Skip to content

secure-ssid/centralmcp

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

323 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

centralmcp — HPE Networking MCP toolkit

License Python MCP

Low-token Model Context Protocol (MCP) server for HPE Networking automation: Aruba Central, HPE GreenLake Platform, ClearPass, Juniper Mist, Apstra, ArubaOS 8, EdgeConnect, and HPE Aruba UXI.

centralmcp gives MCP-capable AI clients a low-token way to search Aruba/HPE docs, look up exact OpenAPI details, inspect Central health, run troubleshooting workflows, manage configuration, and use guarded GreenLake Platform operations.

It is built around direct REST calls with httpx.

flowchart LR
    client["MCP clients<br/>Cursor, VS Code, Claude, local agents<br/>or any MCP-capable model"]
    router["aruba-tool-router<br/>find_tool<br/>invoke_read_tool<br/>invoke_tool"]
    rag["Embedded RAG<br/>LanceDB docs<br/>SQLite OpenAPI lookup"]
    core["Core Aruba backends<br/>Central monitoring/config/NAC/ops<br/>GreenLake Platform"]
    optional["Optional starters<br/>ClearPass, Mist, Apstra<br/>AOS8, EdgeConnect, UXI"]

    client -->|"stdio or streamable HTTP"| router
    router -->|"search_docs / ask_docs / lookup_api"| rag
    router -->|"async httpx REST"| core
    router -->|"opt-in only"| optional
Loading

Search keywords

HPE Networking MCP server, HPE Aruba Networking MCP server, HPE Aruba Central MCP server, Aruba Central AI tools, HPE GreenLake Platform MCP, GreenLake Platform MCP, GreenLake service catalog MCP, GreenLake reporting status MCP, FastMCP network automation, Model Context Protocol networking, network configuration MCP, Aruba API RAG, Aruba Central OpenAPI lookup, ClearPass MCP, Juniper Mist MCP, Apstra MCP, ArubaOS 8 MCP, AOS8 automation, HPE Aruba EdgeConnect MCP, EdgeConnect SD-WAN MCP, HPE Aruba UXI MCP, UXI sensor status MCP, guarded read/write lab automation, EdgeConnect zones, EdgeConnect interface labels, zone-based firewall MCP, Python httpx network automation, EdgeConnect ACL object groups, EdgeConnect services, EdgeConnect bypass mode, EdgeConnect link integrity diagnostics.

Who this is for

You want to... Use centralmcp to...
Connect an MCP-capable AI client to Aruba Central Run the low-token aruba-tool-router over stdio or streamable HTTP
Ask questions about Aruba/HPE docs and APIs Use embedded LanceDB + SQLite RAG/OpenAPI lookup without Docker
Inspect Central health, devices, clients, alerts, events, or sites Discover tools with find_tool and call read-only tools through invoke_read_tool
Automate migrations or SSID workflows Use the 8-stage migration pipeline and SSID helpers
Experiment with ClearPass, Mist, Apstra, AOS8, EdgeConnect, or UXI Enable optional starter backends only when needed

Quick links

Need Start here
Documentation site centralmcp GitHub Pages
Guided setup scripts/setup_wizard.py
Try without API credentials Try it locally without credentials
Try it quickly Quick start
Check your local setup scripts/doctor.py
Install and connect an MCP client docs/getting-started.md
Copy/paste MCP client setup docs/mcp-client-recipes.md
Enable optional products docs/optional-products.md
See typed product workflow roadmap docs/product-workflows.md
Download prebuilt RAG/OpenAPI indexes docs/release-indexes.md
Fix setup or HTTP issues docs/troubleshooting.md
Try useful prompts docs/example-prompts.md
Understand the low-token router docs/tool-router.md
Run with any MCP-capable AI client/model Streamable HTTP mode
See the architecture diagrams docs/architecture/system-overview.md
Browse the documentation map docs/README.md
Review the RAG design docs/architecture/RAG-ARCHITECTURE.md
Run validation before pushing scripts/validate_release.py
Get support or report issues SUPPORT.md
Contribute safely CONTRIBUTING.md, CODE_OF_CONDUCT.md, and SECURITY.md
Agent/developer conventions CLAUDE.md

What is included

Area Current coverage
MCP tools 213 core tools / 312 read-only optional starters / 346 read-write optional starters indexed
Core servers Central monitoring, configuration, operations, NAC, GLP, and RAG
Router find_tool, invoke_read_tool, invoke_tool, optional convenience wrappers, and MCP prompts
RAG Embedded LanceDB docs index + SQLite OpenAPI lookup; no Docker required
GLP Devices, subscriptions, users, audit logs, workspaces, reporting statuses, service catalog, guarded read-only GLP GET, and feature-gated writes
Optional products ClearPass, Mist, Apstra, AOS8, EdgeConnect, and UXI starter backends
Pipeline 8-stage migration flow plus SSID build/delete helpers

Why the router matters

Point your MCP client at one server: mcp_servers/tool_router.py.

The recommended minimal router profile keeps the MCP tool list small while still giving access to the larger backend catalog:

  1. Use find_tool to discover the right backend tool.
  2. Use invoke_read_tool for read-only calls.
  3. Use invoke_tool only for intentional write/destructive calls.

invoke_tool is deliberately marked destructive because it can dispatch destructive backend tools. This gives MCP clients a safer warning boundary without loading hundreds of direct tools into context.

Try it locally without credentials

You can verify the install, build the router catalog, and start the MCP HTTP server before adding Aruba Central or GreenLake credentials. API-backed tools will need credentials later, but the local setup path is safe to test first.

git clone https://github.com/secure-ssid/centralmcp.git
cd centralmcp
python3 scripts/setup_wizard.py --yes --skip-credentials
uv run python scripts/doctor.py
MCP_PORT=8010 bash scripts/run_http_router.sh

Then connect an MCP-capable AI client to:

http://127.0.0.1:8010/mcp

Quick start

git clone https://github.com/secure-ssid/centralmcp.git
cd centralmcp

python3 scripts/setup_wizard.py

The wizard can run uv sync, write local MCP client configs, pick a Central API gateway region, fill credentials without echoing secrets, enable optional products, build the router catalog, and run the local doctor.

Review:

  • config/credentials.yaml with your Central / GLP OAuth credentials.
  • .env if you enabled ClearPass, Mist, Apstra, AOS8, EdgeConnect, or UXI.
  • .mcp.json if you want to tune the generated stdio MCP client config.
  • .mcp.http.json if your MCP client connects to an already-running streamable HTTP server instead of launching stdio.
  • .claude/launch.json if you use those launch profiles; choose the minimal aruba-tool-router profile for daily use.

Build the lightweight router tool index:

uv run python scripts/ingest_tools.py

For optional product starters too:

uv run python scripts/ingest_tools.py --products all

For full RAG docs/API search, download the prebuilt release index:

uv run python scripts/download_indexes.py

To rebuild locally, populate the git-ignored ingestion/sources/ tree with scraped docs/API source files first, then run:

uv run python ingestion/ingest_docs.py

RAG source targets are tracked in ingestion/source_manifest.json, including DevHub, New Central techdocs, and the Switching Feature Navigator seeds.

Check the local setup without making API calls:

uv run python scripts/doctor.py

The doctor reports missing local stdio/HTTP MCP config copies, index files, RAG source-manifest drift, placeholder stdio paths, low-token router profile drift, HTTP config URL or transport mismatches, optional product env, and HTTP listener status without calling Central or GLP APIs.

See docs/getting-started.md for the full setup path.

Default MCP client profile

The committed client examples are intentionally lean:

CENTRALMCP_ROUTER_MODE=minimal
CENTRALMCP_TOOLSETS=central,glp,rag

Enable optional products only when needed:

CENTRALMCP_PRODUCTS=clearpass,mist,apstra,aos8,edgeconnect,uxi
CENTRALMCP_PRODUCT_ACCESS=read-only

The setup wizard can enable a subset for you, write the matching local .env, and add only the product selector to local stdio MCP configs so tokens stay in one local file:

python3 scripts/setup_wizard.py --products clearpass,mist

The optional product starter tools are lab-friendly. Write-capable products include guarded writes that default to dry_run=True with confirm=True required for execution; UXI starts as compact read-only workflows for sensors, agents, groups, networks, service tests, and assignments. Optional product access defaults to read-only, which hides and blocks optional product write tools. Set CENTRALMCP_PRODUCT_ACCESS=read-write or run the wizard with --product-access read-write only for trusted lab write workflows.

Streamable HTTP mode

The MCP server is model-agnostic: any AI client/model that supports MCP streamable HTTP can connect to the same router endpoint.

Start the low-token HTTP router in the foreground. The helper defaults to port 8010, matching the HTTP client example:

MCP_PORT=8010 bash scripts/run_http_router.sh

Then point your MCP client at:

http://127.0.0.1:8010/mcp

Use .mcp.http.json.example as a generic HTTP client snippet. Plain curl is only useful for checking that the server is listening; real MCP clients use streaming headers such as Accept: text/event-stream. The helper loads local .env assignments first, so optional product settings created by the wizard are available to HTTP mode too. If the port is already in use, the helper exits before starting another router and prints the listener details plus the kill <PID> stop command.

Common environment variables

Variable Purpose Default
CREDS_PATH Credentials YAML path config/credentials.yaml
TOKEN_CACHE_DIR OAuth token cache directory ~/.cache/centralmcp/
CENTRALMCP_ROUTER_MODE Router mode: minimal or default; examples use minimal for low-token clients default
CENTRALMCP_TOOLSETS Loaded backend profiles; examples use central,glp,rag all core Aruba backends
CENTRALMCP_PRODUCTS Optional product backends empty
CENTRALMCP_PRODUCT_ACCESS Optional product write-tool visibility: read-write or read-only read-only
CENTRALMCP_GLP_V2BETA1_WRITES Enable guarded GLP write tools off
CENTRALMCP_NORMALIZE_MACS Normalize outbound MAC strings in router responses off
GLP_TOKEN_URL Override GLP SSO token URL HPE default
GLP_BASE_URL Override GLP API base URL HPE default
MCP_TRANSPORT stdio or streamable-http stdio
MCP_HOST HTTP bind address for streamable HTTP mode 127.0.0.1
MCP_PORT HTTP port for streamable HTTP mode; scripts/run_http_router.sh defaults to 8010 8010

Product starter backends also use product-specific URL/token variables. See docs/getting-started.md.

Project layout

.claude/                 Optional launch profiles and repo agent notes
.cursor/                 Cursor MCP profiles: router default and direct-server dev mode
.vscode/                 VS Code MCP example config
config/                  Credentials template; real credentials stay git-ignored
docker-compose.yml       Optional localhost-only Redis/Ollama server backend for power users

mcp_servers/
  tool_router.py        Low-token MCP entrypoint
  prompts.py            Guided MCP prompt templates
  monitoring.py         Central health, alerts, events, clients, devices
  config.py             SSIDs, VLANs, profiles, webhooks, firmware
  ops.py                Ping, traceroute, show, reboot, PoE, cable test
  nac.py                MAC reg, MPSK, visitors, AAA, auth policies
  glp.py                GreenLake Platform tools
  rag.py                ask_docs, search_docs, lookup_api
  clearpass.py          Optional ClearPass starter backend
  mist.py               Optional Mist starter backend
  apstra.py             Optional Apstra starter backend
  aos8.py               Optional ArubaOS 8 starter backend
  edgeconnect.py        Optional EdgeConnect starter backend
  uxi.py                Optional HPE Aruba UXI starter backend

ingestion/
  ingest_docs.py        Build docs/API indexes into LanceDB + SQLite

pipeline/
  clients/              httpx clients, token manager, LanceDB, SQLite specs
  stages/               8-stage migration pipeline

docs/
  getting-started.md    Setup and MCP connection guide
  tool-router.md        Router modes and low-token usage
  architecture/         System overview and RAG design notes

inputs/                  Example CSV inputs for migration workflows
resources/               Postman/API reference material and resource notes
ingestion/source_manifest.json  RAG source seed URLs and source folders
scripts/                 Tool catalog ingest, local doctor, HTTP router helper, release validation
tests/                   Unit, integration, and RAG eval tests

.mcp.json.example        Generic stdio MCP client example using the minimal router
.mcp.http.json.example   Generic streamable HTTP MCP client example
run_pipeline.py          Migration pipeline CLI
run_ssid.py              SSID helper CLI

RAG and API lookup

The default RAG stack is embedded:

Index File Tool Purpose
Docs data/docs.lance search_docs, ask_docs Hybrid retrieval over Aruba/HPE docs
API specs data/specs.sqlite lookup_api Exact endpoint/schema/enum lookup
Tools data/tools.lance find_tool Semantic router tool discovery

Measured on the bundled eval set:

Metric Result
api_exact 1.00
howto_recall@5 0.90
mrr 0.90

Safety model

  • Credentials stay in config/credentials.yaml or environment variables; do not commit real credentials.
  • Token caches live under ~/.cache/centralmcp/ by default with 0600 permissions.
  • GLP v2beta1 writes fail closed unless CENTRALMCP_GLP_V2BETA1_WRITES=1.
  • Optional product writes fail closed unless CENTRALMCP_PRODUCT_ACCESS=read-write.
  • Destructive Central operations use MCP elicitation/confirmation where supported.
  • The router's invoke_read_tool blocks non-read-only backend tools.
  • The generic router invoke_tool is marked destructive because it can reach write/destructive tools.
  • find_tool omits full JSON schemas by default; request include_schema=true only when needed.
  • Generic GLP and optional product GET tools bound list responses with limit / offset.
  • MCP tool list defaults are capped at 200 items to protect client context windows.
  • Report vulnerabilities and accidental credential exposure through SECURITY.md; do not publish real tokens, tenant IDs, or customer data in issues or PRs.

Validation

Run unit tests:

uv run pytest tests/unit -q

Run the local release gate:

uv run python scripts/validate_release.py

The release helper runs unit tests, optional RAG/API eval when indexes exist, tool catalog floor checks, and local tool-index freshness checks. Unit tests also include static guards for the active MCP/pipeline code, committed low-token MCP config examples, local-only config files, router product/toolset docs, bounded generic read-only GET tools, MCP list default bounds, RAG/search top_k bounds, public tool-count claims, tool-count docstrings, tracked Markdown local links and images, Pages sitemap and robots metadata, documented router example arguments, product workflow tool-name tables, and wizard optional-product env tables.

Related projects

With appreciation to these projects and maintainers for official APIs, MCP patterns, and community references that helped shape centralmcp's low-token, lab-friendly direction:

Disclaimer

This is an independent community project. It is not an official HPE or HPE Aruba Networking product and is not endorsed by or supported by HPE.

License

MIT - see LICENSE.

About

Low-token HPE Aruba Networking MCP server for Aruba Central, GreenLake Platform, RAG/OpenAPI lookup, EdgeConnect SD-WAN, UXI, and optional product lab workflows

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

2 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors