Add MCP support with two read-only tools

Author: kraih

.gitignore

@@ -8,3 +8,4 @@ blib
 pm_to_blib
 MYMETA.*
 Makefile
+.gemini

README.md

@@ -14,6 +14,7 @@
 * Legal risk assessments by lawyers for every pattern match
 * Human reviews with approval/rejection workflow, and optional automatic approvals based on risk
 * Optional support for machine learning models to classify pattern matches
+* MCP support for integration into AI assisted legal review workflows
 * REST API for integration into existing source code management systems
 * [Open Build Service](https://github.com/openSUSE/openSUSE-release-tools) and [Gitea](https://github.com/openSUSE/cavil-gitea) integration
   via bots
@@ -59,7 +60,7 @@ There are currently two example implementations for a companion server applicati
       perl-Mojo-Pg perl-Minion perl-File-Unpack perl-Cpanel-JSON-XS \
       perl-Spooky-Patterns-XS perl-Mojolicious-Plugin-OAuth2 perl-Mojo-JWT \
       perl-BSD-Resource perl-Term-ProgressBar perl-Text-Glob perl-IPC-Run \
-      perl-Try-Tiny git git-lfs
+      perl-Try-Tiny perl-MCP git git-lfs
     $ npm i
     $ npm run build
 

assets/vue/ApiKeys.vue

@@ -22,6 +22,7 @@
             <thead>
               <tr>
                 <th>API Key</th>
+                <th>Type</th>
                 <th>Description</th>
                 <th>Expires</th>
                 <th></th>
@@ -47,6 +48,7 @@
                     <span class="real">{{ key.apiKey }}</span>
                   </span>
                 </td>
+                <td>read-only</td>
                 <td>{{ key.description }}</td>
                 <td>{{ key.expires }}</td>
                 <td class="text-center">
@@ -58,7 +60,7 @@
             </tbody>
             <tbody v-else>
               <tr>
-                <td id="all-done" colspan="4">No API keys found.</td>
+                <td id="all-done" colspan="5">No API keys found.</td>
               </tr>
             </tbody>
           </table>

cpanfile

@@ -18,3 +18,4 @@ requires 'Try::Tiny';
 requires 'YAML::XS';
 requires 'JSON::Validator';
 requires 'Digest::SHA1';
+requires 'MCP', '>= 0.06';

docs/UserAPI.md

@@ -1,8 +1,6 @@
 # Cavil User API
 
-## REST API
-
-### Authentication
+## Authentication
 
 All user API endpoints use bearer tokens you can generate with the "API Keys" menu entry after logging into Cavil.
 These bearer tokens are passed with every request via the `Authorization` header.
@@ -31,6 +29,88 @@ $ curl -H 'Authorization: Bearer generated_api_key_here' https://legaldb.suse.de
 ...
 ```
 
+## MCP API
+
+The [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) is a standard that allows Large Language Models
+(LLMs) to interact with web services. MCP is supported natively by Cavil. An MCP endpoint is available with API key
+authentication under the path `/mcp`.
+
+Many features have access restrictions, and which are available to you will depend on the type of API key being used
+(read-only or read-write), and which roles your user account has assigned. Embargoed package updates may not be
+processed with AI and are always excluded.
+
+Most MCP clients today support Bearer token authentication, so that is what Cavil relies on as well. More
+authentication mechanisms will be added as the technology evolves.
+
+This example configuration in the `mcp.json` format, which is commonly used by MCP clients, shows how to include a
+Cavil API key by setting the Authorization HTTP header:
+
+```
+{
+  "mcpServers": {
+    "cavil": {
+      "url": "https://legaldb.suse.de/mcp",
+      "headers": {
+        "Authorization": "Bearer generated_api_key_here"
+      }
+    }
+  }
+}
+```
+
+### 3rd Party MCP Clients
+
+While most MCP clients will work with Cavil, we recommend the use of models specifically designed for legal
+professionals.
+
+#### gemini-cli
+
+Once you have installed and set up [gemini-cli](https://github.com/google-gemini/gemini-cli), you can use the gemini
+mcp command to add Cavil:
+
+```
+gemini mcp add cavil https://legaldb.suse.de/mcp -H 'Authorization: Bearer generated_api_key_here' -t http
+```
+
+After restarting gemini-cli, it will automatically discover available Cavil tools and make use of them on its own:
+
+```
+╭──────────────────────────────────────────────────────────────────────────────╮
+│  > You are a legal reviewer for SUSE Linux Enterprise. Take a look at legal  │
+│    report 1 and make a recommendation if that package update should be       │
+│    accepted for distribution to customers.                                   │
+╰──────────────────────────────────────────────────────────────────────────────╯
+
+ ╭─────────────────────────────────────────────────────────────────────────────╮
+ │ ✔ cavil_get_report (cavil MCP Server) {"package_id":1}.                     │
+ │                                                                             │
+ │    ...                                                                      │
+ ╰─────────────────────────────────────────────────────────────────────────────╯
+
+✦ Based on my review of the legal report for perl-Mojolicious version 7.25, I
+  recommend acceptance of the package for distribution.
+
+  Justification:
+
+   1. Licenses: The package is primarily licensed under the Artistic License
+      2.0, with other files covered by compatible and acceptable licenses
+      such as Apache-2.0, MIT, and CC-BY-SA-4.0. These are all standard and
+      approved open-source licenses.
+   2. High-Risk Item: The single file flagged with "Risk 9 (Unknown)",
+      Mojolicious-7.25/lib/Mojolicious/Guides/Contributing.pod, is a false
+      positive. The flagged text is a standard part of a contributor's guide,
+      instructing on code review practices, and is not a license.
+   3. No Other Issues: The report does not indicate any other legal
+      encumbrances. The email addresses and URLs are standard for an
+      open-source project and do not present any concerns.
+
+  The package is legally sound and meets the criteria for inclusion in SUSE
+  Linux Enterprise.
+
+```
+
+## REST API
+
 ### Compression
 
 All responses larger than `860` bytes will be automatically `gzip` compressed for user-agents that include an
@@ -76,7 +156,8 @@ Content-Type: application/json
 
 `GET /api/v1/report/<package_id>.<format>`
 
-Get legal report in plain text or JSON format. Note that the exact report format is not static and will change from
+Get legal report in plain text or JSON format. Additionally to `txt` and `json`, the extended report format used for
+MCP is available with the format identifier `mcp`. Note that the exact report format is not static and will change from
 time to time.
 
 **Request:**

lib/Cavil.pm

@@ -1,18 +1,5 @@
-# Copyright (C) 2018-2022 SUSE LLC
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, see <http://www.gnu.org/licenses/>.
-
+# Copyright SUSE LLC
+# SPDX-License-Identifier: GPL-2.0-or-later
 package Cavil;
 use Mojo::Base 'Mojolicious', -signatures;
 
@@ -103,6 +90,9 @@ sub startup ($self) {
 
   $self->plugin('Cavil::Plugin::Linux');
 
+  my $mcp_action = $self->plugin('Cavil::Plugin::MCP');
+  $self->types->type(mcp => 'text/plain;charset=utf-8');
+
   # Compress dynamically generated content
   $self->renderer->compress(1);
 
@@ -207,8 +197,9 @@ sub startup ($self) {
   $public->get('/api/1.0/source')->to('API#source')->name('source_api');
 
   # API with key
+  $api_key->any('/mcp' => $mcp_action)->name('mcp');
   $api_key->get('/api/v1/whoami')->to('API#whoami')->name('whoami_api');
-  $api_key->get('/api/v1/report/<id:num>' => [format => ['json', 'txt']])->to('Report#report');
+  $api_key->get('/api/v1/report/<id:num>' => [format => ['json', 'txt', 'mcp']])->to('Report#report');
 
   # API Keys
   $logged_in->get('/api_keys')->to('APIKeys#list')->name('list_api_keys');

lib/Cavil/Controller/Pagination.pm

@@ -80,16 +80,26 @@ sub open_reviews ($self) {
   $v->optional('offset')->num;
   $v->optional('priority')->num;
   $v->optional('inProgress');
+  $v->optional('notEmbargoed');
   $v->optional('filter');
   return $self->reply->json_validation_error if $v->has_error;
-  my $limit       = $v->param('limit')      // 10;
-  my $offset      = $v->param('offset')     // 0;
-  my $priority    = $v->param('priority')   // 2;
-  my $in_progress = $v->param('inProgress') // 'false';
-  my $search      = $v->param('filter')     // '';
+  my $limit         = $v->param('limit')        // 10;
+  my $offset        = $v->param('offset')       // 0;
+  my $priority      = $v->param('priority')     // 2;
+  my $in_progress   = $v->param('inProgress')   // 'false';
+  my $not_embargoed = $v->param('notEmbargoed') // 'false';
+  my $search        = $v->param('filter')       // '';
 
   my $page = $self->packages->paginate_open_reviews(
-    {limit => $limit, offset => $offset, in_progress => $in_progress, priority => $priority, search => $search});
+    {
+      limit         => $limit,
+      offset        => $offset,
+      in_progress   => $in_progress,
+      not_embargoed => $not_embargoed,
+      priority      => $priority,
+      search        => $search
+    }
+  );
   $self->render(json => $self->_mark_active_packages($page));
 }
 

lib/Cavil/Controller/Report.pm

@@ -1,23 +1,9 @@
-# Copyright (C) 2021 SUSE Linux GmbH
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, see <http://www.gnu.org/licenses/>.
-
+# Copyright SUSE LLC
+# SPDX-License-Identifier: GPL-2.0-or-later
 package Cavil::Controller::Report;
 use Mojo::Base 'Mojolicious::Controller', -signatures;
 
 use Mojo::Asset::File;
-use Mojo::JSON 'from_json';
 use Cavil::Util 'lines_context';
 
 sub report ($self) {
@@ -30,14 +16,13 @@ sub report ($self) {
 
   return $self->render(text => 'not indexed', status => 408) unless $pkg->{indexed};
 
-  return $self->render(text => 'no report', status => 408) unless my $report = $self->reports->cached_dig_report($id);
-
-  $report = from_json($report);
-  $self->_sanitize_report($report);
+  return $self->render(text => 'no report', status => 408)
+    unless my $report = $self->reports->sanitized_dig_report($id);
 
   $self->respond_to(
     json => sub { $self->render(json                      => {report => $report, package => $pkg}) },
     txt  => sub { $self->render('reviewer/report', report => $report, package => $pkg) },
+    mcp  => sub { $self->render(text                      => $self->helpers->mcp_report($id)) },
     html => sub {
       my $min = $self->app->config('min_files_short_report');
       $self->render('reviewer/report', report => $report, package => $pkg, max_number_of_files => $min);
@@ -92,81 +77,4 @@ sub spdx ($self) {
   $self->render(template => 'report/waiting', status => 408);
 }
 
-sub _sanitize_report ($self, $report) {
-
-  # Flags
-  $report->{flags} = $report->{flags} || [];
-
-  # Files
-  my $files    = $report->{files};
-  my $expanded = $report->{expanded};
-  my $lines    = $report->{lines};
-  my $snippets = $report->{missed_snippets};
-
-  my @missed;
-  for my $file (keys %$snippets) {
-    $expanded->{$file} = 1;
-    my ($max_risk, $match, $license, $spdx) = @{$report->{missed_files}{$file}};
-    $license = 'Keyword' unless $license;
-    push(
-      @missed,
-      {
-        id       => $file,
-        name     => $files->{$file},
-        max_risk => $max_risk,
-        license  => $license,
-        spdx     => $spdx,
-        match    => int($match * 1000 + 0.5) / 10.
-      }
-    );
-  }
-  delete $report->{missed_files};
-  delete $report->{missed_snippets};
-  $report->{missed_files} = [sort { $b->{max_risk} cmp $a->{max_risk} || $a->{name} cmp $b->{name} } @missed];
-
-  $report->{files} = [];
-  for my $file (sort { $files->{$a} cmp $files->{$b} } keys %$files) {
-    my $path = $files->{$file};
-    push @{$report->{files}}, my $current = {id => $file, path => $path, expand => $expanded->{$file}};
-
-    if ($lines->{$file}) {
-      $current->{lines} = lines_context($lines->{$file});
-    }
-  }
-
-  # Risks
-  my $chart = $report->{chart} = {};
-  my $risks = $report->{risks};
-  $report->{risks} = {};
-  my $licenses = $report->{licenses};
-  for my $risk (reverse sort keys %$risks) {
-    my $current = $report->{risks}{$risk} = {};
-    $risk = $risks->{$risk};
-
-    for my $lic (sort keys %$risk) {
-      my $current = $current->{$lic} = {};
-      my $license = $licenses->{$lic};
-      my $name    = $current->{name} = $license->{name};
-      $current->{spdx} = $license->{spdx};
-
-      my $matches = $risk->{$lic};
-      my %files   = map { $_ => 1 } map {@$_} values %$matches;
-      $chart->{$name} = keys %files;
-
-      $current->{flags} = $license->{flags};
-
-      my $list = $current->{files} = [];
-      for my $file (sort keys %files) {
-        push @$list, [$file, $files->{$file}];
-      }
-    }
-  }
-
-  # Emails and URLs
-  my $emails = $report->{emails};
-  $report->{emails} = [map { [$_, $emails->{$_}] } sort { $emails->{$b} <=> $emails->{$a} } keys %$emails];
-  my $urls = $report->{urls};
-  $report->{urls} = [map { [$_, $urls->{$_}] } sort { $urls->{$b} <=> $urls->{$a} } keys %$urls];
-}
-
 1;