cisco-secure-access-mcp

A community Model Context Protocol (MCP) server for Cisco Secure Access.

It exposes the Secure Access REST API to MCP-compatible AI clients (Cursor, Claude Desktop, VS Code GitHub Copilot, etc.) as a curated catalog of tools grouped by Cisco's own resource categories: Admin, Deployments, Investigate, Policies, and Reports.

Status: v1 in development. See install.md for the build journal and per-phase progress.

---

Why a community DevNet server

This repo is structured to be hosted as a Cisco DevNet community MCP server, following the CiscoDevNet/devnet-template layout. The standard template files (AGENTS.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, LICENSE, README.md, SECURITY.md) are present and conform to that template.

In addition, install.md is a working journal that captures every step taken to build the server, troubleshooting notes, and any tools we add as enhancements. It is intentionally kept in-tree so future contributors can see the reasoning trail.

---

Quick start

# 1. Clone and install (using uv)
git clone https://github.com/sdntechforum/Secure_Access.git
cd Secure_Access
uv sync

# 2. Provide your Cisco Secure Access API credentials via environment variables
#    (Admin > API Keys in the Secure Access dashboard)
export SECURE_ACCESS_API_KEY=...
export SECURE_ACCESS_API_SECRET=...

# 3. Run the server (stdio transport, default)
uv run cisco-secure-access-mcp

For client configuration (Cursor / Claude Desktop / VS Code), Docker usage, the full list of tools, and the list of supported environment variables, see AGENTS.md.

---

Authentication at a glance

• OAuth 2.0 Client Credentials Flow against POST https://api.sse.cisco.com/auth/v2/token.
• Bearer token cached in memory and refreshed shortly before its 1-hour expiry.
• Credentials read from environment variables only — never from CLI flags or committed files.
• Multi-org / MSSP supported via SECURE_ACCESS_ORG_ID (sent as X-Umbrella-OrgId).
• A separate, optional Key Admin credential pair gates the small set of tools that manage other API keys.

See Cisco Secure Access — API Authentication for how to mint API keys.

---

Repo layout

.
├── AGENTS.md              # Install + tool catalog + env vars (read this first if you're an AI agent)
├── CODE_OF_CONDUCT.md     # Cisco DevNet template (unchanged)
├── CONTRIBUTING.md        # Cisco DevNet template (project name filled in)
├── LICENSE                # Apache-2.0 (Cisco DevNet template)
├── README.md              # this file
├── SECURITY.md            # Cisco DevNet template (project name filled in)
├── install.md             # Build journal — phases, troubleshooting, enhancements
├── pyproject.toml         # Package metadata + entry point
├── Dockerfile             # Optional secondary distribution
├── .env.example           # Documented env vars; NEVER real secrets
├── src/cisco_secure_access_mcp/
│   ├── server.py          # FastMCP entrypoint (stdio default)
│   ├── auth.py            # OAuth2 client-credentials + token cache
│   ├── client.py          # httpx-based REST client (TLS-only, retry-aware)
│   ├── config.py          # Env-var loading + validation
│   ├── errors.py          # SDK / HTTP errors → MCP errors
│   ├── logging.py         # Structured JSON logs with secret redaction
│   ├── registry.py        # Discovers and registers tools from each category
│   └── tools/
│       ├── admin/         # admin_*  — Admin Resources
│       ├── deployments/   # deploy_* — Deployments Resources
│       ├── investigate/   # investigate_* — Investigate Resources (v1.1)
│       ├── policies/      # policy_*  — Policies Resources
│       └── reports/       # report_*  — Reports Resources (v1.1)
└── tests/
    ├── unit/              # Offline; mock HTTP and clock
    └── integration/       # Opt-in; requires real DevNet sandbox credentials

---

Security

This repo follows the security rules in .cursor (parameterization, no hardcoded credentials, structured logging with redaction, TLS 1.2+ enforcement, distroless-style container hardening, etc.). To report a vulnerability, see SECURITY.md.

---

License

Apache License 2.0 — see LICENSE.