Optional product starters
centralmcp keeps optional products disabled by default so normal MCP sessions stay low-token. Enable only the starters you want for the current setup.
python3 scripts/setup_wizard.py --products clearpass,mist
Use every starter only when you intentionally want the broader catalog:
python3 scripts/setup_wizard.py --with-products
Product matrix
| Product | Enables | Required settings | Safety surface |
|---|---|---|---|
| ClearPass | status, guarded GET/write, typed endpoint/auth/NAD/guest reads and lab writes | CLEARPASS_BASE_URL, CLEARPASS_API_TOKEN |
Read/write starter; writes dry-run by default |
| Juniper Mist | status, guarded GET/write, typed site/client/WLAN/alarm reads and lab writes | MIST_HOST, MIST_API_TOKEN |
Read/write starter; writes dry-run by default |
| Apstra | status, guarded GET/write, blueprint, template, anomaly, rack, routing-zone, virtual-network, remote-gateway, connectivity-template, application-endpoint, diff-status, protocol-session, and system-info reads | APSTRA_BASE_URL, APSTRA_API_TOKEN |
Read/write starter; writes dry-run by default |
| ArubaOS 8 | status, guarded GET/write, show-command, controller/version/license, AP inventory/active/client lookup/detail/history/radio/BSS, hierarchy/cluster/RF-neighbor/AP-port/IPsec reads, alarms/audit/events, system-log/ARM/monitor diagnostics, WLAN/AP-group/virtual-AP/user-role reads, and typed lab writes for SSID profiles, virtual APs, AP groups, user roles, VLANs, and write-memory | AOS8_BASE_URL, AOS8_API_TOKEN |
Read/write starter; writes dry-run by default |
| EdgeConnect | status, guarded GET/write, appliance inventory/system/alarm/interface/disk/reachability/maintenance/network-role-site/overlay/topology/tunnel, route-map/route-label, firewall-zone/zone-based firewall, interface-label, ACL IP/service object-group, overlay internet-service, bypass-mode, link-integrity diagnostics, tunnel-metadata, VRF-segment reads, and save-changes lab write | EDGECONNECT_BASE_URL, EDGECONNECT_API_TOKEN, optional EDGECONNECT_AUTH_HEADER |
Read/write starter; writes dry-run by default |
| HPE Aruba UXI | status, guarded GET, sensor/agent/group/network/service-test inventories, sensor status, and group-assignment reads | UXI_CLIENT_ID, UXI_CLIENT_SECRET, optional UXI_BASE_URL, optional UXI_TOKEN_URL |
Read-only starter |
The generic GET tools reject absolute URLs and stay bounded to the configured
product host. List-like responses are paged with limit and offset when
possible so broad API calls do not flood the MCP context.
Write-capable optional product tools are intended for lab and controlled
operations. They are annotated as write/destructive, default to dry_run=True,
and require dry_run=False plus confirm=True before sending API changes.
Optional product access now defaults to read-only, which hides optional write
tools from router discovery and blocks direct write-tool execution. Set
CENTRALMCP_PRODUCT_ACCESS=read-write or run the setup wizard with
--product-access read-write only for trusted lab workflows where confirmed
writes are expected. Unrecognized manual access-mode values fail closed as
read-only.
For ArubaOS 8 typed configuration-object writes, the manage tools return
requires_write_memory_for with each affected config_path. Run
aos8_write_memory for those hierarchy nodes only after reviewing the pending
changes and confirming the staged config should be persisted.
Product base URLs must use HTTPS and public hostnames by default. For local lab
testing against localhost or private IPs, set
CENTRALMCP_ALLOW_LOCAL_PRODUCT_URLS=1 only in that trusted lab environment.
What the wizard writes
When you select products, the setup wizard:
flowchart TD
start["scripts/setup_wizard.py"]
choose{"Choose optional products"}
subset["--products clearpass,mist"]
all["--with-products"]
access{"Product access mode"}
ro["read-only default<br/>write tools hidden and blocked"]
rw["read-write lab mode<br/>writes visible<br/>dry_run=False + confirm=True required"]
env[".env<br/>CENTRALMCP_PRODUCTS<br/>CENTRALMCP_PRODUCT_ACCESS<br/>product URLs/tokens"]
config["Local MCP configs<br/>.mcp.json / .mcp.http.json<br/>product selector only, no tokens"]
catalog["Router catalog<br/>scripts/ingest_tools.py"]
doctor["Local doctor<br/>scripts/doctor.py"]
start --> choose
choose --> subset
choose --> all
subset --> access
all --> access
access -->|"default"| ro
access -->|"--product-access read-write"| rw
rw --> env
ro --> env
env --> config
env --> catalog
config --> catalog
catalog --> doctor
- Adds or merges
CENTRALMCP_PRODUCTS,CENTRALMCP_PRODUCT_ACCESS, and product URL/token settings into local.env; existing non-placeholder token values are preserved unless you pass--force. - Adds only
CENTRALMCP_PRODUCTSandCENTRALMCP_PRODUCT_ACCESSto local MCP config files, leaving product tokens in.env. - Builds the router tool catalog with the selected product starters (or every
starter with
--with-products) and access mode; product tokens are not passed to the catalog-build subprocess. - Lets
scripts/doctor.pyconfirm required product variables are present.
Real .env, .mcp.json, and .vscode/mcp.json files are git-ignored.
Manual setup
The wizard defaults optional products to read-only and records the access mode
in local .env / MCP config files. Use explicit read/write lab mode when you
want write tools visible and still guarded by dry_run=False plus
confirm=True:
python3 scripts/setup_wizard.py --products clearpass,mist --product-access read-write
Omit --product-access read-write if you want generated local configs to keep
the safer read-only operating posture.
For manual shell setup:
export CENTRALMCP_PRODUCTS=clearpass,mist
export CENTRALMCP_PRODUCT_ACCESS=read-only
export CLEARPASS_BASE_URL=https://clearpass.example.com
export CLEARPASS_API_TOKEN=...
export MIST_HOST=https://api.mist.com
export MIST_API_TOKEN=...
uv run python scripts/ingest_tools.py --products clearpass,mist
Set CENTRALMCP_PRODUCT_ACCESS=read-write in the same shell only when you want
lab write tools indexed and visible.
For streamable HTTP, scripts/run_http_router.sh safely loads expected local
.env assignments before starting the router, including the product selector,
access mode, supported product URL/token variables, and UXI OAuth settings:
MCP_PORT=8010 bash scripts/run_http_router.sh
When to add product-specific tools
The starters are intentionally small. Add product-specific tools when a workflow is common enough to deserve a typed, named function instead of a generic GET call, for example:
| Workflow type | Better as a typed tool? |
|---|---|
| “Show ClearPass endpoint status for this MAC” | Yes |
| “List Mist sites with client counts” | Yes |
| “Fetch this one documented endpoint while exploring” | Generic GET is fine |
| “Perform a write/remediation action” | Yes, with explicit destructive annotations and confirmation |
See Typed product workflow roadmap for implemented ClearPass, Mist, Apstra, ArubaOS 8, EdgeConnect, and UXI workflows plus candidates.