Error loading MCP servers.
';
}
+ renderToolCatalog("Error loading tools.");
+ }
+}
+
+async function loadToolCatalog() {
+ try {
+ const data = await fetchJSON(scopedPath("/runtime/tools"));
+ toolsCatalogCache = Array.isArray(data.tools) ? data.tools : [];
+ } catch (err) {
+ if (isUnauthorizedError(err)) return;
+ console.error("Failed to load tool catalog:", err);
+ toolsCatalogCache = [];
+ throw err;
}
}
@@ -1575,6 +1593,7 @@ function renderServers() {
const grid = document.getElementById("servers-grid");
if (!grid) return;
renderServerCatalogSummary();
+ renderToolCatalog();
if (serversCache.length === 0) {
grid.innerHTML = 'No MCP servers found.
';
@@ -1657,7 +1676,7 @@ function serverSearchText(server) {
server.ready,
server.endpoint,
metadataSearchText(server.labels),
- ...(inventory.tools || []).map((tool) => `${tool.name || ""} ${tool.requiredTrust || ""} ${tool.sideEffect || ""} ${tool.description || ""} ${tool.drift || ""}`),
+ ...(inventory.tools || []).map((tool) => `${tool.name || ""} ${tool.requiredTrust || ""} ${tool.sideEffect || ""} ${tool.riskLevel || ""} ${tool.description || ""} ${tool.drift || ""}`),
...(inventory.prompts || []).map(inventorySearchText),
...(inventory.resources || []).map(inventorySearchText),
...(inventory.tasks || []).map(inventorySearchText),
@@ -1711,6 +1730,7 @@ function mergeToolInventory(liveItems, declaredItems) {
description: item.description || governance?.description || "",
requiredTrust: governance?.requiredTrust || "",
sideEffect: governance?.sideEffect || "",
+ riskLevel: governance?.riskLevel || computedToolRisk(governance || item),
labels: governance?.labels || item.labels || {},
drift: governance ? "" : "ungoverned",
});
@@ -1780,6 +1800,100 @@ function inventorySearchText(item) {
return `${item?.name || ""} ${item?.uri || ""} ${item?.description || ""} ${item?.drift || ""} ${labels}`;
}
+function renderToolCatalog(errorMessage = "") {
+ const tbody = document.getElementById("tool-catalog-body");
+ if (!tbody) return;
+ const rows = filteredToolCatalogRows();
+ setText("tool-catalog-count", `${formatNumber(rows.length)} tools`);
+ if (errorMessage) {
+ tbody.innerHTML = `
Loading servers...
diff --git a/services/ui/static/styles.css b/services/ui/static/styles.css
index 3f01c206..ede24047 100644
--- a/services/ui/static/styles.css
+++ b/services/ui/static/styles.css
@@ -1487,6 +1487,35 @@ tr:hover td {
overflow: auto;
}
+.tool-catalog {
+ border-top: 1px solid rgba(247, 245, 239, 0.1);
+ display: grid;
+ gap: 10px;
+ margin-top: 14px;
+ padding-top: 14px;
+}
+
+.tool-catalog-head {
+ align-items: center;
+ display: flex;
+ justify-content: space-between;
+}
+
+.tool-catalog-head h3 {
+ font-size: 14px;
+ margin: 0;
+}
+
+.tool-catalog-head span {
+ color: var(--muted);
+ font-size: 12px;
+}
+
+.compact-action {
+ min-height: 28px;
+ padding: 5px 8px;
+}
+
.server-inventory-grid {
align-items: start;
display: grid;
@@ -1616,6 +1645,7 @@ tr:hover td {
}
.inventory-item summary > .trust-chip,
+.inventory-item summary > .risk-chip,
.inventory-item summary > .drift-chip {
grid-column: 2;
}
@@ -1662,6 +1692,29 @@ tr:hover td {
padding: 3px 8px;
}
+.risk-chip {
+ border-radius: 999px;
+ padding: 3px 8px;
+}
+
+.risk-low {
+ background: rgba(80, 200, 120, 0.14);
+ border: 1px solid rgba(80, 200, 120, 0.28);
+ color: #b9f4cf !important;
+}
+
+.risk-medium {
+ background: rgba(242, 184, 75, 0.14);
+ border: 1px solid rgba(242, 184, 75, 0.34);
+ color: #ffd990 !important;
+}
+
+.risk-high {
+ background: rgba(255, 111, 97, 0.14);
+ border: 1px solid rgba(255, 111, 97, 0.3);
+ color: #ffc1ba !important;
+}
+
.drift-chip {
align-items: center;
border-radius: 999px;
diff --git a/test/e2e/kind.sh b/test/e2e/kind.sh
index b1e2a22b..b3c96448 100644
--- a/test/e2e/kind.sh
+++ b/test/e2e/kind.sh
@@ -664,6 +664,9 @@ run_cli_help_sweep() {
"cluster cert status"
"cluster cert apply"
"cluster cert wait"
+ "catalog"
+ "catalog tools"
+ "catalog tool"
"registry"
"registry status"
"registry info"
@@ -680,6 +683,7 @@ run_cli_help_sweep() {
"server delete"
"server logs"
"server status"
+ "server connect-config"
"server policy"
"server policy inspect"
"server build"
@@ -4830,6 +4834,52 @@ print(json.dumps({"email": os.environ["PLATFORM_ADMIN_EMAIL"], "password": os.en
env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime team user list "${DEEP_CLI_TEAM_SLUG}" >/dev/null
env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime server list --namespace mcp-servers >/dev/null
env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime server get "${SERVER_NAME}" --namespace mcp-servers >/dev/null
+ env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime catalog tools \
+ --namespace mcp-servers \
+ --risk low >"${WORKDIR}/catalog-tools.txt"
+ grep -q "${SERVER_NAME}" "${WORKDIR}/catalog-tools.txt"
+ grep -q "aaa-ping" "${WORKDIR}/catalog-tools.txt"
+ env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime catalog tool aaa-ping \
+ --server "${SERVER_NAME}" \
+ --namespace mcp-servers \
+ --output json >"${WORKDIR}/catalog-tool.json"
+ python3 - "${WORKDIR}/catalog-tool.json" <<'PY'
+import json
+import sys
+
+payload = json.load(open(sys.argv[1], encoding="utf-8"))
+matches = [
+ tool for tool in payload.get("tools", [])
+ if tool.get("tool_name") == "aaa-ping"
+]
+if not matches:
+ raise SystemExit("catalog tool output did not include aaa-ping")
+tool = matches[0]
+if tool.get("risk_level") != "low":
+ raise SystemExit(f"expected aaa-ping low risk, got {tool.get('risk_level')!r}")
+config = tool.get("connect_config") or {}
+if not config.get("mcpServers"):
+ raise SystemExit("catalog tool output did not include connect_config.mcpServers")
+PY
+ env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime server connect-config "${SERVER_NAME}" \
+ --namespace mcp-servers \
+ --client claude \
+ --output json >"${WORKDIR}/server-connect-config.json"
+ python3 - "${WORKDIR}/server-connect-config.json" "${SERVER_NAME}" <<'PY'
+import json
+import sys
+
+payload = json.load(open(sys.argv[1], encoding="utf-8"))
+server_name = sys.argv[2]
+servers = payload.get("mcpServers") or {}
+server = servers.get(server_name)
+if not server:
+ raise SystemExit(f"connect config missing {server_name}")
+if server.get("type") != "http":
+ raise SystemExit(f"expected http connect config, got {server.get('type')!r}")
+if not server.get("url"):
+ raise SystemExit("connect config missing url")
+PY
env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime access grant list --namespace mcp-servers >/dev/null
env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime access grant get "${SERVER_NAME}-grant" --namespace mcp-servers >/dev/null
env "${DEEP_PLATFORM_ENV[@]}" ./bin/mcp-runtime access session list --namespace mcp-servers >/dev/null
diff --git a/test/e2e/scenarios_test.sh b/test/e2e/scenarios_test.sh
index edc72cd8..9538dc0f 100644
--- a/test/e2e/scenarios_test.sh
+++ b/test/e2e/scenarios_test.sh
@@ -137,6 +137,8 @@ selector_expect() {
selector_expect "docs-only" "smoke-auth" "docs/internals/tests.md"
selector_expect "ui" "smoke-auth,ui-auth" "services/ui/main.go"
selector_expect "api" "smoke-auth,api-platform" "services/api/internal/runtimeapi/auth.go"
+selector_expect "runtime-tools-api" "smoke-auth,api-platform,cli-platform" "services/api/internal/runtimeapi/tools.go"
+selector_expect "catalog-cli" "smoke-auth,cli-platform" "internal/cli/catalog/catalog.go"
selector_expect "adapter" "smoke-auth,adapter-proxy,governance" "internal/cli/adapter/proxy.go"
selector_expect "gateway" "smoke-auth,governance,trust,oauth,adapter-proxy" "services/mcp-gateway/main.go"
selector_expect "observability" "smoke-auth,governance,trust,oauth,observability" "services/ingest/main.go"
diff --git a/test/e2e/select_pr_scenarios.sh b/test/e2e/select_pr_scenarios.sh
index 033d0996..5ecb9d79 100755
--- a/test/e2e/select_pr_scenarios.sh
+++ b/test/e2e/select_pr_scenarios.sh
@@ -54,7 +54,7 @@ classify_path() {
mark_all
return
;;
- cmd/mcp-runtime/*|internal/cli/root/*)
+ cmd/mcp-runtime/*|internal/cli/root/*|internal/cli/catalog/*)
add_scenario "cli-platform"
return
;;
@@ -84,6 +84,11 @@ classify_path() {
add_scenario "multitenancy"
return
;;
+ services/api/internal/runtimeapi/*tool*)
+ add_scenario "api-platform"
+ add_scenario "cli-platform"
+ return
+ ;;
services/api/internal/runtimeapi/*adapter*|services/api/internal/runtimeapi/*grant*|services/api/internal/runtimeapi/*session*|services/api/internal/runtimeapi/*access*)
add_scenario "api-platform"
add_scenario "governance"
diff --git a/test/golden/cli/cli_golden_test.go b/test/golden/cli/cli_golden_test.go
index b67ec693..e578e738 100644
--- a/test/golden/cli/cli_golden_test.go
+++ b/test/golden/cli/cli_golden_test.go
@@ -37,6 +37,9 @@ func TestCLIHelpGoldens(t *testing.T) {
{name: "auth_login_help", args: []string{"auth", "login", "--help"}, golden: "mcp-runtime_auth_login_help.golden"},
{name: "auth_logout_help", args: []string{"auth", "logout", "--help"}, golden: "mcp-runtime_auth_logout_help.golden"},
{name: "auth_status_help", args: []string{"auth", "status", "--help"}, golden: "mcp-runtime_auth_status_help.golden"},
+ {name: "catalog_help", args: []string{"catalog", "--help"}, golden: "mcp-runtime_catalog_help.golden"},
+ {name: "catalog_tools_help", args: []string{"catalog", "tools", "--help"}, golden: "mcp-runtime_catalog_tools_help.golden"},
+ {name: "catalog_tool_help", args: []string{"catalog", "tool", "--help"}, golden: "mcp-runtime_catalog_tool_help.golden"},
{name: "status_help", args: []string{"status", "--help"}, golden: "mcp-runtime_status_help.golden"},
{name: "sentinel_help", args: []string{"sentinel", "--help"}, golden: "mcp-runtime_sentinel_help.golden"},
{name: "sentinel_logs_help", args: []string{"sentinel", "logs", "--help"}, golden: "mcp-runtime_sentinel_logs_help.golden"},
@@ -47,6 +50,7 @@ func TestCLIHelpGoldens(t *testing.T) {
{name: "server_list_help", args: []string{"server", "list", "--help"}, golden: "mcp-runtime_server_list_help.golden"},
{name: "server_get_help", args: []string{"server", "get", "--help"}, golden: "mcp-runtime_server_get_help.golden"},
{name: "server_create_help", args: []string{"server", "create", "--help"}, golden: "mcp-runtime_server_create_help.golden"},
+ {name: "server_connect_config_help", args: []string{"server", "connect-config", "--help"}, golden: "mcp-runtime_server_connect_config_help.golden"},
{name: "server_generate_help", args: []string{"server", "generate", "--help"}, golden: "mcp-runtime_server_generate_help.golden"},
{name: "server_delete_help", args: []string{"server", "delete", "--help"}, golden: "mcp-runtime_server_delete_help.golden"},
{name: "server_export_help", args: []string{"server", "export", "--help"}, golden: "mcp-runtime_server_export_help.golden"},
diff --git a/test/golden/cli/testdata/mcp-runtime_catalog_help.golden b/test/golden/cli/testdata/mcp-runtime_catalog_help.golden
new file mode 100644
index 00000000..0d6232e6
--- /dev/null
+++ b/test/golden/cli/testdata/mcp-runtime_catalog_help.golden
@@ -0,0 +1,16 @@
+Search MCP tools exposed by servers visible to the logged-in platform user.
+
+Usage:
+ mcp-runtime catalog [command]
+
+Available Commands:
+ tool Show one tool from the catalog
+ tools List tools across visible MCP servers
+
+Flags:
+ -h, --help help for catalog
+
+Global Flags:
+ --debug Enable debug mode with structured error logging
+
+Use "mcp-runtime catalog [command] --help" for more information about a command.
diff --git a/test/golden/cli/testdata/mcp-runtime_catalog_tool_help.golden b/test/golden/cli/testdata/mcp-runtime_catalog_tool_help.golden
new file mode 100644
index 00000000..a5baeafd
--- /dev/null
+++ b/test/golden/cli/testdata/mcp-runtime_catalog_tool_help.golden
@@ -0,0 +1,19 @@
+Show one tool from the catalog
+
+Usage:
+ mcp-runtime catalog tool [name] [flags]
+
+Flags:
+ --drift string Drift filter: declared, ungoverned, missing
+ -h, --help help for tool
+ --namespace string Namespace filter
+ -o, --output string Output format: table, json, yaml (default "table")
+ -q, --query string Search text
+ --risk string Risk filter: low, medium, high
+ --server string Server name filter
+ --side-effect string Side effect filter: read, write, destructive
+ --team string Team ID filter
+ --trust string Required trust filter: low, medium, high
+
+Global Flags:
+ --debug Enable debug mode with structured error logging
diff --git a/test/golden/cli/testdata/mcp-runtime_catalog_tools_help.golden b/test/golden/cli/testdata/mcp-runtime_catalog_tools_help.golden
new file mode 100644
index 00000000..0062e87c
--- /dev/null
+++ b/test/golden/cli/testdata/mcp-runtime_catalog_tools_help.golden
@@ -0,0 +1,19 @@
+List tools across visible MCP servers
+
+Usage:
+ mcp-runtime catalog tools [flags]
+
+Flags:
+ --drift string Drift filter: declared, ungoverned, missing
+ -h, --help help for tools
+ --namespace string Namespace filter
+ -o, --output string Output format: table, json, yaml (default "table")
+ -q, --query string Search text
+ --risk string Risk filter: low, medium, high
+ --server string Server name filter
+ --side-effect string Side effect filter: read, write, destructive
+ --team string Team ID filter
+ --trust string Required trust filter: low, medium, high
+
+Global Flags:
+ --debug Enable debug mode with structured error logging
diff --git a/test/golden/cli/testdata/mcp-runtime_help.golden b/test/golden/cli/testdata/mcp-runtime_help.golden
index b33b4b79..ac6a296d 100644
--- a/test/golden/cli/testdata/mcp-runtime_help.golden
+++ b/test/golden/cli/testdata/mcp-runtime_help.golden
@@ -12,6 +12,7 @@ Available Commands:
adapter Run agent-side adapters that inject issued MCP governance headers
auth Log in to the platform API and manage saved credentials
bootstrap Bootstrap cluster prerequisites (on-prem focused)
+ catalog Search MCP Runtime catalogs
cluster Manage Kubernetes cluster
completion Generate the autocompletion script for the specified shell
help Help about any command
diff --git a/test/golden/cli/testdata/mcp-runtime_server_connect_config_help.golden b/test/golden/cli/testdata/mcp-runtime_server_connect_config_help.golden
new file mode 100644
index 00000000..80c59e18
--- /dev/null
+++ b/test/golden/cli/testdata/mcp-runtime_server_connect_config_help.golden
@@ -0,0 +1,14 @@
+Print client connection config for an MCP server
+
+Usage:
+ mcp-runtime server connect-config [name] [flags]
+
+Flags:
+ --client string Client config: claude, cursor, vscode, or json (default "json")
+ -h, --help help for connect-config
+ --namespace string Namespace (default "mcp-servers")
+ -o, --output string Output format: text, json, or yaml (default "text")
+
+Global Flags:
+ --debug Enable debug mode with structured error logging
+ --use-kube Use direct Kubernetes mode with kubectl; requires admin/operator cluster access (admin/dev/test only)
diff --git a/test/golden/cli/testdata/mcp-runtime_server_help.golden b/test/golden/cli/testdata/mcp-runtime_server_help.golden
index 6bfd5082..945b9d7c 100644
--- a/test/golden/cli/testdata/mcp-runtime_server_help.golden
+++ b/test/golden/cli/testdata/mcp-runtime_server_help.golden
@@ -17,21 +17,22 @@ Usage:
mcp-runtime server [command]
Available Commands:
- apply Apply an MCP server manifest
- build Build MCP server images (push via `registry push`)
- create Create an MCP server
- delete Delete an MCP server
- deploy Deploy an MCP server through the platform API
- export Export an MCP server manifest
- generate Generate MCPServer manifests from .mcp metadata
- get Get MCP server details
- init Initialize .mcp metadata for a server
- list List MCP servers
- logs View server logs
- patch Patch an MCP server manifest
- policy Inspect rendered gateway policy for an MCP server
- status Show MCP server runtime status (pods, images, pull secrets)
- validate Validate .mcp metadata and optional grant/session YAML files
+ apply Apply an MCP server manifest
+ build Build MCP server images (push via `registry push`)
+ connect-config Print client connection config for an MCP server
+ create Create an MCP server
+ delete Delete an MCP server
+ deploy Deploy an MCP server through the platform API
+ export Export an MCP server manifest
+ generate Generate MCPServer manifests from .mcp metadata
+ get Get MCP server details
+ init Initialize .mcp metadata for a server
+ list List MCP servers
+ logs View server logs
+ patch Patch an MCP server manifest
+ policy Inspect rendered gateway policy for an MCP server
+ status Show MCP server runtime status (pods, images, pull secrets)
+ validate Validate .mcp metadata and optional grant/session YAML files
Flags:
-h, --help help for server
diff --git a/test/golden/cli/testdata/mcp-runtime_server_init_help.golden b/test/golden/cli/testdata/mcp-runtime_server_init_help.golden
index ea8e7555..888154f8 100644
--- a/test/golden/cli/testdata/mcp-runtime_server_init_help.golden
+++ b/test/golden/cli/testdata/mcp-runtime_server_init_help.golden
@@ -16,6 +16,7 @@ Flags:
--session-required Require adapter-issued agent sessions (default true)
--tag string Container image tag (default "latest")
--tool stringArray Tool name to add with read side-effect metadata; repeat for multiple tools
+ --tool-risk string Informational risk level for seeded tools: low, medium, or high
--tool-spec stringArray Tool metadata as name:low|medium|high:read|write|destructive; repeat for mixed trust or side effects
Global Flags: