- Create nexus-mcp/ with 6-shard plugin model (identity, workday, audit, itsm, assets, logistics) - Migrate 31 tools from legacy Identity + Workday servers into unified orchestrator - Add feature flag control (ENABLE_*) for atomic shard deployment per Gemini design - Implement SOC 2 audit logging with automatic PII redaction (CC7.2 / CC6.1) - Create stub shards for ITSM, Assets, Logistics (Red status awaiting credentials) - Add comprehensive mock data library with drift scenarios for credential-free testing - Update README.md: reposition from Workday-MCP to Nexus-MCP as primary server - Document installation, configuration, and shard toggling in Local-Setup.md Architecture: Orchestrator (main.py) + Shards (src/shards/*.py) + Adapters (lib/) enables piece-at-a-time deployment. Mock mode (USE_MOCK=true) supports full 53-tool testing without credentials. Smoke test verified: 33 tools registered successfully. BREAKING CHANGE: Legacy Identity/ and Workday/ servers deprecated. Users must update Claude Desktop config to point to nexus-mcp/src/main.py. Legacy folders preserved for reference pending verification. Refs: WIS-006, WIS-009, WIS-014-018, Gemini conversation 2026-04-06
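# Nexus-MCP environment template (dotenv format: KEY=value, full-line # comments).
# Every credential below is a placeholder; put real values only in a local,
# untracked copy of this file.
# Comments stay on their own lines: some loaders (shell `source`, simpler dotenv
# parsers) keep trailing text as part of the value, so `KEY=true # note` can
# silently become the string "true # note".

# ─── Mock Mode ────────────────────────────────────────────────────────────────
# Set USE_MOCK=true to run all 53 tools on synthetic data — no credentials needed.
# Every tool checks this flag first; real API clients are never instantiated.
# Drift scenarios pre-seeded in lib/mock_data.py for realistic audit testing.
USE_MOCK=false

# ─── SOC 2 Audit Logging (CC7.2 / CC6.1) ─────────────────────────────────────
# Every tool call is written as a JSONL record to AUDIT_LOG_FILE.
# Records include: event_id, timestamp, tool, shard, action_category,
# sanitised args (passwords/tokens auto-redacted), mock_mode flag,
# status (success|error), latency_ms, and error details.
#
# AUDIT_LOG_FILE — path to the append-only JSONL audit trail
# AUDIT_LOG_STDERR — also emit each record to stderr (for SIEM / syslog forwarding)
# AUDIT_LOGGING_ENABLED — set false only to disable in dev; must be true in prod
AUDIT_LOG_FILE=./logs/nexus_audit.jsonl
AUDIT_LOG_STDERR=true
AUDIT_LOGGING_ENABLED=true

# ─── Feature Flags ────────────────────────────────────────────────────────────
# Set to "true" to enable each shard at startup.
# Set to "false" (or omit) to leave a shard in "holding pattern" mode.
# ITSM, Assets and Logistics are stub shards pending credentials (see commit notes).
# AD + Entra ID tools
ENABLE_IDENTITY=true
# Workday HCM tools
ENABLE_WORKDAY=true
# BMC Helix ITSM tools
ENABLE_ITSM=true
# Lansweeper + Intune tools
ENABLE_ASSETS=true
# FedEx tools
ENABLE_LOGISTICS=true
# Cross-system drift & reporting tools
ENABLE_AUDIT=true

# ─── Active Directory / LDAP ─────────────────────────────────────────────────
# Unless the client negotiates StartTLS, ldap:// on 389 with AD_USE_SSL=false
# sends the bind password in cleartext; outside an isolated dev setup use
# ldaps:// on 636 with AD_USE_SSL=true.
AD_SERVER=ldap://your-dc.company.com
AD_PORT=389
AD_BASE_DN=DC=company,DC=com
# Quoted because the DN contains a space and embedded "=" characters.
AD_USER="CN=svc_account,OU=Service Accounts,DC=company,DC=com"
AD_PASSWORD=your_service_account_password
AD_USE_SSL=false

# ─── Microsoft Entra ID (Azure AD) ───────────────────────────────────────────
ENTRA_TENANT_ID=your_tenant_id
ENTRA_CLIENT_ID=your_client_id
ENTRA_CLIENT_SECRET=your_client_secret

# ─── Microsoft Intune (same app registration as Entra) ───────────────────────
# Uses ENTRA_* vars above by default. Override below if separate app needed.
# INTUNE_TENANT_ID=
# INTUNE_CLIENT_ID=
# INTUNE_CLIENT_SECRET=

# ─── Workday ─────────────────────────────────────────────────────────────────
WORKDAY_BASE_URL=https://wd2-impl-services1.workday.com/ccx/api/v1
WORKDAY_TENANT=your_tenant
WORKDAY_CLIENT_ID=your_client_id
WORKDAY_CLIENT_SECRET=your_client_secret
WORKDAY_REFRESH_TOKEN=your_refresh_token

# ─── BMC Helix (ITSM) ────────────────────────────────────────────────────────
HELIX_BASE_URL=https://your-company.helix.bmc.com
HELIX_USERNAME=your_username
HELIX_PASSWORD=your_password

# ─── Lansweeper ───────────────────────────────────────────────────────────────
LANSWEEPER_API_URL=https://api.lansweeper.com/api/v2/graphql
LANSWEEPER_APPLICATION_ID=your_application_id
LANSWEEPER_APPLICATION_SECRET=your_application_secret
LANSWEEPER_SITE_ID=your_site_id

# ─── FedEx ───────────────────────────────────────────────────────────────────
FEDEX_API_URL=https://apis.fedex.com
FEDEX_API_KEY=your_api_key
FEDEX_API_SECRET=your_api_secret
FEDEX_ACCOUNT_NUMBER=your_account_number

# ─── Reporting ────────────────────────────────────────────────────────────────
REPORT_OUTPUT_DIR=./reports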