Add UI for agent and MCP server management with deployment visualization (#63)

* Initial plan

* Update dashboard UI with agent deployments and MCP server management

Co-authored-by: phrocker <[email protected]>

* Add enhanced Launch Agent modal with MCP server support and enable/disable toggles

Co-authored-by: phrocker <[email protected]>

* Remove TODOs, add MCP proxy controller, and implement GitHub token listing

- Created MCPProxyController to proxy MCP API calls from frontend to integration-proxy service
- Added /api/v1/integrations/github/list endpoint to list GitHub integration tokens
- Removed all TODO comments and implemented proper functionality
- Updated enclave-data.js to remove TODOs with appropriate messages
- Updated add_agent.html to load GitHub tokens from API endpoint
- All MCP endpoints now properly route through integration-proxy service

Co-authored-by: phrocker <[email protected]>

* Fix Authorization header and CSRF token issues

- Removed required Authorization header from MCPProxyController methods
- Extract JWT token from Spring Security context instead of requiring it from client
- Added CSRF token to all MCP POST/DELETE requests in JavaScript
- JavaScript now sends X-CSRF-TOKEN header instead of Authorization header
- Fixes 302 redirect and missing Authorization header errors

Co-authored-by: phrocker <[email protected]>

* Use service principal authentication for MCP proxy calls

- MCPProxyController now uses KeycloakService.getKeycloakToken() for service-to-service auth
- Removed user token forwarding approach that caused 401 errors
- Uses API's service principal JWT token instead of user's token
- Follows the same pattern as AgentClientService for authenticated calls to other services
- All MCP operations (launch, status, delete, list) now authenticate correctly

Co-authored-by: phrocker <[email protected]>

* Add Kubernetes RBAC for integration-proxy pod creation

- Created ServiceAccount for integration-proxy
- Created Role with pod and service creation permissions
- Created RoleBinding to bind role to service account
- Updated integration-proxy deployment to use the service account
- Fixes 403 Forbidden error when creating MCP server pods
- Matches RBAC setup pattern used by agent-launcher service

Co-authored-by: phrocker <[email protected]>

* fixup

* Fix GitHub integration link in Launch Agent modal

- Changed link from /sso/v1/integrations/github/add to /sso/v1/integrations/github
- Fixes NoResourceFoundException when clicking "Add New GitHub Token" button
- Links to existing GitHub integration page in IntegrationController

Co-authored-by: phrocker <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: phrocker <[email protected]>
Co-authored-by: Marc Parisi <[email protected]>

Author: Copilot

api/src/main/java/io/sentrius/sso/controllers/api/IntegrationApiController.java

@@ -21,6 +21,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -137,4 +138,17 @@ public ResponseEntity<String> deleteIntegration(HttpServletRequest request,
         return ResponseEntity.ok("OK");
     }
 
+    @GetMapping("/github/list")
+    @Endpoint(description = "List all GitHub integration tokens")
+    public ResponseEntity<?> listGitHubIntegrations(HttpServletRequest request,
+                                                    HttpServletResponse response) {
+        try {
+            var tokens = integrationService.findByConnectionType("github");
+            return ResponseEntity.ok(tokens);
+        } catch (Exception e) {
+            log.error("Error listing GitHub integrations", e);
+            return ResponseEntity.status(500).body(Map.of("error", "Failed to list GitHub integrations"));
+        }
+    }
+
 }

api/src/main/java/io/sentrius/sso/controllers/api/MCPProxyController.java

@@ -0,0 +1,228 @@
+package io.sentrius.sso.controllers.api;
+
+import io.sentrius.sso.core.annotations.LimitAccess;
+import io.sentrius.sso.core.exceptions.ZtatException;
+import io.sentrius.sso.core.model.security.enums.ApplicationAccessEnum;
+import io.sentrius.sso.core.services.security.KeycloakService;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.*;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.RestTemplate;
+
+import java.net.URI;
+import java.util.Map;
+
+/**
+ * Proxy controller to forward MCP-related API calls from the frontend 
+ * to the integration-proxy service using service principal authentication
+ */
+@RestController
+@RequestMapping("/api/v1")
+@Slf4j
+public class MCPProxyController {
+
+    @Value("${integration.proxy.url:http://sentrius-integrationproxy:8080}")
+    private String integrationProxyUrl;
+
+    private final KeycloakService keycloakService;
+    private final RestTemplate restTemplate = new RestTemplate();
+
+    public MCPProxyController(KeycloakService keycloakService) {
+        this.keycloakService = keycloakService;
+    }
+
+    /**
+     * Proxy GitHub MCP launch requests to integration-proxy
+     */
+    @PostMapping("/github/mcp/launch")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> launchGitHubMCP(
+        @RequestParam String tokenId,
+        HttpServletRequest request,
+        HttpServletResponse response
+    ) {
+        try {
+            String url = integrationProxyUrl + "/api/v1/github/mcp/launch?tokenId=" + tokenId;
+            return forwardRequest(url, HttpMethod.POST, null);
+        } catch (Exception e) {
+            log.error("Error launching GitHub MCP server", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to launch GitHub MCP server: " + e.getMessage()));
+        }
+    }
+
+    /**
+     * Proxy GitHub MCP status requests to integration-proxy
+     */
+    @GetMapping("/github/mcp/status")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> getGitHubMCPStatus(
+        @RequestParam String tokenId,
+        HttpServletRequest request,
+        HttpServletResponse response
+    ) {
+        try {
+            String url = integrationProxyUrl + "/api/v1/github/mcp/status?tokenId=" + tokenId;
+            return forwardRequest(url, HttpMethod.GET, null);
+        } catch (Exception e) {
+            log.error("Error getting GitHub MCP server status", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to get GitHub MCP server status: " + e.getMessage()));
+        }
+    }
+
+    /**
+     * Proxy GitHub MCP delete requests to integration-proxy
+     */
+    @DeleteMapping("/github/mcp/delete")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> deleteGitHubMCP(
+        @RequestParam String tokenId,
+        HttpServletRequest request,
+        HttpServletResponse response
+    ) {
+        try {
+            String url = integrationProxyUrl + "/api/v1/github/mcp/delete?tokenId=" + tokenId;
+            return forwardRequest(url, HttpMethod.DELETE, null);
+        } catch (Exception e) {
+            log.error("Error deleting GitHub MCP server", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to delete GitHub MCP server: " + e.getMessage()));
+        }
+    }
+
+    /**
+     * Proxy GitHub MCP list requests to integration-proxy
+     */
+    @GetMapping("/github/mcp/list")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> listGitHubMCP(
+        HttpServletRequest request,
+        HttpServletResponse response
+    ) {
+        try {
+            String url = integrationProxyUrl + "/api/v1/github/mcp/list";
+            return forwardRequest(url, HttpMethod.GET, null);
+        } catch (Exception e) {
+            log.error("Error listing GitHub MCP servers", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to list GitHub MCP servers: " + e.getMessage()));
+        }
+    }
+
+    /**
+     * Proxy Coding MCP launch requests to integration-proxy
+     */
+    @PostMapping("/coding/mcp/launch")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> launchCodingMCP(
+        @RequestParam(required = false, defaultValue = "default") String instanceId,
+        @RequestParam(required = false) String githubTokenId,
+        HttpServletRequest request,
+        HttpServletResponse response
+    ) {
+        try {
+            StringBuilder url = new StringBuilder(integrationProxyUrl + "/api/v1/coding/mcp/launch?instanceId=" + instanceId);
+            if (githubTokenId != null && !githubTokenId.isEmpty()) {
+                url.append("&githubTokenId=").append(githubTokenId);
+            }
+            return forwardRequest(url.toString(), HttpMethod.POST, null);
+        } catch (Exception e) {
+            log.error("Error launching Coding MCP server", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to launch Coding MCP server: " + e.getMessage()));
+        }
+    }
+
+    /**
+     * Proxy Coding MCP status requests to integration-proxy
+     */
+    @GetMapping("/coding/mcp/status")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> getCodingMCPStatus(
+        @RequestParam(required = false, defaultValue = "default") String instanceId,
+        HttpServletRequest request,
+        HttpServletResponse response
+    ) {
+        try {
+            String url = integrationProxyUrl + "/api/v1/coding/mcp/status?instanceId=" + instanceId;
+            return forwardRequest(url, HttpMethod.GET, null);
+        } catch (Exception e) {
+            log.error("Error getting Coding MCP server status", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to get Coding MCP server status: " + e.getMessage()));
+        }
+    }
+
+    /**
+     * Proxy Coding MCP delete requests to integration-proxy
+     */
+    @DeleteMapping("/coding/mcp/delete")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> deleteCodingMCP(
+        @RequestParam(required = false, defaultValue = "default") String instanceId,
+        HttpServletRequest request,
+        HttpServletResponse response
+    ) {
+        try {
+            String url = integrationProxyUrl + "/api/v1/coding/mcp/delete?instanceId=" + instanceId;
+            return forwardRequest(url, HttpMethod.DELETE, null);
+        } catch (Exception e) {
+            log.error("Error deleting Coding MCP server", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to delete Coding MCP server: " + e.getMessage()));
+        }
+    }
+
+    /**
+     * Proxy Coding MCP list requests to integration-proxy
+     */
+    @GetMapping("/coding/mcp/list")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> listCodingMCP(
+        HttpServletRequest request,
+        HttpServletResponse response
+    ) {
+        try {
+            String url = integrationProxyUrl + "/api/v1/coding/mcp/list";
+            return forwardRequest(url, HttpMethod.GET, null);
+        } catch (Exception e) {
+            log.error("Error listing Coding MCP servers", e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to list Coding MCP servers: " + e.getMessage()));
+        }
+    }
+
+    /**
+     * Forward requests to integration-proxy using service principal authentication
+     */
+    private ResponseEntity<?> forwardRequest(String url, HttpMethod method, Object body) {
+        try {
+            // Get service principal JWT token from Keycloak
+            String keycloakJwt = keycloakService.getKeycloakToken();
+            
+            HttpHeaders headers = new HttpHeaders();
+            headers.setContentType(MediaType.APPLICATION_JSON);
+            headers.setBearerAuth(keycloakJwt);
+
+            HttpEntity<?> entity = new HttpEntity<>(body, headers);
+
+            log.info("Forwarding {} request to integration-proxy: {} with service principal auth", method, url);
+            ResponseEntity<String> httpResponse = restTemplate.exchange(url, method, entity, String.class);
+            
+            return ResponseEntity.status(httpResponse.getStatusCode()).body(httpResponse.getBody());
+        } catch (HttpClientErrorException e) {
+            log.error("HTTP error forwarding request to integration-proxy: {} - {}", url, e.getMessage());
+            return ResponseEntity.status(e.getStatusCode())
+                .body(Map.of("error", "Integration proxy error: " + e.getResponseBodyAsString()));
+        } catch (Exception e) {
+            log.error("Error forwarding request to integration-proxy: {}", url, e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to communicate with integration-proxy: " + e.getMessage()));
+        }
+    }
+}

api/src/main/java/io/sentrius/sso/controllers/api/agents/AgentApiController.java

@@ -6,6 +6,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.sql.SQLException;
 import java.time.LocalDateTime;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -857,6 +858,60 @@ public ResponseEntity<AgentContextDTO> createContext(
         return ResponseEntity.ok(dto);
     }
 
+    @GetMapping("/stats")
+    @LimitAccess(applicationAccess = {ApplicationAccessEnum.CAN_LOG_IN})
+    public ResponseEntity<?> getAgentStats(HttpServletRequest request, HttpServletResponse response) throws ZtatException {
+        try {
+            var operatingUser = getOperatingUser(request, response);
+            if (null == operatingUser) {
+                log.warn("No operating user found");
+                return ResponseEntity.status(HttpStatus.SC_UNAUTHORIZED).body("No operating user found");
+            }
+            
+            log.info("Received agent stats request from user: {}", operatingUser.getUsername());
+            var agents = agentService.getAllAgents(true);
+            
+            // Count agents by type and status
+            Map<String, Long> stats = new HashMap<>();
+            long runningCount = 0;
+            long pendingCount = 0;
+            long failedCount = 0;
+            
+            for (AgentDTO agent : agents) {
+                try {
+                    if (agent.getAgentName() != null && !agent.getAgentName().isEmpty()) {
+                        String podStatus = agentClientService.getAgentPodStatus(
+                            appConfig.getSentriusLauncherService(), 
+                            agent.getAgentName()
+                        );
+                        
+                        if (podStatus != null) {
+                            if (podStatus.equalsIgnoreCase("running")) {
+                                runningCount++;
+                            } else if (podStatus.equalsIgnoreCase("pending")) {
+                                pendingCount++;
+                            } else {
+                                failedCount++;
+                            }
+                        }
+                    }
+                } catch (Exception ignored) {
+                    // Skip agents that fail to query
+                }
+            }
+            
+            stats.put("Running", runningCount);
+            stats.put("Pending", pendingCount);
+            stats.put("Stopped", failedCount);
+            
+            return ResponseEntity.ok(stats);
+            
+        } catch (Exception e) {
+            log.error("Error getting agent statistics", e);
+            return ResponseEntity.status(HttpStatus.SC_INTERNAL_SERVER_ERROR)
+                .body(Map.of("error", "Failed to get agent statistics"));
+        }
+    }
 
 
 }