v0.2.0: users, realms, status, syslog tools#1
Conversation
…t_current_user Remove tool families that are either security liabilities or low-value for an LLM-driven workflow: - users-sessions.ts (both tools): disconnect_user_session uses HTTP GET to mutate state, easy for an LLM to fire by accident and log real users out. get_user_sessions had marginal debug value on its own. - update_password / update_current_password: plaintext password flows through the LLM context (transcripts, provider logs, cache). Email-only reset flow (request_password_reset, request_current_password_reset) stays. - reset_user_secret: regenerating a service user's OAuth secret can lock out integrations and, worst case, the MCP server's own auth. - get_current_user: returns the service-user identity that the server already runs as; marginal value to downstream prompts. Net: 24 -> 17 user tools. PUT-replace semantics on update_user and the update_*_roles tools kept as-is (description warnings already present).
Drop the users-sessions import and registerUserSessionTools() call, and remove the trimmed tool names from the LLM-facing instructions block.
README capability table: tool count 49 -> 43; rows for get_current_user, update_password, update_current_password, reset_user_secret, get_user_sessions, disconnect_user_session removed. CLAUDE.md: add project guidance file; scope-boundaries paragraph documents that sessions and direct-credential mutation are deferred (footgun + LLM-context credential leakage); conventions paragraph lists the active users-* split sub-files.
There was a problem hiding this comment.
Pull request overview
This PR bumps the MCP server to v0.2.0 and expands the tool/resource surface from asset/attribute management to include Keycloak-backed user management, realm CRUD, system status, and syslog operations—aligning the implementation with the scope described in issue #2.
Changes:
- Added new tool modules for users (CRUD, roles, self-service, password reset), realms, status, and syslog, and registered them in
src/server.ts. - Added status resources (
openremote://status/health,openremote://status/info) plus Vitest coverage for the new tools/resources. - Updated docs and versioning (
README.md,CLAUDE.md,package.json, server version string).
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/tools/users-self.test.ts | Adds coverage for self-service user profile + locale update tools. |
| tests/tools/users-roles.test.ts | Adds coverage for role catalog + user role assignment tools. |
| tests/tools/users-passwords.test.ts | Adds coverage for password reset email flow tools, including error path. |
| tests/tools/users-crud.test.ts | Adds coverage for user CRUD/query tools, including error path. |
| tests/tools/syslog.test.ts | Adds coverage for syslog event query/clear + config read/replace tools. |
| tests/tools/status.test.ts | Adds coverage for system health/info tools. |
| tests/tools/realms.test.ts | Adds coverage for realm CRUD/list tools. |
| tests/resources/status.test.ts | Adds coverage for new status MCP resources. |
| src/tools/users-self.ts | Implements current-user profile/locale tools. |
| src/tools/users-roles.ts | Implements role catalog and user role assignment tools. |
| src/tools/users-passwords.ts | Implements password reset email flow tools. |
| src/tools/users-crud.ts | Implements user query + CRUD tools. |
| src/tools/syslog.ts | Implements syslog query/clear and config read/replace tools. |
| src/tools/status.ts | Implements health and system info tools. |
| src/tools/realms.ts | Implements realm CRUD and realm listing tools. |
| src/server.ts | Registers the new tools/resources, updates version and instructions text. |
| src/resources/status.ts | Adds openremote://status/health and openremote://status/info resources. |
| README.md | Updates published tool/resource list and adds roadmap section. |
| package.json | Bumps package version to 0.2.0. |
| CLAUDE.md | Adds repo guidance, conventions, and scope boundaries for v0.2.0+. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| inputSchema: { | ||
| level: syslogLevelSchema.optional().describe("Minimum level filter"), | ||
| per_page: z.number().int().min(1).max(1000).optional(), | ||
| page: z.number().int().min(0).optional(), | ||
| from: z.number().int().optional().describe("Lower bound timestamp (epoch ms)"), | ||
| to: z.number().int().optional().describe("Upper bound timestamp (epoch ms)"), | ||
| category: z.array(syslogCategorySchema).optional(), | ||
| subCategory: z.array(z.string()).optional(), |
There was a problem hiding this comment.
Correction to my earlier reply: keeping per_page as-is. The backend SyslogResource.getEvents query param is literally per_page (snake_case), and we intentionally mirror the OpenRemote wire shape for this tool rather than introducing a camelCase rename plus an internal mapping layer. Not changing this.
| "get_health_status", | ||
| { | ||
| description: | ||
| "Get the OpenRemote system health status (database, gateway, etc.). Requires `read:admin`. Returns a map keyed by component.", |
There was a problem hiding this comment.
Not changing this one. getHealthStatus() is typed RestResponse<{ [index: string]: any }> (a flat indexed map), and OpenRemote's /health endpoint returns a map keyed by each HealthStatusProvider name. There is no top-level status field or nested components map — that is the Spring Boot Actuator shape, which OpenRemote does not use. The current wording "Returns a map keyed by component" matches the actual payload. Happy to revisit if you have a live-deployment response showing a different shape.
| - get_client_roles / update_client_roles / update_realm_roles / get_user_realm_roles / update_user_realm_roles / get_user_client_roles / update_user_client_roles / get_current_user_realm_roles / get_current_user_client_roles | ||
| - update_current_user / update_current_user_locale | ||
|
|
||
| Tools — realms (admin): |
There was a problem hiding this comment.
Renamed the heading to "Tools — realms". list_accessible_realms is the non-admin variant, so the (admin) qualifier was misleading (server.ts:45).
list_accessible_realms is the non-admin variant, so the "(admin)" qualifier on the realms instructions heading was inaccurate.
Summary
Extends the MCP server beyond the v0.1.0 asset/attribute surface:
query_users,get_user,create_user,update_user,delete_user), role management, self-service profile/locale, and the password-reset email flow.list_realms,list_accessible_realms,get_realm,create_realm,update_realm,delete_realm).get_health_status,get_system_info+ matching resources.Tool surface: 13 → 43 tools, 4 → 6 resources. Additive only — no v0.1.x breaking changes.
fixes #2