diff --git a/README.md b/README.md index faf1f83..0b08686 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,63 @@ # mcaxl +[![PyPI](https://img.shields.io/pypi/v/mcaxl.svg)](https://pypi.org/project/mcaxl/) +[![Python](https://img.shields.io/pypi/pyversions/mcaxl.svg)](https://pypi.org/project/mcaxl/) +[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE) + Read-only MCP server for **Cisco Unified Communications Manager (CUCM)** — exposes the AXL SOAP API and RisPort70 real-time registration state to LLMs for dial-plan analysis, configuration auditing, and impact analysis. > Tested against CUCM 15.0(1). Should work on any CUCM 12.5+. +## What it looks like + +Invoke the `whoami` prompt in any MCP-aware LLM client. With no +arguments, it defaults to the AXL service account from your `.env`: + +> **Account**: `axl-readonly` (applicationuser) +> **Access control groups**: 1 — `Read-Only-AXL` +> **Effective roles** (5): +> - **Standard CCM Admin Users** ← write access +> - **Standard AXL API Access** ← full read-write AXL +> - Standard AXL Read Only API Access +> - Standard Packet Sniffing +> - Standard RealtimeAndTraceCollection +> +> **Finding**: the group `Read-Only-AXL` contains two write-capable +> roles. The name implies read-only intent but the membership grants +> full administrative write access. Consider renaming the group OR +> removing the write-capable roles from its membership. + +One tool call. One SQL join across four tables (`applicationuser → +applicationuserdirgroupmap → dirgroup → functionroledirgroupmap → +functionrole`). One audit finding with severity and remediation — +not a raw query result the operator has to interpret on their own. +That's the shape of every prompt mcaxl ships with: orchestrated +queries, structured findings, ready-to-act recommendations. + +## Scope and complement + +`mcaxl` is intentionally narrow — read-only audit of CUCM +configuration via AXL, with RisPort70 cross-reference for live +registration state. It does *not* cover operational debugging: +log collection, packet capture, perfmon counters, service control. + +For those, install +[`@calltelemetry/cisco-cucm-mcp`](https://github.com/calltelemetry/cisco-cucm-mcp) +alongside this server: + +```bash +claude mcp add cucm-ops -- npx -y @calltelemetry/cisco-cucm-mcp@latest +``` + +The two are designed to compose. `mcaxl` answers *"what does the +config say?"*; `cisco-cucm-mcp` answers *"what's happening right +now?"*. An LLM session with both connected can produce compound +findings like *"audit found CSS X has 0 references AND RisPort +confirms zero phones currently registered against any device pool +that inherits it → confirmed safe to delete."* + ## Why this exists CUCM's admin UI is great for one-config-at-a-time work but painful for @@ -30,12 +82,10 @@ The server **never registers** AXL write methods. There is no operations, not by runtime sanitization. Defense-in-depth: SQL queries are also client-side validated to begin with `SELECT` or `WITH`. -For operations that require write access (service control, packet capture, -log download, perfmon, etc.), install -[`@calltelemetry/cisco-cucm-mcp`](https://github.com/calltelemetry/cisco-cucm-mcp) -alongside this server. The two are complementary — `mcaxl` answers -"what does the config say?", `cisco-cucm-mcp` answers "what's happening -right now?". +This means the AXL service account `mcaxl` uses can be granted only +the `Standard AXL Read Only API Access` role. Even if it had write +roles attached (and operators sometimes do this for convenience), +`mcaxl` is structurally incapable of using them. ## Install @@ -149,10 +199,10 @@ audit narrative. They appear in Claude Code's slash menu under Set `CISCO_DOCS_INDEX_PATH` to a directory containing `chunks.jsonl` and `index_meta.json` (produced by the -[`mcp-cisco-docs`](https://github.com/...) indexer or any compatible +[`mcdewey`](https://pypi.org/project/mcdewey/) indexer or any compatible embedding pipeline) to have prompts pull relevant Cisco documentation chunks inline. Without this, prompts gracefully degrade to a fallback -notice instructing the LLM to use the sibling cisco-docs server's +notice instructing the LLM to use the sibling docs server's `search_docs` tool. ## Cache