parses string arguments, so a numeric project id like "8" arrives as an int; a bare str annotation would reject every real SDE project id.
  • Importing the package no longer requires credentials (lazy mcp attribute) — submodules and tests are importable without env configured; the legacy main.py entry point still works.
  • Version bumped to 0.2.0.

Follow-ups after merge

  • securitycompass-mcp repo gets a deprecation notice pointing here.
  • Docs PR ZeroPathAI/cunningham#1658 (Security Compass integration guide) describes the single-server install; it should land after this PR so uvx --from git+… picks up the merged tools.

Test plan

  • uv run pytest — 8 passed (new offline suite stubs the tRPC client; asserts dispatch table, org-id injection, error rendering, and the no-credentials posture), 1 skipped (pre-existing live-API suite without creds).
  • Booted the server with dummy env and verified all 24 tools (17 REST + 7 Security Compass) are advertised.

🤖 Generated with Claude Code

etiennelunetta and others added 2 commits July 8, 2026 12:29
Folds the standalone securitycompass-mcp server into zeropath-mcp-server so
customers configure a single MCP server. Changes:

- new trpc_client module (ported from securitycompass-mcp) for the tRPC
  surface the Security Compass procedures live on
- seven security_compass_* tools registered on the shared FastMCP server
- the upsertIntegration tool and the sdeApiToken parameter are intentionally
  NOT ported: per Security Compass, SD Elements credentials must be entered
  in the ZeroPath dashboard, never passed through an AI agent
- sde_project_id accepts str|int because FastMCP JSON-pre-parses string
  arguments, turning numeric project ids like "8" into ints
- ZEROPATH_BASE_URL is now honored for the REST v1 API too (was hardcoded
  to https://zeropath.com), matching the tRPC client
- package import no longer requires credentials (lazy server import), so
  tests and tooling can import submodules without env configured
- offline test suite for the new tools; README documents the new section

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Resolve conflicts from main's rewrite to a manifest-driven, low-level
mcp.server.Server (the PR was written against the older FastMCP server).

- trpc_client.py: keep main's REST/manifest client verbatim.
- sc_trpc_client.py (new): the PR's tRPC-wire client for the internal
  securityCompass procedures, moved out of the trpc_client.py filename
  clash and adapted to share ZeropathConfig + all auth modes.
- security_compass.py: repoint import to sc_trpc_client; expose
  SECURITY_COMPASS_TOOL_NAMES.
- server.py: keep main's create_server(); bridge the FastMCP-registered
  Security Compass tools onto the low-level Server (lazy list_tools merge,
  routed call_tool) so all 7 tools are actually advertised and callable.
- __init__.py: version 0.2.0; drop the obsolete lazy `mcp` export.
- README.md: main's baseline + the Security Compass tools section.
- tests: repoint SC import; add TestSecurityCompassIntegration covering
  the bridge end-to-end.

uv run pytest: 42 passed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@etiennelunetta

Copy link
Copy Markdown
Author

Closing: this was built against the pre-rewrite FastMCP architecture and conflicts with the manifest-driven server now on main. The merge is happening server-side instead — ZeroPathAI/cunningham#1659 adds /api/v2/securityCompass/* endpoints and allowlists them in the MCP manifest, so this server picks the tools up automatically with no client changes (they surface as securityCompass_* after dot→underscore sanitization). Same credential posture as planned here: no upsertIntegration, no sdeApiToken parameter anywhere.

@etiennelunetta etiennelunetta deleted the feat/security-compass-tools branch July 8, 2026 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants