feat(mcp): add MCP library to globally manage MCP servers and their respective tools

.eslintignore

@@ -0,0 +1,13 @@
+# Auto-generated OpenAPI specification
+openapi.json
+
+# Build outputs
+dist/
+build/
+*.tsbuildinfo
+
+# Dependencies
+node_modules/
+
+# Generated files
+*.generated.ts

.prettierignore

@@ -0,0 +1,13 @@
+# Auto-generated OpenAPI specification
+openapi.json
+
+# Build outputs
+dist/
+build/
+*.tsbuildinfo
+
+# Dependencies
+node_modules/
+
+# Generated files
+*.generated.ts

README.md

@@ -9,13 +9,13 @@
 </p>
 
 # ShipSec Studio
+
 **Open-Source Security Workflow Orchestration Platform.**
 
 > ShipSec is currently in active development. We are optimizing the platform for stable production use and high-performance security operations.
 
 ShipSec Studio provides a visual DSL and runtime for building, executing, and monitoring automated security workflows. It decouples security logic from infrastructure management, providing a durable and isolated environment for running security tooling at scale.
 
-
 <div align="center">
   <a href="https://youtu.be/7uyv43VforM">
     <img src="https://img.youtube.com/vi/7uyv43VforM/maxresdefault.jpg" alt="ShipSec Studio Demo" width="600">
@@ -27,10 +27,10 @@ ShipSec Studio provides a visual DSL and runtime for building, executing, and mo
 
 ### 🏗️ Core Pillars
 
-*   **Durable, resumable workflows** powered by Temporal.io for stateful execution across failures.
-*   **Isolated security runtimes** using ephemeral containers with per-run volume management.
-*   **Unified telemetry streams** delivering terminal output, events, and logs via a low-latency SSE pipeline.
-*   **Visual no-code builder** that compiles complex security graphs into an executable DSL.
+- **Durable, resumable workflows** powered by Temporal.io for stateful execution across failures.
+- **Isolated security runtimes** using ephemeral containers with per-run volume management.
+- **Unified telemetry streams** delivering terminal output, events, and logs via a low-latency SSE pipeline.
+- **Visual no-code builder** that compiles complex security graphs into an executable DSL.
 
 ---
 
@@ -47,6 +47,7 @@ curl -fsSL https://raw.githubusercontent.com/ShipSecAI/studio/main/install.sh |
 ```
 
 This installer will:
+
 - Check and install missing dependencies (docker, just, curl, jq, git)
 - Start Docker if not running
 - Clone the repository and start all services
@@ -55,14 +56,18 @@ This installer will:
 Once complete, visit **http://localhost:8090** to access ShipSec Studio.
 
 ### 2. ShipSec Cloud (Preview)
+
 The fastest way to test ShipSec Studio without managing infrastructure.
+
 - **Try it out:** [studio.shipsec.ai](https://studio.shipsec.ai)
 - **Note:** ShipSec Studio is under active development. The cloud environment is a technical preview for evaluation and sandbox testing.
 
 ### 3. Self-Host (Docker)
+
 For teams requiring data residency and air-gapped security orchestrations. This setup runs the full stack (Frontend, Backend, Worker, and Infrastructure).
 
 **Prerequisites:**
+
 - **[docker](https://www.docker.com/)** - For running the application and security components
 - **[just](https://github.com/casey/just)** - Command runner for simplified workflows
 - **curl** and **jq** - For fetching release information
@@ -73,24 +78,34 @@ git clone https://github.com/ShipSecAI/studio.git
 cd studio
 just prod start-latest
 ```
+
 Access the studio at `http://localhost:8090`.
 
 ---
 
 ## 🛠️ Capabilities
 
 ### Integrated Tooling
+
 Native support for industry-standard security tools including:
+
 - **Discovery**: `Subfinder`, `DNSX`, `Naabu`, `HTTPx`
 - **Vulnerability**: `Nuclei`, `TruffleHog`
 - **Utility**: `JSON Transform`, `Logic Scripts`, `HTTP Requests`
 
 ### Advanced Orchestration
+
 - **Human-in-the-Loop**: Pause workflows for approvals, form inputs, or manual validation before continuing.
 - **AI-Driven Analysis**: Leverage LLM nodes and MCP providers for intelligent results interpretation.
 - **Native Scheduling**: Integrated CRON support for recurring security posture and compliance monitoring.
 - **API First**: Trigger and monitor any workflow execution via a comprehensive REST API.
 
+### MCP Integration
+
+- **MCP Library**: Centralized MCP server management with multi-server selection and automatic tool registration
+- **Built-in MCP Servers**: AWS CloudTrail, CloudWatch, and Filesystem support out-of-the-box
+- **Seamless Tool Discovery**: AI Agents automatically discover and use MCP tools via standardized contracts
+
 ---
 
 ## 🏛️ Architecture Overview
@@ -128,4 +143,3 @@ ShipSec Studio is licensed under the **Apache License 2.0**.
 <div align="center">
   <p>Engineered for security teams by the ShipSec AI team.</p>
 </div>
-

backend/src/app.module.ts

@@ -23,6 +23,8 @@ import { McpModule } from './mcp/mcp.module';
 import { ApiKeysModule } from './api-keys/api-keys.module';
 import { WebhooksModule } from './webhooks/webhooks.module';
 import { HumanInputsModule } from './human-inputs/human-inputs.module';
+import { McpServersModule } from './mcp-servers/mcp-servers.module';
+import { McpGroupsModule } from './mcp-groups/mcp-groups.module';
 
 const coreModules = [
   AgentsModule,
@@ -38,6 +40,8 @@ const coreModules = [
   ApiKeysModule,
   WebhooksModule,
   HumanInputsModule,
+  McpServersModule,
+  McpGroupsModule,
   McpModule,
 ];
 

backend/src/database/schema/index.ts

@@ -16,4 +16,6 @@ export * from './webhooks';
 
 export * from './terminal-records';
 export * from './agent-trace-events';
+export * from './mcp-servers';
+
 export * from './node-io';

backend/src/database/schema/mcp-servers.ts

@@ -0,0 +1,172 @@
+import {
+  pgTable,
+  uuid,
+  varchar,
+  text,
+  timestamp,
+  jsonb,
+  boolean,
+  index,
+  uniqueIndex,
+  primaryKey,
+} from 'drizzle-orm/pg-core';
+
+/**
+ * MCP Groups table.
+ * Defines logical groupings of MCP servers with shared credentials and configurations.
+ * Groups provide a way to bundle servers that work well together (e.g., "GitHub Tools", "Data Analysis").
+ */
+export const mcpGroups = pgTable(
+  'mcp_groups',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    slug: varchar('slug', { length: 191 }).notNull().unique(),
+    name: varchar('name', { length: 191 }).notNull(),
+    description: text('description'),
+
+    // Credential configuration
+    credentialContractName: varchar('credential_contract_name', { length: 191 }).notNull(),
+    credentialMapping: jsonb('credential_mapping')
+      .$type<Record<string, unknown> | null>()
+      .default(null),
+
+    // Default Docker image for servers in this group
+    defaultDockerImage: varchar('default_docker_image', { length: 255 }),
+
+    // Template tracking (for seeded groups from templates)
+    templateHash: varchar('template_hash', { length: 64 }),
+
+    // Status
+    enabled: boolean('enabled').notNull().default(true),
+
+    // Timestamps
+    createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).defaultNow().notNull(),
+  },
+  (table) => ({
+    slugIdx: index('mcp_groups_slug_idx').on(table.slug),
+    enabledIdx: index('mcp_groups_enabled_idx').on(table.enabled),
+  }),
+);
+
+/**
+ * MCP Server configurations table.
+ * Stores configuration for Model Context Protocol servers that can be used by AI agents.
+ */
+export const mcpServers = pgTable(
+  'mcp_servers',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    name: varchar('name', { length: 191 }).notNull(),
+    description: text('description'),
+
+    // Transport configuration
+    transportType: varchar('transport_type', { length: 32 }).notNull(), // 'http' | 'stdio' | 'sse' | 'websocket'
+    endpoint: text('endpoint'), // URL for http/sse/websocket transports
+    command: text('command'), // Command for stdio transport
+    args: jsonb('args').$type<string[] | null>().default(null), // Args for stdio command
+
+    // Authentication (encrypted using AES-256-GCM, same pattern as integrations)
+    headers: jsonb('headers')
+      .$type<{
+        ciphertext: string;
+        iv: string;
+        authTag: string;
+        keyId: string;
+      } | null>()
+      .default(null),
+
+    // Status and settings
+    enabled: boolean('enabled').notNull().default(true),
+    healthCheckUrl: text('health_check_url'), // Optional custom health endpoint
+
+    // Health tracking
+    lastHealthCheck: timestamp('last_health_check', { withTimezone: true }),
+    lastHealthStatus: varchar('last_health_status', { length: 32 }), // 'healthy' | 'unhealthy' | 'unknown'
+
+    // Group association (nullable - servers can exist independently)
+    groupId: uuid('group_id').references(() => mcpGroups.id, { onDelete: 'set null' }),
+
+    // Multi-tenancy
+    organizationId: varchar('organization_id', { length: 191 }),
+    createdBy: varchar('created_by', { length: 191 }),
+
+    // Timestamps
+    createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).defaultNow().notNull(),
+  },
+  (table) => ({
+    orgIdx: index('mcp_servers_org_idx').on(table.organizationId),
+    enabledIdx: index('mcp_servers_enabled_idx').on(table.enabled),
+    groupIdx: index('mcp_servers_group_idx').on(table.groupId),
+    nameOrgUnique: uniqueIndex('mcp_servers_name_org_uidx').on(table.name, table.organizationId),
+  }),
+);
+
+/**
+ * MCP Group to Server junction table.
+ * Defines which servers belong to which groups, with metadata about recommendations
+ * and default selection behavior.
+ */
+export const mcpGroupServers = pgTable(
+  'mcp_group_servers',
+  {
+    groupId: uuid('group_id')
+      .notNull()
+      .references(() => mcpGroups.id, { onDelete: 'cascade' }),
+    serverId: uuid('server_id')
+      .notNull()
+      .references(() => mcpServers.id, { onDelete: 'cascade' }),
+
+    // Metadata about the relationship
+    recommended: boolean('recommended').notNull().default(false),
+    defaultSelected: boolean('default_selected').notNull().default(true),
+
+    // Timestamps
+    createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
+  },
+  (table) => ({
+    pk: primaryKey({ columns: [table.groupId, table.serverId] }),
+    groupIdx: index('mcp_group_servers_group_idx').on(table.groupId),
+    serverIdx: index('mcp_group_servers_server_idx').on(table.serverId),
+  }),
+);
+
+/**
+ * Cached tool definitions discovered from MCP servers.
+ * Tools are discovered via the MCP protocol and cached here for quick lookup.
+ */
+export const mcpServerTools = pgTable(
+  'mcp_server_tools',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    serverId: uuid('server_id')
+      .notNull()
+      .references(() => mcpServers.id, { onDelete: 'cascade' }),
+    toolName: varchar('tool_name', { length: 191 }).notNull(),
+    description: text('description'),
+    inputSchema: jsonb('input_schema').$type<Record<string, unknown> | null>().default(null),
+    enabled: boolean('enabled').notNull().default(true),
+    discoveredAt: timestamp('discovered_at', { withTimezone: true }).defaultNow().notNull(),
+  },
+  (table) => ({
+    serverIdx: index('mcp_server_tools_server_idx').on(table.serverId),
+    serverToolUnique: uniqueIndex('mcp_server_tools_server_tool_uidx').on(
+      table.serverId,
+      table.toolName,
+    ),
+  }),
+);
+
+// Type exports for use in repositories and services
+export type McpGroupRecord = typeof mcpGroups.$inferSelect;
+export type NewMcpGroupRecord = typeof mcpGroups.$inferInsert;
+
+export type McpGroupServerRecord = typeof mcpGroupServers.$inferSelect;
+export type NewMcpGroupServerRecord = typeof mcpGroupServers.$inferInsert;
+
+export type McpServerRecord = typeof mcpServers.$inferSelect;
+export type NewMcpServerRecord = typeof mcpServers.$inferInsert;
+
+export type McpServerToolRecord = typeof mcpServerTools.$inferSelect;
+export type NewMcpServerToolRecord = typeof mcpServerTools.$inferInsert;