rust-srxmcp v0.2.1 — Phase 2 AppID signature-package lifecycle

@fastrevmd-lab fastrevmd-lab released this 26 May 19:54
a11201a

What's new

manage_appid_signature_package — full Application Identification signature-package lifecycle on Juniper SRX, sibling of manage_idp_security_package shipped in v0.2.0:

  • check_server — query installed + latest application-package version from signatures.juniper.net
  • download_and_install — confirmation-gated, supports explicit version pinning, downloads and installs the latest (or pinned) AppID package + protocol bundle
  • uninstall — confirmation-gated removal of the currently-installed application package
  • Cluster-aware: synchronizes both nodes on chassis-cluster devices
  • Two-call confirmation protocol + per-router transfer locks (reused from v0.2.0 IDP primitives)

RPC contract (live-captured against vSRX-test3, Junos 24.4R1)

The Phase 2 design doc's AppID RPC shapes were a best-guess from CLI namespaces; v0.2.1 corrects them against the live wire format:

  • All AppID RPCs are flat single-element (no composite parent + child like IDP).
  • Names use the request-appid-application-package-* prefix (NOT request-services-application-identification-*, which does not exist as an RPC).
  • Check-server envelope is <apppack-server-status> with <apppack-server-status-detail>, distinct from the <apppack-download-status> envelope used by the download workflow.
  • Async-status responses use plain-English tokens (Downloaded/Installed/Uninstalled for success; substring failed for failure) — NOT IDP's Done;/Failed; markers.
  • get-appid-package-version reports <version-detail>0</...> post-uninstall on Junos 24.4R1 — normalize_version_text treats "0", "", and "N/A" as equivalent absence markers.
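The async-status and version rules above can be sketched as follows; this is an added example, not rust-srxmcp source, and it is not the project's normalize_version_text. The names AppIdStatus, classify_appid_status and version_or_absent are hypothetical, the status strings are constructed rather than captured device output, and treating unmarked text as Pending, matching failed case-insensitively, and trimming whitespace are assumptions.

```rust
// Added sketch, not rust-srxmcp source. Type and function names are hypothetical.

#[derive(Debug, PartialEq)]
pub enum AppIdStatus {
    Succeeded(&'static str), // which success token was seen
    Failed,
    Pending, // assumption: neither marker present means keep polling
}

// Success tokens listed in the release notes.
const SUCCESS_TOKENS: [&str; 3] = ["Downloaded", "Installed", "Uninstalled"];

pub fn classify_appid_status(text: &str) -> AppIdStatus {
    // Failure wins: a status that mentions both "Installed" and "failed"
    // must never be reported as success. The case-insensitive match is an
    // assumption that errs toward reporting failure.
    if text.to_ascii_lowercase().contains("failed") {
        return AppIdStatus::Failed;
    }
    // Compare whole words, case-sensitively, so "Uninstalled" is not
    // mistaken for "Installed" and IDP's "Done;" marker is not accepted.
    for word in text.split(|c: char| !c.is_ascii_alphanumeric()) {
        if let Some(tok) = SUCCESS_TOKENS.iter().find(|t| **t == word) {
            return AppIdStatus::Succeeded(*tok);
        }
    }
    AppIdStatus::Pending
}

/// Maps the absence markers "0", "" and "N/A" to None (input is trimmed first).
pub fn version_or_absent(raw: &str) -> Option<&str> {
    match raw.trim() {
        "" | "0" | "N/A" => None,
        v => Some(v),
    }
}

fn main() {
    // Constructed status strings, not captured device output.
    for s in ["Installed", "Uninstalled", "Install failed", "Done;"] {
        println!("{:?} -> {:?}", s, classify_appid_status(s));
    }
    println!("{:?} {:?}", version_or_absent("0"), version_or_absent("3910"));
}
```

Checking for failure before success keeps a partially successful status from being reported as a completed install or uninstall.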

Validation

5/5 destructive live smokes pass on vSRX-test3 against LXC 601:30032:

  • appid_check_server_returns_latest_version
  • appid_download_and_install_call1_returns_plan
  • appid_uninstall_call1_returns_plan
  • appid_uninstall_call2_succeeds ✅ (real destructive uninstall — confirmed package 3910 removed)
  • appid_cluster_install_syncs_both_nodes ✅ (graceful-degrade — accepts license_inactive until lab heals)

Lab gaps (documented, not blocking)

  • vSRX-test3 cannot reach signatures.juniper.net from the homelab; check_server and the destructive download path emit signatures_server_unreachable until egress is fixed. Smokes graceful-degrade to accept that error.
  • The cluster smoke (vSRX-test19-20) requires a clustered+AppID-licensed pair the lab does not currently have; the smoke accepts a license_inactive or transport error in the interim.

Tool surface

8 srxmcp tools total (up from 7 in v0.2.0):

  • srxmcp_status, check_srx_feature_license, vpn_lifecycle_report, get_chassis_cluster_status, get_srx_security_services_status
  • manage_idp_security_package (v0.2.0)
  • manage_appid_signature_package (new in this release)

Deployed to LXC 601:30032.