
feat(cloud/gcp): GCP provider for the cloud-context MCP#49

Merged
sourcehawk merged 4 commits into feature/cloud-context-mcp from feature/cloud-context-mcp--gcp on May 30, 2026

Conversation

@sourcehawk
Owner

Description

Towards #43

Implements the GCP provider for the read-only cloud-context MCP, plugged in behind the cloud.Provider interface from the scaffold (#45) and selected by --provider=gcp. The operator agent can now ground a Kubernetes incident in GCP context: inventory and identity through typed tools, and the long tail (reachability, IAM read, GKE config, logs, audit) through the gated run_cli against an embedded read-only allowlist. All access shells gcloud through the injected harness RunFunc; no cloud.google.com/go SDK.

Changes

  • pkg/mcp/cloud/providers/gcp/ implementing all seven cloud.Provider methods over the gcloud CLI: Name, Binary (resolved via exec.LookPath, test-overridable), DefaultAllowlist, DenyFloorAdditions, EnvPassthrough, Inventory, Identity.
  • Embedded default_commands.json: read-only gcloud verbs across the investigative axes (inventory, reachability/firewall/routes, IAM read, GKE describe, logs read, audit), each entry naming its axis in prose. Exact-match allowlist, so every entry is the complete invariant verb chain.
  • DenyFloorAdditions contributing GCP-specific dangerous subcommands (compute ssh, compute scp, compute reset-windows-password, functions call) on top of the base floor.
  • Identity as the read-only whoami over gcloud auth list --filter=status:ACTIVE --format=json; Valid requires the resolved active account to equal the pinned CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT. Degraded auth surfaces through Valid/Hint, never a Go error.
  • Inventory over gcloud projects list --format=json, projected to {id, name}.
  • serve.go: --provider=gcp now constructs the provider; the aws arm is left as a separate not-built-yet case for #46 (Implement the AWS provider for the cloud-context MCP).

Related

Testing

Table tests over captured gcloud ... --format=json fixtures driving the projections, with a fake cloud.RunFunc returning fixture CLIResult — no live cloud. Coverage: binary/name/allowlist load, projects list present on the allowlist, one representative command per investigative axis, deny-floor additions, identity match/mismatch/no-active-account/no-target-pinned/run-error, the exact argv each typed tool emits, and inventory projection/empty/error. A compile-time var _ cloud.Provider = (*Provider)(nil) guards interface drift. Full make test-go (race) and make lint both green from the worktree root.

🤖 Generated with Claude Code
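As an added example, not code from this PR or the project, here is a self-contained Go sketch of the two gates the description calls out: the exact-match verb-chain allowlist with the deny floor checked before the allowlist, and the Identity whoami that compares the active account from `gcloud auth list --filter=status:ACTIVE --format=json` with the pinned CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT and reports degraded auth through Valid/Hint rather than a Go error. The CLIResult and RunFunc shapes, the Gate and Whoami names, the refusal of identity-selecting flags (--account, --impersonate-service-account, --configuration), the treatment of positional tokens as part of the chain, and the fixture JSON are all assumptions of the example; the page does not say how the project handles positional arguments or those flags.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// CLIResult and RunFunc stand in for the injected harness. Their shape is an
// assumption of this example, not the project's cloud.RunFunc / CLIResult.
type CLIResult struct{ Stdout string; Err error }
type RunFunc func(argv []string) CLIResult

// Gate pairs an exact-match allowlist of complete verb chains with a deny
// floor of verb-chain prefixes that is checked before the allowlist.
type Gate struct {
	allow map[string]bool
	deny  [][]string
}

// Flags that re-select the identity gcloud runs as. Refusing them keeps the
// CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT pin authoritative; this check is
// the example's own hardening, not something the PR describes.
var identityFlags = map[string]bool{"--account": true, "--impersonate-service-account": true, "--configuration": true}

func NewGate(allow, denyFloor []string) *Gate {
	g := &Gate{allow: map[string]bool{}}
	for _, a := range allow {
		g.allow[a] = true
	}
	for _, d := range denyFloor {
		g.deny = append(g.deny, strings.Fields(d))
	}
	return g
}

// Permit accepts argv (without the leading "gcloud") only when its non-flag
// tokens equal an allowlisted chain exactly. Positionals therefore count as
// part of the chain, so resource selection has to go through --filter.
func (g *Gate) Permit(argv []string) error {
	var chain []string
	for _, tok := range argv {
		if !strings.HasPrefix(tok, "-") {
			chain = append(chain, tok)
		} else if identityFlags[strings.SplitN(tok, "=", 2)[0]] {
			return fmt.Errorf("refused: %s overrides the pinned identity", tok)
		}
	}
	for _, d := range g.deny { // deny floor first: an allowlist slip cannot revive these
		if len(chain) >= len(d) && strings.Join(chain[:len(d)], " ") == strings.Join(d, " ") {
			return fmt.Errorf("refused by deny floor: %s", strings.Join(d, " "))
		}
	}
	if key := strings.Join(chain, " "); !g.allow[key] {
		return fmt.Errorf("not on allowlist: %q", key)
	}
	return nil
}

// Identity is the read-only whoami. Degraded auth is reported through
// Valid/Hint, never as a Go error, so the agent can relay it instead of failing.
type Identity struct{ Account string; Valid bool; Hint string }

func Whoami(run RunFunc, pinnedSA string) Identity {
	if pinnedSA == "" {
		return Identity{Hint: "CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT is not pinned"}
	}
	res := run([]string{"auth", "list", "--filter=status:ACTIVE", "--format=json"})
	if res.Err != nil {
		return Identity{Hint: "gcloud auth list failed: " + res.Err.Error()}
	}
	var accts []struct{ Account string `json:"account"` }
	if err := json.Unmarshal([]byte(res.Stdout), &accts); err != nil || len(accts) == 0 {
		return Identity{Hint: "no active gcloud account"}
	}
	id := Identity{Account: accts[0].Account}
	if id.Account != pinnedSA {
		id.Hint = fmt.Sprintf("active account %s is not the pinned %s", id.Account, pinnedSA)
		return id
	}
	id.Valid = true
	return id
}

// fakeRun is a constructed fixture harness; the JSON is the shape this example
// assumes `gcloud auth list --format=json` emits (an array with an account field).
func fakeRun(argv []string) CLIResult {
	if strings.Join(argv, " ") == "auth list --filter=status:ACTIVE --format=json" {
		return CLIResult{Stdout: `[{"account":"ops-ro@demo.iam.gserviceaccount.com","status":"ACTIVE"}]`}
	}
	return CLIResult{Err: fmt.Errorf("unexpected argv %v", argv)}
}

func main() {
	g := NewGate([]string{"projects list", "compute firewall-rules list"}, []string{"compute ssh", "compute scp"})
	fmt.Println(g.Permit([]string{"compute", "firewall-rules", "list", "--format=json"}), g.Permit([]string{"compute", "ssh", "vm-1", "--zone=us-central1-a"}))
	fmt.Println(Whoami(fakeRun, "ops-ro@demo.iam.gserviceaccount.com"))
}
```

The ordering in Permit is the point worth checking in the real provider: the deny floor has to win even when an allowlist entry collides with it, and a partial chain such as `compute firewall-rules` must not match `compute firewall-rules list`, or prefix matching quietly turns the exact-match allowlist into a prefix allowlist.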

sourcehawk and others added 4 commits May 30, 2026 05:16
…itions (#43)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sourcehawk sourcehawk merged commit 3b7dcc2 into feature/cloud-context-mcp May 30, 2026
4 checks passed
@sourcehawk sourcehawk deleted the feature/cloud-context-mcp--gcp branch May 30, 2026 03:28
sourcehawk added a commit that referenced this pull request May 30, 2026
…-env, and #46 binary findings

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>