From 38307aad677fa0eab226fa1b215f61c1a49ef4f8 Mon Sep 17 00:00:00 2001 From: Ryan Malloy Date: Wed, 29 Apr 2026 09:50:36 -0600 Subject: [PATCH] docs: rename cisco-docs cross-reference to mcdewey MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The sibling docs server was renamed from `mcp-cisco-docs` to `mcdewey` (generalized from a Cisco-only corpus to a multi-vendor docs library). Update the prompt-enrichment section to point at the new package name + its PyPI URL, and adjust the prose to call it "the sibling docs server" generically rather than "cisco-docs" specifically. The CHANGELOG entry referencing this project's own pre-rename name (`mcp-cucm-axl`) is left intact — that's legitimate historical record of why this project is now `mcaxl`. --- README.md | 66 ++++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 58 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index faf1f83..0b08686 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,63 @@ # mcaxl +[![PyPI](https://img.shields.io/pypi/v/mcaxl.svg)](https://pypi.org/project/mcaxl/) +[![Python](https://img.shields.io/pypi/pyversions/mcaxl.svg)](https://pypi.org/project/mcaxl/) +[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE) + Read-only MCP server for **Cisco Unified Communications Manager (CUCM)** — exposes the AXL SOAP API and RisPort70 real-time registration state to LLMs for dial-plan analysis, configuration auditing, and impact analysis. > Tested against CUCM 15.0(1). Should work on any CUCM 12.5+. +## What it looks like + +Invoke the `whoami` prompt in any MCP-aware LLM client. With no +arguments, it defaults to the AXL service account from your `.env`: + +> **Account**: `axl-readonly` (applicationuser) +> **Access control groups**: 1 — `Read-Only-AXL` +> **Effective roles** (5): +> - **Standard CCM Admin Users** ← write access +> - **Standard AXL API Access** ← full read-write AXL +> - Standard AXL Read Only API Access +> - Standard Packet Sniffing +> - Standard RealtimeAndTraceCollection +> +> **Finding**: the group `Read-Only-AXL` contains two write-capable +> roles. The name implies read-only intent but the membership grants +> full administrative write access. Consider renaming the group OR +> removing the write-capable roles from its membership. + +One tool call. One SQL join across four tables (`applicationuser → +applicationuserdirgroupmap → dirgroup → functionroledirgroupmap → +functionrole`). One audit finding with severity and remediation — +not a raw query result the operator has to interpret on their own. +That's the shape of every prompt mcaxl ships with: orchestrated +queries, structured findings, ready-to-act recommendations. + +## Scope and complement + +`mcaxl` is intentionally narrow — read-only audit of CUCM +configuration via AXL, with RisPort70 cross-reference for live +registration state. It does *not* cover operational debugging: +log collection, packet capture, perfmon counters, service control. + +For those, install +[`@calltelemetry/cisco-cucm-mcp`](https://github.com/calltelemetry/cisco-cucm-mcp) +alongside this server: + +```bash +claude mcp add cucm-ops -- npx -y @calltelemetry/cisco-cucm-mcp@latest +``` + +The two are designed to compose. `mcaxl` answers *"what does the +config say?"*; `cisco-cucm-mcp` answers *"what's happening right +now?"*. An LLM session with both connected can produce compound +findings like *"audit found CSS X has 0 references AND RisPort +confirms zero phones currently registered against any device pool +that inherits it → confirmed safe to delete."* + ## Why this exists CUCM's admin UI is great for one-config-at-a-time work but painful for @@ -30,12 +82,10 @@ The server **never registers** AXL write methods. There is no operations, not by runtime sanitization. Defense-in-depth: SQL queries are also client-side validated to begin with `SELECT` or `WITH`. -For operations that require write access (service control, packet capture, -log download, perfmon, etc.), install -[`@calltelemetry/cisco-cucm-mcp`](https://github.com/calltelemetry/cisco-cucm-mcp) -alongside this server. The two are complementary — `mcaxl` answers -"what does the config say?", `cisco-cucm-mcp` answers "what's happening -right now?". +This means the AXL service account `mcaxl` uses can be granted only +the `Standard AXL Read Only API Access` role. Even if it had write +roles attached (and operators sometimes do this for convenience), +`mcaxl` is structurally incapable of using them. ## Install @@ -149,10 +199,10 @@ audit narrative. They appear in Claude Code's slash menu under Set `CISCO_DOCS_INDEX_PATH` to a directory containing `chunks.jsonl` and `index_meta.json` (produced by the -[`mcp-cisco-docs`](https://github.com/...) indexer or any compatible +[`mcdewey`](https://pypi.org/project/mcdewey/) indexer or any compatible embedding pipeline) to have prompts pull relevant Cisco documentation chunks inline. Without this, prompts gracefully degrade to a fallback -notice instructing the LLM to use the sibling cisco-docs server's +notice instructing the LLM to use the sibling docs server's `search_docs` tool. ## Cache