Releases: mgovedarov/mcp-vcf-orchestrator
Release list
v2.2.1
This release completes and hardens scaffolded-workflow support so generated .workflow artifacts import, open in the editor, and run in live vRO 9.1, and lets the scaffolder emit native vRO action workflow items.
Added
scaffold-workflow-filecan emit native vRO action workflow items via an optionalkind: "action"task discriminator (module,actionName, orderedinputs,resultBinding), generating theactionResult = System.getModule("<module>").<actionName>(...)script and atype="task" script-module="<module>/<actionName>"item; void actions omitresultBindingand emit a bare call. Tasks withoutkindbehave exactly as before.preflight-workflow-filevalidates the<module>/<actionName>form anddiff-workflow-filesurfaces native-action item changes (VCFO-046, VCFO-059).
Fixed
- Scaffolded
.workflowartifacts now import, open in the VCF 9.x Orchestrate editor, and run in live vRO 9.1. The builder emitsworkflow-infoas a Java properties file (not XML), encodesworkflow-contentas UTF-16BE with aUTF-8XML declaration (the BOM drives decoding; the v2 editor returns 500 on a declaration sayingUTF-16), chains an explicit terminal<workflow-item type="end">(replacingend-mode="1"on the last task), writesinput_form_only when the workflow has inputs, drops the read-onlyallowed-operationsmarker that made the editor refuse to open the workflow, and gives every item a distinct<position>with bare<param>elements (VCFO-060). preflight-workflow-fileanddiff-workflow-filenow parse vRO's native repeated<attrib name type read-only>attribute shape (not just the scaffold's wrapped form), so scaffolds and real exports round-trip identically; binding type-match tolerates vRO's genericAny; and preflight parsesworkflow-infoas properties, requires UTF-16BE content, and rejects the legacyend-mode="1"pattern (VCFO-061).
v2.2.0
This release adds VCF Automation 9.1 support with automatic API version negotiation, provider/system administrator logins, and fixes workflow and configuration parameter payloads to use the canonical vRO type keys the REST API expects.
Added
- VCF Automation 9.1 support: the default
vcfaplatform now auto-negotiates the VCF Cloud API version before authenticating, probing the unauthenticatedGET /api/versionsdiscovery document and preferring9.1.0over9.0.0. A probe that fails outright falls back to9.0.0for that attempt only and discovery is retried on the next authentication; a probe that succeeds but advertises no known version caches the9.0.0fallback. Authentication is single-flighted, so concurrent requests share one probe and one session login. NewVCFA_TARGET_PLATFORMvaluesvcfa9.1andvcfa9.0pin the version explicitly and skip the probe (VCFO-057). - Provider/system administrator logins:
VCFA_ORGANIZATION=system(case-insensitive) now routes authentication to/cloudapi/1.0.0/sessions/provider; the tenant/sessionsendpoint rejects provider accounts with 401. Login 401 errors now include a hint distinguishing organization names from display names and pointing provider accounts atVCFA_ORGANIZATION=system(VCFO-057).
Fixed
- Workflow execution and configuration attribute payloads now key parameter values by the canonical lowercase/hyphenated vRO type literal (
secure-string,date,mime-attachment, …) instead of the display type from the definition (SecureString), which the vRO REST API rejects with a 400.Array/<type>inputs are serialized as{"array": {"elements": [...]}}, SDK object types (e.g.VC:VirtualMachine) as{"sdk-object": {"id", "type"}}, and plain-objectPropertiesvalues as{"properties": {"property": [...]}}(VCFO-058). run-workflowandrun-workflow-and-waitinput validation now rejects non-string values forSecureStringandEncryptedStringinputs instead of forwarding them to the vRO API (VCFO-058).
v2.1.0
This release scopes TLS relaxation to the client's own requests, hardens response parsing and artifact preflight, gates bulky tool output behind opt-in flags, adds two-phase confirmation fields for live mutations, and ships a Claude Code plugin with authoring and operations skills.
Security
VCFA_IGNORE_TLS=trueno longer disables TLS certificate verification process-wide viaNODE_TLS_REJECT_UNAUTHORIZED. TLS relaxation is now scoped to the client's own requests to the configured VCFA host through a dedicated HTTPS agent, so other HTTPS traffic in the same Node process keeps full certificate verification. The minimum supported Node.js version is now 18.17.get-configurationnow redactsSecureStringattribute values instead of returning them in plain text (VCFO-048).
Added
- Added a Claude Code plugin (
vcfa-orchestrator) and marketplace manifest under.claude-plugin/, bundling two skills inskills/:vcfa-authoring(discovery-first artifact lifecycle and package-first publishing) andvcfa-operations(running workflows and guided troubleshooting). The skills delegate to the server's existingvcfa-*prompts, resources, and tools rather than duplicating them, andnpm run validate:docsnow drift-checks the tool/prompt/resource names they reference. - Added
VroClient.close()to release the client's network resources (the TLS-relaxed dispatcher); the server now calls it during graceful shutdown. - Added a local TLS integration test that runs the client against a self-signed HTTPS server, verifying
ignoreTlscompletes a real handshake (and that strict mode still rejects) without touchingNODE_TLS_REJECT_UNAUTHORIZED. - Added optional two-phase confirmation fields to high-risk live mutation tools: when expected target fields such as
expectedName,expectedCategoryId/expectedCategoryName,expectedPackageName,expectedWorkflowName/expectedInputNames, orexpectedDeploymentName/expectedActionNameare supplied, the handler performs read-only discovery first and refuses to mutate if the live target does not match. Omitted fields keep existingconfirm: truebehavior unchanged. - Workflow tools now return
structuredContent(structured workflow, execution, and execution-log shapes) alongside their text output.
Changed
get-template,get-action, andget-subscriptionnow summarize bulky content (blueprint YAML, action script, constraints JSON) as a sha256 + length line by default, consistent with context-snapshot redaction; the newincludeContent,includeScript, andincludeConstraintsflags restore the full output (VCFO-055).- Tools that overwrite or delete live state — import, update, run, and delete tools, plus
rebuild-project-package— now advertisedestructiveHint: truein their MCP annotations so hosts can require heightened approval; additive creates andadd-*-to-project-packagetools do not (VCFO-051).
Fixed
run-workflownow validates and type-normalizes caller-supplied inputs through the same shared preamble asrun-workflow-and-waitinstead of POSTing them to the live workflow unvalidated; the two handlers' drifted input schemas (inputs[].typerequired in one, optional in the other) are reconciled (VCFO-047).- Query parameter values containing
$or~are no longer un-encoded by the pagination query serializer; the literal-$exemption now applies only to OData system query keys such as$filterand$search(VCFO-050). - Empty-body 2xx responses with a
Locationheader no longer masquerade as a running workflow execution for non-execution endpoints; the synthetic{ id, state: "running" }shape is now scoped to the explicit workflow-execution start path (startExecution), and generic empty 2xx responses return{}(VCFO-052). - A 2xx response with a non-JSON body (for example an HTML error page from a load balancer or SSO interstitial) now throws a sanitized, contextualized error naming the method, path, and correlation ID instead of a bare
SyntaxError: Unexpected token(VCFO-053). - List results that stop at the pagination request cap now carry a
truncatedflag instead of silently returning partial data with the server's full total; list tools append a visible truncation warning and context snapshots record a per-domain warning (VCFO-054). - Artifact preflight now rejects
input_form_entries that are not UTF-16BE (the documented contract) instead of silently accepting UTF-16LE, decodes UTF-16 entries fatally so corrupt bytes fail instead of passing as U+FFFD mojibake, and reports XML-looking.action/.vsoconfarchive entries with invalid byte sequences instead of skipping them (VCFO-056).
v2.0.0
Breaking Changes
- Existing live mutation and workflow execution tool calls now require
confirm: true. - Affected tools include workflow creation/execution, action creation, configuration creation/update, deployment creation, template creation, subscription creation/update, and other live import/delete operations that mutate VCFA/vRO state.
- Calls without
confirm: truenow return a confirmation message instead of changing live state.
Added
- Automatic VCFA bearer-token refresh on 401/403 responses.
- Redaction and truncation for surfaced VCFA/vRO error response bodies.
- Package validation coverage for published
LICENSEandNOTICEfiles.
Changed
- Adopted Apache License 2.0 with NOTICE attribution and clarified official package/repository branding.
- Changed local artifact export/snapshot/scaffold tools to advertise write-capable MCP annotations.
- Synced advertised MCP server version with package version.
- Updated Dependabot checks to monthly and refreshed dependencies.
Fixed
- Fixed action lookup fallback behavior for non-404 API failures.
- Fixed duplicate vRA8 compatibility guard calls in artifact import/export paths.
- Fixed OData filter escaping in subscription lookups.
v1.1.0
Changelog
1.1.0 - 2026-05-13
This release expands the MCP server from a VCFA-only operations helper into a broader vRO automation toolkit, including vRA/vRO 8 read/run compatibility, package-first publishing workflows, richer artifact validation, and more discovery-oriented prompts and resources.
Added
- Added
VCFA_TARGET_PLATFORM=vra8mode for vRA/vRO 8.12+ environments that use Basic authentication against/vco/api.- Supports read operations for vRO resources plus workflow execution and execution log retrieval.
- Rejects unsupported vRO writes in vRA8 mode with explicit compatibility errors.
- Rejects Automation-service APIs in vRA8 mode, including catalog, deployments, templates, subscriptions, and event topics.
- Added workflow execution log support.
- New
get-workflow-execution-logstool retrieves workflow execution logs. - Supports inline log formatting plus JSON and text export under the configured execution log artifact directory.
- Supports minimum log levels and normalizes multiple vRO log response shapes.
- New
- Added recursive workflow category discovery.
- New
list-workflows-by-categorytool lists workflows under a workflow category tree. - Supports category selection by exact
categoryId,categoryName, orcategoryPath. - Supports empty category inclusion and category traversal limits.
- New
- Added category-scoped configuration discovery.
list-configurationsnow accepts an optionalcategoryId.- Category-scoped listing reads category relations, returns only
ConfigurationElemententries, and preserves name filtering.
- Added package-first vRO publishing support.
- New project package workflow supports ensuring the configured project package, adding workflows, actions, configurations, and resources, rebuilding, exporting, inspecting import details, and importing the project package.
- Package import details and package preflight flows make promotion reviewable before live import.
- Package operations consistently reuse
VCFA_PROJECT_PACKAGE_NAMEinstead of creating ad hoc packages.
- Added package and artifact validation tooling.
- New package validation script checks package contents.
- Documentation validation now checks reference drift, local Markdown links, documented tool names, prompt names, and top-level example arguments.
- CI now includes package validation and documentation build coverage.
- Added richer MCP prompts for discovery-first implementation and troubleshooting workflows.
- New and expanded prompts cover capability discovery, context snapshots, workflow authoring, workflow-from-action wrappers, workflow refactors, artifact import review, template review/creation, template/subscription integration, deployment troubleshooting, and workflow execution troubleshooting.
- Added MCP resources and reusable patterns.
- Added workflow scaffold schema and workflow/template/subscription pattern resources.
- Added persisted context snapshot resources, including
vcfa://context/latestand named snapshot access. - Added dynamic resources for actions, configurations, deployments, packages, resource elements, subscriptions, and workflows.
- Added checked examples for artifact promotion, workflow artifacts, project package publishing, template/catalog/subscription workflows, and workflow execution log exports.
- Added or expanded documentation for artifact lifecycle, workflow authoring, configuration/resources, troubleshooting, safety, installation/configuration, and MCP client setup.
Changed
- Improved workflow artifact generation and preflight validation.
- Workflow artifacts now include stronger parameter, binding, input form, action reference, and archive safety validation.
- Workflow authoring guidance now emphasizes importable
.workflowartifacts, horizontal layout, safe input forms, and native action item caveats.
- Improved action, configuration, resource, package, and workflow clients to parse additional vRO attribute shapes and preserve more useful metadata.
- Improved context snapshots with safer redaction, deterministic Markdown/JSON output, optional domain coverage, and VMware built-in profiling.
- Improved README, AGENTS, CLAUDE, reference docs, examples, and how-tos to reflect the current tool surface and release workflows.
- Improved CI to test across supported Node.js versions and run the full validation gate on Node 24.
- Updated package dependencies and development dependencies through Dependabot.
Fixed
- Fixed stale tool/documentation drift around configuration listing and category-scoped configuration discovery.
- Fixed several artifact path-safety and symlink handling cases in workflow, action, configuration, resource, package, and context operations.
- Fixed documentation/example drift detection so stale tool names and arguments fail validation before release.
Compatibility Notes
- Existing VCFA behavior remains the default. Deployments without
VCFA_TARGET_PLATFORMcontinue to use VCFA Cloud API session authentication. VCFA_TARGET_PLATFORM=vra8is intentionally limited to vRO/vco/apiread operations plus workflow execution and execution logs. Automation-service APIs remain unsupported in this mode until token-auth support is added.- Live create, update, import, delete, deployment, day-2, package, template, and subscription operations still require explicit confirmation in their tool inputs and should be preceded by read-only discovery.
v1.0.1
Release v1.0.1
- Version bump for npm package release.
- Includes merged context snapshot discoverability and built-in context collection fixes.
v1.0.0
Initial stable release of @mgovedarov/mcp-vcf-orchestrator.
Includes MCP tools for VCF Automation/vRO workflows, actions, configurations, resource elements, packages, plugins, categories, catalog items, deployments, blueprint templates, extensibility subscriptions, artifact preflight/diff/import/export workflows, promotion planning, discovery-first resources and prompts, and persisted Markdown/JSON context snapshots for future agents.
Published to npm as @mgovedarov/mcp-vcf-orchestrator@1.0.0.