stakpak 0.3.58

Stakpak: Your DevOps AI Agent. Generate infrastructure code, debug Kubernetes, configure CI/CD, automate deployments, without giving an LLM the keys to production.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358

//! MCP (Model Context Protocol) initialization module
//!
//! This module handles the initialization of the MCP server and proxy infrastructure
//! for the interactive agent mode. It sets up:
//! - Certificate chains for mTLS communication
//! - Local MCP server with tools
//! - Proxy server that aggregates multiple MCP servers
//! - Client connection to the proxy

use crate::commands::agent::run::helpers::convert_tools_with_filter;
use crate::commands::get_client;
use crate::config::AppConfig;
use crate::utils::network;
use stakpak_api::local::skills::default_skill_directories;
use stakpak_mcp_client::McpClient;
use stakpak_mcp_proxy::client::{ClientPoolConfig, ServerConfig};
use stakpak_mcp_proxy::server::start_proxy_server;
use stakpak_mcp_server::{
    EnabledToolsConfig, MCPServerConfig, SubagentConfig, ToolMode, start_server,
};
use stakpak_shared::cert_utils::CertificateChain;
use stakpak_shared::models::integrations::openai::ToolCallResultProgress;
use std::collections::HashMap;
use std::sync::Arc;
use tokio::net::TcpListener;
use tokio::sync::broadcast;
use tokio::sync::mpsc::Sender;

/// Configuration options for MCP initialization
#[allow(dead_code)]
pub struct McpInitConfig {
    // --- server config ---
    /// Configuration for which tools are enabled
    pub enabled_tools: EnabledToolsConfig,
    /// Whether to enable mTLS for secure communication
    pub enable_mtls: bool,
    /// Whether to enable subagent tools
    pub enable_subagents: bool,
    /// Optional list of allowed tool names (filters tools if specified)
    pub allowed_tools: Option<Vec<String>>,
    /// Configuration inherited by subagents (profile, config path)
    pub subagent_config: SubagentConfig,

    // --- proxy config (secret redaction is handled exclusively by the proxy) ---
    /// Whether to redact secrets in tool responses
    pub redact_secrets: bool,
    /// Whether to enable privacy mode (redact IPs, account IDs, etc.)
    pub privacy_mode: bool,
}

impl Default for McpInitConfig {
    fn default() -> Self {
        Self {
            enabled_tools: EnabledToolsConfig { slack: false },
            enable_mtls: true,
            enable_subagents: true,
            allowed_tools: None,
            subagent_config: SubagentConfig::default(),
            redact_secrets: true,
            privacy_mode: false,
        }
    }
}

/// Result of MCP initialization containing all necessary handles and tools
pub struct McpInitResult {
    /// The MCP client connected to the proxy
    pub client: Arc<McpClient>,
    /// Raw MCP tools from the server
    pub mcp_tools: Vec<rmcp::model::Tool>,
    /// Converted tools for OpenAI format
    pub tools: Vec<stakpak_shared::models::integrations::openai::Tool>,
    /// Shutdown handle for the MCP server
    pub server_shutdown_tx: broadcast::Sender<()>,
    /// Shutdown handle for the proxy server
    pub proxy_shutdown_tx: broadcast::Sender<()>,
}

/// Certificate chains for server and proxy communication
struct CertificateChains {
    /// Certificate chain for MCP server <-> Proxy communication
    server_chain: Arc<Option<CertificateChain>>,
    /// Certificate chain for Proxy <-> Client communication
    proxy_chain: Arc<CertificateChain>,
}

/// Server binding information
struct ServerBinding {
    address: String,
    listener: TcpListener,
}

impl CertificateChains {
    /// Generate two separate certificate chains for server and proxy
    fn generate() -> Result<Self, String> {
        let server_chain =
            Arc::new(Some(CertificateChain::generate().map_err(|e| {
                format!("Failed to generate server certificates: {}", e)
            })?));

        let proxy_chain = Arc::new(
            CertificateChain::generate()
                .map_err(|e| format!("Failed to generate proxy certificates: {}", e))?,
        );

        Ok(Self {
            server_chain,
            proxy_chain,
        })
    }
}

impl ServerBinding {
    /// Find an available port and create a TCP listener
    async fn new(purpose: &str) -> Result<Self, String> {
        let (address, listener) = network::find_available_bind_address_with_listener()
            .await
            .map_err(|e| format!("Failed to find available port for {}: {}", purpose, e))?;

        Ok(Self { address, listener })
    }

    /// Get the HTTPS URL for this binding
    fn https_url(&self, path: &str) -> String {
        format!("https://{}{}", self.address, path)
    }
}

/// Start the local MCP server with tools
async fn start_mcp_server(
    app_config: &AppConfig,
    mcp_config: &McpInitConfig,
    binding: ServerBinding,
    cert_chain: Arc<Option<CertificateChain>>,
    shutdown_rx: broadcast::Receiver<()>,
) -> Result<(), String> {
    let api_client = get_client(app_config).await?;
    let (ready_tx, ready_rx) = tokio::sync::oneshot::channel::<Result<(), String>>();

    let bind_address = binding.address.clone();
    let enabled_tools = mcp_config.enabled_tools.clone();
    let enable_subagents = mcp_config.enable_subagents;
    let subagent_config = mcp_config.subagent_config.clone();

    tokio::spawn(async move {
        let server_config = MCPServerConfig {
            client: Some(api_client),
            bind_address,
            enabled_tools,
            tool_mode: ToolMode::Combined,
            enable_subagents,
            certificate_chain: cert_chain,
            skill_directories: default_skill_directories(),
            subagent_config,
            server_tls_config: None,
        };

        // Signal that we're about to start
        let _ = ready_tx.send(Ok(()));

        if let Err(e) = start_server(server_config, Some(binding.listener), Some(shutdown_rx)).await
        {
            tracing::error!("Local MCP server error: {}", e);
        }
    });

    // Wait for server to signal it's starting
    ready_rx
        .await
        .map_err(|_| "MCP server task failed to start".to_string())?
        .map_err(|e| format!("MCP server failed to start: {}", e))?;

    // Small delay to ensure the server is actually listening
    tokio::time::sleep(tokio::time::Duration::from_millis(100)).await;

    Ok(())
}

/// Build the proxy configuration with upstream servers
fn build_proxy_config(
    local_server_url: String,
    server_cert_chain: Arc<Option<CertificateChain>>,
) -> ClientPoolConfig {
    let mut servers: HashMap<String, ServerConfig> = HashMap::new();

    // Add local MCP server (tools) as upstream
    servers.insert(
        "stakpak".to_string(),
        ServerConfig::Http {
            url: local_server_url,
            headers: None,
            certificate_chain: server_cert_chain,
            client_tls_config: None,
        },
    );

    // Add external paks server
    servers.insert(
        "paks".to_string(),
        ServerConfig::Http {
            url: "https://apiv2.stakpak.dev/v1/paks/mcp".to_string(),
            headers: None,
            certificate_chain: Arc::new(None),
            client_tls_config: None,
        },
    );

    ClientPoolConfig::with_servers(servers)
}

/// Start the proxy server
async fn start_proxy(
    pool_config: ClientPoolConfig,
    mcp_config: &McpInitConfig,
    binding: ServerBinding,
    cert_chain: Arc<CertificateChain>,
    shutdown_rx: broadcast::Receiver<()>,
) -> Result<(), String> {
    let (ready_tx, ready_rx) = tokio::sync::oneshot::channel::<Result<(), String>>();

    let redact_secrets = mcp_config.redact_secrets;
    let privacy_mode = mcp_config.privacy_mode;

    tokio::spawn(async move {
        // Signal that we're about to start
        let _ = ready_tx.send(Ok(()));

        if let Err(e) = start_proxy_server(
            pool_config,
            binding.listener,
            cert_chain,
            redact_secrets,
            privacy_mode,
            Some(shutdown_rx),
        )
        .await
        {
            tracing::error!("Proxy server error: {}", e);
        }
    });

    // Wait for proxy to signal it's starting
    ready_rx
        .await
        .map_err(|_| "Proxy server task failed to start".to_string())?
        .map_err(|e| format!("Proxy server failed to start: {}", e))?;

    Ok(())
}

/// Connect to the proxy with retry logic
async fn connect_to_proxy(
    proxy_url: &str,
    cert_chain: Arc<CertificateChain>,
    progress_tx: Option<Sender<ToolCallResultProgress>>,
) -> Result<Arc<McpClient>, String> {
    const MAX_RETRIES: u32 = 5;
    let mut retry_delay = tokio::time::Duration::from_millis(50);
    let mut last_error = None;

    for attempt in 1..=MAX_RETRIES {
        match stakpak_mcp_client::connect_https(
            proxy_url,
            Some(cert_chain.clone()),
            progress_tx.clone(),
        )
        .await
        {
            Ok(client) => return Ok(Arc::new(client)),
            Err(e) => {
                last_error = Some(e);
                if attempt < MAX_RETRIES {
                    tokio::time::sleep(retry_delay).await;
                    retry_delay *= 2; // Exponential backoff
                }
            }
        }
    }

    Err(format!(
        "Failed to connect to MCP proxy after {} retries: {}",
        MAX_RETRIES,
        last_error.map(|e| e.to_string()).unwrap_or_default()
    ))
}

/// Initialize the MCP server, proxy, and client infrastructure
///
/// This function sets up the complete MCP infrastructure:
/// 1. Generates certificate chains for mTLS
/// 2. Starts the local MCP server with tools
/// 3. Starts the proxy server that aggregates MCP servers
/// 4. Connects a client to the proxy
///
/// Returns the client, tools, and shutdown handles for graceful cleanup.
pub async fn initialize_mcp_server_and_tools(
    app_config: &AppConfig,
    mcp_config: McpInitConfig,
    progress_tx: Option<Sender<ToolCallResultProgress>>,
) -> Result<McpInitResult, String> {
    // 1. Generate certificate chains
    let certs = CertificateChains::generate()?;

    // 2. Find available ports
    let server_binding = ServerBinding::new("MCP server").await?;
    let proxy_binding = ServerBinding::new("proxy").await?;

    let local_mcp_server_url = server_binding.https_url("/mcp");
    let proxy_url = proxy_binding.https_url("/mcp");

    // 3. Create shutdown channels
    let (server_shutdown_tx, server_shutdown_rx) = broadcast::channel::<()>(1);
    let (proxy_shutdown_tx, proxy_shutdown_rx) = broadcast::channel::<()>(1);

    // 4. Start local MCP server
    start_mcp_server(
        app_config,
        &mcp_config,
        server_binding,
        certs.server_chain.clone(),
        server_shutdown_rx,
    )
    .await?;

    // 5. Build and start proxy
    let pool_config = build_proxy_config(local_mcp_server_url, certs.server_chain);
    start_proxy(
        pool_config,
        &mcp_config,
        proxy_binding,
        certs.proxy_chain.clone(),
        proxy_shutdown_rx,
    )
    .await?;

    // 6. Connect client to proxy
    let mcp_client = connect_to_proxy(&proxy_url, certs.proxy_chain, progress_tx).await?;

    // 7. Get tools from MCP client
    let mcp_tools = stakpak_mcp_client::get_tools(&mcp_client)
        .await
        .map_err(|e| format!("Failed to get tools: {}", e))?;

    // Use allowed_tools from mcp_config if provided, otherwise fall back to app_config
    let allowed_tools_ref = mcp_config
        .allowed_tools
        .as_ref()
        .or(app_config.allowed_tools.as_ref());
    let tools = convert_tools_with_filter(&mcp_tools, allowed_tools_ref);

    Ok(McpInitResult {
        client: mcp_client,
        mcp_tools,
        tools,
        server_shutdown_tx,
        proxy_shutdown_tx,
    })
}