Missing MCP Tools: Update Architecture (#2426)

* feat(calm-hub): add updateArchitecture MCP tool

* test(calm-hub): add integration tests for updateArchitecture MCP tool

* chore: EasyCLA Failure

* chore: EasyCLA Failure

* fix(calm-hub): resolve MCP updateArchitecture regressions and security gaps

Addresses 4 issues in the MCP updateArchitecture tool:

1. BLOCKER: name/description silently nulled on every update
   - Added optional name/description @ToolArgs (matches REST PUT shape)
   - Preserve existing values when caller omits them via findArchitectureSummary()
   - Added ArgumentCaptor verification in unit tests + post-update regression assertion in integration tests

2. Unsafe semantics: tool description said "publish" but implementation is upsert
   - Updated description to explicitly document upsert behavior
   - Documented legacy/backwards-compatibility intent
   - Clarified that overwrite can silently clobber published versions

3. Configuration gate bypass: allow.put.operations ignored by MCP tool
   - Added allowPutOperations @ConfigProperty (defaults to false)
   - Tool now refuses to execute when flag is false, matching REST PUT behavior
   - Prevents MCP from flipping deployments mutation posture by default
   - Integration profiles enable flag for test suite via getConfigOverrides()

4. Unbounded JSON payload on update AND pre-existing gap on create
   - Added validateMaxLength(architectureJson, MAX_JSON_PAYLOAD_LENGTH) to updateArchitecture
   - Closed pre-existing gap in createArchitecture with same validation
   - Tests cover both paths

All 46 unit tests pass.

---------

Co-authored-by: Matthew Bain <66839492+rocketstack-matt@users.noreply.github.com>

Author: jpgough-ms

calm-hub/src/integration-test/java/integration/IntegrationTestProfile.java

@@ -3,6 +3,7 @@
 import io.quarkus.test.common.QuarkusTestResource;
 import io.quarkus.test.junit.QuarkusTestProfile;
 
+import java.util.Map;
 import java.util.Set;
 
 @QuarkusTestResource(EndToEndResource.class)
@@ -19,5 +20,12 @@ public String getConfigProfile() {
         // Optional: specify a custom profile name if needed
         return "integration-test";
     }
+
+    @Override
+    public Map<String, String> getConfigOverrides() {
+        // Enable the PUT/upsert paths so the MCP updateArchitecture tool and the
+        // equivalent REST PUT endpoint can be exercised by the integration suite.
+        return Map.of("allow.put.operations", "true");
+    }
 }
 

calm-hub/src/integration-test/java/integration/MongoMcpIntegration.java

@@ -368,10 +368,52 @@ void mcp_validation_rejects_decorator_type_filter_with_newline() {
         assertThat(text(result), containsString("Type filter"));
     }
 
-    // --- Control Tools (create paths) ---
+    // --- updateArchitecture ---
 
     @Test
     @Order(26)
+    void mcp_update_architecture_publishes_new_version() {
+        ToolResponse result = architectureTools.updateArchitecture(
+                "finos", createdArchitectureId, "1.1.0", "{\"name\": \"mcp-test-architecture-updated\"}", null, null);
+        assertThat(result.isError(), is(false));
+        assertThat(text(result), containsString("updated successfully"));
+        assertThat(text(result), containsString("1.1.0"));
+    }
+
+    @Test
+    @Order(27)
+    void mcp_list_architecture_versions_includes_updated_version() {
+        ToolResponse result = architectureTools.listArchitectureVersions("finos", createdArchitectureId);
+        assertThat(result.isError(), is(false));
+        assertThat(text(result), containsString("1.0.0"));
+        assertThat(text(result), containsString("1.1.0"));
+    }
+
+    @Test
+    @Order(28)
+    void mcp_list_architectures_preserves_name_after_update() {
+        // Regression guard: prior to this change updateArchitecture silently nulled the
+        // architecture's name and description, so listArchitectures would fall back to
+        // "Architecture <id>" instead of the original "MCP Test Arch".
+        ToolResponse result = architectureTools.listArchitectures("finos");
+        assertThat(result.isError(), is(false));
+        assertThat(text(result), containsString("MCP Test Arch"));
+        assertThat(text(result), containsString("Integration test architecture"));
+    }
+
+    @Test
+    @Order(29)
+    void mcp_update_architecture_returns_error_for_nonexistent_architecture() {
+        ToolResponse result = architectureTools.updateArchitecture(
+                "finos", 999999, "1.1.0", "{\"name\": \"ghost\"}", null, null);
+        assertThat(result.isError(), is(true));
+        assertThat(text(result), containsString("not found"));
+    }
+
+    // --- Control Tools (create paths) ---
+
+    @Test
+    @Order(30)
     void mcp_create_control_requirement() {
         ToolResponse result = controlTools.createControlRequirement(
                 "security", "MCP Test Control", "Integration test control requirement", CONTROL_REQUIREMENT_JSON);
@@ -385,31 +427,31 @@ void mcp_create_control_requirement() {
     }
 
     @Test
-    @Order(27)
+    @Order(31)
     void mcp_list_controls_contains_created() {
         ToolResponse result = controlTools.listControls("security");
         assertThat(result.isError(), is(false));
         assertThat(text(result), containsString("MCP Test Control"));
     }
 
     @Test
-    @Order(28)
+    @Order(32)
     void mcp_list_control_versions_after_create() {
         ToolResponse result = controlTools.listControlVersions("security", createdControlId);
         assertThat(result.isError(), is(false));
         assertThat(text(result), containsString("1.0.0"));
     }
 
     @Test
-    @Order(29)
+    @Order(33)
     void mcp_get_control_after_create() {
         ToolResponse result = controlTools.getControl("security", createdControlId, "1.0.0");
         assertThat(result.isError(), is(false));
         assertThat(text(result), containsString("mcp-test-control"));
     }
 
     @Test
-    @Order(30)
+    @Order(34)
     void mcp_create_control_configuration() {
         ToolResponse result = controlTools.createControlConfiguration(
                 "security", createdControlId, CONTROL_CONFIGURATION_JSON);
@@ -418,7 +460,7 @@ void mcp_create_control_configuration() {
     }
 
     @Test
-    @Order(31)
+    @Order(35)
     void mcp_create_control_configuration_for_missing_control_returns_error() {
         ToolResponse result = controlTools.createControlConfiguration(
                 "security", 99999, CONTROL_CONFIGURATION_JSON);
@@ -427,7 +469,7 @@ void mcp_create_control_configuration_for_missing_control_returns_error() {
     }
 
     @Test
-    @Order(32)
+    @Order(36)
     void mcp_create_control_requirement_rejects_invalid_json() {
         ToolResponse result = controlTools.createControlRequirement(
                 "security", "Bad", "desc", "not-json");

calm-hub/src/integration-test/java/integration/NitriteIntegrationTestProfile.java

@@ -3,6 +3,7 @@
 import io.quarkus.test.junit.QuarkusTestProfile;
 
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
 public class NitriteIntegrationTestProfile implements QuarkusTestProfile {
@@ -21,4 +22,9 @@ public String getConfigProfile() {
     public List<TestResourceEntry> testResources() {
         return List.of(new TestResourceEntry(NitriteEndToEndResource.class));
     }
+
+    @Override
+    public Map<String, String> getConfigOverrides() {
+        return Map.of("allow.put.operations", "true");
+    }
 }

calm-hub/src/integration-test/java/integration/NitriteMcpIntegration.java

@@ -328,10 +328,52 @@ void mcp_validation_rejects_decorator_type_filter_with_newline() {
         assertThat(text(result), containsString("Type filter"));
     }
 
-    // --- Control Tools (create paths) ---
+    // --- updateArchitecture ---
 
     @Test
     @Order(26)
+    void mcp_update_architecture_publishes_new_version() {
+        ToolResponse result = architectureTools.updateArchitecture(
+                "finos", createdArchitectureId, "1.1.0", "{\"name\": \"mcp-nitrite-architecture-updated\"}", null, null);
+        assertThat(result.isError(), is(false));
+        assertThat(text(result), containsString("updated successfully"));
+        assertThat(text(result), containsString("1.1.0"));
+    }
+
+    @Test
+    @Order(27)
+    void mcp_list_architecture_versions_includes_updated_version() {
+        ToolResponse result = architectureTools.listArchitectureVersions("finos", createdArchitectureId);
+        assertThat(result.isError(), is(false));
+        assertThat(text(result), containsString("1.0.0"));
+        assertThat(text(result), containsString("1.1.0"));
+    }
+
+    @Test
+    @Order(28)
+    void mcp_list_architectures_preserves_name_after_update() {
+        // Regression guard: prior to this change updateArchitecture silently nulled the
+        // architecture's name and description, so listArchitectures would fall back to
+        // "Architecture <id>" instead of the original "MCP Nitrite Arch".
+        ToolResponse result = architectureTools.listArchitectures("finos");
+        assertThat(result.isError(), is(false));
+        assertThat(text(result), containsString("MCP Nitrite Arch"));
+        assertThat(text(result), containsString("Nitrite integration test architecture"));
+    }
+
+    @Test
+    @Order(29)
+    void mcp_update_architecture_returns_error_for_nonexistent_architecture() {
+        ToolResponse result = architectureTools.updateArchitecture(
+                "finos", 999999, "1.1.0", "{\"name\": \"ghost\"}", null, null);
+        assertThat(result.isError(), is(true));
+        assertThat(text(result), containsString("not found"));
+    }
+
+    // --- Control Tools (create paths) ---
+
+    @Test
+    @Order(30)
     void mcp_create_control_requirement() {
         ToolResponse result = controlTools.createControlRequirement(
                 "security", "MCP Nitrite Control", "Nitrite integration test control requirement", CONTROL_REQUIREMENT_JSON);
@@ -345,31 +387,31 @@ void mcp_create_control_requirement() {
     }
 
     @Test
-    @Order(27)
+    @Order(31)
     void mcp_list_controls_contains_created() {
         ToolResponse result = controlTools.listControls("security");
         assertThat(result.isError(), is(false));
         assertThat(text(result), containsString("MCP Nitrite Control"));
     }
 
     @Test
-    @Order(28)
+    @Order(32)
     void mcp_list_control_versions_after_create() {
         ToolResponse result = controlTools.listControlVersions("security", createdControlId);
         assertThat(result.isError(), is(false));
         assertThat(text(result), containsString("1.0.0"));
     }
 
     @Test
-    @Order(29)
+    @Order(33)
     void mcp_get_control_after_create() {
         ToolResponse result = controlTools.getControl("security", createdControlId, "1.0.0");
         assertThat(result.isError(), is(false));
         assertThat(text(result), containsString("mcp-nitrite-control"));
     }
 
     @Test
-    @Order(30)
+    @Order(34)
     void mcp_create_control_configuration() {
         ToolResponse result = controlTools.createControlConfiguration(
                 "security", createdControlId, CONTROL_CONFIGURATION_JSON);
@@ -378,7 +420,7 @@ void mcp_create_control_configuration() {
     }
 
     @Test
-    @Order(31)
+    @Order(35)
     void mcp_create_control_configuration_for_missing_control_returns_error() {
         ToolResponse result = controlTools.createControlConfiguration(
                 "security", 99999, CONTROL_CONFIGURATION_JSON);
@@ -387,7 +429,7 @@ void mcp_create_control_configuration_for_missing_control_returns_error() {
     }
 
     @Test
-    @Order(32)
+    @Order(36)
     void mcp_create_control_requirement_rejects_invalid_json() {
         ToolResponse result = controlTools.createControlRequirement(
                 "security", "Bad", "desc", "not-json");

calm-hub/src/main/java/org/finos/calm/mcp/tools/ArchitectureTools.java

@@ -31,6 +31,16 @@ public class ArchitectureTools {
     @ConfigProperty(name = "calm.mcp.enabled", defaultValue = "true")
     boolean mcpEnabled;
 
+    /**
+     * Mirrors the gate applied to {@code PUT /architectures/{id}/versions/{version}}
+     * in {@link org.finos.calm.resources.ArchitectureResource}. When false, the
+     * MCP {@code updateArchitecture} tool refuses to overwrite an existing version,
+     * matching the deployment's REST mutation posture.
+     */
+    @Inject
+    @ConfigProperty(name = "allow.put.operations", defaultValue = "false")
+    boolean allowPutOperations;
+
     @Inject
     ArchitectureStore architectureStore;
 
@@ -129,6 +139,95 @@ public ToolResponse getArchitecture(
         }
     }
 
+    @Tool(description = "Publish or overwrite an architecture version against an existing architecture ID. " +
+            "This is an upsert: if the supplied version already exists for the architecture it will be replaced, " +
+            "otherwise it is added as a new version. Provided primarily for legacy/backwards-compatibility flows " +
+            "that retain a stable architecture ID across versions. Disabled by default - requires the deployment " +
+            "to set 'allow.put.operations=true' (the same flag that gates the equivalent REST PUT). " +
+            "If 'name' or 'description' are omitted, the architecture's existing values are preserved; " +
+            "supplying them will overwrite the stored values for that architecture ID.")
+    public ToolResponse updateArchitecture(
+            @ToolArg(description = "The namespace containing the architecture") String namespace,
+            @ToolArg(description = "The architecture ID to publish a new version for (positive integer)") int architectureId,
+            @ToolArg(description = "The version string to publish or overwrite (e.g. '1.1.0')") String version,
+            @ToolArg(description = "The full CALM architecture JSON content for this version") String architectureJson,
+            @ToolArg(description = "Optional new architecture name. When omitted the existing name is preserved.", required = false) String name,
+            @ToolArg(description = "Optional new architecture description. When omitted the existing description is preserved.", required = false) String description) {
+        Optional<ToolResponse> err = McpValidationHelper.firstError(
+                () -> McpValidationHelper.checkEnabled(mcpEnabled),
+                () -> McpValidationHelper.validateNamespace(namespace),
+                () -> McpValidationHelper.validatePositiveId(architectureId, "Architecture ID"),
+                () -> McpValidationHelper.validateVersion(version),
+                () -> McpValidationHelper.validateNotBlank(architectureJson, "Architecture JSON"),
+                () -> McpValidationHelper.validateMaxLength(architectureJson, McpValidationHelper.MAX_JSON_PAYLOAD_LENGTH, "Architecture JSON"),
+                () -> McpValidationHelper.validateJson(architectureJson, "Architecture JSON"),
+                () -> McpValidationHelper.validateMaxLength(name, McpValidationHelper.MAX_NAME_LENGTH, "Architecture name"),
+                () -> McpValidationHelper.validateDescriptionLength(description, "Architecture description"));
+        if (err.isPresent()) return err.get();
+
+        if (!allowPutOperations) {
+            return ToolResponse.error("Error: Updating architecture versions is disabled on this CalmHub. " +
+                    "Set 'allow.put.operations=true' to enable overwriting an existing architecture version.");
+        }
+
+        try {
+            // Preserve existing name/description when caller does not supply them, otherwise the
+            // store's unconditional $set on architectures.$.name and architectures.$.description
+            // would silently null them out (causing list output to fall back to "Architecture <id>").
+            String resolvedName = name;
+            String resolvedDescription = description;
+            if (resolvedName == null || resolvedDescription == null) {
+                NamespaceArchitectureSummary existing = findArchitectureSummary(namespace, architectureId);
+                if (existing != null) {
+                    if (resolvedName == null) {
+                        resolvedName = existing.getName();
+                    }
+                    if (resolvedDescription == null) {
+                        resolvedDescription = existing.getDescription();
+                    }
+                }
+            }
+
+            Architecture architecture = new Architecture.ArchitectureBuilder()
+                    .setNamespace(namespace)
+                    .setId(architectureId)
+                    .setVersion(version)
+                    .setName(resolvedName)
+                    .setDescription(resolvedDescription)
+                    .setArchitecture(architectureJson)
+                    .build();
+            architectureStore.updateArchitectureForVersion(architecture);
+            logger.info("Architecture [{}] updated with version [{}] in namespace [{}]", architectureId, version, namespace);
+            return ToolResponse.success("Architecture " + architectureId + " updated successfully with version '" + version + "' in namespace '" + namespace + "'.");
+        } catch (NamespaceNotFoundException e) {
+            logger.warn("Namespace not found [{}]", namespace, e);
+            return ToolResponse.error("Error: Namespace '" + namespace + "' not found.");
+        } catch (ArchitectureNotFoundException e) {
+            logger.warn("Architecture [{}] not found in namespace [{}]", architectureId, namespace, e);
+            return ToolResponse.error("Error: Architecture " + architectureId + " not found in namespace '" + namespace + "'.");
+        }
+    }
+
+    /**
+     * Looks up the existing summary (name/description) for an architecture so that the
+     * update tool can preserve them when the caller does not supply replacements.
+     * Returns {@code null} if the namespace cannot be loaded or the architecture is absent;
+     * downstream {@code updateArchitectureForVersion} will surface those errors with the
+     * correct user-facing message.
+     */
+    private NamespaceArchitectureSummary findArchitectureSummary(String namespace, int architectureId) {
+        try {
+            for (NamespaceArchitectureSummary summary : architectureStore.getArchitecturesForNamespace(namespace)) {
+                if (summary.getId() != null && summary.getId() == architectureId) {
+                    return summary;
+                }
+            }
+        } catch (NamespaceNotFoundException e) {
+            logger.debug("Namespace [{}] not found while resolving existing architecture summary", namespace);
+        }
+        return null;
+    }
+
     @Tool(description = "Create a new architecture in a namespace. Returns the allocated architecture ID and version.")
     public ToolResponse createArchitecture(
             @ToolArg(description = "The namespace to create the architecture in") String namespace,
@@ -141,6 +240,7 @@ public ToolResponse createArchitecture(
                 () -> McpValidationHelper.validateMaxLength(name, McpValidationHelper.MAX_NAME_LENGTH, "Architecture name"),
                 () -> McpValidationHelper.validateDescriptionLength(description, "Architecture description"),
                 () -> McpValidationHelper.validateNotBlank(architectureJson, "Architecture JSON"),
+                () -> McpValidationHelper.validateMaxLength(architectureJson, McpValidationHelper.MAX_JSON_PAYLOAD_LENGTH, "Architecture JSON"),
                 () -> McpValidationHelper.validateJson(architectureJson, "Architecture JSON"));
         if (err.isPresent()) return err.get();