
Go Package Reference

This page renders `go doc` output for the main contributor-facing Go packages in a pkg.go.dev-style layout. Regenerate it from the repository root with:

python3 docs/scripts/generate_go_package_reference.py

Packages

API types

Package: v1alpha1 Import path: mcp-runtime/api/v1alpha1

Source command:

go doc -all ./api/v1alpha1

Overview

Package v1alpha1 contains API Schema definitions for the MCP server resource.


Constants

const (
    // Group is the Kubernetes API group for MCP Runtime resources.
    Group = "mcpruntime.org"
    // Version is the Kubernetes API version for MCP Runtime resources.
    Version = "v1alpha1"

    // MCPServerResource is the plural resource name for MCPServer objects.
    MCPServerResource = "mcpservers"
    // MCPAccessGrantResource is the plural resource name for MCPAccessGrant objects.
    MCPAccessGrantResource = "mcpaccessgrants"
    // MCPAgentSessionResource is the plural resource name for MCPAgentSession objects.
    MCPAgentSessionResource = "mcpagentsessions"
)

Variables

var (
    // GroupVersion is the group/version pair (Group, Version) used to register these objects.
    GroupVersion = schema.GroupVersion{Group: Group, Version: Version}

    // SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
    // It is built from the package-private addKnownTypes function.
    SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)

    // AddToScheme adds the types in this group-version to the given scheme.
    AddToScheme = SchemeBuilder.AddToScheme
)

Types

type AnalyticsConfig struct {
    // Disabled suppresses analytics emission from the gateway sidecar for this
    // server. Analytics is on by default whenever the operator has an analytics
    // ingest URL configured (via Spec.Analytics.IngestURL or the operator's
    // MCP_SENTINEL_INGEST_URL env). Set Disabled to true to opt out per server.
    Disabled bool `json:"disabled,omitempty"`

    // IngestURL is the analytics ingest endpoint.
    IngestURL string `json:"ingestURL,omitempty"`

    // Source is the event source label attached to emitted analytics events.
    Source string `json:"source,omitempty"`

    // EventType is the event type label attached to emitted analytics events.
    EventType string `json:"eventType,omitempty"`

    // APIKeySecretRef points to a secret key containing the analytics API key.
    APIKeySecretRef *SecretKeyRef `json:"apiKeySecretRef,omitempty"`
}
    AnalyticsConfig configures analytics emission from the gateway sidecar.
    +kubebuilder:object:generate=true

func (in *AnalyticsConfig) DeepCopy() *AnalyticsConfig
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new AnalyticsConfig.

func (in *AnalyticsConfig) DeepCopyInto(out *AnalyticsConfig)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

// AuthConfig holds the gateway's identity-extraction settings: a mode, a set
// of header names, and issuer/audience values.
//
// NOTE(review): the *Header fields look like names of request headers the
// gateway reads identity values from — confirm against the gateway code.
// If so, those values are only as trustworthy as the component that sets them;
// a deployment would want the fronting proxy to strip client-supplied copies
// of these headers before requests reach the gateway.
type AuthConfig struct {
    // Mode is an AuthMode; the enum marker on that type allows none, header and oauth.
    // NOTE(review): the behavior when Mode is omitted (empty string) is not shown here — confirm.
    Mode            AuthMode `json:"mode,omitempty"`
    // HumanIDHeader presumably names the header carrying the human identity — confirm.
    HumanIDHeader   string   `json:"humanIDHeader,omitempty"`
    // AgentIDHeader presumably names the header carrying the agent identity — confirm.
    AgentIDHeader   string   `json:"agentIDHeader,omitempty"`
    // TeamIDHeader presumably names the header carrying the team identifier — confirm.
    TeamIDHeader    string   `json:"teamIDHeader,omitempty"`
    // SessionIDHeader presumably names the header carrying the session identifier — confirm.
    SessionIDHeader string   `json:"sessionIDHeader,omitempty"`
    // TokenHeader presumably names the header carrying the bearer/OAuth token — confirm.
    TokenHeader     string   `json:"tokenHeader,omitempty"`
    // IssuerURL presumably is the expected token issuer in oauth mode — confirm.
    IssuerURL       string   `json:"issuerURL,omitempty"`
    // Audience presumably is the expected token audience in oauth mode — confirm.
    Audience        string   `json:"audience,omitempty"`
}
    AuthConfig configures how identities are extracted at the gateway.
    +kubebuilder:object:generate=true

func (in *AuthConfig) DeepCopy() *AuthConfig
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new AuthConfig.

func (in *AuthConfig) DeepCopyInto(out *AuthConfig)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type AuthMode string
    +kubebuilder:validation:Enum=none;header;oauth

// Values accepted for AuthMode; they match the kubebuilder Enum marker on the
// type (none;header;oauth).
const (
    // AuthModeNone is the "none" mode.
    // NOTE(review): presumably no identity is extracted or required in this mode — confirm
    // how policy and grants behave for unauthenticated requests.
    AuthModeNone   AuthMode = "none"
    // AuthModeHeader is the "header" mode; presumably identity is read from the
    // headers named in AuthConfig — confirm.
    AuthModeHeader AuthMode = "header"
    // AuthModeOAuth is the "oauth" mode; presumably tokens are checked against
    // AuthConfig.IssuerURL and AuthConfig.Audience — confirm.
    AuthModeOAuth  AuthMode = "oauth"
)

// EnvVar is a literal name/value environment variable entry.
//
// NOTE(review): Value is carried inline in the object, so it is visible to
// anyone who can read the owning resource. SecretEnvVar is the secret-backed
// alternative in this package and is the better fit for sensitive values.
type EnvVar struct {
    // Name is always serialized as the JSON key "name" (no omitempty).
    Name  string `json:"name"`
    // Value is always serialized as the JSON key "value" (no omitempty).
    Value string `json:"value"`
}
    EnvVar represents a literal environment variable.
    +kubebuilder:object:generate=true

func (in *EnvVar) DeepCopy() *EnvVar
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new EnvVar.

func (in *EnvVar) DeepCopyInto(out *EnvVar)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type GatewayConfig struct {
    // Enabled turns on the gateway sidecar for this server.
    Enabled bool `json:"enabled,omitempty"`

    // Image overrides the proxy container image for this server.
    Image string `json:"image,omitempty"`

    // Port is the port the gateway listens on inside the pod (defaults to 8091).
    Port int32 `json:"port,omitempty"`

    // UpstreamURL is the upstream URL the gateway proxies to.
    // Defaults to http://127.0.0.1:<spec.port>.
    UpstreamURL string `json:"upstreamURL,omitempty"`

    // StripPrefix removes a path prefix before forwarding to the upstream server.
    StripPrefix string `json:"stripPrefix,omitempty"`

    // Resources defines resource limits and requests for the gateway sidecar.
    Resources *ResourceRequirements `json:"resources,omitempty"`
}
    GatewayConfig configures an optional MCP proxy sidecar for a server.
    +kubebuilder:object:generate=true

func (in *GatewayConfig) DeepCopy() *GatewayConfig
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new GatewayConfig.

func (in *GatewayConfig) DeepCopyInto(out *GatewayConfig)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type InventoryItem struct {
    Name        string            `json:"name"`
    Description string            `json:"description,omitempty"`
    Labels      map[string]string `json:"labels,omitempty"`
}
    InventoryItem describes a named MCP prompt, resource, or task.
    +kubebuilder:object:generate=true

func (in *InventoryItem) DeepCopy() *InventoryItem
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new InventoryItem.

func (in *InventoryItem) DeepCopyInto(out *InventoryItem)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type MCPAccessGrant struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`

    Spec   MCPAccessGrantSpec   `json:"spec,omitempty"`
    Status MCPAccessGrantStatus `json:"status,omitempty"`
}
    MCPAccessGrant grants a human or agent access to an MCPServer.

func (in *MCPAccessGrant) DeepCopy() *MCPAccessGrant
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPAccessGrant.

func (in *MCPAccessGrant) DeepCopyInto(out *MCPAccessGrant)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

func (in *MCPAccessGrant) DeepCopyObject() runtime.Object
    DeepCopyObject is an autogenerated deepcopy function, copying the receiver,
    creating a new runtime.Object.

func (r *MCPAccessGrant) SetupWebhookWithManager(mgr ctrl.Manager) error
    +kubebuilder:webhook:path=/validate-mcpruntime-org-v1alpha1-mcpaccessgrant,mutating=false,failurePolicy=fail,sideEffects=None,groups=mcpruntime.org,resources=mcpaccessgrants,verbs=create;update,versions=v1alpha1,name=vmcpaccessgrant.kb.io,admissionReviewVersions=v1

func (r *MCPAccessGrant) ValidateCreate() (admission.Warnings, error)

func (r *MCPAccessGrant) ValidateDelete() (admission.Warnings, error)

func (r *MCPAccessGrant) ValidateUpdate(_ runtime.Object) (admission.Warnings, error)

type MCPAccessGrantList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata,omitempty"`
    Items           []MCPAccessGrant `json:"items"`
}
    MCPAccessGrantList contains a list of MCPAccessGrant.

func (in *MCPAccessGrantList) DeepCopy() *MCPAccessGrantList
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPAccessGrantList.

func (in *MCPAccessGrantList) DeepCopyInto(out *MCPAccessGrantList)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

func (in *MCPAccessGrantList) DeepCopyObject() runtime.Object
    DeepCopyObject is an autogenerated deepcopy function, copying the receiver,
    creating a new runtime.Object.

// MCPAccessGrantSpec ties a subject to an MCP server together with a trust
// ceiling, allowed side effects and per-tool rules.
type MCPAccessGrantSpec struct {
    // ServerRef identifies the MCPServer the grant applies to.
    ServerRef          ServerReference  `json:"serverRef"`
    // Subject identifies who the grant applies to (see SubjectRef).
    Subject            SubjectRef       `json:"subject"`
    // MaxTrust is the trust ceiling for the subject; TrustLevel allows low, medium and high.
    // NOTE(review): how an omitted MaxTrust is treated is not shown here — confirm.
    MaxTrust           TrustLevel       `json:"maxTrust,omitempty"`
    // AllowedSideEffects lists ToolSideEffect values (read, write, destructive).
    // NOTE(review): whether an empty list means "none allowed" or "unrestricted"
    // is not shown here — confirm, since the two readings differ in safety.
    AllowedSideEffects []ToolSideEffect `json:"allowedSideEffects,omitempty"`
    // PolicyVersion is a free-form string; its semantics are not shown here.
    PolicyVersion      string           `json:"policyVersion,omitempty"`
    // Disabled presumably turns the grant off without deleting the object — confirm.
    Disabled           bool             `json:"disabled,omitempty"`
    // ToolRules holds per-tool access rules (see ToolRule).
    ToolRules          []ToolRule       `json:"toolRules,omitempty"`
}
    MCPAccessGrantSpec defines who can use which MCP server and with what trust
    ceiling.
    +kubebuilder:object:generate=true

func (in *MCPAccessGrantSpec) DeepCopy() *MCPAccessGrantSpec
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPAccessGrantSpec.

func (in *MCPAccessGrantSpec) DeepCopyInto(out *MCPAccessGrantSpec)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type MCPAccessGrantStatus struct {
    Phase      string             `json:"phase,omitempty"`
    Message    string             `json:"message,omitempty"`
    Conditions []metav1.Condition `json:"conditions,omitempty"`
}
    MCPAccessGrantStatus captures observed grant state.
    +kubebuilder:object:generate=true

func (in *MCPAccessGrantStatus) DeepCopy() *MCPAccessGrantStatus
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPAccessGrantStatus.

func (in *MCPAccessGrantStatus) DeepCopyInto(out *MCPAccessGrantStatus)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type MCPAgentSession struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`

    Spec   MCPAgentSessionSpec   `json:"spec,omitempty"`
    Status MCPAgentSessionStatus `json:"status,omitempty"`
}
    MCPAgentSession stores consent and upstream token state for an agent
    session.

func (in *MCPAgentSession) DeepCopy() *MCPAgentSession
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPAgentSession.

func (in *MCPAgentSession) DeepCopyInto(out *MCPAgentSession)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

func (in *MCPAgentSession) DeepCopyObject() runtime.Object
    DeepCopyObject is an autogenerated deepcopy function, copying the receiver,
    creating a new runtime.Object.

func (r *MCPAgentSession) SetupWebhookWithManager(mgr ctrl.Manager) error
    +kubebuilder:webhook:path=/validate-mcpruntime-org-v1alpha1-mcpagentsession,mutating=false,failurePolicy=fail,sideEffects=None,groups=mcpruntime.org,resources=mcpagentsessions,verbs=create;update,versions=v1alpha1,name=vmcpagentsession.kb.io,admissionReviewVersions=v1

func (r *MCPAgentSession) ValidateCreate() (admission.Warnings, error)

func (r *MCPAgentSession) ValidateDelete() (admission.Warnings, error)

func (r *MCPAgentSession) ValidateUpdate(_ runtime.Object) (admission.Warnings, error)

type MCPAgentSessionList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata,omitempty"`
    Items           []MCPAgentSession `json:"items"`
}
    MCPAgentSessionList contains a list of MCPAgentSession.

func (in *MCPAgentSessionList) DeepCopy() *MCPAgentSessionList
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPAgentSessionList.

func (in *MCPAgentSessionList) DeepCopyInto(out *MCPAgentSessionList)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

func (in *MCPAgentSessionList) DeepCopyObject() runtime.Object
    DeepCopyObject is an autogenerated deepcopy function, copying the receiver,
    creating a new runtime.Object.

// MCPAgentSessionSpec describes one agent session: the server and subject it
// belongs to, the consented trust level, expiry/revocation state and a
// reference to the upstream token.
type MCPAgentSessionSpec struct {
    // ServerRef identifies the MCPServer the session is for.
    ServerRef              ServerReference `json:"serverRef"`
    // Subject identifies who the session applies to (see SubjectRef).
    Subject                SubjectRef      `json:"subject"`
    // ConsentedTrust is a TrustLevel (low, medium, high); presumably the level
    // the subject consented to — confirm.
    ConsentedTrust         TrustLevel      `json:"consentedTrust,omitempty"`
    // ExpiresAt is an optional timestamp, omitted from JSON when nil.
    // NOTE(review): whether a nil ExpiresAt means the session never expires is
    // not shown here — confirm, since unbounded sessions are worth flagging.
    ExpiresAt              *metav1.Time    `json:"expiresAt,omitempty"`
    // Revoked presumably marks the session as no longer valid — confirm that it
    // is checked on every request rather than only at session creation.
    Revoked                bool            `json:"revoked,omitempty"`
    // UpstreamTokenSecretRef points at a key in a Kubernetes Secret (see
    // SecretKeyRef), so the token value is not stored inline in this object.
    UpstreamTokenSecretRef *SecretKeyRef   `json:"upstreamTokenSecretRef,omitempty"`
    // PolicyVersion is a free-form string; its semantics are not shown here.
    PolicyVersion          string          `json:"policyVersion,omitempty"`
}
    MCPAgentSessionSpec defines a consented server-side agent session.
    +kubebuilder:object:generate=true

func (in *MCPAgentSessionSpec) DeepCopy() *MCPAgentSessionSpec
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPAgentSessionSpec.

func (in *MCPAgentSessionSpec) DeepCopyInto(out *MCPAgentSessionSpec)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type MCPAgentSessionStatus struct {
    Phase      string             `json:"phase,omitempty"`
    Message    string             `json:"message,omitempty"`
    Conditions []metav1.Condition `json:"conditions,omitempty"`
}
    MCPAgentSessionStatus captures observed session state.
    +kubebuilder:object:generate=true

func (in *MCPAgentSessionStatus) DeepCopy() *MCPAgentSessionStatus
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPAgentSessionStatus.

func (in *MCPAgentSessionStatus) DeepCopyInto(out *MCPAgentSessionStatus)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type MCPServer struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`

    Spec   MCPServerSpec   `json:"spec,omitempty"`
    Status MCPServerStatus `json:"status,omitempty"`
}
    MCPServer is the Schema for the mcpservers API.

func (in *MCPServer) DeepCopy() *MCPServer
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPServer.

func (in *MCPServer) DeepCopyInto(out *MCPServer)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

func (in *MCPServer) DeepCopyObject() runtime.Object
    DeepCopyObject is an autogenerated deepcopy function, copying the receiver,
    creating a new runtime.Object.

func (r *MCPServer) Default()
    +kubebuilder:webhook:path=/mutate-mcpruntime-org-v1alpha1-mcpserver,mutating=true,failurePolicy=fail,sideEffects=None,groups=mcpruntime.org,resources=mcpservers,verbs=create;update,versions=v1alpha1,name=mmcpserver.kb.io,admissionReviewVersions=v1

func (r *MCPServer) SetupWebhookWithManager(mgr ctrl.Manager) error
    +kubebuilder:webhook:path=/validate-mcpruntime-org-v1alpha1-mcpserver,mutating=false,failurePolicy=fail,sideEffects=None,groups=mcpruntime.org,resources=mcpservers,verbs=create;update,versions=v1alpha1,name=vmcpserver.kb.io,admissionReviewVersions=v1

func (r *MCPServer) String() string

func (r *MCPServer) ValidateCreate() (admission.Warnings, error)

func (r *MCPServer) ValidateDelete() (admission.Warnings, error)

func (r *MCPServer) ValidateUpdate(_ runtime.Object) (admission.Warnings, error)

type MCPServerList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata,omitempty"`
    Items           []MCPServer `json:"items"`
}
    MCPServerList contains a list of MCPServer.

func (in *MCPServerList) DeepCopy() *MCPServerList
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPServerList.

func (in *MCPServerList) DeepCopyInto(out *MCPServerList)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

func (in *MCPServerList) DeepCopyObject() runtime.Object
    DeepCopyObject is an autogenerated deepcopy function, copying the receiver,
    creating a new runtime.Object.

// MCPServerSpec is the desired state of an MCPServer: image and registry
// selection, networking and ingress, resources and environment, the tool,
// prompt, resource and task inventory, and the gateway-side auth, policy,
// session, analytics and rollout settings.
type MCPServerSpec struct {
    // TeamID is the stable platform team identifier that owns this server.
    // The operator renders it into gateway policy and analytics events.
    TeamID string `json:"teamID,omitempty"`

    // Description is a human-readable summary of what the MCP server provides.
    Description string `json:"description,omitempty"`

    // Image is the container image for the MCP server.
    Image string `json:"image"`

    // ImageTag is the tag of the container image (defaults to "latest").
    // NOTE(review): "latest" is a mutable tag, so the image that actually runs can
    // change without any change to this spec; setting an explicit tag keeps
    // deployments reproducible and auditable.
    ImageTag string `json:"imageTag,omitempty"`

    // RegistryOverride, if set, overrides the registry portion of the image (e.g., registry.mcpruntime.com).
    RegistryOverride string `json:"registryOverride,omitempty"`

    // UseProvisionedRegistry tells the controller to use the provisioned registry (from operator env) for this server.
    UseProvisionedRegistry bool `json:"useProvisionedRegistry,omitempty"`

    // ImagePullSecrets are secrets to use for pulling the image.
    ImagePullSecrets []string `json:"imagePullSecrets,omitempty"`

    // Replicas is the number of desired replicas (defaults to 1).
    Replicas *int32 `json:"replicas,omitempty"`

    // Port is the port the container listens on (defaults to 8088).
    Port int32 `json:"port,omitempty"`

    // ServicePort is the port exposed by the service (defaults to 80).
    ServicePort int32 `json:"servicePort,omitempty"`

    // IngressPath is the path for the ingress route (defaults to /{name}/mcp).
    IngressPath string `json:"ingressPath,omitempty"`

    // IngressHost is the hostname for the ingress (required unless publicPathPrefix is set; defaults from MCP_DEFAULT_INGRESS_HOST env var if set on the operator).
    IngressHost string `json:"ingressHost,omitempty"`

    // PublicPathPrefix enables path-based public routing and is used to compute /<publicPathPrefix>/mcp.
    // When ingressHost is also set, the route is path-based under that host; otherwise it is hostless.
    PublicPathPrefix string `json:"publicPathPrefix,omitempty"`

    // IngressClass is the ingress class to use (e.g., "traefik", "nginx", "istio"). Defaults to "traefik".
    IngressClass string `json:"ingressClass,omitempty"`

    // IngressAnnotations are additional annotations for the ingress controller.
    // NOTE(review): whether the admission webhook restricts which annotation keys
    // are accepted is not shown here — confirm, since controller annotations can
    // alter routing and authentication behavior of the ingress.
    IngressAnnotations map[string]string `json:"ingressAnnotations,omitempty"`

    // Resources defines resource limits and requests.
    Resources ResourceRequirements `json:"resources,omitempty"`

    // EnvVars are literal environment variables to pass to the container.
    // Values are stored inline in this spec; use SecretEnvVars for sensitive values.
    EnvVars []EnvVar `json:"envVars,omitempty"`

    // SecretEnvVars are secret-backed environment variables to pass to the container.
    SecretEnvVars []SecretEnvVar `json:"secretEnvVars,omitempty"`

    // Tools describes the MCP tool inventory exposed by the server.
    Tools []ToolConfig `json:"tools,omitempty"`

    // Prompts describes the MCP prompt inventory exposed by the server.
    Prompts []InventoryItem `json:"prompts,omitempty"`

    // MCPResources describes the MCP resource inventory exposed by the server.
    MCPResources []InventoryItem `json:"mcpResources,omitempty"`

    // Tasks describes task templates or workflows exposed by the server.
    Tasks []InventoryItem `json:"tasks,omitempty"`

    // Auth configures how the gateway extracts human, agent, and session identity.
    // NOTE(review): what the gateway does when Auth is nil is not shown here — confirm.
    Auth *AuthConfig `json:"auth,omitempty"`

    // Policy configures gateway-side authorization behavior.
    // NOTE(review): what the gateway does when Policy is nil is not shown here — confirm.
    Policy *PolicyConfig `json:"policy,omitempty"`

    // Session configures server-side agent session behavior.
    Session *SessionConfig `json:"session,omitempty"`

    // Gateway configures an optional MCP proxy sidecar in front of the server container.
    Gateway *GatewayConfig `json:"gateway,omitempty"`

    // Analytics configures audit/analytics emission for the gateway sidecar.
    // Analytics is only applied when Gateway is enabled. Emission is on by
    // default whenever the operator has an analytics ingest URL configured;
    // set Analytics.Disabled to true to opt this server out.
    Analytics *AnalyticsConfig `json:"analytics,omitempty"`

    // Rollout configures deployment rollout behavior for this server.
    Rollout *RolloutConfig `json:"rollout,omitempty"`
}
    MCPServerSpec defines the desired state of MCPServer.
    +kubebuilder:object:generate=true

func (in *MCPServerSpec) DeepCopy() *MCPServerSpec
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPServerSpec.

func (in *MCPServerSpec) DeepCopyInto(out *MCPServerSpec)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type MCPServerStatus struct {
    // Phase represents the current phase of the MCPServer.
    Phase string `json:"phase,omitempty"`

    // Message provides additional information about the status.
    Message string `json:"message,omitempty"`

    // Conditions represent the latest available observations.
    Conditions []metav1.Condition `json:"conditions,omitempty"`

    // DeploymentReady indicates if the deployment is ready.
    DeploymentReady bool `json:"deploymentReady,omitempty"`

    // ServiceReady indicates if the service is ready.
    ServiceReady bool `json:"serviceReady,omitempty"`

    // IngressReady indicates if the ingress is ready.
    IngressReady bool `json:"ingressReady,omitempty"`

    // GatewayReady indicates if the gateway configuration and sidecar are ready.
    GatewayReady bool `json:"gatewayReady,omitempty"`

    // PolicyReady indicates if policy data for the gateway has been generated.
    PolicyReady bool `json:"policyReady,omitempty"`

    // CanaryReady indicates if the canary deployment, when configured, is ready.
    CanaryReady bool `json:"canaryReady,omitempty"`
}
    MCPServerStatus defines the observed state of MCPServer.
    +kubebuilder:object:generate=true

func (in *MCPServerStatus) DeepCopy() *MCPServerStatus
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new MCPServerStatus.

func (in *MCPServerStatus) DeepCopyInto(out *MCPServerStatus)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

// PolicyConfig holds the gateway's authorization settings: a policy mode, a
// default decision, an enforcement selector and a policy version string.
type PolicyConfig struct {
    // Mode is a PolicyMode; the enum marker on that type allows allow-list and observe.
    Mode            PolicyMode     `json:"mode,omitempty"`
    // DefaultDecision is a PolicyDecision; the enum marker allows allow and deny.
    // NOTE(review): the Go zero value is the empty string, which is neither allow
    // nor deny. The effective decision when this field is omitted is not shown
    // here — confirm that it resolves to deny.
    DefaultDecision PolicyDecision `json:"defaultDecision,omitempty"`
    // EnforceOn is a free-form string; its accepted values are not shown here.
    EnforceOn       string         `json:"enforceOn,omitempty"`
    // PolicyVersion is a free-form string; its semantics are not shown here.
    PolicyVersion   string         `json:"policyVersion,omitempty"`
}
    PolicyConfig configures authorization behavior at the gateway.
    +kubebuilder:object:generate=true

func (in *PolicyConfig) DeepCopy() *PolicyConfig
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new PolicyConfig.

func (in *PolicyConfig) DeepCopyInto(out *PolicyConfig)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type PolicyDecision string
    +kubebuilder:validation:Enum=allow;deny

const (
    PolicyDecisionAllow PolicyDecision = "allow"
    PolicyDecisionDeny  PolicyDecision = "deny"
)

type PolicyMode string
    +kubebuilder:validation:Enum=allow-list;observe

// Values accepted for PolicyMode; they match the kubebuilder Enum marker on
// the type (allow-list;observe).
const (
    // PolicyModeAllowList is the "allow-list" mode.
    PolicyModeAllowList PolicyMode = "allow-list"
    // PolicyModeObserve is the "observe" mode.
    // NOTE(review): the name suggests decisions are recorded but not enforced —
    // confirm, because a server left in this mode would not block denied calls.
    PolicyModeObserve   PolicyMode = "observe"
)

type ResourceList struct {
    CPU    string `json:"cpu,omitempty"`
    Memory string `json:"memory,omitempty"`
}
    ResourceList defines CPU and memory resources.
    +kubebuilder:object:generate=true

func (in *ResourceList) DeepCopy() *ResourceList
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new ResourceList.

func (in *ResourceList) DeepCopyInto(out *ResourceList)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type ResourceRequirements struct {
    Limits   *ResourceList `json:"limits,omitempty"`
    Requests *ResourceList `json:"requests,omitempty"`
}
    ResourceRequirements defines resource limits and requests.
    +kubebuilder:object:generate=true

func (in *ResourceRequirements) DeepCopy() *ResourceRequirements
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new ResourceRequirements.

func (in *ResourceRequirements) DeepCopyInto(out *ResourceRequirements)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type RolloutConfig struct {
    Strategy       RolloutStrategy `json:"strategy,omitempty"`
    MaxUnavailable string          `json:"maxUnavailable,omitempty"`
    MaxSurge       string          `json:"maxSurge,omitempty"`
    CanaryReplicas *int32          `json:"canaryReplicas,omitempty"`
}
    RolloutConfig configures deployment rollout behavior.
    +kubebuilder:object:generate=true

func (in *RolloutConfig) DeepCopy() *RolloutConfig
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new RolloutConfig.

func (in *RolloutConfig) DeepCopyInto(out *RolloutConfig)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type RolloutStrategy string
    +kubebuilder:validation:Enum=RollingUpdate;Recreate;Canary

const (
    RolloutStrategyRollingUpdate RolloutStrategy = "RollingUpdate"
    RolloutStrategyRecreate      RolloutStrategy = "Recreate"
    RolloutStrategyCanary        RolloutStrategy = "Canary"
)

// SecretEnvVar is an environment variable whose value comes from a secret
// reference rather than an inline literal.
type SecretEnvVar struct {
    // Name is always serialized as the JSON key "name" (no omitempty).
    Name         string        `json:"name"`
    // SecretKeyRef points at the Secret key that supplies the value.
    // NOTE(review): the field is a pointer with omitempty, so it can be absent;
    // whether validation rejects an entry without it is not shown here — confirm.
    SecretKeyRef *SecretKeyRef `json:"secretKeyRef,omitempty"`
}
    SecretEnvVar represents a secret-backed environment variable.
    +kubebuilder:object:generate=true

func (in *SecretEnvVar) DeepCopy() *SecretEnvVar
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new SecretEnvVar.

func (in *SecretEnvVar) DeepCopyInto(out *SecretEnvVar)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

// SecretKeyRef names one key inside one Secret.
//
// NOTE(review): there is no namespace field, so the Secret is presumably
// resolved in the namespace of the referencing object — confirm.
type SecretKeyRef struct {
    // Name is the Secret name; always serialized (no omitempty).
    Name string `json:"name"`
    // Key is the key within that Secret; always serialized (no omitempty).
    Key  string `json:"key"`
}
    SecretKeyRef points to a single key in a Kubernetes Secret.
    +kubebuilder:object:generate=true

func (in *SecretKeyRef) DeepCopy() *SecretKeyRef
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new SecretKeyRef.

func (in *SecretKeyRef) DeepCopyInto(out *SecretKeyRef)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

// ServerReference names an MCPServer, optionally with a namespace.
type ServerReference struct {
    // Name is the MCPServer name; always serialized (no omitempty).
    Name      string `json:"name"`
    // Namespace is optional.
    // NOTE(review): what an empty Namespace resolves to, and whether a grant or
    // session may reference a server in a different namespace than its own, is
    // not shown here — confirm, since cross-namespace references widen who can
    // grant access to a server.
    Namespace string `json:"namespace,omitempty"`
}
    ServerReference identifies an MCPServer.
    +kubebuilder:object:generate=true

func (in *ServerReference) DeepCopy() *ServerReference
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new ServerReference.

func (in *ServerReference) DeepCopyInto(out *ServerReference)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

// SessionConfig holds the server-side agent session settings for a server.
type SessionConfig struct {
    // Required presumably makes a valid session mandatory for requests — confirm.
    Required            bool   `json:"required,omitempty"`
    // Store is a free-form string; its accepted values are not shown here.
    Store               string `json:"store,omitempty"`
    // HeaderName presumably names the header that carries the session identifier — confirm.
    HeaderName          string `json:"headerName,omitempty"`
    // MaxLifetime is a string, presumably a duration; the format and the
    // behavior when it is empty are not shown here — confirm.
    MaxLifetime         string `json:"maxLifetime,omitempty"`
    // IdleTimeout is a string, presumably a duration; the format and the
    // behavior when it is empty are not shown here — confirm.
    IdleTimeout         string `json:"idleTimeout,omitempty"`
    // UpstreamTokenHeader presumably names the header used to pass the upstream
    // token to the server container — confirm.
    UpstreamTokenHeader string `json:"upstreamTokenHeader,omitempty"`
}
    SessionConfig configures server-side agent session behavior.
    +kubebuilder:object:generate=true

func (in *SessionConfig) DeepCopy() *SessionConfig
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new SessionConfig.

func (in *SessionConfig) DeepCopyInto(out *SessionConfig)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

// SubjectRef names the principal a grant or session applies to by human ID,
// agent ID and/or team ID. All three fields are optional in the JSON form.
type SubjectRef struct {
    // HumanID is the human identity the subject refers to.
    HumanID string `json:"humanID,omitempty"`
    // AgentID is the agent identity the subject refers to.
    AgentID string `json:"agentID,omitempty"`
    // TeamID constrains the subject to a stable platform team identifier.
    // A subject with only teamID grants or binds any authenticated principal in that team.
    // NOTE(review): that team-only form is the broadest subject this type can
    // express, so grants that use it deserve a closer look in review.
    // Whether a subject with all three fields empty is rejected is not shown here — confirm.
    TeamID string `json:"teamID,omitempty"`
}
    SubjectRef identifies the human and optional agent a grant or session
    applies to.
    +kubebuilder:object:generate=true

func (in *SubjectRef) DeepCopy() *SubjectRef
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new SubjectRef.

func (in *SubjectRef) DeepCopyInto(out *SubjectRef)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

// ToolConfig is one entry in a server's MCP tool inventory.
type ToolConfig struct {
    // Name is the tool name; always serialized (no omitempty).
    Name          string            `json:"name"`
    // Description is an optional human-readable summary.
    Description   string            `json:"description,omitempty"`
    // RequiredTrust is a TrustLevel (low, medium, high); presumably the minimum
    // trust needed to call the tool — confirm, including how an omitted value is treated.
    RequiredTrust TrustLevel        `json:"requiredTrust,omitempty"`
    // SideEffect is a ToolSideEffect (read, write, destructive); always serialized (no omitempty).
    // NOTE(review): this is declared by the server author; whether anything
    // checks the declaration against the tool's real behavior is not shown here.
    SideEffect    ToolSideEffect    `json:"sideEffect"`
    // Labels are optional free-form key/value labels.
    Labels        map[string]string `json:"labels,omitempty"`
}
    ToolConfig describes one MCP tool exposed by a server.
    +kubebuilder:object:generate=true

func (in *ToolConfig) DeepCopy() *ToolConfig
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new ToolConfig.

func (in *ToolConfig) DeepCopyInto(out *ToolConfig)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

// ToolRule is a per-tool access rule: a tool name, a decision and an optional
// trust requirement.
type ToolRule struct {
    // Name is the tool name the rule applies to; always serialized (no omitempty).
    // NOTE(review): whether Name must match a tool declared in the server's
    // inventory, and whether patterns are accepted, is not shown here — confirm.
    Name          string         `json:"name"`
    // Decision is a PolicyDecision (allow or deny); always serialized (no omitempty).
    Decision      PolicyDecision `json:"decision"`
    // RequiredTrust is a TrustLevel (low, medium, high); how it combines with
    // ToolConfig.RequiredTrust and the grant's MaxTrust is not shown here — confirm.
    RequiredTrust TrustLevel     `json:"requiredTrust,omitempty"`
}
    ToolRule controls access to an individual MCP tool.
    +kubebuilder:object:generate=true

func (in *ToolRule) DeepCopy() *ToolRule
    DeepCopy is an autogenerated deepcopy function, copying the receiver,
    creating a new ToolRule.

func (in *ToolRule) DeepCopyInto(out *ToolRule)
    DeepCopyInto is an autogenerated deepcopy function, copying the receiver,
    writing into out. in must be non-nil.

type ToolSideEffect string
    +kubebuilder:validation:Enum=read;write;destructive

const (
    ToolSideEffectRead        ToolSideEffect = "read"
    ToolSideEffectWrite       ToolSideEffect = "write"
    ToolSideEffectDestructive ToolSideEffect = "destructive"
)

type TrustLevel string
    +kubebuilder:validation:Enum=low;medium;high

const (
    TrustLevelLow    TrustLevel = "low"
    TrustLevelMedium TrustLevel = "medium"
    TrustLevelHigh   TrustLevel = "high"
)

Metadata helpers

Package: metadata Import path: mcp-runtime/pkg/metadata

Source command:

go doc -all ./pkg/metadata

Overview

No package overview is documented.


Constants

const DefaultRegistryHost = "registry.local"

Functions

func DisplayImageReference(image string) string
    DisplayImageReference rewrites internal registry image refs for user-facing
    display. It prefers the public registry host when configured, and otherwise
    strips the internal host so cluster-only endpoints do not leak into UI/API
    responses.

func GenerateCRD(server *ServerMetadata, outputPath string) error
    GenerateCRD generates a Kubernetes CRD YAML file for a single server
    metadata entry at the given output path.

func GenerateCRDsFromRegistry(registry *RegistryFile, outputDir string) error
    GenerateCRDsFromRegistry renders CRD YAML files for every server in a
    registry into outputDir.

func NormalizePlatformDomain(raw string) string
    NormalizePlatformDomain returns a lowercased FQDN suitable for "registry." +
    d and "mcp." + d, or an empty string if the input is unusable.

func ResolveMcpIngressHost() string
    ResolveMcpIngressHost is the public hostname for the MCP / gateway
    (operator default): MCP_MCP_INGRESS_HOST, else mcp.<MCP_PLATFORM_DOMAIN>
    when the platform domain is set, else empty (operator falls back to spec or
    publicPathPrefix).

func ResolvePlatformIngressHost() string
    ResolvePlatformIngressHost is the public hostname for the platform / admin
    dashboard UI: MCP_PLATFORM_INGRESS_HOST, else platform.<MCP_PLATFORM_DOMAIN>
    when the platform domain is set, else empty (path-based dev routing is
    used).

func ResolveRegistryEndpoint() string
    ResolveRegistryEndpoint returns the registry hostname/endpoint for pulls
    and in-cluster skopeo (MCP_REGISTRY_ENDPOINT, then MCP_REGISTRY_HOST,
    then registry.<MCP_PLATFORM_DOMAIN> when the platform domain is set).

func ResolveRegistryHost() string
    ResolveRegistryHost resolves the host used for default image names.
    Precedence: MCP_REGISTRY_INGRESS_HOST, legacy MCP_REGISTRY_HOST, then
    registry.<MCP_PLATFORM_DOMAIN>, else fallback default.

func ResolveRegistryPullHost() string
    ResolveRegistryPullHost returns the registry host kubelet should
    use for in-cluster image pulls. Precedence: MCP_REGISTRY_PULL_HOST,
    MCP_REGISTRY_ENDPOINT, then bundled cluster DNS.

    Public ingress hostnames are intentionally excluded. Workload pods must
    pull from the internal registry endpoint, not the auth-protected external
    ingress.

func RewriteImageRegistryHost(image, registry string) (string, bool)
    RewriteImageRegistryHost replaces the registry portion of an image
    reference.

Types

type AnalyticsConfig struct {
    // Disabled opts this server out of analytics emission when true.
    Disabled        bool          `yaml:"disabled,omitempty" json:"disabled,omitempty"`
    // IngestURL is the analytics ingest endpoint.
    // NOTE(review): events leave the gateway sidecar for this URL; whether the
    // scheme is restricted to https is not visible here. TODO confirm.
    IngestURL       string        `yaml:"ingestURL,omitempty" json:"ingestURL,omitempty"`
    // Source and EventType are optional strings; presumably labels attached to
    // emitted events. Verify against the emitter.
    Source          string        `yaml:"source,omitempty" json:"source,omitempty"`
    EventType       string        `yaml:"eventType,omitempty" json:"eventType,omitempty"`
    // APIKeySecretRef references a key in a Kubernetes Secret rather than
    // carrying the API key inline, so the key itself stays out of the
    // registry YAML/JSON.
    APIKeySecretRef *SecretKeyRef `yaml:"apiKeySecretRef,omitempty" json:"apiKeySecretRef,omitempty"`
}
    AnalyticsConfig configures analytics emission from the gateway sidecar.
    Emission is on by default whenever the operator has an analytics ingest URL
    configured; set Disabled to true to opt out per server.

type AuthConfig struct {
    // Mode selects the gateway auth mode: none, header or oauth.
    // NOTE(review): the mode applied when Mode is omitted is not visible in
    // this reference. Confirm the default is not "none" for servers that
    // expose write or destructive tools.
    Mode            AuthMode `yaml:"mode,omitempty" json:"mode,omitempty"`
    // HumanIDHeader, AgentIDHeader, TeamIDHeader and SessionIDHeader are
    // optional strings; presumably the request header names the gateway reads
    // each identity value from. TODO confirm.
    // NOTE(review): a header-derived identity is only as trustworthy as the
    // hop that set it. If header mode takes these values as-is, the gateway
    // must be reachable only through a component that strips and re-sets
    // them (agentadapter.Identity.Apply is documented as doing so).
    HumanIDHeader   string   `yaml:"humanIDHeader,omitempty" json:"humanIDHeader,omitempty"`
    AgentIDHeader   string   `yaml:"agentIDHeader,omitempty" json:"agentIDHeader,omitempty"`
    TeamIDHeader    string   `yaml:"teamIDHeader,omitempty" json:"teamIDHeader,omitempty"`
    SessionIDHeader string   `yaml:"sessionIDHeader,omitempty" json:"sessionIDHeader,omitempty"`
    // TokenHeader is presumably the header the bearer token is read from.
    // Verify against the gateway.
    TokenHeader     string   `yaml:"tokenHeader,omitempty" json:"tokenHeader,omitempty"`
    // IssuerURL and Audience are presumably the expected token issuer and
    // audience for oauth mode. Confirm that both are validated on every
    // token and that an empty Audience does not disable the audience check.
    IssuerURL       string   `yaml:"issuerURL,omitempty" json:"issuerURL,omitempty"`
    Audience        string   `yaml:"audience,omitempty" json:"audience,omitempty"`
}
    AuthConfig configures how identities are extracted at the gateway.

type AuthMode string
    +kubebuilder:validation:Enum=none;header;oauth

const (
    AuthModeNone   AuthMode = "none"
    AuthModeHeader AuthMode = "header"
    AuthModeOAuth  AuthMode = "oauth"
)

type EnvVar struct {
    // Name is the environment variable name.
    Name  string `yaml:"name" json:"name"`
    // Value is the literal value, serialized in clear text under the "value"
    // key in both YAML and JSON. Do not place credentials here; SecretEnvVar
    // carries a SecretKeyRef for secret-backed values.
    Value string `yaml:"value" json:"value"`
}
    EnvVar defines a literal environment variable.

type GatewayConfig struct {
    // Enabled turns the optional MCP proxy sidecar on for this server.
    // NOTE(review): auth and policy are documented as gateway-side settings;
    // confirm what enforces them when Enabled is false.
    Enabled     bool                  `yaml:"enabled,omitempty" json:"enabled,omitempty"`
    // Image is the sidecar container image. Presumably the operator's
    // GatewayProxyImage default applies when empty. TODO confirm.
    Image       string                `yaml:"image,omitempty" json:"image,omitempty"`
    // Port is the sidecar container port.
    Port        int32                 `yaml:"port,omitempty" json:"port,omitempty"`
    // UpstreamURL and StripPrefix are optional strings; presumably the address
    // of the server container behind the sidecar and a path prefix removed
    // before forwarding. Verify against the proxy.
    UpstreamURL string                `yaml:"upstreamURL,omitempty" json:"upstreamURL,omitempty"`
    StripPrefix string                `yaml:"stripPrefix,omitempty" json:"stripPrefix,omitempty"`
    // Resources sets resource limits and requests for the sidecar.
    Resources   *ResourceRequirements `yaml:"resources,omitempty" json:"resources,omitempty"`
}
    GatewayConfig configures an optional MCP proxy sidecar for a server.

type InventoryItem struct {
    Name        string            `yaml:"name" json:"name"`
    Description string            `yaml:"description,omitempty" json:"description,omitempty"`
    Labels      map[string]string `yaml:"labels,omitempty" json:"labels,omitempty"`
}
    InventoryItem describes a named MCP prompt, resource, or task.

type PolicyConfig struct {
    // Mode is the policy mode: allow-list or observe.
    // NOTE(review): "observe" presumably evaluates rules without blocking.
    // Confirm before relying on it, since a server left in observe mode would
    // then have no gateway-side enforcement.
    Mode            PolicyMode     `yaml:"mode,omitempty" json:"mode,omitempty"`
    // DefaultDecision is allow or deny; presumably applied when no rule covers
    // a request. TODO confirm.
    // NOTE(review): the value used when this field is omitted is not visible
    // here. Verify it is deny, so an unlisted tool fails closed.
    DefaultDecision PolicyDecision `yaml:"defaultDecision,omitempty" json:"defaultDecision,omitempty"`
    // EnforceOn and PolicyVersion are free-form strings; their accepted values
    // are not documented in this reference.
    EnforceOn       string         `yaml:"enforceOn,omitempty" json:"enforceOn,omitempty"`
    PolicyVersion   string         `yaml:"policyVersion,omitempty" json:"policyVersion,omitempty"`
}
    PolicyConfig configures authorization behavior at the gateway.

type PolicyDecision string
    +kubebuilder:validation:Enum=allow;deny

const (
    PolicyDecisionAllow PolicyDecision = "allow"
    PolicyDecisionDeny  PolicyDecision = "deny"
)

type PolicyMode string
    +kubebuilder:validation:Enum=allow-list;observe

const (
    PolicyModeAllowList PolicyMode = "allow-list"
    PolicyModeObserve   PolicyMode = "observe"
)

type PublishScope string
    PublishScope selects the platform catalog or tenant boundary for publishing.

const (
    PublishScopeTenant PublishScope = "tenant"
    PublishScopeOrg    PublishScope = "org"
    PublishScopePublic PublishScope = "public"
)

type RegistryFile struct {
    // Version of the metadata format.
    Version string `yaml:"version" json:"version"`

    // Servers is a list of MCP server definitions.
    Servers []ServerMetadata `yaml:"servers" json:"servers"`
}
    RegistryFile represents the complete registry/metadata file.

func LoadFromDirectory(dirPath string) (*RegistryFile, error)
    LoadFromDirectory aggregates all .yaml/.yml registry files in a directory
    into one registry object.

func LoadFromFile(filePath string) (*RegistryFile, error)
    LoadFromFile reads a single registry YAML file from disk and applies default
    values.

type ResourceList struct {
    CPU    string `yaml:"cpu,omitempty" json:"cpu,omitempty"`
    Memory string `yaml:"memory,omitempty" json:"memory,omitempty"`
}
    ResourceList defines CPU and memory resources.

type ResourceRequirements struct {
    Limits   *ResourceList `yaml:"limits,omitempty" json:"limits,omitempty"`
    Requests *ResourceList `yaml:"requests,omitempty" json:"requests,omitempty"`
}
    ResourceRequirements defines resource limits and requests.

type RolloutConfig struct {
    Strategy       RolloutStrategy `yaml:"strategy,omitempty" json:"strategy,omitempty"`
    MaxUnavailable string          `yaml:"maxUnavailable,omitempty" json:"maxUnavailable,omitempty"`
    MaxSurge       string          `yaml:"maxSurge,omitempty" json:"maxSurge,omitempty"`
    CanaryReplicas *int32          `yaml:"canaryReplicas,omitempty" json:"canaryReplicas,omitempty"`
}
    RolloutConfig configures deployment rollout behavior.

type RolloutStrategy string
    +kubebuilder:validation:Enum=RollingUpdate;Recreate;Canary

const (
    RolloutStrategyRollingUpdate RolloutStrategy = "RollingUpdate"
    RolloutStrategyRecreate      RolloutStrategy = "Recreate"
    RolloutStrategyCanary        RolloutStrategy = "Canary"
)

type SecretEnvVar struct {
    Name         string        `yaml:"name" json:"name"`
    SecretKeyRef *SecretKeyRef `yaml:"secretKeyRef,omitempty" json:"secretKeyRef,omitempty"`
}
    SecretEnvVar defines a secret-backed environment variable.

type SecretKeyRef struct {
    Name string `yaml:"name" json:"name"`
    Key  string `yaml:"key" json:"key"`
}
    SecretKeyRef points to a single key in a Kubernetes Secret.

type ServerMetadata struct {
    // Name is the unique name of the MCP server.
    Name string `yaml:"name" json:"name"`

    // Description is a human-readable summary of what the MCP server provides.
    Description string `yaml:"description,omitempty" json:"description,omitempty"`

    // Image is the container image for the server.
    Image string `yaml:"image" json:"image"`

    // ImageTag is the tag of the container image (defaults to "latest").
    ImageTag string `yaml:"imageTag,omitempty" json:"imageTag,omitempty"`

    // Route is the route path for the server (defaults to name/mcp).
    Route string `yaml:"route,omitempty" json:"route,omitempty"`

    // IngressHost is the hostname for the server ingress route.
    IngressHost string `yaml:"ingressHost,omitempty" json:"ingressHost,omitempty"`

    // PublicPathPrefix enables hostless path-based routing and resolves to /<publicPathPrefix>/mcp.
    PublicPathPrefix string `yaml:"publicPathPrefix,omitempty" json:"publicPathPrefix,omitempty"`

    // Port is the port the container listens on (defaults to 8088).
    Port int32 `yaml:"port,omitempty" json:"port,omitempty"`

    // Replicas is the number of desired replicas (defaults to 1).
    Replicas *int32 `yaml:"replicas,omitempty" json:"replicas,omitempty"`

    // Resources defines resource limits and requests.
    Resources *ResourceRequirements `yaml:"resources,omitempty" json:"resources,omitempty"`

    // EnvVars are literal environment variables to pass to the container.
    EnvVars []EnvVar `yaml:"envVars,omitempty" json:"envVars,omitempty"`

    // SecretEnvVars are secret-backed environment variables to pass to the container.
    SecretEnvVars []SecretEnvVar `yaml:"secretEnvVars,omitempty" json:"secretEnvVars,omitempty"`

    // Namespace is the Kubernetes namespace (defaults to "mcp-servers").
    Namespace string `yaml:"namespace,omitempty" json:"namespace,omitempty"`

    // Scope selects a publish destination: tenant, org, or public.
    Scope PublishScope `yaml:"scope,omitempty" json:"scope,omitempty"`

    // TeamID is the stable platform team identifier that owns the server.
    TeamID string `yaml:"teamID,omitempty" json:"teamID,omitempty"`

    // Tools describes the MCP tool inventory exposed by the server.
    Tools []ToolConfig `yaml:"tools,omitempty" json:"tools,omitempty"`

    // Prompts describes the MCP prompt inventory exposed by the server.
    Prompts []InventoryItem `yaml:"prompts,omitempty" json:"prompts,omitempty"`

    // MCPResources describes the MCP resource inventory exposed by the server.
    MCPResources []InventoryItem `yaml:"mcpResources,omitempty" json:"mcpResources,omitempty"`

    // Tasks describes task templates or workflows exposed by the server.
    Tasks []InventoryItem `yaml:"tasks,omitempty" json:"tasks,omitempty"`

    // Auth configures how the gateway extracts human, agent, and session identity.
    Auth *AuthConfig `yaml:"auth,omitempty" json:"auth,omitempty"`

    // Policy configures gateway-side authorization behavior.
    Policy *PolicyConfig `yaml:"policy,omitempty" json:"policy,omitempty"`

    // Session configures server-side agent session behavior.
    Session *SessionConfig `yaml:"session,omitempty" json:"session,omitempty"`

    // Gateway configures an optional MCP proxy sidecar in front of the server container.
    Gateway *GatewayConfig `yaml:"gateway,omitempty" json:"gateway,omitempty"`

    // Analytics configures analytics emission for the gateway sidecar.
    Analytics *AnalyticsConfig `yaml:"analytics,omitempty" json:"analytics,omitempty"`

    // Rollout configures deployment rollout behavior.
    Rollout *RolloutConfig `yaml:"rollout,omitempty" json:"rollout,omitempty"`
}
    ServerMetadata defines the metadata for an MCP server.

type SessionConfig struct {
    // Required presumably makes the gateway reject requests that carry no
    // agent session. TODO confirm.
    Required            bool   `yaml:"required,omitempty" json:"required,omitempty"`
    // Store names the session store; accepted values are not documented here.
    Store               string `yaml:"store,omitempty" json:"store,omitempty"`
    // HeaderName is presumably the request header that carries the session
    // identifier. Verify against the gateway.
    HeaderName          string `yaml:"headerName,omitempty" json:"headerName,omitempty"`
    // MaxLifetime and IdleTimeout are strings, so the duration format is
    // whatever the consumer parses. TODO confirm.
    // NOTE(review): confirm that an empty value does not mean "never expires".
    MaxLifetime         string `yaml:"maxLifetime,omitempty" json:"maxLifetime,omitempty"`
    IdleTimeout         string `yaml:"idleTimeout,omitempty" json:"idleTimeout,omitempty"`
    // UpstreamTokenHeader is presumably the header used to pass a token on to
    // the server container. Confirm which token is forwarded and that the
    // header is stripped from inbound client requests first.
    UpstreamTokenHeader string `yaml:"upstreamTokenHeader,omitempty" json:"upstreamTokenHeader,omitempty"`
}
    SessionConfig configures server-side agent session behavior.

type ToolConfig struct {
    // Name is the MCP tool name.
    Name          string            `yaml:"name" json:"name"`
    // Description is an optional human-readable summary.
    Description   string            `yaml:"description,omitempty" json:"description,omitempty"`
    // RequiredTrust is an optional TrustLevel (low, medium or high).
    // NOTE(review): how an omitted value is treated is not visible here.
    // Confirm it does not default to the lowest level for write or
    // destructive tools.
    RequiredTrust TrustLevel        `yaml:"requiredTrust,omitempty" json:"requiredTrust,omitempty"`
    // SideEffect classifies the tool as read, write or destructive. The tag
    // has no omitempty, so the key is always serialized. The value is declared
    // by the registry author; presumably nothing verifies it against what the
    // tool actually does. Confirm before using it as a security boundary.
    SideEffect    ToolSideEffect    `yaml:"sideEffect" json:"sideEffect"`
    // Labels are optional free-form key/value pairs.
    Labels        map[string]string `yaml:"labels,omitempty" json:"labels,omitempty"`
}
    ToolConfig describes one MCP tool exposed by a server.

type ToolSideEffect string
    +kubebuilder:validation:Enum=read;write;destructive

const (
    ToolSideEffectRead        ToolSideEffect = "read"
    ToolSideEffectWrite       ToolSideEffect = "write"
    ToolSideEffectDestructive ToolSideEffect = "destructive"
)

type TrustLevel string
    +kubebuilder:validation:Enum=low;medium;high

const (
    TrustLevelLow    TrustLevel = "low"
    TrustLevelMedium TrustLevel = "medium"
    TrustLevelHigh   TrustLevel = "high"
)

Publish scope helpers

Package: publishscope Import path: mcp-runtime/pkg/publishscope

Source command:

go doc -all ./pkg/publishscope

Overview

No package overview is documented.


Index

Constants

const (
    Tenant Scope = "tenant"
    Org    Scope = "org"
    Public Scope = "public"

    DefaultOrgCatalogNamespace    = "mcp-servers-org"
    DefaultPublicCatalogNamespace = "mcp-servers-public"

    OrgRegistryAlias    = "org"
    PublicRegistryAlias = "public"
)

Functions

func CatalogNamespace(scope Scope) (string, bool)

func RegistryAlias(scope Scope) (string, bool)

Types

type Scope string

func Normalize(raw string) (Scope, error)

Agent adapters

Package: agentadapter Import path: mcp-runtime/internal/agentadapter

Source command:

go doc -all ./internal/agentadapter

Overview

Package agentadapter implements optional agent-side HTTP and stdio adapters that forward MCP traffic to governed MCP Runtime routes.


Index

Constants

const (
    // Environment variable names. LoadProxyConfigFromEnv and
    // LoadShimConfigFromEnv are documented as loading adapter configuration
    // from environment variables; presumably from these names. TODO confirm
    // the mapping of each name to its config field.
    EnvRuntimeURL       = "MCP_RUNTIME_URL"
    EnvHumanID          = "MCP_RUNTIME_HUMAN_ID"
    EnvAgentID          = "MCP_RUNTIME_AGENT_ID"
    EnvTeamID           = "MCP_RUNTIME_TEAM_ID"
    EnvSessionID        = "MCP_RUNTIME_SESSION_ID"
    EnvHostHeader       = "MCP_RUNTIME_HOST_HEADER"
    EnvListenAddr       = "MCP_RUNTIME_LISTEN_ADDR"
    EnvProtocolVersion  = "MCP_RUNTIME_PROTOCOL_VERSION"
    EnvSetXForwarded    = "MCP_RUNTIME_SET_XFF"
    EnvRequestTimeout   = "MCP_RUNTIME_REQUEST_TIMEOUT"
    EnvLogLevel         = "MCP_RUNTIME_LOG_LEVEL"
    EnvAnonymous        = "MCP_RUNTIME_ANONYMOUS"
    EnvAnonymousMethods = "MCP_RUNTIME_ANONYMOUS_METHODS"
    // NOTE(review): EnvAuthHeader presumably supplies
    // RuntimeTransport.AuthHeader, i.e. a complete Authorization value. Treat
    // the variable as a secret: keep it out of process listings, crash dumps
    // and debug logging of the environment.
    EnvAuthHeader       = "MCP_RUNTIME_AUTH_HEADER"
    // The TLS variables presumably hold the file paths passed to
    // BuildTLSConfig (client certificate, client key, CA bundle). Verify; the
    // key file should be readable only by the adapter's user.
    EnvTLSClientCert    = "MCP_RUNTIME_TLS_CLIENT_CERT"
    EnvTLSClientKey     = "MCP_RUNTIME_TLS_CLIENT_KEY"
    EnvTLSCABundle      = "MCP_RUNTIME_TLS_CA_BUNDLE"
    EnvMaxInboundBytes  = "MCP_RUNTIME_MAX_INBOUND_BYTES"
    EnvToolsCacheTTL    = "MCP_RUNTIME_TOOLS_CACHE_TTL"

    // DefaultListenAddr is a loopback address.
    // NOTE(review): NewHTTPProxyHandler is documented as injecting governance
    // identity headers into forwarded traffic, so a non-loopback listen
    // address would presumably let any host that can reach the port send
    // requests under the adapter's identity. Confirm before overriding.
    DefaultListenAddr      = "127.0.0.1:8099"
    DefaultProtocolVersion = "2025-06-18"

    // Header names. Identity.Apply is documented as deleting and then
    // re-setting the governance identity headers; presumably the four
    // X-MCP-* names below. TODO confirm.
    HumanIDHeader      = "X-MCP-Human-ID"
    AgentIDHeader      = "X-MCP-Agent-ID"
    TeamIDHeader       = "X-MCP-Team-ID"
    AgentSessionHeader = "X-MCP-Agent-Session"
    MCPProtocolHeader  = "Mcp-Protocol-Version"
    MCPSessionHeader   = "Mcp-Session-Id"
)
const (

    // DefaultMaxInboundBytes caps the size of inbound JSON-RPC bodies that
    // the proxy buffers for metadata capture. Requests over the cap get a
    // 413 with a JSON-RPC parse-error body so the agent SDK can recover.
    DefaultMaxInboundBytes int64 = 16 << 20
)

Variables

// NOTE(review): this list is only the default. ShimConfig.AnonymousMethods is
// documented as the allowlist in anonymous mode and this list applies only
// when that one is empty, so a configured list should be reviewed for methods
// that invoke tools or change state. It is also an exported, mutable slice;
// presumably nothing appends to it at runtime. Verify.
var DefaultAnonymousMethods = []string{
    "initialize",
    "notifications/initialized",
    "ping",
    "tools/list",
    "resources/list",
    "prompts/list",
}
    DefaultAnonymousMethods is the set of MCP methods the stdio shim allows
    in anonymous mode when no explicit AnonymousMethods list is configured.
    These are read-only discovery methods and the protocol handshake.

Functions

func BuildTLSConfig(certFile, keyFile, caFile string) (*tls.Config, error)
    BuildTLSConfig builds a *tls.Config for outbound runtime connections.
    certFile and keyFile must both be set (or both empty) for mTLS. caFile,
    when non-empty, replaces the default system CA pool.

func NewHTTPProxyHandler(cfg ProxyConfig) (http.Handler, error)
    NewHTTPProxyHandler returns a reverse proxy that forwards MCP HTTP traffic
    to the configured runtime route and injects issued governance identity
    headers.

func NewHTTPTransportWithTLS(cfg *tls.Config) *http.Transport
    NewHTTPTransportWithTLS returns an *http.Transport that uses the supplied
    TLS config while preserving http.DefaultTransport's dial timeouts,
    keep-alive settings, and ProxyFromEnvironment behaviour.

func RunHTTPProxy(ctx context.Context, cfg ProxyConfig) error
    RunHTTPProxy serves the local HTTP adapter until the context is cancelled.

func RunStdioShim(ctx context.Context, cfg ShimConfig, opts StdioOptions) error
    RunStdioShim reads newline-delimited stdio MCP JSON-RPC messages, forwards
    them to the configured Streamable HTTP route, and writes JSON-RPC responses
    back to stdout.

func SplitTrimmed(s, sep string) []string

Types

type Identity struct {
    // HumanID, AgentID, TeamID and SessionID are the issued identity values.
    // Presumably Apply writes them to the X-MCP-Human-ID, X-MCP-Agent-ID,
    // X-MCP-Team-ID and X-MCP-Agent-Session headers respectively. TODO confirm.
    // An empty field results in the corresponding header being omitted, per
    // the Apply documentation.
    // NOTE(review): the values are forwarded as issued; whether they are
    // checked for CR/LF or other characters invalid in a header value is not
    // visible here.
    HumanID   string
    AgentID   string
    TeamID    string
    SessionID string
}
    Identity is the issued governance identity that adapters attach to every
    runtime request. The platform issues these values out-of-band (or through
    the platform adapter-session endpoint); the adapter only forwards them.

func (id Identity) Apply(headers http.Header)
    Apply writes the governance identity onto an outbound request's headers,
    replacing any caller-supplied values. Headers are always deleted first to
    strip spoofed inbound values. A header is only re-set when its value is
    non-empty, so anonymous-mode adapters with partial identity naturally omit
    the missing headers rather than forwarding empty strings.

type IdentityProvider func() Identity
    IdentityProvider returns the current governance identity. Adapters call it
    before each outbound request so callers that rotate identity at runtime
    (for example, platform-issued sessions refreshed before expiry) get the
    new values applied without restarting the adapter process. When non-nil on
    ProxyConfig / ShimConfig it takes precedence over the static Identity.

type ProxyConfig struct {
    RuntimeURL        *url.URL
    Identity          Identity
    Transport         *RuntimeTransport
    HostHeader        string
    ListenAddr        string
    ProtocolVersion   string
    LogLevel          string
    LogWriter         io.Writer
    DisableXForwarded bool
    // MaxInboundBytes caps the size of JSON-RPC request bodies the proxy
    // buffers when capturing metadata. Zero (or negative) means use
    // DefaultMaxInboundBytes (16 MiB). Over-cap requests respond with 413.
    MaxInboundBytes int64
    // MetricsHandler, when set, is served at /metrics. Typical use: a
    // Prometheus exporter wired to the OTel MeterProvider that backs
    // RuntimeTransport.Meter. Nil → /metrics returns 404.
    MetricsHandler http.Handler
    // IdentityProvider overrides Identity per-request when set. Used by
    // callers that rotate identity at runtime (e.g. auto-refreshed
    // platform-issued adapter sessions). Nil → static Identity is used.
    IdentityProvider IdentityProvider
}
    ProxyConfig configures the local HTTP reverse-proxy adapter that exposes
    Streamable HTTP MCP to an agent SDK.

func LoadProxyConfigFromEnv() (ProxyConfig, error)
    LoadProxyConfigFromEnv loads HTTP proxy configuration from environment
    variables.

func (cfg ProxyConfig) Validate() error
    Validate enforces the runtime identity invariants for the HTTP proxy.

type RuntimeTransport struct {
    // Base is the underlying round-tripper. nil means http.DefaultTransport.
    // Tests swap in a mock by setting this field.
    Base http.RoundTripper
    // Timeout is the per-request timeout applied to the *http.Client wrapper
    // returned by Client(). Zero means no timeout.
    // NOTE(review): with a zero Timeout a stalled runtime can hold a request
    // open indefinitely unless the caller's context carries a deadline.
    Timeout time.Duration
    // AuthHeader is a static Authorization header value injected into every
    // outbound request (e.g. "Bearer <token>"). Empty means no header is set.
    // NOTE(review): the value is a long-lived credential held in memory. Keep
    // it out of log output (avoid printing this struct with %+v) and confirm
    // the runtime URL is https so it is not sent in clear text. Whether it is
    // re-sent on redirects to another host is not visible here; verify.
    AuthHeader string
    // Tracer is an optional OTel tracer. When non-nil, RoundTrip opens one
    // client span per RPC labelled with the JSON-RPC method name.
    Tracer trace.Tracer
    // Meter is an optional OTel meter. When non-nil, RoundTrip records a
    // latency histogram and a denial counter keyed by method name.
    Meter metric.Meter

    // Has unexported fields.
}
    RuntimeTransport is the shared outbound HTTP transport used by both the
    reverse proxy and the stdio shim when forwarding to the runtime. It owns
    every production gate — auth, OTel instrumentation, and method-keyed retry —
    so both adapters behave identically with a single implementation.

func (t *RuntimeTransport) Client() *http.Client
    Client returns an *http.Client whose Transport is this RuntimeTransport.
    Both adapters route requests through this wrapper so every gate (auth, OTel,
    retry) applies uniformly.

func (t *RuntimeTransport) CloseIdleConnections()
    CloseIdleConnections drains idle connections on the base round-tripper if it
    supports the optional interface, matching net/http's contract.

func (t *RuntimeTransport) RoundTrip(req *http.Request) (*http.Response, error)
    RoundTrip implements http.RoundTripper. Execution order per call:
     1. Start OTel span (if Tracer is set).
     2. Inject Authorization header (if AuthHeader is set).
     3. Execute the request, retrying idempotent methods on gateway errors.
     4. Record OTel latency histogram and denial counter (if Meter is set).
     5. Set span outcome and end it.

type ShimConfig struct {
    RuntimeURL      *url.URL
    Identity        Identity
    Transport       *RuntimeTransport
    HostHeader      string
    ProtocolVersion string
    LogLevel        string
    LogWriter       io.Writer
    // Anonymous, when true, relaxes identity validation so the shim can forward
    // to public/read-only runtime routes without a session or human/agent ID.
    // Only methods in AnonymousMethods are forwarded; all others are rejected
    // with a JSON-RPC error before reaching the runtime.
    Anonymous bool
    // AnonymousMethods is the allowlist used when Anonymous is true. When empty
    // the DefaultAnonymousMethods list applies.
    AnonymousMethods []string
    // ToolsCacheTTL enables a process-local tools/list response cache when
    // set to a positive duration. Zero (or negative) disables the cache.
    // Entries are keyed by identity + runtime URL and invalidated on a
    // tools/list_changed notification or when the TTL expires.
    ToolsCacheTTL time.Duration
    // IdentityProvider overrides Identity per-request when set.
    // See ProxyConfig.IdentityProvider for the contract.
    IdentityProvider IdentityProvider
}
    ShimConfig configures the stdio adapter that bridges newline-delimited
    JSON-RPC MCP traffic to the runtime over HTTP.

func LoadShimConfigFromEnv() (ShimConfig, error)
    LoadShimConfigFromEnv loads stdio shim configuration from environment
    variables.

func (cfg ShimConfig) Validate() error
    Validate enforces the runtime identity invariants for the stdio shim.
    In anonymous mode only the runtime URL is required.

type StdioOptions struct {
    Stdin  io.Reader
    Stdout io.Writer
}

Operator internals

Package: operator Import path: mcp-runtime/internal/operator

Source command:

go doc -all ./internal/operator

Overview

Package operator provides the Kubernetes operator for MCPServer resources.


Index

Constants

const (
    // DefaultRequestCPU is the default CPU request for containers.
    DefaultRequestCPU = "50m"
    // DefaultRequestMemory is the default memory request for containers.
    DefaultRequestMemory = "64Mi"
    // DefaultLimitCPU is the default CPU limit for containers.
    DefaultLimitCPU = "500m"
    // DefaultLimitMemory is the default memory limit for containers.
    DefaultLimitMemory = "256Mi"
)
    Resource defaults for MCPServer deployments.

const (
    // DefaultReplicas is the default number of replicas.
    DefaultReplicas = 1
    // DefaultPort is the default container port.
    DefaultPort = 8088
    // DefaultGatewayPort is the default container port for the MCP proxy sidecar.
    DefaultGatewayPort = 8091
    // DefaultServicePort is the default service port.
    DefaultServicePort = 80
)
    MCPServer defaults.

const (
    // LabelApp is the standard app label key.
    LabelApp = "app"
    // LabelManagedBy is the label indicating the managing controller.
    LabelManagedBy = "app.kubernetes.io/managed-by"
    // LabelManagedByValue is the value for the managed-by label.
    LabelManagedByValue = "mcp-runtime"
)
    Labels used by the operator.

const (
    // DefaultIngressClass is the default ingress class.
    DefaultIngressClass = "traefik"
    // DefaultIngressPathType is the default path type for ingress rules.
    DefaultIngressPathType = "Prefix"
    // IngressReadinessModeStrict requires Ingress.status.loadBalancer.ingress to be populated.
    IngressReadinessModeStrict = "strict"
    // IngressReadinessModePermissive treats an Ingress with rules as ready when LB status is absent.
    IngressReadinessModePermissive = "permissive"
)
    Ingress configuration.

const (
    // DefaultRegistrySecretName is the default name for registry pull secrets.
    // #nosec G101 -- This is a secret name, not a credential.
    DefaultRegistrySecretName = "mcp-runtime-registry-pull"
)
    Secret names.

const (
    // RequeueDelayNotReady is the delay before requeueing when resources are not ready.
    RequeueDelayNotReady = 10 // seconds
)
    Requeue delays for reconciliation.

Variables

var (
    // Each value below is built with fmt.Errorf and no format verbs, so it is
    // a fixed sentinel. Callers should match with errors.Is rather than by
    // comparing message text.

    // Reconciliation errors.
    ErrReconcileDeployment = fmt.Errorf("failed to reconcile deployment")
    ErrReconcileService    = fmt.Errorf("failed to reconcile service")
    ErrReconcileIngress    = fmt.Errorf("failed to reconcile ingress")
    ErrUpdateStatus        = fmt.Errorf("failed to update status")
    ErrApplyDefaults       = fmt.Errorf("failed to apply defaults")

    // Validation errors.
    ErrMissingIngressHost = fmt.Errorf("missing ingress host")
    ErrMissingIngressPath = fmt.Errorf("missing ingress path")

    // Resource errors.
    ErrInvalidCPURequest    = fmt.Errorf("invalid CPU request")
    ErrInvalidMemoryRequest = fmt.Errorf("invalid memory request")
    ErrInvalidCPULimit      = fmt.Errorf("invalid CPU limit")
    ErrInvalidMemoryLimit   = fmt.Errorf("invalid memory limit")
)
    Sentinel errors for operator operations.

var DefaultOperatorConfig = LoadOperatorConfig()
    DefaultOperatorConfig is the default configuration loaded at startup.

Functions

func NormalizeIngressReadinessMode(value string) (string, bool)
    NormalizeIngressReadinessMode returns a supported ingress readiness mode.
    Empty or invalid values fall back to strict mode.

Types

type MCPServerReconciler struct {
    client.Client
    Scheme *runtime.Scheme

    // DefaultIngressHost is the default ingress host if not specified in the CR.
    DefaultIngressHost string

    // DefaultIngressEntryPoints is the default Traefik entrypoint annotation for MCP server ingresses.
    DefaultIngressEntryPoints string

    // DefaultIngressTLS enables Traefik TLS routing for MCP server ingresses by default.
    DefaultIngressTLS bool

    // IngressReadinessMode controls how ingress readiness is evaluated.
    IngressReadinessMode string

    // ProvisionedRegistry holds the provisioned registry configuration.
    // If nil or URL is empty, provisioned registry features are disabled.
    ProvisionedRegistry *RegistryConfig

    // GatewayProxyImage is the default image used for the optional MCP gateway sidecar.
    GatewayProxyImage string

    // GatewayOTLPEndpoint is the OTLP/HTTP endpoint injected into MCP gateway sidecars.
    GatewayOTLPEndpoint string

    // DefaultAnalyticsIngestURL is the default analytics ingest endpoint used when analytics is enabled.
    DefaultAnalyticsIngestURL string

    // ClusterName is the cluster label attached to policy and audit events.
    ClusterName string
}
    MCPServerReconciler reconciles an MCPServer object.

func (r *MCPServerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error)
    Reconcile is part of the main Kubernetes reconciliation loop.

func (r *MCPServerReconciler) SetupWithManager(mgr ctrl.Manager) error

type OperatorConfig struct {
    // DefaultIngressHost is the default host for ingress resources.
    DefaultIngressHost string

    // DefaultIngressClass is the ingress class to use.
    DefaultIngressClass string

    // DefaultIngressEntryPoints is the default Traefik entrypoint annotation for MCP server ingresses.
    DefaultIngressEntryPoints string

    // DefaultIngressTLS enables Traefik TLS routing for MCP server ingresses by default.
    DefaultIngressTLS bool

    // IngressReadinessMode controls how ingress readiness is evaluated.
    IngressReadinessMode string

    // ProvisionedRegistryURL is the URL of the provisioned registry.
    ProvisionedRegistryURL string

    // ProvisionedRegistryUsername is the username for the provisioned registry.
    ProvisionedRegistryUsername string

    // ProvisionedRegistryPassword is the password for the provisioned registry.
    // NOTE(review): this is a plaintext credential on an exported struct that
    // is loaded from environment variables and also held in the package-level
    // DefaultOperatorConfig. Do not log or serialize the struct as a whole
    // (for example with %+v); presumably the value is meant to end up only in
    // the Secret named by ProvisionedRegistrySecretName. TODO confirm.
    ProvisionedRegistryPassword string

    // ProvisionedRegistrySecretName is the name of the secret for registry credentials.
    ProvisionedRegistrySecretName string

    // InternalRegistryEndpoint is the internal registry endpoint to use for image refs when not using a provisioned registry.
    InternalRegistryEndpoint string

    // RegistryPullHost is the pullable registry host used in image refs when the operator
    // needs to rewrite images to the platform-managed registry.
    RegistryPullHost string

    // RequeueDelaySeconds is the delay in seconds before requeueing when resources aren't ready.
    RequeueDelaySeconds int

    // GatewayProxyImage is the default image used for the optional MCP gateway sidecar.
    GatewayProxyImage string

    // GatewayOTLPEndpoint is the OTLP/HTTP endpoint injected into MCP gateway sidecars.
    GatewayOTLPEndpoint string

    // AnalyticsIngestURL is the default analytics ingest endpoint for gateway sidecars.
    AnalyticsIngestURL string

    // ClusterName is the cluster label attached to emitted audit events.
    ClusterName string
}
    OperatorConfig holds configuration for the operator loaded from environment
    variables.

func LoadOperatorConfig() *OperatorConfig
    LoadOperatorConfig loads operator configuration from environment variables.

func (c *OperatorConfig) HasProvisionedRegistry() bool
    HasProvisionedRegistry returns true if a provisioned registry is configured.

func (c *OperatorConfig) ToRegistryConfig() *RegistryConfig
    ToRegistryConfig converts the config to a RegistryConfig if provisioned
    registry is enabled.

type RegistryConfig struct {
    URL        string
    Username   string
    Password   string
    SecretName string
}

CLI command routing

Package: root Import path: mcp-runtime/internal/cli/root

Source command:

go doc -all ./internal/cli/root

Overview

Package root provides the CLI command routing layer for the mcp-runtime binary, organized as one folder per command.

Each subpackage owns one top-level Cobra command boundary and uses internal/cli/core for shared CLI infrastructure.


Index

Functions

func AddCommands(root *cobra.Command, logger *zap.Logger)
    AddCommands registers every top-level mcp-runtime command on root.

CLI core

Package: core Import path: mcp-runtime/internal/cli/core

Source command:

go doc -all ./internal/cli/core

Overview

Package cli contains shared CLI infrastructure used by command packages.

Command-specific behavior belongs in the per-command subpackages under internal/cli/; this package is limited to config, constants, errors, runtime composition, process execution, kubectl clients, terminal output, and test doubles.


Index

Constants

const (

    // Exported aliases for tests and subpackages (same values as above).
    DefaultRegistryEndpoint    = defaultRegistryEndpoint
    DefaultRegistryIngressHost = defaultRegistryIngressHost
)
    Default values

const (
    // NamespaceMCPRuntime is the namespace for the MCP runtime operator.
    NamespaceMCPRuntime = "mcp-runtime"

    // NamespaceRegistry is the namespace for the container registry.
    NamespaceRegistry = "registry"

    // NamespaceMCPServers is the default namespace for MCP server deployments.
    NamespaceMCPServers = "mcp-servers"

    // DefaultAnalyticsNamespace is the namespace for the bundled mcp-sentinel stack.
    DefaultAnalyticsNamespace = "mcp-sentinel"
)
    This file defines constants used across the CLI, including:
      - Kubernetes namespace names
      - Deployment and resource names
      - Label selectors
      - Default values

const (
    // OperatorDeploymentName is the name of the operator deployment.
    OperatorDeploymentName = "mcp-runtime-operator-controller-manager"

    // OperatorManagerContainerName is the main manager container in the operator deployment.
    OperatorManagerContainerName = "manager"

    // RegistryDeploymentName is the name of the registry deployment.
    RegistryDeploymentName = "registry"

    // RegistryServiceName is the name of the registry service.
    RegistryServiceName = "registry"

    // RegistryPVCName is the name of the registry persistent volume claim.
    RegistryPVCName = "registry-storage"
)
    Deployment and resource names.

const (
    // MCPServerCRDName is the full name of the MCPServer CRD.
    MCPServerCRDName = "mcpservers.mcpruntime.org"

    // CertManagerCRDName is the full name of the cert-manager Certificate CRD.
    CertManagerCRDName = "certificates.cert-manager.io"
)
    CRD identifiers.

const (
    // LabelApp is the standard app label key.
    LabelApp = "app"

    // LabelManagedBy is the label indicating the managing controller.
    LabelManagedBy = "app.kubernetes.io/managed-by"

    // LabelManagedByValue is the value for the managed-by label.
    LabelManagedByValue = "mcp-runtime"
)
    Labels used for resource identification.

const (
    // SelectorRegistry is the label selector for registry pods.
    SelectorRegistry = "app=registry"

    // SelectorOperator is the label selector for operator pods.
    SelectorOperator = "control-plane=controller-manager"

    // SelectorManagedBy is the label selector for MCP-managed resources.
    SelectorManagedBy = "app.kubernetes.io/managed-by=mcp-runtime"
)
    Selector strings for kubectl queries.

Variables

var (
    // CLI errors.
    ErrImageRequired             = newSentinelError("image is required", errx.CodeCLI, errx.DescCLI)
    ErrInvalidServerName         = newSentinelError("invalid server name", errx.CodeCLI, errx.DescCLI)
    ErrGetWorkingDirectoryFailed = newSentinelError("get working directory", errx.CodeCLI, errx.DescCLI)
    ErrControlCharsNotAllowed    = newSentinelError("value must not contain control characters", errx.CodeCLI, errx.DescCLI)
    ErrFieldRequired             = newSentinelError("field is required", errx.CodeCLI, errx.DescCLI)
    ErrGetHomeDirectoryFailed    = newSentinelError("failed to get home directory", errx.CodeCLI, errx.DescCLI)
    ErrUnknownRegistryMode       = newSentinelError("unknown registry mode", errx.CodeCLI, errx.DescCLI)

    // Auth package errors.
    ErrAuthAPIURLRequired                  = newSentinelError("api URL is required", errx.CodeAuth, errx.DescAuth)
    ErrAuthAPIURLInvalid                   = newSentinelError("api URL must include scheme and host", errx.CodeAuth, errx.DescAuth)
    ErrAuthEmailPasswordRequired           = newSentinelError("email and password are both required for password login", errx.CodeAuth, errx.DescAuth)
    ErrAuthPlatformLoginFailed             = newSentinelError("platform login failed", errx.CodeAuth, errx.DescAuth)
    ErrAuthReadStdinFailed                 = newSentinelError("read stdin", errx.CodeAuth, errx.DescAuth)
    ErrAuthTTYRequired                     = newSentinelError("not a TTY: pass --token, --token-stdin, or run in an interactive terminal", errx.CodeAuth, errx.DescAuth)
    ErrAuthReadTokenFailed                 = newSentinelError("read token", errx.CodeAuth, errx.DescAuth)
    ErrAuthTokenRequired                   = newSentinelError("token is required", errx.CodeAuth, errx.DescAuth)
    ErrAuthTokenVerificationFailed         = newSentinelError("API token could not be verified", errx.CodeAuth, errx.DescAuth)
    ErrAuthLoginHTTPStatus                 = newSentinelError("login HTTP status failed", errx.CodeAuth, errx.DescAuth)
    ErrAuthLoginResponseMissingAccessToken = newSentinelError("login response did not include access_token", errx.CodeAuth, errx.DescAuth)
    ErrAuthServerRejectedToken             = newSentinelError("server rejected the token", errx.CodeAuth, errx.DescAuth)
    ErrAuthAPIURLMayBeWrong                = newSentinelError("API URL may be wrong", errx.CodeAuth, errx.DescAuth)
    ErrAuthVerifyRequestFailed             = newSentinelError("verify request failed", errx.CodeAuth, errx.DescAuth)
    ErrAuthFileDescriptorOutOfRange        = newSentinelError("file descriptor out of range", errx.CodeAuth, errx.DescAuth)

    // Pipeline errors.
    ErrLoadMetadataFailed      = newSentinelError("failed to load metadata", errx.CodePipeline, errx.DescPipeline)
    ErrNoServersInMetadata     = newSentinelError("no servers found in metadata", errx.CodePipeline, errx.DescPipeline)
    ErrGenerateCRDsFailed      = newSentinelError("failed to generate CRDs", errx.CodePipeline, errx.DescPipeline)
    ErrListManifestFilesFailed = newSentinelError("failed to list manifest files", errx.CodePipeline, errx.DescPipeline)
    ErrNoManifestFilesFound    = newSentinelError("no manifest files found", errx.CodePipeline, errx.DescPipeline)
    ErrApplyManifestFailed     = newSentinelError("failed to apply manifest", errx.CodePipeline, errx.DescPipeline)

    // Operator errors.
    ErrOperatorNotFound = newSentinelError("operator not found", errx.CodeOperator, errx.DescOperator)
    ErrOperatorNotReady = newSentinelError("operator not ready", errx.CodeOperator, errx.DescOperator)

    // Setup errors.
    ErrClusterInitFailed                   = newSentinelError("failed to initialize cluster", errx.CodeSetup, errx.DescSetup)
    ErrClusterConfigFailed                 = newSentinelError("cluster configuration failed", errx.CodeSetup, errx.DescSetup)
    ErrTLSSetupFailed                      = newSentinelError("TLS setup failed", errx.CodeSetup, errx.DescSetup)
    ErrDeployRegistryFailed                = newSentinelError("failed to deploy registry", errx.CodeSetup, errx.DescSetup)
    ErrOperatorImageBuildFailed            = newSentinelError("operator image build failed", errx.CodeSetup, errx.DescSetup)
    ErrGatewayProxyImageBuildFailed        = newSentinelError("gateway proxy image build failed", errx.CodeSetup, errx.DescSetup)
    ErrEnsureRegistryNamespaceFailed       = newSentinelError("failed to ensure registry namespace", errx.CodeSetup, errx.DescSetup)
    ErrPushOperatorImageInternalFailed     = newSentinelError("failed to push operator image to internal registry", errx.CodeSetup, errx.DescSetup)
    ErrPushGatewayProxyImageInternalFailed = newSentinelError("failed to push gateway proxy image to internal registry", errx.CodeSetup, errx.DescSetup)
    ErrOperatorDeploymentFailed            = newSentinelError("operator deployment failed", errx.CodeSetup, errx.DescSetup)
    ErrConfigureExternalRegistryEnvFailed  = newSentinelError("failed to configure external registry env on operator", errx.CodeSetup, errx.DescSetup)
    ErrRestartOperatorDeploymentFailed     = newSentinelError("failed to restart operator deployment after registry env update", errx.CodeSetup, errx.DescSetup)
    ErrCRDCheckFailed                      = newSentinelError("CRD check failed", errx.CodeSetup, errx.DescSetup)
    ErrRenderSecretManifestFailed          = newSentinelError("render secret manifest", errx.CodeSetup, errx.DescSetup)
    ErrApplySecretManifestFailed           = newSentinelError("apply secret manifest", errx.CodeSetup, errx.DescSetup)
    ErrMarshalDockerConfigFailed           = newSentinelError("marshal docker config", errx.CodeSetup, errx.DescSetup)
    ErrApplyImagePullSecretFailed          = newSentinelError("apply imagePullSecret", errx.CodeSetup, errx.DescSetup)
    ErrPushImageInClusterFailed            = newSentinelError("failed to push image in-cluster", errx.CodeSetup, errx.DescSetup)
    ErrSetupStepFailed                     = newSentinelError("setup step failed", errx.CodeSetup, errx.DescSetup)
    ErrApplyCRDFailed                      = newSentinelError("failed to apply CRD", errx.CodeSetup, errx.DescSetup)
    ErrEnsureOperatorNamespaceFailed       = newSentinelError("failed to ensure operator namespace", errx.CodeSetup, errx.DescSetup)
    ErrApplyRBACFailed                     = newSentinelError("failed to apply RBAC", errx.CodeSetup, errx.DescSetup)
    ErrReadManagerYAMLFailed               = newSentinelError("failed to read manager.yaml", errx.CodeSetup, errx.DescSetup)
    ErrReadIngressManifestFailed           = newSentinelError("failed to read ingress manifest", errx.CodeSetup, errx.DescSetup)
    ErrParseManagerYAMLFailed              = newSentinelError("failed to parse manager.yaml", errx.CodeSetup, errx.DescSetup)
    ErrSetOperatorImageFailed              = newSentinelError("failed to set operator image", errx.CodeSetup, errx.DescSetup)
    ErrMutateManagerYAMLFailed             = newSentinelError("failed to mutate manager.yaml", errx.CodeSetup, errx.DescSetup)
    ErrRenderManagerYAMLFailed             = newSentinelError("failed to render mutated manager.yaml", errx.CodeSetup, errx.DescSetup)
    ErrCreateTempFileFailed                = newSentinelError("failed to create temp file", errx.CodeSetup, errx.DescSetup)
    ErrCloseTempFileFailed                 = newSentinelError("failed to close temp file", errx.CodeSetup, errx.DescSetup)
    ErrWriteTempFileFailed                 = newSentinelError("failed to write temp file", errx.CodeSetup, errx.DescSetup)
    ErrApplyManagerDeploymentFailed        = newSentinelError("failed to apply manager deployment", errx.CodeSetup, errx.DescSetup)
    ErrClusterIssuerApplyFailed            = newSentinelError("failed to apply ClusterIssuer", errx.CodeSetup, errx.DescSetup)
    ErrCreateRegistryNamespaceFailed       = newSentinelError("failed to create registry namespace", errx.CodeSetup, errx.DescSetup)
    ErrApplyCertificateFailed              = newSentinelError("failed to apply Certificate", errx.CodeSetup, errx.DescSetup)

    // Setup platform package errors.
    ErrSetupImagePlatformNoNodeArchitectures       = newSentinelError("could not resolve setup image platform: no Kubernetes node architectures were reported", errx.CodeSetup, errx.DescSetup)
    ErrSetupImagePlatformMixedNodeArchitectures    = newSentinelError("mixed Kubernetes node architectures detected", errx.CodeSetup, errx.DescSetup)
    ErrSetupImagePlatformMismatch                  = newSentinelError("MCP_IMAGE_PLATFORM does not match Kubernetes node architecture", errx.CodeSetup, errx.DescSetup)
    ErrSetupImagePlatformInvalid                   = newSentinelError("invalid MCP_IMAGE_PLATFORM", errx.CodeSetup, errx.DescSetup)
    ErrSetupImagePlatformUnsupported               = newSentinelError("unsupported MCP_IMAGE_PLATFORM", errx.CodeSetup, errx.DescSetup)
    ErrSetupImagePlatformKubectlNil                = newSentinelError("could not resolve setup image platform: kubectl runner is nil", errx.CodeSetup, errx.DescSetup)
    ErrSetupInspectNodeArchitecturesFailed         = newSentinelError("could not inspect Kubernetes node architectures", errx.CodeSetup, errx.DescSetup)
    ErrSetupInvalidStorageMode                     = newSentinelError("invalid storage mode", errx.CodeSetup, errx.DescSetup)
    ErrSetupInvalidPlatformMode                    = newSentinelError("invalid platform mode", errx.CodeSetup, errx.DescSetup)
    ErrSetupInvalidRegistryMode                    = newSentinelError("invalid registry mode", errx.CodeSetup, errx.DescSetup)
    ErrSetupSetRuntimeTestModeFailed               = newSentinelError("set MCP_RUNTIME_TEST_MODE", errx.CodeSetup, errx.DescSetup)
    ErrSetupUnsetRuntimeTestModeFailed             = newSentinelError("unset MCP_RUNTIME_TEST_MODE", errx.CodeSetup, errx.DescSetup)
    ErrSetupSetPlatformModeFailed                  = newSentinelError("set MCP_PLATFORM_MODE", errx.CodeSetup, errx.DescSetup)
    ErrSetupListTraefikDeploymentsFailed           = newSentinelError("list traefik deployments", errx.CodeSetup, errx.DescSetup)
    ErrSetupMarshalTraefikDeploymentPatchFailed    = newSentinelError("marshal traefik deployment patch", errx.CodeSetup, errx.DescSetup)
    ErrSetupReadTraefikDeploymentFailed            = newSentinelError("read traefik deployment", errx.CodeSetup, errx.DescSetup)
    ErrSetupDecodeTraefikDeploymentFailed          = newSentinelError("decode traefik deployment", errx.CodeSetup, errx.DescSetup)
    ErrSetupDeploymentReadinessDeadlineExceeded    = newSentinelError("deployment readiness deadline exceeded", errx.CodeSetup, errx.DescSetup)
    ErrSetupTLSKubectlRunnerNil                    = newSentinelError("kubectl runner is nil", errx.CodeSetup, errx.DescSetup)
    ErrSetupInspectClusterIssuerFailed             = newSentinelError("inspect ClusterIssuer", errx.CodeSetup, errx.DescSetup)
    ErrSetupTLSCertificateSANsEmpty                = newSentinelError("no DNS names or IP addresses resolved for the Certificate", errx.CodeSetup, errx.DescSetup)
    ErrSetupDeleteClickHouseInitJobFailed          = newSentinelError("delete existing clickhouse init job", errx.CodeSetup, errx.DescSetup)
    ErrSetupAnalyticsRolloutFailed                 = newSentinelError("analytics components failed to roll out", errx.CodeSetup, errx.DescSetup)
    ErrSetupRenderManifestFailed                   = newSentinelError("render manifest", errx.CodeSetup, errx.DescSetup)
    ErrSetupApplyPlatformUIIngressFailed           = newSentinelError("apply platform UI ingress", errx.CodeSetup, errx.DescSetup)
    ErrSetupRemovePathBasedSentinelIngressesFailed = newSentinelError("remove path-based sentinel ingresses for public platform host", errx.CodeSetup, errx.DescSetup)
    ErrSetupDecodeAnalyticsConfigManifestFailed    = newSentinelError("decode analytics config manifest", errx.CodeSetup, errx.DescSetup)
    ErrSetupEncodeAnalyticsConfigManifestFailed    = newSentinelError("encode analytics config manifest", errx.CodeSetup, errx.DescSetup)
    ErrSetupReadConfigMapFailed                    = newSentinelError("read configmap", errx.CodeSetup, errx.DescSetup)
    ErrSetupDecodeConfigMapFailed                  = newSentinelError("decode configmap", errx.CodeSetup, errx.DescSetup)
    ErrSetupReadSecretKeyFailed                    = newSentinelError("read secret key", errx.CodeSetup, errx.DescSetup)
    ErrSetupDecodeSecretKeyFailed                  = newSentinelError("decode secret key", errx.CodeSetup, errx.DescSetup)

    // Cert errors.
    ErrCertManagerNotInstalled     = newSentinelError("cert-manager not installed", errx.CodeCert, errx.DescCert)
    ErrCertManagerInstallFailed    = newSentinelError("cert-manager install failed", errx.CodeCert, errx.DescCert)
    ErrCASecretNotFound            = newSentinelError("CA secret not found", errx.CodeCert, errx.DescCert)
    ErrCertificateNotReady         = newSentinelError("certificate not ready", errx.CodeCert, errx.DescCert)
    ErrClusterIssuerNotFound       = newSentinelError("ClusterIssuer not found", errx.CodeCert, errx.DescCert)
    ErrRegistryCertificateNotFound = newSentinelError("registry Certificate not found", errx.CodeCert, errx.DescCert)

    // Certmanager package errors.
    ErrCertEncodeGeneratedCAFailed         = newSentinelError("failed to encode generated internal CA", errx.CodeCert, errx.DescCert)
    ErrCertLookupRegistryIngressFailed     = newSentinelError("failed to look up registry ingress", errx.CodeCert, errx.DescCert)
    ErrCertRemoveRegistryIngressAnnotation = newSentinelError("failed to remove cert-manager.io/cluster-issuer from registry ingress", errx.CodeCert, errx.DescCert)
    ErrCertRegistryTLSSecretConflict       = newSentinelError("registry TLS secret is already referenced by Certificate(s)", errx.CodeCert, errx.DescCert)
    ErrCertListCertificatesFailed          = newSentinelError("failed to list cert-manager Certificates", errx.CodeCert, errx.DescCert)
    ErrCertParseCertificatesFailed         = newSentinelError("failed to parse cert-manager Certificates", errx.CodeCert, errx.DescCert)
    ErrCertACMEPublicDNSNameRequired       = newSentinelError("ACME public CA requires a public DNS name", errx.CodeCert, errx.DescCert)
    ErrCertACMEPublicDNSNameInvalid        = newSentinelError("ACME public CA requires a public DNS name; invalid host", errx.CodeCert, errx.DescCert)
    ErrCertACMEIngressManifestInvalid      = newSentinelError("http-01 ingress manifest is not valid for Let's Encrypt", errx.CodeCert, errx.DescCert)
    ErrCertTraefikNotReady                 = newSentinelError("traefik not ready", errx.CodeCert, errx.DescCert)
    ErrCertACMEEmailRequired               = newSentinelError("ACME email is required", errx.CodeCert, errx.DescCert)
    ErrCertCertificateSANsEmpty            = newSentinelError("TLS has no DNS names or IP addresses to request", errx.CodeCert, errx.DescCert)

    // Cluster errors.
    ErrCRDNotInstalled                = newSentinelError("MCPServer CRD not installed", errx.CodeCluster, errx.DescCluster)
    ErrClusterNotAccessible           = newSentinelError("cluster not accessible", errx.CodeCluster, errx.DescCluster)
    ErrNamespaceNotFound              = newSentinelError("namespace not found", errx.CodeCluster, errx.DescCluster)
    ErrDeploymentTimeout              = newSentinelError("deployment timed out waiting for readiness", errx.CodeCluster, errx.DescCluster)
    ErrInstallCRDFailed               = newSentinelError("failed to install CRD", errx.CodeCluster, errx.DescCluster)
    ErrEnsureRuntimeNamespaceFailed   = newSentinelError("failed to ensure mcp-runtime namespace", errx.CodeCluster, errx.DescCluster)
    ErrEnsureServersNamespaceFailed   = newSentinelError("failed to ensure mcp-servers namespace", errx.CodeCluster, errx.DescCluster)
    ErrKubeconfigNotReadable          = newSentinelError("kubeconfig not found or not readable", errx.CodeCluster, errx.DescCluster)
    ErrSetKubeconfigFailed            = newSentinelError("failed to set KUBECONFIG", errx.CodeCluster, errx.DescCluster)
    ErrSetContextFailed               = newSentinelError("failed to set context", errx.CodeCluster, errx.DescCluster)
    ErrAKSKubeconfigNotImplemented    = newSentinelError("AKS kubeconfig not yet implemented", errx.CodeCluster, errx.DescCluster)
    ErrGKEKubeconfigNotImplemented    = newSentinelError("GKE kubeconfig not yet implemented", errx.CodeCluster, errx.DescCluster)
    ErrUnsupportedProvider            = newSentinelError("unsupported provider", errx.CodeCluster, errx.DescCluster)
    ErrInvalidClusterName             = newSentinelError("invalid cluster name", errx.CodeCluster, errx.DescCluster)
    ErrInvalidNodeCount               = newSentinelError("invalid node count", errx.CodeCluster, errx.DescCluster)
    ErrUnsupportedIngressController   = newSentinelError("unsupported ingress controller", errx.CodeCluster, errx.DescCluster)
    ErrInstallIngressControllerFailed = newSentinelError("failed to install ingress controller", errx.CodeCluster, errx.DescCluster)
    ErrCreateKindConfigFailed         = newSentinelError("failed to create temp kind config", errx.CodeCluster, errx.DescCluster)
    ErrCloseKindConfigFailed          = newSentinelError("failed to close kind config", errx.CodeCluster, errx.DescCluster)
    ErrWriteKindConfigFailed          = newSentinelError("failed to write kind config", errx.CodeCluster, errx.DescCluster)
    ErrCreateKindClusterFailed        = newSentinelError("failed to create kind cluster", errx.CodeCluster, errx.DescCluster)
    ErrDockerDaemonNotReachable       = newSentinelError("docker daemon not reachable", errx.CodeCluster, errx.DescCluster)
    ErrKindClusterAlreadyExists       = newSentinelError("kind cluster already exists", errx.CodeCluster, errx.DescCluster)
    ErrGKEProvisioningNotImplemented  = newSentinelError("GKE provisioning not yet implemented", errx.CodeCluster, errx.DescCluster)
    ErrProvisionEKSFailed             = newSentinelError("failed to provision EKS cluster", errx.CodeCluster, errx.DescCluster)
    ErrAKSProvisioningNotImplemented  = newSentinelError("AKS provisioning not yet implemented", errx.CodeCluster, errx.DescCluster)

    // Cluster doctor package errors.
    ErrDoctorResourceNotFoundBeforeTimeout = newSentinelError("resource not found before timeout", errx.CodeCluster, errx.DescCluster)
    ErrDoctorDeploymentRolloutFailed       = newSentinelError("deployment rollout failed", errx.CodeCluster, errx.DescCluster)
    ErrDoctorPodsNotScheduledBeforeTimeout = newSentinelError("no scheduled pod found before timeout", errx.CodeCluster, errx.DescCluster)
    ErrDoctorDecodeBase64Failed            = newSentinelError("decode base64 value", errx.CodeCluster, errx.DescCluster)
    ErrDoctorImagePullStatusFailed         = newSentinelError("pod image pull status failed", errx.CodeCluster, errx.DescCluster)
    ErrDoctorPodPhaseFailed                = newSentinelError("pod phase Failed", errx.CodeCluster, errx.DescCluster)
    ErrDoctorKubectlError                  = newSentinelError("kubectl error", errx.CodeCluster, errx.DescCluster)
    ErrDoctorTraefikServiceNotFound        = newSentinelError("traefik service not found", errx.CodeCluster, errx.DescCluster)
    ErrDoctorDeploymentNotFound            = newSentinelError("deployment not found", errx.CodeCluster, errx.DescCluster)
    ErrDoctorUnexpectedReplicaStatus       = newSentinelError("unexpected replica status", errx.CodeCluster, errx.DescCluster)

    // Registry errors.
    ErrRegistryNotReady             = newSentinelError("registry not ready", errx.CodeRegistry, errx.DescRegistry)
    ErrRegistryNotFound             = newSentinelError("registry not found", errx.CodeRegistry, errx.DescRegistry)
    ErrBuildOperatorImageFailed     = newSentinelError("failed to build operator image", errx.CodeRegistry, errx.DescRegistry)
    ErrPushOperatorImageFailed      = newSentinelError("failed to push operator image", errx.CodeRegistry, errx.DescRegistry)
    ErrBuildGatewayProxyImageFailed = newSentinelError("failed to build gateway proxy image", errx.CodeRegistry, errx.DescRegistry)
    ErrPushGatewayProxyImageFailed  = newSentinelError("failed to push gateway proxy image", errx.CodeRegistry, errx.DescRegistry)
    ErrUnsupportedRegistryType      = newSentinelError("unsupported registry type", errx.CodeRegistry, errx.DescRegistry)
    ErrEnsureNamespaceFailed        = newSentinelError("failed to ensure namespace", errx.CodeRegistry, errx.DescRegistry)
    ErrReadRegistryStorageFailed    = newSentinelError("failed to read current registry storage size", errx.CodeRegistry, errx.DescRegistry)
    ErrUpdateRegistryStorageFailed  = newSentinelError("failed to update registry storage size", errx.CodeRegistry, errx.DescRegistry)
    ErrRegistryLoginFailed          = newSentinelError("failed to login to registry", errx.CodeRegistry, errx.DescRegistry)
    ErrTagImageFailed               = newSentinelError("failed to tag image", errx.CodeRegistry, errx.DescRegistry)
    ErrPushImageFailed              = newSentinelError("failed to push image", errx.CodeRegistry, errx.DescRegistry)
    ErrHelperNamespaceNotFound      = newSentinelError("helper namespace not found", errx.CodeRegistry, errx.DescRegistry)
    ErrSaveImageFailed              = newSentinelError("failed to save image", errx.CodeRegistry, errx.DescRegistry)
    ErrStartHelperPodFailed         = newSentinelError("failed to start helper pod", errx.CodeRegistry, errx.DescRegistry)
    ErrHelperPodNotReady            = newSentinelError("helper pod not ready", errx.CodeRegistry, errx.DescRegistry)
    ErrCopyImageToHelperFailed      = newSentinelError("failed to copy image tar to helper pod", errx.CodeRegistry, errx.DescRegistry)
    ErrPushImageFromHelperFailed    = newSentinelError("failed to push image from helper pod", errx.CodeRegistry, errx.DescRegistry)

    // Config errors.
    ErrRegistryURLRequired           = newSentinelError("registry url is required", errx.CodeConfig, errx.DescConfig)
    ErrRegistryURLMissingInConfig    = newSentinelError("registry url missing in config", errx.CodeConfig, errx.DescConfig)
    ErrSaveRegistryConfigFailed      = newSentinelError("failed to save registry config", errx.CodeConfig, errx.DescConfig)
    ErrReadRegistryConfigFailed      = newSentinelError("failed to read registry config", errx.CodeConfig, errx.DescConfig)
    ErrUnmarshalRegistryConfigFailed = newSentinelError("failed to unmarshal registry config", errx.CodeConfig, errx.DescConfig)

    // Build errors.
    ErrBuildImageFailed         = newSentinelError("failed to build image", errx.CodeBuild, errx.DescBuild)
    ErrMetadataFileNotFound     = newSentinelError("metadata file not found", errx.CodeBuild, errx.DescBuild)
    ErrServerNotFoundInMetadata = newSentinelError("server not found in metadata", errx.CodeBuild, errx.DescBuild)
    ErrMarshalMetadataFailed    = newSentinelError("failed to marshal metadata", errx.CodeBuild, errx.DescBuild)
    ErrWriteMetadataFailed      = newSentinelError("failed to write metadata", errx.CodeBuild, errx.DescBuild)

    // Server errors.
    ErrMarshalManifestFailed = newSentinelError("failed to marshal manifest", errx.CodeServer, errx.DescServer)
    ErrWriteManifestFailed   = newSentinelError("failed to write manifest", errx.CodeServer, errx.DescServer)
    ErrInvalidFilePath       = newSentinelError("invalid file path", errx.CodeServer, errx.DescServer)
    ErrFileNotAccessible     = newSentinelError("cannot access file", errx.CodeServer, errx.DescServer)
    ErrFileIsDirectory       = newSentinelError("path is a directory, not a file", errx.CodeServer, errx.DescServer)
    ErrGetMCPServerFailed    = newSentinelError("kubectl get mcpserver failed", errx.CodeServer, errx.DescServer)
    ErrListServersFailed     = newSentinelError("failed to list servers", errx.CodeServer, errx.DescServer)
    ErrCreateServerFailed    = newSentinelError("failed to create server", errx.CodeServer, errx.DescServer)
    ErrDeleteServerFailed    = newSentinelError("failed to delete server", errx.CodeServer, errx.DescServer)
    ErrViewServerLogsFailed  = newSentinelError("failed to view server logs", errx.CodeServer, errx.DescServer)
)
    Sentinel errors for CLI operations. Errors are defined and registered in one
    step using newSentinelError to eliminate redundancy.

var DefaultCLIConfig = LoadCLIConfig()
    DefaultCLIConfig is the global CLI configuration loaded at startup.

var DefaultPrinter = &Printer{}
    DefaultPrinter is the default printer instance used by package-level
    functions.

var ValidK8sName = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
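    ValidK8sName matches Kubernetes resource name requirements (RFC 1123
    subdomain). The pattern itself is the single-label form: it accepts no dots
    and places no bound on length, so length limits (63 characters for a DNS
    label, 253 for a subdomain) have to be enforced separately.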

Functions

func Cyan(msg string) string
    Cyan returns cyan text.

func Error(msg string)
    Error prints an error message.

func GetAnalyticsIngestURLOverride() string
    GetAnalyticsIngestURLOverride returns the analytics ingest URL override,
    empty if not set.

func GetCertTimeout() time.Duration
    GetCertTimeout returns the certificate issuance timeout.

func GetClusterName() string
    GetClusterName returns the cluster label attached to analytics/audit events.

func GetDefaultServerPort() int
    GetDefaultServerPort returns the default MCP server port.

func GetDeploymentTimeout() time.Duration
    GetDeploymentTimeout returns the deployment wait timeout.

func GetGatewayOTLPEndpointOverride() string
    GetGatewayOTLPEndpointOverride returns the gateway OTLP endpoint override,
    empty if not set.

func GetGatewayProxyImageOverride() string
    GetGatewayProxyImageOverride returns the gateway proxy image override,
    empty if not set.

func GetHelperPodTimeout() time.Duration
    GetHelperPodTimeout returns the helper pod ready timeout (e.g. registry
    pusher pod).

func GetMcpIngressHost() string
    GetMcpIngressHost returns the public MCP / gateway host (mcp.<domain> when
    MCP_PLATFORM_DOMAIN is set), or empty if not configured.

func GetOperatorImageOverride() string
    GetOperatorImageOverride returns the operator image override, empty if not
    set.

func GetPlatformIngressHost() string
    GetPlatformIngressHost returns the public dashboard UI host
    (platform.<domain> when MCP_PLATFORM_DOMAIN is set), or empty if not
    configured. When empty the dev path-based routing on the gateway ingress is
    used.

func GetRegistryClusterIssuerName() string
    GetRegistryClusterIssuerName returns the setup-selected cert-manager
    ClusterIssuer name (empty if unset).

func GetRegistryEndpoint() string
    GetRegistryEndpoint returns the configured registry endpoint for image refs
    and pushes.

func GetRegistryIngressHost() string
    GetRegistryIngressHost returns the configured registry ingress host.

func GetRegistryPort() int
    GetRegistryPort returns the registry port.

func GetSkopeoImage() string
    GetSkopeoImage returns the skopeo image for in-cluster operations.

func Green(msg string) string
    Green returns green text.

func Header(title string)
    Header prints a header banner.

func Info(msg string)
    Info prints an info message.

func IsDebugMode() bool
    IsDebugMode returns whether debug mode is enabled.

func LogStructuredError(logger *zap.Logger, err error, msg string)

func NewSetupStepFailedError() error

func NewWithSentinel(base error, msg string) error

func Red(msg string) string
    Red returns red text.

func ResolveEmailAlias(email, username string) (string, error)
    ResolveEmailAlias returns the single account email represented by --email
    and the deprecated/alias --username flag.

func Section(title string)
    Section prints a section header.

func SetDebugMode(enabled bool)
    SetDebugMode sets the global debug mode flag. When enabled,
    LogStructuredError will output structured error logs to the terminal.

func SpinnerStart(msg string) func(success bool, finalMsg string)
    SpinnerStart starts a spinner.

func Step(title string)
    Step prints a step header.

func Success(msg string)
    Success prints a success message.

func SwapDefaultKubectlClient(c *KubectlClient) (restore func())
    SwapDefaultKubectlClient replaces the shared kubectl client (tests only).

func SwapExecExecutor(e Executor) (restore func())
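    SwapExecExecutor replaces the global process executor and returns a
    function that restores the previous one. Tests only: the function is
    exported, so the restriction is a convention rather than something the
    package enforces; non-test code should obtain the executor through
    DefaultExecutor.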

func Table(data [][]string)
    Table prints a table.

func TableBoxed(data [][]string)
    TableBoxed prints a boxed table.

func ValidateK8sNameAndNamespace(nameLabel string, nameSentinel error, name, namespace string) (string, string, error)
    ValidateK8sNameAndNamespace validates a name+namespace pair against RFC-1123
    subdomain rules plus ValidateManifestField. nameLabel customizes the
    invalid-name error message ("server name", "resource name"); nameSentinel
    (may be nil) selects the sentinel error category.

func ValidateManifestField(field, value string) (string, error)
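    ValidateManifestField rejects values containing control characters,
    requires the value to be non-empty after trimming, and returns the
    trimmed value. Callers should use the returned string, not the original
    input, when building manifests or command arguments.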

func Warn(msg string)
    Warn prints a warning message.

func WrapWithSentinel(base, cause error, msg string) error

func WrapWithSentinelAndContext(base, cause error, msg string, context map[string]any) error

func Yellow(msg string) string
    Yellow returns yellow text.

Types

type CLIConfig struct {
    // Timeouts
    DeploymentTimeout time.Duration
    CertTimeout       time.Duration
    HelperPodTimeout  time.Duration

    // Registry settings
    RegistryPort        int
    RegistryEndpoint    string
    RegistryIngressHost string
    // McpIngressHost is the public gateway / MCP host (e.g. mcp.mcpruntime.com), from
    // MCP_MCP_INGRESS_HOST or mcp.<MCP_PLATFORM_DOMAIN>. Empty if unset.
    McpIngressHost string
    // PlatformIngressHost is the public dashboard UI host (e.g. platform.mcpruntime.com), from
    // MCP_PLATFORM_INGRESS_HOST or platform.<MCP_PLATFORM_DOMAIN>. Empty falls back to path-based dev routing.
    PlatformIngressHost string
    // RegistryClusterIssuerName is the cert-manager ClusterIssuer selected by
    // setup --with-tls for TLS-rendered resources (e.g. platform UI ingress).
    // The registry Secret itself is owned by an explicit registry-cert Certificate.
    RegistryClusterIssuerName string
    SkopeoImage               string
    OperatorImage             string // Override for operator image
    GatewayProxyImage         string // Optional default image for the MCP gateway sidecar
    ImagePlatform             string // Optional Docker image platform for setup-built images, e.g. linux/amd64
    GatewayOTLPEndpoint       string // Optional OTLP/HTTP endpoint for MCP gateway sidecar tracing
    AnalyticsIngestURL        string // Optional analytics ingest URL override for the MCP gateway sidecar
    IngressReadinessMode      string // Optional operator ingress readiness mode: strict or permissive
    ClusterName               string // Optional cluster label attached to analytics/audit events

    // Server defaults
    DefaultServerPort int

    // External/Provisioned registry credentials
    ProvisionedRegistryURL      string
    ProvisionedRegistryUsername string
    ProvisionedRegistryPassword string
}
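    CLIConfig holds all CLI configuration loaded from environment variables.
    Use LoadCLIConfig() to create an instance with values from the environment.
    The struct carries ProvisionedRegistryPassword alongside non-secret
    settings, so avoid logging or printing a CLIConfig value wholesale (for
    example with %+v) and redact that field in diagnostics.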

func LoadCLIConfig() *CLIConfig
    LoadCLIConfig loads CLI configuration from environment variables.

type Command interface {
    Output() ([]byte, error)
    CombinedOutput() ([]byte, error)
    Run() error
    SetStdout(w io.Writer)
    SetStderr(w io.Writer)
    SetStdin(r io.Reader)
}
    Command represents a command that can be executed.

func ExecCommandWithValidators(name string, args []string, validators ...ExecValidator) (Command, error)
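    ExecCommandWithValidators runs the named binary with args after validators
    pass. The validators parameter is variadic and this page does not say
    whether any checks apply when none are supplied, so pass the intended
    validators (AllowlistBins, NoControlChars, NoShellMeta, PathUnder)
    explicitly rather than relying on a default.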

type ExecSpec struct {
    Name string
    Args []string
}

type ExecValidator func(ExecSpec) error

func AllowlistBins(allowed ...string) ExecValidator

func NoControlChars() ExecValidator

func NoShellMeta() ExecValidator

func PathUnder(root string) ExecValidator

type Executor interface {
    Command(name string, args []string, validators ...ExecValidator) (Command, error)
}
    Executor creates commands for execution.

func DefaultExecutor() Executor
    DefaultExecutor returns the shared process executor used by CLI commands.

type KubectlClient struct {
    // Has unexported fields.
}
    KubectlClient wraps kubectl command execution with validation.

func DefaultKubectlClient() *KubectlClient
    DefaultKubectlClient returns the shared kubectl client used by CLI commands.

func NewKubectlClient(exec Executor) (*KubectlClient, error)
    NewKubectlClient creates a KubectlClient with default validators.

func NewTestKubectlClient(exec Executor) *KubectlClient
    NewTestKubectlClient returns a KubectlClient for tests (no path
    validators). Because that validation is skipped, use NewKubectlClient
    outside test code.

func NewTestKubectlClientWithValidators(exec Executor, validators []ExecValidator) *KubectlClient
    NewTestKubectlClientWithValidators returns a KubectlClient for tests using
    the given validator list (or nil for none).

func (c *KubectlClient) CombinedOutput(args []string) ([]byte, error)
    CombinedOutput runs kubectl with the given arguments and returns combined
    stdout/stderr.

func (c *KubectlClient) CommandArgs(args []string) (Command, error)
    CommandArgs builds a kubectl command with the given arguments. Validates
    arguments against configured validators before building.

func (c *KubectlClient) Output(args []string) ([]byte, error)
    Output runs kubectl with the given arguments and returns stdout.

func (c *KubectlClient) Run(args []string) error
    Run runs kubectl with the given arguments.

func (c *KubectlClient) RunWithOutput(args []string, stdout, stderr io.Writer) error
    RunWithOutput runs kubectl with the given arguments, piping to the provided
    writers.

type KubectlRunner interface {
    CommandArgs(args []string) (Command, error)
    Run(args []string) error
    RunWithOutput(args []string, stdout, stderr io.Writer) error
}
    KubectlRunner captures the kubectl methods used by setup helpers.

func DefaultKubectlRunner() KubectlRunner
    DefaultKubectlRunner returns the shared kubectl runner used by CLI commands.

type MockCommand struct {
    Args       []string
    OutputData []byte
    OutputErr  error
    RunErr     error
    StdoutW    io.Writer
    StderrW    io.Writer
    StdinR     io.Reader
    RunFunc    func() error
}
    MockCommand is a test double for Command interface.

func (m *MockCommand) CombinedOutput() ([]byte, error)

func (m *MockCommand) Output() ([]byte, error)

func (m *MockCommand) Run() error

func (m *MockCommand) SetStderr(w io.Writer)

func (m *MockCommand) SetStdin(r io.Reader)

func (m *MockCommand) SetStdout(w io.Writer)

type MockExecutor struct {
    // Commands records all commands that were created.
    Commands []ExecSpec
    // DefaultOutput is returned by commands when CommandFunc is nil.
    DefaultOutput []byte
    // DefaultErr is the error returned by Output/CombinedOutput.
    DefaultErr error
    // DefaultRunErr is the error returned by Run.
    DefaultRunErr error
    // CommandFunc allows custom behavior per command.
    CommandFunc func(spec ExecSpec) *MockCommand
}
    MockExecutor is a test double for Executor interface.

func (m *MockExecutor) Command(name string, args []string, validators ...ExecValidator) (Command, error)

func (m *MockExecutor) HasCommand(name string) bool
    HasCommand checks if a command with the given name was executed.

func (m *MockExecutor) LastCommand() ExecSpec
    LastCommand returns the most recent command spec.

func (m *MockExecutor) Reset()
    Reset clears recorded commands.

type Printer struct {
    // Quiet suppresses non-essential output
    Quiet bool
    // Writer overrides the output destination when set.
    Writer io.Writer
}
    Printer provides formatted terminal output methods. Use the default instance
    via package-level functions.

func (p *Printer) Cyan(msg string) string
    Cyan returns cyan-colored text.

func (p *Printer) Error(msg string)
    Error prints an error message. Note: Errors are intentionally not suppressed
    in quiet mode to ensure critical issues are always visible, even when
    non-essential output is disabled.

func (p *Printer) Green(msg string) string
    Green returns green-colored text.

func (p *Printer) Header(title string)
    Header prints a full-width header banner.

func (p *Printer) Info(msg string)
    Info prints an informational message.

func (p *Printer) Printf(format string, a ...interface{})
    Printf prints formatted text.

func (p *Printer) Println(a ...interface{})
    Println prints a plain line.

func (p *Printer) Red(msg string) string
    Red returns red-colored text.

func (p *Printer) Section(title string)
    Section prints a prominent section header.

func (p *Printer) SpinnerStart(msg string) func(success bool, finalMsg string)
    SpinnerStart starts a spinner with the given message. Returns a stop
    function.

func (p *Printer) Step(title string)
    Step prints a step indicator (e.g., "Step 1: Initialize").

func (p *Printer) Success(msg string)
    Success prints a success message.

func (p *Printer) Table(data [][]string)
    Table prints a formatted table. First row is treated as header.

func (p *Printer) TableBoxed(data [][]string)
    TableBoxed prints a formatted table with box borders.

func (p *Printer) Warn(msg string)
    Warn prints a warning message. Note: Warnings are intentionally not
    suppressed in quiet mode to ensure important notices are visible even when
    non-essential output is disabled.

func (p *Printer) Yellow(msg string) string
    Yellow returns yellow-colored text.

type Runtime struct {
    // Has unexported fields.
}
    Runtime is the shared CLI facade for wiring common dependencies once and
    handing typed managers to the foldered command packages.

func NewRuntime(logger *zap.Logger) *Runtime
    NewRuntime builds the shared CLI runtime facade.

func (r *Runtime) Config() *CLIConfig
    Config returns the loaded CLI configuration.

func (r *Runtime) Executor() Executor
    Executor returns the shared process executor.

func (r *Runtime) KubectlClient() *KubectlClient
    KubectlClient returns the shared kubectl client.

func (r *Runtime) KubectlRunner() KubectlRunner
    KubectlRunner returns the shared kubectl runner.

func (r *Runtime) Logger() *zap.Logger
    Logger returns the shared logger.

func (r *Runtime) Printer() *Printer
    Printer returns the shared terminal printer.

CLI Kubernetes helpers

Package: kube Import path: mcp-runtime/internal/cli/kube

Source command:

go doc -all ./internal/cli/kube

Overview

Package kube contains shared kubectl-oriented helpers for CLI commands.


Functions

func ApplyManifestContent[T Command](commandArgs func([]string) (T, error), manifest string) error
    ApplyManifestContent applies manifest YAML from a string via kubectl stdin.

func ApplyManifestContentWithNamespace[T Command](commandArgs func([]string) (T, error), manifest, namespace string) error
    ApplyManifestContentWithNamespace applies manifest YAML from stdin,
    optionally scoped to a namespace.

func ApplyManifestFromFile[T Command](commandArgs func([]string) (T, error), file string, stdout, stderr io.Writer) error
    ApplyManifestFromFile applies a manifest file using kubectl.

func EnsureNamespace[T Command](commandArgs func([]string) (T, error), name string) error
    EnsureNamespace applies/creates a namespace idempotently.

func EnsureNamespaceWithLabels[T Command](commandArgs func([]string) (T, error), name string, labels map[string]string) error
    EnsureNamespaceWithLabels applies/creates a namespace idempotently and sets
    labels via kubectl apply. Labels already present on an existing namespace
    are preserved unless the same key is also supplied here (kubectl apply
    will set them to the new value). Pass nil/empty labels for a label-less
    namespace.

func NormalizePatchDocument(raw string) (string, error)
    NormalizePatchDocument parses YAML or JSON patch content and returns a JSON
    string suitable for kubectl patch --type=json (or merge) style inputs.

func NormalizePatchFile(file string) (string, error)
    NormalizePatchFile reads a patch file from disk and returns normalized JSON
    like NormalizePatchDocument.

func ReadFileAtPath(path string) ([]byte, error)
    ReadFileAtPath reads a regular file and does not follow symlinks that
    escape the file's parent directory.

func ResolveRegularFilePath(file string) (string, error)
    ResolveRegularFilePath resolves a path and rejects directories.

func WriteOutputFile(file string, data []byte) error
    WriteOutputFile writes data to a path under a resolved parent directory with
    0600 file permissions and 0750 (or tighter) directory permissions.

Types

type Command interface {
    SetStdin(io.Reader)
    SetStdout(io.Writer)
    SetStderr(io.Writer)
    Run() error
}
    Command is the minimal command shape needed for stdin-based kubectl apply.

CLI Kubernetes errors

Package: kubeerr Import path: mcp-runtime/internal/cli/kubeerr

Source command:

go doc -all ./internal/cli/kubeerr

Overview

No package overview is documented.


Constants

const DirectModeGuidance = "Direct Kubernetes mode requires admin/operator cluster access. Use the platform API for normal CLI operations: `mcp-runtime auth login --api-url <platform-url>`."
    DirectModeGuidance explains the boundary for explicit --use-kube operations.

Functions

func CommandDetail(output string, fallback error) string
    CommandDetail extracts a single-line error detail from kubectl output or the
    exec error.

func DirectModeFailureMessage(prefix, detail string) string
    DirectModeFailureMessage appends shared direct Kubernetes mode guidance to a
    command failure.

func DirectModeHint(detail string) string
    DirectModeHint returns guidance for explicit --use-kube failures.

func SetupHint(detail string) (string, bool)
    SetupHint returns a friendlier message when the cluster has not been
    provisioned yet.

func WithDirectModeHint(detail string) string
    WithDirectModeHint appends explicit --use-kube guidance to a command failure
    detail.

CLI cluster

Package: cluster Import path: mcp-runtime/internal/cli/cluster

Source command:

go doc -all ./internal/cli/cluster

Overview

Package cluster owns routing for the cluster top-level command.

Package cluster implements cluster operations for the cluster CLI command.


Functions

func New(runtime *core.Runtime) *cobra.Command
    New returns the cluster command.

func NewWithManager(mgr *ClusterManager) *cobra.Command
    NewWithManager returns the cluster command using the provided manager.

Types

type ClusterManager struct {
    // Has unexported fields.
}
    ClusterManager handles cluster operations with injected dependencies.

func DefaultClusterManager(logger *zap.Logger) *ClusterManager
    DefaultClusterManager returns a ClusterManager using default clients.

func NewClusterManager(kubectl *core.KubectlClient, exec core.Executor, logger *zap.Logger) *ClusterManager
    NewClusterManager creates a ClusterManager with the given dependencies.

func (m *ClusterManager) CheckClusterStatus() error
    CheckClusterStatus checks and displays cluster status.

func (m *ClusterManager) ConfigureCluster(opts IngressOptions) error
    ConfigureCluster configures cluster settings like ingress.

func (m *ClusterManager) ConfigureClusterWithValues(mode, manifest string, force bool) error
    ConfigureClusterWithValues adapts exported flag values into the internal
    ingress options shape.

func (m *ClusterManager) ConfigureKubeconfig(kubeconfig, context string) error
    ConfigureKubeconfig sets KUBECONFIG and optionally switches context.

func (m *ClusterManager) ConfigureKubeconfigFromProvider(provider, region, clusterName, resourceGroup, project, zone, kubeconfig string) error
    ConfigureKubeconfigFromProvider updates kubeconfig using a cloud provider
    CLI.

func (m *ClusterManager) EnsureNamespace(name string) error
    EnsureNamespace applies/creates a namespace idempotently.

func (m *ClusterManager) InitCluster(kubeconfig, context string) error
    InitCluster initializes cluster configuration.

func (m *ClusterManager) KubectlRunner() core.KubectlRunner
    KubectlRunner exposes the shared kubectl runner for foldered command
    routing.

func (m *ClusterManager) Logger() *zap.Logger
    Logger exposes the shared logger for foldered command routing.

func (m *ClusterManager) ProvisionCluster(provider, region string, nodeCount int, clusterName string, dryRun bool) error
    ProvisionCluster provisions a new Kubernetes cluster. When dryRun is true,
    it prints the configuration and command that would run without creating any
    cluster or calling out to cloud APIs.

type IngressOptions struct {
    Mode     string
    Manifest string
    Force    bool
}
    IngressOptions captures ingress install settings used by both cluster
    configuration and the setup command.

CLI cluster doctor

Package: doctor Import path: mcp-runtime/internal/cli/cluster/doctor

Source command:

go doc -all ./internal/cli/cluster/doctor

Overview

Package doctor implements cluster readiness diagnostics for the cluster CLI.


Functions

func PrintDoctorReport(r DoctorReport)
    PrintDoctorReport emits a human-readable report using the standard printer.

Types

type Distribution string
    Distribution identifies a Kubernetes flavor for remediation messaging.

const (
    DistroK3s           Distribution = "k3s"
    DistroKind          Distribution = "kind"
    DistroMinikube      Distribution = "minikube"
    DistroDockerDesktop Distribution = "docker-desktop"
    DistroGeneric       Distribution = "generic"
)

func DetectDistribution(kubectl core.KubectlRunner) Distribution
    DetectDistribution inspects node info to guess which distribution is
    running. This is best-effort: callers should treat DistroGeneric as
    "probably kubeadm/unknown".

type DoctorCheck struct {
    Name   string
    OK     bool
    Detail string
    Remedy string // Short hint; detailed steps come from the distro checklist.
}
    DoctorCheck is a single preflight check result.

type DoctorCheckProgress func(DoctorCheckProgressEvent) func(DoctorCheck)
    DoctorCheckProgress is called before each doctor check starts. It returns an
    optional completion callback that receives the finished check result.

type DoctorCheckProgressEvent struct {
    Name   string
    Detail string
    Index  int
    Total  int
}
    DoctorCheckProgressEvent describes the check that is about to run.

type DoctorReport struct {
    Distribution Distribution
    Checks       []DoctorCheck
}
    DoctorReport aggregates the full preflight result.

func RunDoctor(kubectl core.KubectlRunner) DoctorReport
    RunDoctor executes cluster diagnostics and returns a report.

func RunDoctorAndPrint(kubectl core.KubectlRunner) DoctorReport
    RunDoctorAndPrint streams doctor progress and results as checks execute.

func RunDoctorWithProgress(kubectl core.KubectlRunner, progress DoctorCheckProgress) DoctorReport
    RunDoctorWithProgress executes cluster diagnostics and calls progress hooks
    before and after each check. It is useful for UIs that need live feedback.

func RunSetupDoctor(kubectl core.KubectlRunner) DoctorReport
    RunSetupDoctor executes pre-setup readiness checks and returns a report.

func RunSetupDoctorAndPrint(kubectl core.KubectlRunner) DoctorReport
    RunSetupDoctorAndPrint streams setup-preflight progress and results.

func RunSetupDoctorWithProgress(kubectl core.KubectlRunner, progress DoctorCheckProgress) DoctorReport
    RunSetupDoctorWithProgress executes pre-setup readiness checks and calls
    progress hooks before and after each check.

func (r DoctorReport) AllOK() bool
    AllOK reports whether every check passed.

CLI cert-manager

Package: certmanager Import path: mcp-runtime/internal/cli/certmanager

Source command:

go doc -all ./internal/cli/certmanager

Overview

No package overview is documented.


Constants

const (
    CertClusterIssuerName           = certClusterIssuerName
    RegistryCertificateName         = registryCertificateName
    RegistryTLSSecretName           = registryTLSSecretName
    RegistryInternalCertificateName = registryInternalCertificateName
    RegistryInternalTLSSecretName   = registryInternalTLSSecretName
)

Functions

func ACMETLSDNSNames() []string

func ApplyClusterIssuerWithKubectl(kubectl core.KubectlRunner) error

func ApplyLetsEncryptClusterIssuer(kubectl core.KubectlRunner, email string, staging bool, logger *zap.Logger) error

func ApplyRegistryCertificate(kubectl core.KubectlRunner, dnsNames, ipAddresses []string, issuerName string) error

func ApplyRegistryCertificateForACME(kubectl core.KubectlRunner, dnsNames []string, issuerName string) error

func ApplyRegistryCertificateWithKubectl(kubectl core.KubectlRunner) error

func ApplyRegistryInternalCertificate(kubectl core.KubectlRunner, dnsNames, ipAddresses []string, issuerName string) error

func CertManagerInstallManifestURL() string

func CheckCASecretWithKubectl(kubectl core.KubectlRunner) error

func CheckCertManagerInstalledWithKubectl(kubectl core.KubectlRunner) error

func CheckCertificateWithKubectl(kubectl core.KubectlRunner, name, namespace string) error

func CheckClusterIssuerWithKubectl(kubectl core.KubectlRunner) error

func CheckNamedClusterIssuerWithKubectl(kubectl core.KubectlRunner, name string) error

func CheckRegistryCertificateOwnershipWithKubectl(kubectl core.KubectlRunner) error

func ClusterIssuerNameForACME(staging bool) string
    ClusterIssuerNameForACME returns the ClusterIssuer resource name for Let's
    Encrypt.

func EnsureCASecretWithKubectl(kubectl core.KubectlRunner) (bool, error)

func EnsureCertManagerInstalled(kubectl core.KubectlRunner, logger *zap.Logger) error

func PreflightACMEHostnamesPort80(dnsNames []string)

func RemoveRegistryIngressShimAnnotationWithKubectl(kubectl core.KubectlRunner) error

func RenderGeneratedCASecretManifest(now time.Time) (string, error)

func RenderLetsEncryptClusterIssuerManifest(name, email, serverURL string) string

func RenderRegistryCertificate(certName, secretName string, dnsNames, ipAddresses []string, issuerName string) string

func ValidateACMEHostnameForPublicCA() error

func ValidateIngressManifestForACME(ingressManifest string) error

func WaitForCertificateReadyWithKubectl(kubectl core.KubectlRunner, name, namespace string, timeout time.Duration) error

func WaitForTraefikDeploymentForACME(kubectl core.KubectlRunner) error

Types

type CertManager struct {
    // Has unexported fields.
}
    CertManager manages cert-manager resources for the platform.

func NewCertManager(kubectl core.KubectlRunner, logger *zap.Logger) *CertManager
    NewCertManager creates a CertManager with the given dependencies.

func (m *CertManager) Apply(dryRun bool) error
    Apply installs cert-manager resources required for registry TLS. When dryRun
    is true, the read-only preflight checks still run (to catch obvious problems
    like missing cert-manager) but no kubectl apply is performed.

func (m *CertManager) Status() error
    Status verifies cert-manager installation and required resources.

func (m *CertManager) Wait(timeout time.Duration) error
    Wait blocks until the registry certificate is Ready or times out.

CLI platform API

Package: platformapi Import path: mcp-runtime/internal/cli/platformapi

Source command:

go doc -all ./internal/cli/platformapi

Overview

No package overview is documented.


Constants

const PlatformAuthRequiredMessage = "platform API credentials are required; run `mcp-runtime auth login --api-url <platform-url>` for normal platform access. `--use-kube` is direct Kubernetes mode for admin/dev/test environments with admin/operator Kubernetes access only"
    PlatformAuthRequiredMessage tells users how to use the platform-backed CLI
    path.

Functions

func AuthRequiredError(err error) error
    AuthRequiredError wraps platform credential errors with user-facing mode
    guidance.

func HasPlatformClient() bool

func NormalizeBaseURL(raw string) string
    NormalizeBaseURL trims whitespace, trailing slashes, and an optional
    trailing /api suffix from a platform base URL.

Types

type AdapterSession struct {
    Name           string    `json:"name"`
    Namespace      string    `json:"namespace"`
    HumanID        string    `json:"humanID"`
    AgentID        string    `json:"agentID"`
    TeamID         string    `json:"teamID,omitempty"`
    ServerName     string    `json:"serverName"`
    ConsentedTrust string    `json:"consentedTrust"`
    PolicyVersion  string    `json:"policyVersion"`
    ExpiresAt      time.Time `json:"expiresAt"`
    Reused         bool      `json:"reused"`
}
    AdapterSession captures the identity the adapter must inject into runtime
    requests. ExpiresAt is absolute (server-side time); callers should refresh
    before it elapses.

type AdapterSessionRequest struct {
    ServerName     string `json:"serverName"`
    Namespace      string `json:"namespace,omitempty"`
    AgentID        string `json:"agentID"`
    RequestedTrust string `json:"requestedTrust,omitempty"`
    RequestedTTL   string `json:"requestedTTL,omitempty"`
}
    AdapterSessionRequest is the input contract for the platform API endpoint
    POST /api/runtime/adapter/sessions. RequestedTTL/Trust are optional;
    empty values fall back to platform-side defaults.

type ImagePublishRecord struct {
    ImageRef    string `json:"image_ref"`
    SourceImage string `json:"source_image,omitempty"`
    Mode        string `json:"mode,omitempty"`
}

type PlatformClient struct {
    // Has unexported fields.
}
    PlatformClient calls the mcp-sentinel API with an API key.

func NewPlatformClient() (*PlatformClient, error)
    NewPlatformClient returns a client when platform credentials and
    API base URL are configured. If the user is not logged in, returns
    authfile.ErrNotFound.

func ResolvePlatformOrKube(useKube bool) (*PlatformClient, bool, error)
    ResolvePlatformOrKube returns direct Kubernetes mode only when useKube is
    explicit. Otherwise it requires platform API credentials and does not fall
    back to kubeconfig.

func (c *PlatformClient) ApplyAccessFromYAMLFile(ctx context.Context, path string) error

func (c *PlatformClient) ApplyRuntimeServer(ctx context.Context, name, namespace string, spec mcpv1alpha1.MCPServerSpec) (ServerListItem, error)

func (c *PlatformClient) ApplyRuntimeServerWithScope(ctx context.Context, name, namespace, scope string, spec mcpv1alpha1.MCPServerSpec) (ServerListItem, error)

func (c *PlatformClient) ApplyRuntimeServerWithScopeUpdate(ctx context.Context, name, namespace, scope string, spec mcpv1alpha1.MCPServerSpec, update bool) (ServerListItem, error)

func (c *PlatformClient) CreateAdapterSession(ctx context.Context, req AdapterSessionRequest) (AdapterSession, error)
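    CreateAdapterSession asks the platform to issue (or reuse) an
    MCPAgentSession for the calling principal. The returned session.Name doubles
    as the SessionID the adapter forwards on every runtime request. This page
    does not say whether the SessionID alone authorizes a request; until that
    is confirmed, keep it out of shared logs.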

func (c *PlatformClient) CreateTeam(ctx context.Context, slug, name string) (Team, error)

func (c *PlatformClient) CreateTeamUser(ctx context.Context, slug, email, password, role string) (TeamMembership, error)

func (c *PlatformClient) CreateUser(ctx context.Context, email, password, role string) (PlatformUser, error)

func (c *PlatformClient) CurrentPrincipal(ctx context.Context) (Principal, error)

func (c *PlatformClient) DeleteGrant(ctx context.Context, namespace, name string) error

func (c *PlatformClient) DeleteRuntimeServer(ctx context.Context, namespace, name string) error

func (c *PlatformClient) DeleteSession(ctx context.Context, namespace, name string) error

func (c *PlatformClient) GetGrant(ctx context.Context, namespace, name string) (sentinelaccess.GrantSummary, error)

func (c *PlatformClient) GetRuntimePolicy(ctx context.Context, namespace, server string) ([]byte, error)

func (c *PlatformClient) GetSession(ctx context.Context, namespace, name string) (sentinelaccess.SessionSummary, error)

func (c *PlatformClient) GetTeam(ctx context.Context, slug string) (Team, error)

func (c *PlatformClient) ListGrants(ctx context.Context, namespace string) ([]sentinelaccess.GrantSummary, error)

func (c *PlatformClient) ListNamespaces(ctx context.Context) ([]namespaceListItem, error)

func (c *PlatformClient) ListRuntimeServers(ctx context.Context, namespace string) ([]ServerListItem, error)

func (c *PlatformClient) ListSessions(ctx context.Context, namespace string) ([]sentinelaccess.SessionSummary, error)

func (c *PlatformClient) ListTeamMembers(ctx context.Context, slug string) ([]TeamMembership, error)

func (c *PlatformClient) ListTeams(ctx context.Context) ([]Team, error)

func (c *PlatformClient) PatchGrant(ctx context.Context, namespace, name string, disabled bool) error

func (c *PlatformClient) PatchSession(ctx context.Context, namespace, name string, revoked bool) error

func (c *PlatformClient) PushRegistryImage(ctx context.Context, tarPath, target, scope string) error
    PushRegistryImage uploads a docker save tar and asks the platform API to
    push it to the configured registry from inside the cluster.

func (c *PlatformClient) RecordImagePublish(ctx context.Context, record ImagePublishRecord) error

func (c *PlatformClient) UpsertTeamMember(ctx context.Context, slug, userID, role string) (TeamMembership, error)

func (c *PlatformClient) ValidateCredentials(ctx context.Context) error

type PlatformUser struct {
    ID        string `json:"id"`
    Email     string `json:"email"`
    Role      string `json:"role"`
    Namespace string `json:"namespace,omitempty"`
}

type Principal struct {
    Role              string   `json:"role"`
    Subject           string   `json:"subject,omitempty"`
    Email             string   `json:"email,omitempty"`
    Namespace         string   `json:"namespace,omitempty"`
    AllowedNamespaces []string `json:"allowedNamespaces,omitempty"`
    Teams             []Team   `json:"teams,omitempty"`
}

type ServerListItem struct {
    Name        string            `json:"name"`
    Namespace   string            `json:"namespace"`
    Image       string            `json:"image,omitempty"`
    ImageTag    string            `json:"imageTag,omitempty"`
    Description string            `json:"description,omitempty"`
    Ready       string            `json:"ready"`
    Status      string            `json:"status"`
    Labels      map[string]string `json:"labels"`
    Age         string            `json:"age"`
}
    ServerListItem is one row from the platform API runtime servers list.

type Team struct {
    ID        string    `json:"id"`
    Slug      string    `json:"slug"`
    Name      string    `json:"name"`
    Namespace string    `json:"namespace"`
    CreatedAt time.Time `json:"created_at"`
}

type TeamMembership = platform.TeamMembership

CLI platform status

Package: platformstatus Import path: mcp-runtime/internal/cli/platformstatus

Source command:

go doc -all ./internal/cli/platformstatus

Overview

No package overview is documented.


Variables

var DefaultPlatformStatusWorkloads = []PlatformWorkload{
    {Component: "ClickHouse", Namespace: core.DefaultAnalyticsNamespace, Kind: "statefulset", Name: "clickhouse"},
    {Component: "Zookeeper", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "zookeeper"},
    {Component: "Kafka", Namespace: core.DefaultAnalyticsNamespace, Kind: "statefulset", Name: "kafka"},
    {Component: "Ingest", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "mcp-sentinel-ingest"},
    {Component: "Processor", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "mcp-sentinel-processor"},
    {Component: "API", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "mcp-sentinel-api"},
    {Component: "UI", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "mcp-sentinel-ui"},
    {Component: "Gateway", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "mcp-sentinel-gateway"},
    {Component: "Prometheus", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "prometheus"},
    {Component: "Grafana", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "grafana"},
    {Component: "OTel Collector", Namespace: core.DefaultAnalyticsNamespace, Kind: "deployment", Name: "otel-collector"},
    {Component: "Tempo", Namespace: core.DefaultAnalyticsNamespace, Kind: "statefulset", Name: "tempo"},
    {Component: "Loki", Namespace: core.DefaultAnalyticsNamespace, Kind: "statefulset", Name: "loki"},
    {Component: "Promtail", Namespace: core.DefaultAnalyticsNamespace, Kind: "daemonset", Name: "promtail"},
}
    DefaultPlatformStatusWorkloads lists bundled analytics stack workloads for
    status output.

Functions

func AnalyticsNamespaceInstalled(kubectl core.KubectlRunner, clusterReachable bool) (bool, error)
    AnalyticsNamespaceInstalled reports whether the analytics namespace exists.

func AnalyticsStackRow(status, details string) []string
    AnalyticsStackRow builds a table row for the analytics namespace aggregate
    status.

func CheckClusterStatusQuiet(kubectl core.KubectlRunner) error
    CheckClusterStatusQuiet probes cluster connectivity without printing status.

func WorkloadStatusRow(kubectl core.KubectlRunner, workload PlatformWorkload, clusterReachable bool) []string
    WorkloadStatusRow renders one workload row for platform status tables.

Types

type PlatformWorkload struct {
    Component string
    Namespace string
    Kind      string
    Name      string
}
    PlatformWorkload identifies a namespaced workload for status tables.

CLI registry

Package: registry Import path: mcp-runtime/internal/cli/registry

Source command:

go doc -all ./internal/cli/registry

Overview

Package registry owns routing for the registry top-level command.

Jump To

Index

Functions

func DefaultGitTag() string

func DeployRegistry(logger *zap.Logger, namespace string, port int, registryType, registryStorageSize, manifestPath string) error

func New(runtime *core.Runtime) *cobra.Command
    New returns the registry command.

func NewWithManager(mgr *RegistryManager) *cobra.Command
    NewWithManager returns the registry command using the provided manager.

func ResolveExternalRegistryConfig(flagCfg *config.ExternalRegistryConfig) (*config.ExternalRegistryConfig, error)

func ResolveInternalPlatformRegistryURL(logger *zap.Logger) string

func ResolvePlatformRegistryURL(logger *zap.Logger) string

func RunAdminRegistryPush(ctx context.Context, mgr *RegistryManager, image, registryURL, name, scope, mode, helperNamespace string) error
    RunAdminRegistryPush pushes an image using direct Kubernetes access for
    operator debugging. Normal users should use registry push instead.

func RunRegistryProvision(mgr *RegistryManager, url, username, password, operatorImage string, dryRun bool) error
    RunRegistryProvision contains the registry provision command flow for folder
    packages.

func RunRegistryPush(ctx context.Context, mgr *RegistryManager, image, registryURL, name, scope string) error
    RunRegistryPush pushes an image through the platform API.

func ScopedRegistryRepository(ctx context.Context, client *platformapi.PlatformClient, repo string, scope publishscope.Scope) (string, error)
    ScopedRegistryRepository applies the repository prefix implied by a publish
    scope.

Types

type RegistryManager struct {
    // Has unexported fields.
}
    RegistryManager handles registry operations with injected dependencies.

func DefaultRegistryManager(logger *zap.Logger) *RegistryManager
    DefaultRegistryManager returns a RegistryManager using default clients.

func NewRegistryManager(kubectl *core.KubectlClient, exec core.Executor, logger *zap.Logger) *RegistryManager
    NewRegistryManager creates a RegistryManager with the given dependencies.

func (m *RegistryManager) CheckRegistryStatus(namespace string) error
    CheckRegistryStatus checks and displays registry status.

func (m *RegistryManager) LoginRegistry(registryURL, username, password string) error
    LoginRegistry logs into a container registry.

func (m *RegistryManager) PushDirect(source, target string) error
    PushDirect pushes an image directly using docker.

func (m *RegistryManager) PushInCluster(source, target, helperNS string) error
    PushInCluster pushes an image using an in-cluster helper pod.

func (m *RegistryManager) PushViaPlatform(ctx context.Context, client *platformapi.PlatformClient, source, target, scope string) error
    PushViaPlatform saves the local image and asks the platform API to push it
    in-cluster.

func (m *RegistryManager) ShowRegistryInfo() error
    ShowRegistryInfo displays registry connection information.

CLI registry config

Package: config Import path: mcp-runtime/internal/cli/registry/config

Source command:

go doc -all ./internal/cli/registry/config

Overview

No package overview is documented.

Jump To

Index

Variables

var (
    ErrURLRequired        = errors.New("registry url is required")
    ErrURLMissingInConfig = errors.New("registry url missing in config")
)

Functions

func Marshal(cfg *ExternalRegistryConfig) ([]byte, error)

func Path() (string, error)

func Save(cfg *ExternalRegistryConfig) error

Types

type Env struct {
    // Registry settings for the "env" tier of Resolve, which ranks below
    // explicit flags and above the config file. How callers populate these
    // fields is not shown here; presumably from environment variables
    // (confirm against the caller).

    URL      string
    Username string
    // Password is a credential held as a plain string; keep Env values out of
    // logs and error messages.
    Password string
}

type ExternalRegistryConfig struct {
    // The three fields map to the YAML keys url, username and password; the
    // username and password keys are omitted when empty.

    URL      string `yaml:"url"`
    Username string `yaml:"username,omitempty"`
    // NOTE(review): Password is serialized as a plain YAML string, so the
    // bytes from Marshal, and presumably the file Save writes at Path, would
    // contain the registry password in cleartext. Confirm that file is created
    // with owner-only permissions and that this struct is never logged whole.
    Password string `yaml:"password,omitempty"`
}

func Load() (*ExternalRegistryConfig, error)

func Resolve(flagCfg *ExternalRegistryConfig, env Env) (*ExternalRegistryConfig, error)
    Resolve returns external registry config using precedence: flags > env >
    config file.

CLI registry references

Package: ref Import path: mcp-runtime/internal/cli/registry/ref

Source command:

go doc -all ./internal/cli/registry/ref

Overview

No package overview is documented.

Jump To

Index

Functions

func DropRegistryPrefix(repo string) string
    DropRegistryPrefix removes an explicit registry host from an image
    repository.

func SplitImage(image string) (string, string)
    SplitImage returns the repository/name portion and optional tag for an image
    reference.

CLI registry resolution

Package: resolve Import path: mcp-runtime/internal/cli/registry/resolve

Source command:

go doc -all ./internal/cli/registry/resolve

Overview

No package overview is documented.

Jump To

Index

Functions

func GitTag(command CommandFactory) string
    GitTag returns a short git SHA when available, otherwise "latest".

func InternalPlatformURL(logger *zap.Logger, kubectl KubectlCommand, cfg Config) string
    InternalPlatformURL resolves the bundled registry host:port for platform
    pods rendered by setup. It intentionally ignores public ingress hosts
    derived from MCP_PLATFORM_DOMAIN/MCP_REGISTRY_INGRESS_HOST so operator and
    Sentinel pods do not need anonymous or pull-secret access to the public
    registry route.

func PlatformURL(logger *zap.Logger, kubectl KubectlCommand, cfg Config) string
    PlatformURL resolves the registry host:port used for public/user-facing
    image names.

Types

type CommandFactory func(name string, args []string) (OutputCommand, error)

type Config struct {
    RegistryEndpoint        string
    DefaultRegistryEndpoint string
    RegistryIngressHost     string
    DefaultRegistryHost     string
    RegistryPort            int
}

type KubectlCommand func(args []string) (OutputCommand, error)

type OutputCommand interface {
    Output() ([]byte, error)
}

CLI server

Package: server Import path: mcp-runtime/internal/cli/server

Source command:

go doc -all ./internal/cli/server

Overview

Package server owns routing for the server top-level command.

Jump To

Index

Functions

func BuildImage(ctx context.Context, logger *zap.Logger, serverName, dockerfile, metadataFile, metadataDir, registryURL, tag, platform, contextDir string) error
    BuildImage builds a Docker image and updates MCP metadata for the server.

func DiscoverToolsFromServer(serverURL string) ([]string, error)
    DiscoverToolsFromServer connects to a running MCP server at serverURL and
    returns the tool names. They are returned as bare names; callers wrap them
    into --tool flags or metadata.ToolConfig values.

    If the URL has no explicit path, /mcp is appended automatically (the default
    MCP endpoint path used by the go-sdk).

func New(runtime *core.Runtime) *cobra.Command
    New returns the server command.

func NewWithManager(mgr *ServerManager) *cobra.Command
    NewWithManager returns the server command using the provided manager.

Types

type ServerManager struct {
    // Has unexported fields.
}
    ServerManager handles MCP server operations with injected dependencies.

func DefaultServerManager(logger *zap.Logger) *ServerManager
    DefaultServerManager returns a ServerManager using the default kubectl
    client.

func NewServerManager(kubectl *core.KubectlClient, logger *zap.Logger) *ServerManager
    NewServerManager creates a ServerManager with the given dependencies.

func (m *ServerManager) ApplyServerFromFile(file string) error
    ApplyServerFromFile applies an MCPServer manifest from disk.

func (m *ServerManager) BindUseKubeFlag(cmd *cobra.Command)
    BindUseKubeFlag wires the shared --use-kube flag onto the command.

func (m *ServerManager) CreateServer(name, namespace, image, imageTag string) error
    CreateServer creates a new MCP server with the given parameters.

func (m *ServerManager) CreateServerFromFile(file string) error
    CreateServerFromFile creates an MCP server from a YAML file.

func (m *ServerManager) DeleteServer(name, namespace string) error
    DeleteServer deletes an MCP server.

func (m *ServerManager) DeployServer(name, namespace, team, scope, image, imageTag string, replicas, port, servicePort int32, metadataFile, metadataDir string, update bool) error

func (m *ServerManager) ExportServer(name, namespace, file string) error
    ExportServer exports an MCPServer manifest to stdout or a file.

func (m *ServerManager) GenerateManifests(metadataFile, metadataDir, outputDir string) error
    GenerateManifests renders MCPServer YAML from .mcp metadata for review,
    GitOps, or admin workflows. Normal user deploys should call DeployServer.

func (m *ServerManager) GetServer(name, namespace string) error
    GetServer retrieves details for a specific MCP server.

func (m *ServerManager) InitServer(name, metadataDir, image, imageTag, scope, policyMode, defaultDecision string, sessionRequired bool, port int32, tools, toolSpecs []string, force bool) error

func (m *ServerManager) InspectServerPolicy(name, namespace string) error
    InspectServerPolicy prints the rendered gateway policy ConfigMap content for
    a server.

func (m *ServerManager) ListServers(namespace, team string) error
    ListServers lists all MCP servers in the given namespace.

func (m *ServerManager) Logger() *zap.Logger
    Logger exposes the manager logger to foldered command packages.

func (m *ServerManager) PatchServer(name, namespace, patchType, patch, patchFile string) error
    PatchServer patches an existing MCPServer resource using
    merge/json/strategic patch types.

func (m *ServerManager) ServerStatus(namespace string) error
    ServerStatus shows the status of MCP servers in a namespace.

func (m *ServerManager) ViewServerLogs(name, namespace string, follow, previous bool, tail int, since string) error
    ViewServerLogs views logs from an MCP server.

CLI setup asset paths

Package: assetpath Import path: mcp-runtime/internal/cli/setup/assetpath

Source command:

go doc -all ./internal/cli/setup/assetpath

Overview

Package assetpath resolves repository-relative asset paths from the current working directory by walking upward until go.mod, services/, and k8s/ match.

Jump To

Index

Functions

func IsRepoRoot(dir string) bool
    IsRepoRoot reports whether dir looks like the mcp-runtime repository root.

func ResolveRepoAssetPath(path string) (string, error)
    ResolveRepoAssetPath finds a repo-relative path from the current working
    directory by walking upward until the asset exists. The repo assumes a
    flattened root layout (for example services/ and k8s/ at the top level).

func ResolveRepoRoot() (string, error)
    ResolveRepoRoot walks upward from the working directory until IsRepoRoot
    reports true.

CLI setup ingress manifests

Package: ingressmanifest Import path: mcp-runtime/internal/cli/setup/ingressmanifest

Source command:

go doc -all ./internal/cli/setup/ingressmanifest

Overview

Package ingressmanifest builds YAML for the host-based Sentinel platform UI Ingress.

Jump To

Index

Constants

const (
    // PlatformIngressName is the Kubernetes Ingress resource name for the dashboard.
    PlatformIngressName = "mcp-sentinel-platform-ui"
    // PlatformObservabilityIngressName is the admin-gated platform Ingress for observability tools.
    PlatformObservabilityIngressName = "mcp-sentinel-platform-observability"
    // PlatformHTTPRedirectIngressName is the HTTP-only redirect Ingress resource name.
    PlatformHTTPRedirectIngressName = "mcp-sentinel-platform-ui-http"
    // PlatformTLSSecretName is the TLS secret name used when TLS is enabled.
    PlatformTLSSecretName = "mcp-sentinel-platform-tls"
)

Functions

func RenderPlatformUIIngress(host, issuerName, analyticsNamespace string) string
    RenderPlatformUIIngress emits an Ingress that maps platform.<domain> to
    the dashboard UI and /api on the same UI service (which reverse-proxies to
    mcp-sentinel-api via API_UPSTREAM). It also emits a separate admin-gated
    Ingress on the same host for /grafana. The observability Ingress uses the
    repo-managed sentinel-admin-auth@file Traefik middleware so Grafana is
    reachable from admin UI links without exposing it raw on the public platform
    host. Prometheus stays internal as Grafana's metrics datasource and is not
    exposed as a direct public route.

    When issuerName is set, a TLS section and cert-manager annotation
    are added so cert-manager's ingress-shim provisions a Certificate for
    platform.<domain> into the mcp-sentinel-platform-tls Secret in the same
    namespace as the UI Ingress. The observability Ingress references the same
    TLS Secret without a cert-manager annotation to avoid a second Certificate
    owner. A third Ingress on the `web` entrypoint is also emitted so HTTP
    requests to the same host hit the UI service, which redirects to HTTPS.
    (We can't rely on Traefik's entrypoint-level redirect because the prod
    overlay disables it to keep HTTP-01 ACME challenges working on first issue.)

CLI setup plan

Package: plan Import path: mcp-runtime/internal/cli/setup/plan

Source command:

go doc -all ./internal/cli/setup/plan

Overview

Package plan contains pure setup planning types and default resolution.

Jump To

Index

Constants

const (
    StorageModeDynamic  = "dynamic"
    StorageModeHostpath = "hostpath"
)
const (
    PlatformModeTenant = "tenant"
    PlatformModeOrg    = "org"
    PlatformModePublic = "public"
)
const (
    RegistryModeAuto         = "auto"
    RegistryModeBundledHTTP  = "bundled-http"
    RegistryModeBundledHTTPS = "bundled-https"
    RegistryModeExternal     = "external"
)
const (
    DefaultOrgCatalogNamespace    = "mcp-servers-org"
    DefaultPublicCatalogNamespace = "mcp-servers-public"
)

Functions

func CatalogNamespaceForPlatformMode(mode string) string

func NormalizePlatformMode(mode string) (string, bool)

func NormalizeRegistryMode(mode string) (string, bool)

Types

type Input struct {
    Kubeconfig             string
    Context                string
    RegistryType           string
    RegistryStorageSize    string
    RegistryMode           string
    ExternalRegistryURL    string
    ExternalRegistryUser   string
    ExternalRegistryPass   string // presumably the external registry password as given on the CLI; keep it out of logs and error text
    StorageMode            string
    PlatformMode           string
    IngressMode            string
    IngressManifest        string
    IngressManifestChanged bool
    ForceIngressInstall    bool
    TLSEnabled             bool
    TestMode               bool
    ParallelBuilds         bool
    StrictProd             bool
    DeployAnalytics        bool
    OperatorArgs           []string
    // Let's Encrypt (HTTP-01 via cert-manager). If empty, other TLS modes apply; mutually exclusive with TLSClusterIssuer.
    ACMEmail    string
    ACMEStaging bool
    // TLSClusterIssuer is a pre-existing cert-manager.io ClusterIssuer (e.g. org internal CA / Vault / ADCS). Mutually exclusive with ACMEmail.
    TLSClusterIssuer   string
    InstallCertManager bool
}
    Input captures the raw CLI inputs for setup.

type Plan struct {
    Kubeconfig           string
    Context              string
    RegistryType         string
    RegistryStorageSize  string
    RegistryMode         string
    ExternalRegistryURL  string
    ExternalRegistryUser string
    ExternalRegistryPass string // presumably the external registry password carried over from Input; avoid logging a Plan value whole
    StorageMode          string
    PlatformMode         string
    Ingress              cluster.IngressOptions
    RegistryManifest     string
    TLSEnabled           bool
    TestMode             bool
    ParallelBuilds       bool
    StrictProd           bool
    DeployAnalytics      bool
    OperatorArgs         []string
    ACMEmail             string
    ACMEStaging          bool
    TLSClusterIssuer     string
    InstallCertManager   bool
}
    Plan captures the resolved setup decisions.

func Build(input Input) Plan
    Build resolves CLI inputs into a concrete setup plan.

CLI setup platform

Package: platform Import path: mcp-runtime/internal/cli/setup/platform

Source command:

go doc -all ./internal/cli/setup/platform

Overview

Package platform implements the setup workflow for MCP Runtime platform components.

Jump To

Index

Functions

func BuildOperatorArgs(metricsAddr, probeAddr string, leaderElect, leaderElectChanged bool) []string
    BuildOperatorArgs constructs operator command-line arguments from flags.
    Only includes flags that were explicitly set.

func SetupPlatform(logger *zap.Logger, plan setupplan.Plan, clusterMgr ClusterManagerAPI) error

func ValidatePlatformMode(mode string) error

func ValidatePublicPlatformAuthConfig(platformMode string, tlsEnabled, testMode bool, existingData map[string]string) error

func ValidatePublicPlatformAuthEnv(platformMode string, tlsEnabled, testMode bool) error

func ValidateRegistryMode(mode string) error

func ValidateRegistryTLSMode(mode string, tlsEnabled bool, acmeEmail string) error

func ValidateStorageMode(mode string) error

func ValidateTLSSetupCLIFlags(
    tlsEnabled bool,
    acmeEmailResolved, tlsCIResolved string,
    acmeStagingResolved, skipCertManagerInstall bool,
) error
    ValidateTLSSetupCLIFlags enforces ACME / internal-issuer mutual exclusion
    and requires --with-tls when any TLS or cert-manager-related options are
    set.

Types

type AnalyticsImageSet struct {
    Ingest        string
    API           string
    Processor     string
    UI            string
    Traefik       string
    ClickHouse    string
    Zookeeper     string
    Kafka         string
    Prometheus    string
    OTelCollector string
    Tempo         string
    Loki          string
    Promtail      string
    Grafana       string
}

type ClusterManagerAPI interface {
    InitCluster(kubeconfig, context string) error
    ConfigureCluster(opts cluster.IngressOptions) error
}

type RegistryManagerAPI interface {
    ShowRegistryInfo() error
    PushInCluster(source, target, helperNS string) error
}

type SetupContext struct {
    Plan                  setupplan.Plan
    ExternalRegistry      *config.ExternalRegistryConfig
    UsingExternalRegistry bool
    RegistryAuthStaged    bool
    RegistrySecretName    string
    OperatorImage         string
    GatewayProxyImage     string
    AnalyticsImages       AnalyticsImageSet
}
    SetupContext carries state shared across setup steps.

type SetupDeps struct {
    // SetupDeps bundles the managers and function hooks that setup steps call;
    // SetupStep.Run receives it by value alongside the shared SetupContext.
    // Several hooks (LoginRegistry, EnsureImagePullSecret) take a registry
    // password as a plain string argument.

    ResolveExternalRegistryConfig   func(*config.ExternalRegistryConfig) (*config.ExternalRegistryConfig, error)
    ClusterManager                  ClusterManagerAPI
    RegistryManager                 RegistryManagerAPI
    LoginRegistry                   func(logger *zap.Logger, registryURL, username, password string) error
    DeployRegistry                  func(logger *zap.Logger, namespace string, port int, registryType, registryStorageSize, manifestPath string) error
    WaitForDeploymentAvailable      func(logger *zap.Logger, name, namespace, selector string, timeout time.Duration) error
    PrintDeploymentDiagnostics      func(deploy, namespace, selector string)
    SetupTLS                        func(logger *zap.Logger, plan setupplan.Plan) error
    BuildOperatorImage              func(image string) error
    PushOperatorImage               func(image string) error
    BuildGatewayProxyImage          func(image string) error
    PushGatewayProxyImage           func(image string) error
    BuildAnalyticsImage             func(image, dockerfilePath, buildContext string) error
    PushAnalyticsImage              func(image string) error
    EnsureNamespace                 func(namespace string) error
    EnsureCatalogNamespace          func(namespace string, labels map[string]string) error
    ResolvePlatformRegistryURL      func(logger *zap.Logger) string
    PushOperatorImageToInternal     func(logger *zap.Logger, sourceImage, targetImage, helperNamespace string) error
    PushGatewayProxyImageToInternal func(logger *zap.Logger, sourceImage, targetImage, helperNamespace string) error
    PushAnalyticsImageToInternal    func(logger *zap.Logger, sourceImage, targetImage, helperNamespace string) error
    DeployOperatorManifests         func(logger *zap.Logger, operatorImage, gatewayProxyImage string, operatorArgs []string, imagePullSecretName string) error
    DeployAnalyticsManifests        func(logger *zap.Logger, images AnalyticsImageSet, storageMode, platformMode string) error
    EnsureImagePullSecret           func(namespace, name, registry, username, password string) error
    // NOTE(review): DisableRegistryIngressAuth and EnableRegistryIngressAuth
    // look like a paired toggle around some setup phase (their call sites are
    // not shown here). Whichever step calls Disable should restore auth on
    // every exit path, including errors, so a failed setup cannot leave the
    // registry ingress unauthenticated; confirm in the step implementation.
    DisableRegistryIngressAuth      func() error
    EnableRegistryIngressAuth       func() error
    ConfigureProvisionedRegistryEnv func(ext *config.ExternalRegistryConfig, secretName string) error
    RestartDeployment               func(name, namespace string) error
    CheckCRDInstalled               func(name string) error
    GetDeploymentTimeout            func() time.Duration
    GetRegistryPort                 func() int
    OperatorImageFor                func(ext *config.ExternalRegistryConfig) string
    GatewayProxyImageFor            func(ext *config.ExternalRegistryConfig) string
}

type SetupPipeline struct {
    // Has unexported fields.
}
    SetupPipeline provides a fluent API for building step sequences.

func NewSetupPipeline() *SetupPipeline

func (p *SetupPipeline) Build() []SetupStep

func (p *SetupPipeline) With(step SetupStep) *SetupPipeline

func (p *SetupPipeline) WithIf(condition bool, step SetupStep) *SetupPipeline

type SetupStep interface {
    Name() string
    Run(logger *zap.Logger, deps SetupDeps, ctx *SetupContext) error
}
    SetupStep models a single setup phase.

CLI binary

Package: main Import path: mcp-runtime/cmd/mcp-runtime

Source command:

go doc -cmd ./cmd/mcp-runtime

Overview

No package overview is documented.

Jump To

Index

No exported declarations.

Operator binary

Package: main Import path: mcp-runtime/cmd/operator

Source command:

go doc -cmd ./cmd/operator

Overview

No package overview is documented.

Jump To

Index

No exported declarations.