Merge pull request #7 from agents-oss/ci/deploy_mcp_server

feat: update mcp to list cluster agents

Author: skokaina

docs/concepts/operating-modes.md

@@ -82,11 +82,13 @@ Install the MCP server in your AI editor:
 }
 ```
 
-**Claude Code** (`.claude/settings.json` or via `claude mcp add`):
+**Claude Code** (via `claude mcp add`):
 ```bash
 claude mcp add agentspec -- npx -y @agentspec/mcp
 ```
 
+In sidecar mode no env vars are needed — tool arguments point directly at the sidecar.
+
 Tool arguments for sidecar mode:
 ```json
 // agentspec_health
@@ -158,29 +160,76 @@ port-forward.
 
 ### MCP configuration
 
-Same install as sidecar mode — `@agentspec/mcp` supports both modes via tool arguments.
+For operator mode, port-forward the control plane service to your local machine:
+
+```bash
+kubectl port-forward svc/agentspec-operator -n agentspec 8080:80
+```
+
+Then configure the MCP server with env vars so all tools automatically use the cluster:
 
-Tool arguments for operator mode:
 ```json
-// agentspec_health
 {
-  "agentName": "budget-assistant",
-  "controlPlaneUrl": "http://localhost:8080",
-  "adminKey": "sk-optional"
+  "mcpServers": {
+    "agentspec": {
+      "command": "npx",
+      "args": ["-y", "@agentspec/mcp"],
+      "env": {
+        "AGENTSPEC_CONTROL_PLANE_URL": "http://localhost:8080",
+        "AGENTSPEC_ADMIN_KEY": "your-admin-key"
+      }
+    }
+  }
 }
+```
 
-// agentspec_audit
-{
-  "file": "agent.yaml",
-  "agentName": "budget-assistant",
-  "controlPlaneUrl": "http://localhost:8080"
-}
+| Env var | Description |
+|---|---|
+| `AGENTSPEC_CONTROL_PLANE_URL` | Control plane URL (e.g. `http://localhost:8080` after port-forward) |
+| `AGENTSPEC_ADMIN_KEY` | The admin key for the control plane API. This is the same value as `controlPlane.apiKey` in the Helm chart (`values.yaml`). Empty by default — if you didn't set it during install, omit it or leave it as `""`. |
 
-// agentspec_gap
-{
-  "agentName": "budget-assistant",
-  "controlPlaneUrl": "http://localhost:8080"
-}
+This is the same key used in three places:
+
+| Where | Setting | Purpose |
+|---|---|---|
+| Control plane deployment | `AGENTSPEC_ADMIN_KEY` env var | The control plane checks this on every admin request |
+| Helm chart | `controlPlane.apiKey` in `values.yaml` | The operator uses this to poll `GET /api/v1/agents` |
+| MCP server config | `AGENTSPEC_ADMIN_KEY` env var | Your editor uses this to query the control plane |
+
+If you installed with the default Helm values (`controlPlane.apiKey: ""`), the control plane has no admin key set and returns **503** on admin endpoints. To enable them, set the key:
+
+```bash
+# Generate a key
+openssl rand -hex 32
+
+# Set it on the control plane (pick one):
+# Helm upgrade:
+helm upgrade agentspec-operator oci://ghcr.io/agents-oss/charts/agentspec-operator \
+  --set controlPlane.apiKey=<your-key> \
+  --namespace agentspec-system
+
+# Or create the secret directly:
+kubectl create secret generic agentspec-control-plane \
+  --namespace=agentspec-system \
+  --from-literal=apiKey=<your-key>
+```
+
+Then use the same key in your MCP config.
+
+With these env vars set, all cluster-aware tools (`agentspec_list_agents`, `agentspec_health`, `agentspec_audit`, `agentspec_gap`, `agentspec_proof`) automatically query the cluster. Per-call arguments still override env vars when needed.
+
+Tools that only work locally (`agentspec_validate`, `agentspec_scan`, `agentspec_generate`, `agentspec_diff`) are unaffected.
+
+You can still pass tool arguments explicitly to override the defaults:
+```json
+// agentspec_health — override to target a specific agent
+{ "agentName": "budget-assistant" }
+
+// agentspec_list_agents — no args needed, fetches all cluster agents
+{}
+
+// agentspec_audit — local manifest + cluster proofs
+{ "file": "agent.yaml", "agentName": "budget-assistant" }
 ```
 
 ---

docs/quick-start.md

@@ -171,15 +171,36 @@ kubectl apply -f ./generated/k8s/service.yaml
 
 Install `@agentspec/mcp` to use AgentSpec tools directly inside Claude Code, Cursor, or Windsurf:
 
+**Local development** (validate, health, audit, scan, generate from local files):
 ```bash
 # Claude Code
 claude mcp add agentspec -- npx -y @agentspec/mcp
-
-# Cursor / Windsurf / any MCP-compatible editor — add to mcpServers config:
-# { "mcpServers": { "agentspec": { "command": "npx", "args": ["-y", "@agentspec/mcp"] } } }
 ```
 
-See [Operating Modes](./concepts/operating-modes) for sidecar vs operator configuration.
+**Cluster mode** (list agents, health, gap, proof from the control plane):
+
+Port-forward the control plane first:
+```bash
+kubectl port-forward svc/agentspec-operator -n agentspec 8080:80
+```
+
+Then add `env` to your MCP config (`.claude/settings.json` or Cursor/Windsurf equivalent):
+```json
+{
+  "mcpServers": {
+    "agentspec": {
+      "command": "npx",
+      "args": ["-y", "@agentspec/mcp"],
+      "env": {
+        "AGENTSPEC_CONTROL_PLANE_URL": "http://localhost:8080",
+        "AGENTSPEC_ADMIN_KEY": ""
+      }
+    }
+  }
+}
+```
+
+`AGENTSPEC_ADMIN_KEY` is the same value as `controlPlane.apiKey` in the Helm chart — empty by default. See [Operating Modes](./concepts/operating-modes) for how to set it up and the full guide on sidecar vs operator configuration.
 
 ## What to do next
 

packages/mcp-server/src/__tests__/cluster-config.test.ts

@@ -0,0 +1,46 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest'
+import { resolveCluster } from '../cluster-config.js'
+
+describe('resolveCluster', () => {
+  const origEnv = { ...process.env }
+
+  afterEach(() => {
+    process.env = { ...origEnv }
+  })
+
+  it('returns explicit args when provided', () => {
+    const result = resolveCluster({ controlPlaneUrl: 'http://explicit:8080', adminKey: 'key-1' })
+    expect(result).toEqual({ controlPlaneUrl: 'http://explicit:8080', adminKey: 'key-1' })
+  })
+
+  it('falls back to env vars when args are undefined', () => {
+    process.env['AGENTSPEC_CONTROL_PLANE_URL'] = 'http://env:8080'
+    process.env['AGENTSPEC_ADMIN_KEY'] = 'env-key'
+
+    const result = resolveCluster({})
+    expect(result).toEqual({ controlPlaneUrl: 'http://env:8080', adminKey: 'env-key' })
+  })
+
+  it('explicit args override env vars', () => {
+    process.env['AGENTSPEC_CONTROL_PLANE_URL'] = 'http://env:8080'
+    process.env['AGENTSPEC_ADMIN_KEY'] = 'env-key'
+
+    const result = resolveCluster({ controlPlaneUrl: 'http://override:9090', adminKey: 'override-key' })
+    expect(result).toEqual({ controlPlaneUrl: 'http://override:9090', adminKey: 'override-key' })
+  })
+
+  it('returns undefined when neither args nor env are set', () => {
+    delete process.env['AGENTSPEC_CONTROL_PLANE_URL']
+    delete process.env['AGENTSPEC_ADMIN_KEY']
+
+    const result = resolveCluster({})
+    expect(result).toEqual({ controlPlaneUrl: undefined, adminKey: undefined })
+  })
+
+  it('partial override — controlPlaneUrl from arg, adminKey from env', () => {
+    process.env['AGENTSPEC_ADMIN_KEY'] = 'env-key'
+
+    const result = resolveCluster({ controlPlaneUrl: 'http://explicit:8080' })
+    expect(result).toEqual({ controlPlaneUrl: 'http://explicit:8080', adminKey: 'env-key' })
+  })
+})

packages/mcp-server/src/__tests__/listAgents.test.ts

@@ -0,0 +1,83 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { mkdtempSync } from 'fs'
+import { join } from 'path'
+import { tmpdir } from 'os'
+import { listAgents } from '../tools/listAgents.js'
+
+const fetchMock = vi.fn()
+vi.stubGlobal('fetch', fetchMock)
+
+const CLUSTER_AGENTS = JSON.stringify([
+  { agentName: 'budget-assistant', runtime: 'python', phase: 'running', grade: 'B', score: 82, lastSeen: '2026-03-08T12:00:00Z' },
+  { agentName: 'gym-coach', runtime: 'node', phase: 'running', grade: 'A', score: 95, lastSeen: '2026-03-08T12:01:00Z' },
+])
+
+describe('listAgents — cluster mode', () => {
+  beforeEach(() => {
+    fetchMock.mockReset()
+  })
+
+  it('fetches agents from control plane when controlPlaneUrl is provided', async () => {
+    fetchMock.mockResolvedValue({ ok: true, text: async () => CLUSTER_AGENTS })
+
+    const result = JSON.parse(await listAgents({ controlPlaneUrl: 'http://localhost:8080' }))
+
+    expect(fetchMock).toHaveBeenCalledOnce()
+    expect(fetchMock.mock.calls[0][0]).toBe('http://localhost:8080/api/v1/agents')
+    expect(result.agents).toHaveLength(2)
+    expect(result.agents[0].agentName).toBe('budget-assistant')
+    expect(result.source).toBe('cluster')
+  })
+
+  it('sends X-Admin-Key header when adminKey is provided', async () => {
+    fetchMock.mockResolvedValue({ ok: true, text: async () => CLUSTER_AGENTS })
+
+    await listAgents({ controlPlaneUrl: 'http://localhost:8080', adminKey: 'sk-secret' })
+
+    const headers = fetchMock.mock.calls[0][1].headers
+    expect(headers['X-Admin-Key']).toBe('sk-secret')
+  })
+
+  it('omits X-Admin-Key header when adminKey is not provided', async () => {
+    fetchMock.mockResolvedValue({ ok: true, text: async () => CLUSTER_AGENTS })
+
+    await listAgents({ controlPlaneUrl: 'http://localhost:8080' })
+
+    const headers = fetchMock.mock.calls[0][1].headers
+    expect(headers['X-Admin-Key']).toBeUndefined()
+  })
+
+  it('throws on non-ok response', async () => {
+    fetchMock.mockResolvedValue({ ok: false, status: 401, statusText: 'Unauthorized' })
+
+    await expect(
+      listAgents({ controlPlaneUrl: 'http://localhost:8080' }),
+    ).rejects.toThrow('401')
+  })
+
+  it('strips trailing slash from controlPlaneUrl', async () => {
+    fetchMock.mockResolvedValue({ ok: true, text: async () => '[]' })
+
+    await listAgents({ controlPlaneUrl: 'http://localhost:8080/' })
+
+    expect(fetchMock.mock.calls[0][0]).toBe('http://localhost:8080/api/v1/agents')
+  })
+
+  it('returns empty agents array when cluster has none', async () => {
+    fetchMock.mockResolvedValue({ ok: true, text: async () => '[]' })
+
+    const result = JSON.parse(await listAgents({ controlPlaneUrl: 'http://localhost:8080' }))
+
+    expect(result.agents).toEqual([])
+    expect(result.source).toBe('cluster')
+  })
+})
+
+describe('listAgents — local mode (no controlPlaneUrl)', () => {
+  it('falls back to filesystem scan when no controlPlaneUrl', async () => {
+    const emptyDir = mkdtempSync(join(tmpdir(), 'agentspec-test-'))
+    const result = JSON.parse(await listAgents({ dir: emptyDir }))
+
+    expect(result.source).toBe('local')
+  })
+})

packages/mcp-server/src/cluster-config.ts

@@ -0,0 +1,17 @@
+/**
+ * Resolve cluster connection config: per-call args override env vars.
+ *
+ * Priority: explicit arg > AGENTSPEC_CONTROL_PLANE_URL / AGENTSPEC_ADMIN_KEY env > undefined
+ */
+
+export interface ClusterConfig {
+  controlPlaneUrl?: string
+  adminKey?: string
+}
+
+export function resolveCluster(args: ClusterConfig): ClusterConfig {
+  return {
+    controlPlaneUrl: args.controlPlaneUrl || process.env['AGENTSPEC_CONTROL_PLANE_URL'] || undefined,
+    adminKey: args.adminKey || process.env['AGENTSPEC_ADMIN_KEY'] || undefined,
+  }
+}

packages/mcp-server/src/index.ts

@@ -20,6 +20,7 @@ import { gap } from './tools/gap.js'
 import { diff } from './tools/diff.js'
 import { listAgents } from './tools/listAgents.js'
 import { proof } from './tools/proof.js'
+import { resolveCluster } from './cluster-config.js'
 
 // ── Types ─────────────────────────────────────────────────────────────────────
 
@@ -154,11 +155,13 @@ const TOOLS: ToolDef[] = [
   },
   {
     name: 'agentspec_list_agents',
-    description: 'Find all agent.yaml files under a directory and return a summary list (name, version, model)',
+    description: 'List agents. In cluster mode (controlPlaneUrl provided or AGENTSPEC_CONTROL_PLANE_URL env set), fetches live agents from the control plane. Otherwise, scans the local filesystem for agent.yaml files.',
     inputSchema: {
       type: 'object',
       properties: {
-        dir: { type: 'string', description: 'Directory to search (default: current working directory)' },
+        dir: { type: 'string', description: 'Directory to search for agent.yaml files (local mode, default: cwd)' },
+        controlPlaneUrl: { type: 'string', description: 'Control plane URL to list cluster agents (overrides AGENTSPEC_CONTROL_PLANE_URL env)' },
+        adminKey: { type: 'string', description: 'X-Admin-Key for the control plane API (overrides AGENTSPEC_ADMIN_KEY env)' },
       },
       required: [],
     },
@@ -171,23 +174,27 @@ async function callTool(name: string, args: Record<string, unknown>): Promise<st
   switch (name) {
     case 'agentspec_validate':
       return validate(args['file'] as string)
-    case 'agentspec_health':
+    case 'agentspec_health': {
+      const cluster = resolveCluster({ controlPlaneUrl: args['controlPlaneUrl'] as string | undefined, adminKey: args['adminKey'] as string | undefined })
       return health({
         file: args['file'] as string | undefined,
         agentName: args['agentName'] as string | undefined,
-        controlPlaneUrl: args['controlPlaneUrl'] as string | undefined,
-        adminKey: args['adminKey'] as string | undefined,
+        controlPlaneUrl: cluster.controlPlaneUrl,
+        adminKey: cluster.adminKey,
         sidecarUrl: args['sidecarUrl'] as string | undefined,
       })
-    case 'agentspec_audit':
+    }
+    case 'agentspec_audit': {
+      const cluster = resolveCluster({ controlPlaneUrl: args['controlPlaneUrl'] as string | undefined, adminKey: args['adminKey'] as string | undefined })
       return audit({
         file: args['file'] as string,
         pack: args['pack'] as string | undefined,
         agentName: args['agentName'] as string | undefined,
-        controlPlaneUrl: args['controlPlaneUrl'] as string | undefined,
-        adminKey: args['adminKey'] as string | undefined,
+        controlPlaneUrl: cluster.controlPlaneUrl,
+        adminKey: cluster.adminKey,
         sidecarUrl: args['sidecarUrl'] as string | undefined,
       })
+    }
     case 'agentspec_scan':
       return scan(args['dir'] as string)
     case 'agentspec_generate':
@@ -196,24 +203,34 @@ async function callTool(name: string, args: Record<string, unknown>): Promise<st
         args['framework'] as string,
         args['out'] as string | undefined,
       )
-    case 'agentspec_proof':
+    case 'agentspec_proof': {
+      const cluster = resolveCluster({ controlPlaneUrl: args['controlPlaneUrl'] as string | undefined, adminKey: args['adminKey'] as string | undefined })
       return proof({
         agentName: args['agentName'] as string | undefined,
-        controlPlaneUrl: args['controlPlaneUrl'] as string | undefined,
-        adminKey: args['adminKey'] as string | undefined,
+        controlPlaneUrl: cluster.controlPlaneUrl,
+        adminKey: cluster.adminKey,
         sidecarUrl: args['sidecarUrl'] as string | undefined,
       })
-    case 'agentspec_gap':
+    }
+    case 'agentspec_gap': {
+      const cluster = resolveCluster({ controlPlaneUrl: args['controlPlaneUrl'] as string | undefined, adminKey: args['adminKey'] as string | undefined })
       return gap({
         agentName: args['agentName'] as string | undefined,
-        controlPlaneUrl: args['controlPlaneUrl'] as string | undefined,
-        adminKey: args['adminKey'] as string | undefined,
+        controlPlaneUrl: cluster.controlPlaneUrl,
+        adminKey: cluster.adminKey,
         sidecarUrl: args['sidecarUrl'] as string | undefined,
       })
+    }
     case 'agentspec_diff':
       return diff(args['from'] as string, args['to'] as string)
-    case 'agentspec_list_agents':
-      return listAgents(args['dir'] as string | undefined)
+    case 'agentspec_list_agents': {
+      const cluster = resolveCluster({ controlPlaneUrl: args['controlPlaneUrl'] as string | undefined, adminKey: args['adminKey'] as string | undefined })
+      return listAgents({
+        dir: args['dir'] as string | undefined,
+        controlPlaneUrl: cluster.controlPlaneUrl,
+        adminKey: cluster.adminKey,
+      })
+    }
     default:
       throw new Error(`Unknown tool: ${name}`)
   }