rust-srxmcp v0.2.1 — Phase 2 AppID signature-package lifecycle
What's new
manage_appid_signature_package — full Application Identification signature-package lifecycle on Juniper SRX, sibling of manage_idp_security_package shipped in v0.2.0:
check_server— query installed + latest application-package version fromsignatures.juniper.netdownload_and_install— confirmation-gated, supports explicit version pinning, downloads and installs the latest (or pinned) AppID package + protocol bundleuninstall— confirmation-gated removal of the currently-installed application package- Cluster-aware: synchronizes both nodes on chassis-cluster devices
- Two-call confirmation protocol + per-router transfer locks (reused from v0.2.0 IDP primitives)
RPC contract (live-captured against vSRX-test3, Junos 24.4R1)
The Phase 2 design doc's AppID RPC shapes were a best-guess from CLI namespaces; v0.2.1 corrects them against the live wire format:
- All AppID RPCs are flat single-element (no composite
parent + childlike IDP). - Names use the
request-appid-application-package-*prefix (NOTrequest-services-application-identification-*, which does not exist as an RPC). - Check-server envelope is
<apppack-server-status>with<apppack-server-status-detail>, distinct from the<apppack-download-status>envelope used by the download workflow. - Async-status responses use plain-English tokens (
Downloaded/Installed/Uninstalledfor success; substringfailedfor failure) — NOT IDP'sDone;/Failed;markers. get-appid-package-versionreports<version-detail>0</...>post-uninstall on Junos 24.4R1 —normalize_version_texttreats"0","", and"N/A"as equivalent absence markers.
Validation
5/5 destructive live smokes pass on vSRX-test3 against LXC 601:30032:
appid_check_server_returns_latest_version✅appid_download_and_install_call1_returns_plan✅appid_uninstall_call1_returns_plan✅appid_uninstall_call2_succeeds✅ (real destructive uninstall — confirmed package 3910 removed)appid_cluster_install_syncs_both_nodes✅ (graceful-degrade — acceptslicense_inactiveuntil lab heals)
Lab gaps (documented, not blocking)
vSRX-test3cannot reachsignatures.juniper.netfrom the homelab;check_serverand the destructive download path emitsignatures_server_unreachableuntil egress is fixed. Smokes graceful-degrade to accept that error.- The cluster smoke (
vSRX-test19-20) requires a clustered+AppID-licensed pair the lab does not currently have; the smoke accepts alicense_inactiveor transport error in the interim.
Tool surface
8 srxmcp tools total (up from 7 in v0.2.0):
srxmcp_status,check_srx_feature_license,vpn_lifecycle_report,get_chassis_cluster_status,get_srx_security_services_statusmanage_idp_security_package(v0.2.0)manage_appid_signature_package(new in this release)
Deployed to LXC 601:30032.