Merge pull request #2 from cloudera/dev

Release v1.0.0: Initial public release with security enhancements

Author: Khauneesh-AI

.github/workflows/ci.yml

@@ -0,0 +1,67 @@
+name: CI/CD
+
+on:
+  push:
+    branches: [main, dev]
+    tags: ['v*']
+  pull_request:
+    branches: [main, dev]
+
+jobs:
+  test:
+    name: Tests
+    runs-on: ubuntu-latest
+    
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      
+      - name: Install uv
+        run: curl -LsSf https://astral.sh/uv/install.sh | sh
+      
+      - name: Install dependencies
+        run: |
+          export PATH="$HOME/.cargo/bin:$PATH"
+          uv sync
+      
+      - name: Run tests
+        run: |
+          export PATH="$HOME/.cargo/bin:$PATH"
+          uv run pytest tests/test_all_functions.py -v
+      
+      - name: Security check
+        run: |
+          export PATH="$HOME/.cargo/bin:$PATH"
+          uv run pytest tests/test_all_functions.py::test_no_subprocess_vulnerabilities -v
+  
+  # Publish to PyPI on version tags (optional)
+  publish:
+    name: Publish
+    runs-on: ubuntu-latest
+    needs: test
+    if: startsWith(github.ref, 'refs/tags/v')
+    
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+      
+      - name: Install uv
+        run: curl -LsSf https://astral.sh/uv/install.sh | sh
+      
+      - name: Build and publish
+        env:
+          TWINE_USERNAME: __token__
+          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        run: |
+          export PATH="$HOME/.cargo/bin:$PATH"
+          uv build
+          uv pip install twine
+          twine upload dist/* || echo "PyPI publish skipped (no token configured)"

.gitignore

@@ -0,0 +1,35 @@
+
+# Build artifacts
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Environment and secrets
+.env
+secrets/
+
+# IDE
+.DS_Store
+.vscode/
+.idea/
+
+# Test cache
+.pytest_cache/
+.cache/

CHANGELOG.md

@@ -1,56 +1,74 @@
 # Changelog
 
-## Latest Cleanup and Documentation Update
+All notable changes to the CML MCP Server will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Comprehensive test suite (`test_all_functions.py`) with 11 unit tests
+- FastMCP integration tests (`test_cml_mcp_client.py`)
+- Security vulnerability detection tests
+- Comprehensive test documentation in `tests/README.md`
+
+### Changed
+- **SECURITY**: Replaced all `subprocess.run` calls with secure `requests` library (46 files)
+- API keys now transmitted securely in HTTPS headers instead of process arguments
+- Updated all function error handling to use `requests.RequestException`
+- Improved timeout handling (30s timeout on all API calls)
+
+### Fixed
+- **CRITICAL**: API key exposure vulnerability in process list (CVE-pending)
+- Error messages now properly report HTTP status codes
+- JSON parsing errors now provide better debugging information
+
+### Security
+- Eliminated subprocess-based API calls that exposed credentials
+- All HTTP requests now use proper header-based authentication
+- Added comprehensive security testing in CI/CD pipeline
+
+---
+
+## [1.0.0] - 2025-10-22
+
+### Added
+- Initial public release
+- Apache 2.0 license
+- NOTICE.txt with third-party attributions
+- 47+ MCP tools for Cloudera ML operations
+- Support for:
+  - Project management
+  - Job creation and management
+  - Model building and deployment
+  - Experiment tracking
+  - File operations
+  - Application management
+- FastMCP-based HTTP and stdio servers
+- OAuth 2.1 support
+- Comprehensive README documentation
 
 ### Changed
-- **Removed `server.py`**: Eliminated the legacy compatibility file entirely
-- **Updated Claude Desktop config**: Now uses `cml_mcp_server.stdio_server` directly
-- **Removed legacy entry point**: `cml-mcp-server` command no longer exists
-- **Cleaner documentation**: Removed all references to the old server.py approach
-- **Completed `stdio_server.py`**: Added all 47 tool definitions (was only 7)
-- **Fixed imports**: Added try/except for package vs direct execution
-
-### Benefits
-- Cleaner codebase with no legacy code
-- Direct usage of appropriate server files (stdio_server.py or http_server.py)
-- Clear separation of concerns
-- Both server files are now complete and self-contained
-
-## Major Refactoring (Previous Update)
-
-### Code Organization
-- **Split server implementations**: Separated STDIO and HTTP into distinct files
-  - `stdio_server.py` - Clean STDIO-only implementation
-  - `http_server.py` - HTTP server with all endpoints
-- **Fixed HTTP issues**: Working `/mcp-api` endpoint with proper initialization
-- **Simplified imports**: Clear separation of concerns
-
-### Server Improvements
-- Added `initialize` method to `/mcp-api` endpoint (fixes 404 errors)
-- All 47 tools now accessible via HTTP with working implementation
-- HTTP transport clearly marked as "development only" without authentication
-- Debug endpoints: `/test`, `/debug/tools`, `/debug/call` for easy testing
-
-### Entry Points
-- `cml-mcp-stdio` - Runs stdio_server.py
-- `cml-mcp-http` - Runs http_server.py
-
-### Documentation
-- Updated README with new server structure
-- Clear examples for both STDIO and HTTP modes
-- Removed OAuth sections (future feature)
-- Added troubleshooting section
-
-### Key Fixes
-- Fixed "Tool not callable" errors by using direct function mappings
-- Fixed 404 errors by adding proper initialize method
-- Maintained backward compatibility while improving structure
-
-### Usage
-```bash
-# STDIO (recommended)
-uv run -m cml_mcp_server.stdio_server
-
-# HTTP (development)
-uv run -m cml_mcp_server.http_server
-```
+- Migrated from private to public repository
+- Updated all repository URLs to `github.com/cloudera/CML_MCP_Server`
+- Updated license from MIT to Apache 2.0
+- Added legal notices for third-party dependencies
+
+---
+
+## Types of Changes
+
+- `Added` for new features
+- `Changed` for changes in existing functionality
+- `Deprecated` for soon-to-be removed features
+- `Removed` for now removed features
+- `Fixed` for any bug fixes
+- `Security` for vulnerability fixes
+
+---
+
+## Release Links
+
+- [Unreleased](https://github.com/cloudera/CML_MCP_Server/compare/v1.0.0...HEAD)
+- [1.0.0](https://github.com/cloudera/CML_MCP_Server/releases/tag/v1.0.0)

CONTRIBUTING.md

@@ -0,0 +1,161 @@
+# Contributing to CML MCP Server
+
+Thanks for contributing! Keep it simple.
+
+## 🚀 Quick Start
+
+```bash
+# 1. Fork and clone
+git clone https://github.com/YOUR_USERNAME/CML_MCP_Server.git
+cd CML_MCP_Server
+
+# 2. Install
+pip install uv
+uv sync
+
+# 3. Run tests
+uv run pytest tests/ -v
+```
+
+---
+
+## 🔄 Making Changes
+
+### Branching Strategy
+
+We use a simple two-branch strategy:
+- **`main`** - Stable, production-ready (default branch)
+- **`dev`** - Active development
+
+**All contributions go to `dev` first, then released to `main`.**
+
+### 1. Create Branch
+
+```bash
+git checkout dev
+git pull origin dev
+git checkout -b feature/your-feature
+```
+
+### 2. Make Changes
+
+- Write code
+- Add tests
+- Run tests: `uv run pytest tests/ -v`
+
+### 3. Commit
+
+```bash
+git add .
+git commit -m "feat: your change"
+git push origin feature/your-feature
+```
+
+**Commit format:** `type: description`
+
+- `feat:` New feature
+- `fix:` Bug fix
+- `docs:` Documentation
+- `test:` Tests
+
+### 4. Create PR
+
+- **Target branch: `dev`** (not main!)
+- Fill in description
+- Wait for review
+
+---
+
+## ✅ Requirements
+
+### All PRs Must:
+
+- ✅ Pass all tests
+- ✅ Have no security vulnerabilities
+- ✅ Follow code style
+- ✅ Include documentation updates if needed
+
+### Code Standards
+
+```python
+# ✅ GOOD - Use requests library
+import requests
+
+headers = {"Authorization": f"Bearer {api_key}"}
+response = requests.get(url, headers=headers, timeout=30)
+
+# ❌ BAD - Never use subprocess with API keys
+import subprocess
+subprocess.run(["curl", "-H", f"Bearer {api_key}", url])
+```
+
+**Key Rules:**
+- Never expose API keys in subprocess/logs
+- Always use `requests` library for HTTP
+- Add timeout to all requests (30s)
+- Use type hints
+- Write docstrings
+
+---
+
+## 🧪 Testing
+
+### Run Tests
+
+```bash
+# All tests
+uv run pytest tests/ -v
+
+# Just security tests
+uv run pytest tests/test_all_functions.py::test_no_subprocess_vulnerabilities -v
+
+# FastMCP test
+uv run python tests/test_cml_mcp_client.py --quick
+```
+
+### Add Tests
+
+Every new function needs tests in `tests/test_all_functions.py`:
+
+```python
+def test_my_function(mock_config):
+    """Test my new function."""
+    result = my_function(mock_config, {"param": "value"})
+    assert isinstance(result, dict)
+    assert "success" in result
+```
+
+---
+
+## 🔒 Security
+
+**Critical:** Never expose API keys!
+
+- ❌ Don't log them
+- ❌ Don't print them
+- ❌ Don't pass as subprocess args
+- ✅ Use HTTPS headers only
+
+**Report vulnerabilities:** Email [email protected] (not GitHub issues!)
+
+---
+
+## 📝 Documentation
+
+Update docs if you:
+- Add new function
+- Change behavior
+- Add dependencies
+
+---
+
+## 🎯 That's It!
+
+Keep it simple:
+1. Fork → Branch → Code → Test → PR
+2. Target `dev` branch
+3. Pass tests
+4. Get approval
+5. Merge!
+
+Questions? Open a GitHub Discussion.