From 087a3db4b2933837af793ec0a5caa711e19caba1 Mon Sep 17 00:00:00 2001 From: Nathan Oyler Date: Thu, 7 May 2026 06:03:35 -0700 Subject: [PATCH] security: sanitize examples for public release --- .gitignore | 3 +++ README.md | 2 +- docs/adr/001-toolkit-architecture.md | 2 +- docs/implementation-plan.md | 2 +- knowledge/sapcc/architecture.md | 2 +- knowledge/sapcc/services.md | 2 +- plugins/sapcc/skills/credential-setup/SKILL.md | 2 +- plugins/sapcc/skills/sapcc-audit/SKILL.md | 4 ++-- .../skills/sapcc-audit/references/cadf-event-format.md | 2 +- plugins/sapcc/skills/sapcc-identity/SKILL.md | 2 +- .../sapcc-identity/references/domain-project-model.md | 2 +- plugins/sapcc/skills/sapcc-metrics/SKILL.md | 7 ++++--- .../skills/sapcc-registry/references/image-lifecycle.md | 4 ++-- 13 files changed, 20 insertions(+), 16 deletions(-) diff --git a/.gitignore b/.gitignore index c31f8c1..d9a6543 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,6 @@ __pycache__/ # Build dist/ build/ + +# Local Claude settings +.claude/settings.local.json diff --git a/README.md b/README.md index 76a3beb..3937a5c 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ Copy skills to your agent's skills location: └─────────────────────────────────────────────────────────────────┘ ``` -**MCP Server** ([openstack-mcp-server](https://github.com/notque/openstack-mcp-server)) = runtime providing typed tools (28+ API operations) +**MCP Server** ([openstack-mcp-server](https://github.com/notque/openstack-mcp-server)) = runtime providing typed tools (55 API operations) **Agent Toolkit** (this repo) = intelligence layer teaching agents *when* and *how* to use those tools ## What's Included diff --git a/docs/adr/001-toolkit-architecture.md b/docs/adr/001-toolkit-architecture.md index cbf62be..4e21170 100644 --- a/docs/adr/001-toolkit-architecture.md +++ b/docs/adr/001-toolkit-architecture.md 
@@ -6,7 +6,7 @@ ## Context -We have a working [openstack-mcp-server](https://github.com/notque/openstack-mcp-server) that provides 28+ MCP tools across 8 SAP Converged Cloud services: +We have a working [openstack-mcp-server](https://github.com/notque/openstack-mcp-server) that provides 55 MCP tools across 8 SAP Converged Cloud services: | Service | Project | Tools | |---------|---------|-------| diff --git a/docs/implementation-plan.md b/docs/implementation-plan.md index f66c28d..a13d4c2 100644 --- a/docs/implementation-plan.md +++ b/docs/implementation-plan.md @@ -2,7 +2,7 @@ ## Goal -Build a complete agent toolkit for SAP Converged Cloud that teaches AI agents how to effectively use the openstack-mcp-server's 28+ tools across 9 services, following the AWS agent-toolkit-for-aws plugin pattern. +Build a complete agent toolkit for SAP Converged Cloud that teaches AI agents how to effectively use the openstack-mcp-server's 55 tools across 9 services, following the AWS agent-toolkit-for-aws plugin pattern. ## Phases diff --git a/knowledge/sapcc/architecture.md b/knowledge/sapcc/architecture.md index 4d37b61..35afd28 100644 --- a/knowledge/sapcc/architecture.md +++ b/knowledge/sapcc/architecture.md @@ -26,7 +26,7 @@ Format: `--` | `na-us-3` | US Central | North America | | `ap-jp-1` | Japan | Asia-Pacific | | `ap-au-1` | Australia | Asia-Pacific | -| `qa-de-1` | Germany | QA/staging environment | +| ... | Various | Non-production regions also exist | ## Domain → Project Hierarchy diff --git a/knowledge/sapcc/services.md b/knowledge/sapcc/services.md index 43f3c8c..1efca41 100644 --- a/knowledge/sapcc/services.md +++ b/knowledge/sapcc/services.md @@ -59,4 +59,4 @@ Each SAP CC region is an independent OpenStack deployment: - Separate Keystone (identity) - Separate service catalog - Separate credentials required -- Region naming: `--` (e.g., `eu-de-1`, `qa-de-1`, `na-us-1`) +- Region naming: `--` (e.g., `eu-de-1`, `na-us-1`) 
diff --git a/plugins/sapcc/skills/credential-setup/SKILL.md b/plugins/sapcc/skills/credential-setup/SKILL.md index d3f70f4..4ddb16e 100644 --- a/plugins/sapcc/skills/credential-setup/SKILL.md +++ b/plugins/sapcc/skills/credential-setup/SKILL.md @@ -112,7 +112,7 @@ Output the configuration block for Claude Code settings (`~/.claude/settings.jso "sapcc": { "command": "openstack-mcp-server", "env": { - "OS_AUTH_URL": "https://identity-3.{region}.cloud.sap/v3", + "OS_AUTH_URL": "https://identity-3.{region}.cloud.example.com/v3", "OS_APPLICATION_CREDENTIAL_ID": "{id}", "OS_APPCRED_SECRET_CMD": "security find-generic-password -a mcp-server-{project}-{region} -s openstack-appcred -w", "OS_REGION_NAME": "{region}" diff --git a/plugins/sapcc/skills/sapcc-audit/SKILL.md b/plugins/sapcc/skills/sapcc-audit/SKILL.md index 7f64b8f..96b020c 100644 --- a/plugins/sapcc/skills/sapcc-audit/SKILL.md +++ b/plugins/sapcc/skills/sapcc-audit/SKILL.md @@ -33,7 +33,7 @@ initiator (who) → action (what) → target (to what) → outcome (result) | Field | Description | Example | |-------|-------------|---------| -| `initiator.name` | Username who performed the action | `I810033` | +| `initiator.name` | Username who performed the action | `D012345` | | `action` | The operation performed | `update` | | `target.type_uri` | Resource type in slash format | `compute/server` | | `target.id` | UUID of the affected resource | `abc-123-def` | @@ -91,7 +91,7 @@ Events appear seconds to minutes after the action occurs. If you just performed ### 9. initiator_name is the username, not UUID -Filter by human-readable username (e.g., `I810033`, `technical_user_xyz`), not the user's Keystone UUID. This is the name that appears in Keystone token info. +Filter by human-readable username (e.g., `D012345`, `technical_user_xyz`), not the user's Keystone UUID. This is the name that appears in Keystone token info. ### 10. Full event detail includes request/response attachments 
diff --git a/plugins/sapcc/skills/sapcc-audit/references/cadf-event-format.md b/plugins/sapcc/skills/sapcc-audit/references/cadf-event-format.md index a472dfc..e8e9215 100644 --- a/plugins/sapcc/skills/sapcc-audit/references/cadf-event-format.md +++ b/plugins/sapcc/skills/sapcc-audit/references/cadf-event-format.md @@ -13,7 +13,7 @@ CADF (Cloud Auditing Data Federation) is the DMTF standard used by Hermes to str "outcome": "success", "initiator": { "id": "user-uuid", - "name": "I810033", + "name": "D012345", "typeURI": "service/security/account/user", "domain_id": "domain-uuid", "project_id": "project-uuid" diff --git a/plugins/sapcc/skills/sapcc-identity/SKILL.md b/plugins/sapcc/skills/sapcc-identity/SKILL.md index 4d72ab2..d48a284 100644 --- a/plugins/sapcc/skills/sapcc-identity/SKILL.md +++ b/plugins/sapcc/skills/sapcc-identity/SKILL.md @@ -86,7 +86,7 @@ For deeper explanation, see `references/domain-project-model.md`. 1. keystone_list_application_credentials → Check if one already exists with intended name 2. keystone_create_application_credential - name: "mcp-server--" (e.g., mcp-server-cc-demo-qa-de-1) + name: "mcp-server--" (e.g., mcp-server-cc-demo-eu-de-2) description: "MCP server credential for in " expires_at: "2027-05-06T00:00:00Z" (recommend 1 year dev, 90 days prod) 3. IMMEDIATELY store the secret in keychain: diff --git a/plugins/sapcc/skills/sapcc-identity/references/domain-project-model.md b/plugins/sapcc/skills/sapcc-identity/references/domain-project-model.md index 5fcd3be..bc7d0ee 100644 --- a/plugins/sapcc/skills/sapcc-identity/references/domain-project-model.md +++ b/plugins/sapcc/skills/sapcc-identity/references/domain-project-model.md @@ -32,7 +32,7 @@ An independent OpenStack deployment. Each region has: - Its own set of credentials - No resource sharing across regions -Region naming: `--` (e.g., `eu-de-1`, `qa-de-1`, `na-us-1`, `ap-jp-1`) +Region naming: `--` (e.g., `eu-de-1`, `na-us-1`, `ap-jp-1`) ### Domain 
diff --git a/plugins/sapcc/skills/sapcc-metrics/SKILL.md b/plugins/sapcc/skills/sapcc-metrics/SKILL.md index 2ab1674..c736c01 100644 --- a/plugins/sapcc/skills/sapcc-metrics/SKILL.md +++ b/plugins/sapcc/skills/sapcc-metrics/SKILL.md @@ -21,6 +21,7 @@ Maia is SAP CC's multi-tenant Prometheus-as-a-Service. Same PromQL query languag | `maia_metric_names` | List all available metric names for current project | (none) | | `maia_label_values` | Get values for a specific label | `label` (e.g., `__name__`, `instance`, `job`) | | `maia_query` | Execute instant PromQL query | `query` (optional: `time`) | +| `maia_query_range` | Execute range PromQL query over time window | `query`, `start`, `end`, `step` | ## Maia vs Regular Prometheus @@ -28,7 +29,7 @@ Maia is SAP CC's multi-tenant Prometheus-as-a-Service. Same PromQL query languag - **Tenant-isolated** — you only see metrics from your authenticated project - **Available metrics vary** — depends on what's instrumented in your project (not all projects have the same metrics) - **Read-only** — no recording rules, no alert configuration, no write path via MCP -- **Instant queries only** — maia_query executes point-in-time queries, not range queries +- **Instant and range queries** — maia_query executes point-in-time queries; maia_query_range returns time series over a window ## Gotchas 
@@ -36,9 +37,9 @@ Maia is SAP CC's multi-tenant Prometheus-as-a-Service. Same PromQL query languag Maia enforces tenant isolation via the OpenStack token. There is no way to query cross-project metrics. If you need fleet-wide data, check Limes for capacity or use cluster-level monitoring. -### 2. maia_query is INSTANT query only +### 2. maia_query is INSTANT — use maia_query_range for time series -No range queries (`query_range`) via this tool. You get a single point in time. Use the `time` parameter to query a historical point, but you cannot get a time series of values in one call. For "show me the last hour" requests — you can only sample individual points. +`maia_query` returns a single point in time. Use the `time` parameter to query a historical point. For time series data ("show me the last hour"), use `maia_query_range` with `start`, `end`, and `step` parameters instead. ### 3. Always start with maia_metric_names diff --git a/plugins/sapcc/skills/sapcc-registry/references/image-lifecycle.md b/plugins/sapcc/skills/sapcc-registry/references/image-lifecycle.md index e74b9aa..2d9ff8c 100644 --- a/plugins/sapcc/skills/sapcc-registry/references/image-lifecycle.md +++ b/plugins/sapcc/skills/sapcc-registry/references/image-lifecycle.md @@ -5,7 +5,7 @@ ### Push Flow ``` -docker push registry.region.cloud.sap/account/repo:tag +docker push registry..cloud.example.com/account/repo:tag 1. Client authenticates via OpenStack token 2. Layers uploaded to account's backing storage (Swift/S3) 3. Manifest created linking layers together @@ -17,7 +17,7 @@ docker push registry.region.cloud.sap/account/repo:tag ### Pull Flow ``` -docker pull registry.region.cloud.sap/account/repo:tag +docker pull registry..cloud.example.com/account/repo:tag 1. Client authenticates via OpenStack token 2. Tag resolved to manifest digest 3. Manifest fetched → layer list retrieved
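Review bot: In the `.gitignore` hunk, adding `.claude/settings.local.json` only stops new copies from being staged; if the file was ever committed, it stays tracked and stays in history. Confirm it is untracked (`git rm --cached .claude/settings.local.json`) and absent from earlier commits before the public release. The same applies to every value this patch removes: the `cloud.sap` hostnames, `qa-de-1` and `I810033` remain readable in the parent commit, so publishing the existing history undoes the sanitization unless it is squashed or rewritten.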
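Review bot: The `28+` to `55` change in `README.md`, `docs/adr/001-toolkit-architecture.md` and `docs/implementation-plan.md` is a documentation correction rather than sanitization, and would be easier to audit as its own commit. While these lines are open, the ADR line says "55 MCP tools across 8 SAP Converged Cloud services" and the implementation plan says "55 tools across 9 services"; pick one service count, and check that the `Tools` column of the ADR table still adds up to 55.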
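Review bot: In `knowledge/sapcc/architecture.md`, the replacement row `| ... | Various | Non-production regions also exist |` puts a literal `...` in a column where every other row holds a backticked region ID, so an agent reading the table can take `...` as a region name. Drop the row and state the caveat as a sentence under the table instead.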
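Review bot: In `plugins/sapcc/skills/credential-setup/SKILL.md`, the `OS_AUTH_URL` line sits inside the block the skill tells the agent to output for Claude Code settings, so after this change the agent will emit `https://identity-3.{region}.cloud.example.com/v3` verbatim, pointing the MCP server at a placeholder host rather than an identity endpoint. Make the domain an explicit placeholder next to `{region}` (for example `{domain}`) and have the skill ask for it, or add a line stating that `cloud.example.com` must be replaced with the deployment's own domain.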
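Review bot: In `plugins/sapcc/skills/sapcc-audit/SKILL.md` and `references/cadf-event-format.md`, the replacement `D012345` keeps the same letter-plus-six-digits shape as the `I810033` it replaces, so the examples still document the user ID format and the value could coincide with a real account. If the format is not meant to be public, use an obviously synthetic name such as `example_user` in all three places; `technical_user_xyz` on the same line already follows that style.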
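Review bot: In `plugins/sapcc/skills/sapcc-identity/SKILL.md`, the new example `mcp-server-cc-demo-eu-de-2` uses a region that appears nowhere else in this patch, while the naming examples in `services.md` and `domain-project-model.md` use `eu-de-1`. Use `eu-de-1` here as well so the examples agree, and confirm that the `cc-demo` project name left in the example is one that may be published.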
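Review bot: The two `plugins/sapcc/skills/sapcc-metrics/SKILL.md` hunks add `maia_query_range` and rewrite gotcha 2, which is a feature documentation change inside a commit titled "security: sanitize examples for public release"; split it out so the sanitization diff can be reviewed on its own. The new table row lists `query`, `start`, `end`, `step` without saying what format `start`, `end` and `step` take, whereas the `maia_query` row marks `time` as optional; state the expected formats and which parameters are required.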
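Review bot: In `plugins/sapcc/skills/sapcc-registry/references/image-lifecycle.md`, both new command lines read `registry..cloud.example.com/account/repo:tag`, with an empty label between the two dots where the old line had `region`. As written this is not a valid hostname; use the `{region}` placeholder style from the credential-setup block, that is `registry.{region}.cloud.example.com/account/repo:tag`.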