
feat(mcp): list/execute preset agents#2194

Merged
jordan-umusu merged 6 commits into main from feat/mcp-agent-tools
Mar 3, 2026

Conversation

@jordan-umusu jordan-umusu (Collaborator) commented Feb 25, 2026

Summary by cubic

Adds MCP tools to list and run agent presets with streamed responses and approval surfacing, plus a tool to validate template actions. Aligns MCP auth with the main API, including org-scoped tokens, so org admins and platform superusers can access and list workspaces correctly; removes file-path input from validation.

  • New Features

    • MCP tools: list_agent_presets, run_agent_preset, validate_template_action.
    • Streamed agent responses via Redis with timeout; resumes from session.last_stream_id; ephemeral session per run; surfaces pending approval requests as JSON.
    • Docker Compose: expose REDIS_URL and TRACECAT__FEATURE_FLAGS/EE_MULTI_TENANT to MCP.
    • Template validation parses YAML, checks schema/references; requires template_yaml with optional DB checks.
  • Bug Fixes

    • Org admins/owners with org:workspace:read bypass workspace membership checks.
    • Workspace listing respects org IDs claimed in MCP tokens; org admins see all workspaces in their org(s); platform superusers can list all; others see only direct memberships.
    • Validation tool no longer accepts template_path; no file reads.

Written for commit 9a718e0. Summary will update on new commits.

@jordan-umusu jordan-umusu added the agents LLM agents label Feb 25, 2026
@jordan-umusu jordan-umusu marked this pull request as ready for review February 26, 2026 23:24

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a622d4aeb2


@cubic-dev-ai cubic-dev-ai bot (Contributor) left a comment


2 issues found across 6 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tracecat/mcp/auth.py">

<violation number="1" location="tracecat/mcp/auth.py:659">
P1: Cross-organization privilege escalation: `can_see_all` is set from a single org's admin scope but applied across all orgs. A user who is an admin in org A but a regular member in org B would see all workspaces in org B (not just their memberships). Track admin-capable org IDs separately and build a query that shows all workspaces only for those specific orgs, while restricting others to membership-based access.</violation>
</file>

<file name="tracecat/mcp/server.py">

<violation number="1" location="tracecat/mcp/server.py:2135">
P1: Reading a user-supplied template_path directly from the server filesystem enables arbitrary file read via MCP. Restrict to YAML content provided in the request or a controlled server-side directory to avoid exposing sensitive files.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
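The second finding above, and the "Validation tool no longer accepts template_path; no file reads" bug-fix entry in the summary, both come down to one design decision: the MCP tool must take the template text in the request instead of a path it then opens on the server. The following is an added example and not Tracecat's own validator: the schema keys (`type`, `definition`, `name`, `steps`), the action-reference check, the `known_actions` registry and the sample template are all hypothetical. It assumes PyYAML is installed; if it is not, it falls back to `json.loads`, which is why the constructed sample is written in flow-style YAML (every JSON document is valid YAML).

```python
"""Template action validation that takes YAML text, never a filesystem path.

Added example, not Tracecat's own code. Schema keys, the reference check and
the sample template are hypothetical.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Any

try:
    import yaml  # PyYAML, assumed available
except ImportError:  # fallback so the example still runs without PyYAML
    yaml = None

# Hypothetical minimal schema for a template action.
REQUIRED_TOP_LEVEL = {"type", "definition"}
REQUIRED_DEFINITION = {"name", "steps"}


@dataclass
class ValidationResult:
    ok: bool
    errors: list[str] = field(default_factory=list)


def _parse(text: str) -> Any:
    """Parse YAML text into plain data; never touches the filesystem."""
    if yaml is not None:
        return yaml.safe_load(text)  # safe_load builds plain data only, no object tags
    return json.loads(text)  # JSON is valid YAML flow syntax


def validate_template_action(template_yaml: str, known_actions: set[str]) -> ValidationResult:
    """Validate template text supplied in the request body.

    The signature is the security boundary: the earlier tool variant accepted a
    template_path and read it from the server, which the review flagged as an
    arbitrary file read. Taking the content itself means the caller can only
    submit bytes it already holds.
    """
    errors: list[str] = []
    try:
        doc = _parse(template_yaml)
    except Exception as exc:  # both parsers raise their own exception types
        return ValidationResult(False, [f"parse error: {exc}"])
    if not isinstance(doc, dict):
        # A bare string such as a path is just data here, not something to open.
        return ValidationResult(False, ["template must be a mapping at the top level"])

    for key in sorted(REQUIRED_TOP_LEVEL - doc.keys()):
        errors.append(f"missing top-level key: {key}")
    if doc.get("type") not in (None, "action"):
        errors.append(f"unsupported type: {doc['type']!r}")

    definition = doc.get("definition")
    if isinstance(definition, dict):
        for key in sorted(REQUIRED_DEFINITION - definition.keys()):
            errors.append(f"missing definition key: {key}")
        steps = definition.get("steps") or []
        if not isinstance(steps, list):
            errors.append("definition.steps must be a list")
            steps = []
        # Reference check: every step must name an action in the registry.
        for i, step in enumerate(steps):
            action = step.get("action") if isinstance(step, dict) else None
            if action not in known_actions:
                errors.append(f"step {i}: unknown action reference {action!r}")
    elif definition is not None:
        errors.append("definition must be a mapping")
    return ValidationResult(not errors, errors)


# Constructed sample in flow-style YAML so either parser accepts it.
SAMPLE_TEMPLATE = """
{"type": "action",
 "definition": {"name": "enrich_ip",
                "steps": [{"ref": "lookup", "action": "core.http_request"}]}}
"""
KNOWN_ACTIONS = {"core.http_request"}  # hypothetical registry contents

if __name__ == "__main__":
    print(validate_template_action(SAMPLE_TEMPLATE, KNOWN_ACTIONS))
    # A path-looking string is rejected as malformed data; nothing is read from disk.
    print(validate_template_action("some/path/template.yaml", KNOWN_ACTIONS))
```

The optional database checks mentioned in the summary would slot in after the reference check, with the same contract: they consult the registry, not the caller's filesystem.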

@jordan-umusu jordan-umusu force-pushed the feat/mcp-agent-tools branch from 72ca35b to d5a0aea March 2, 2026 16:45
@jordan-umusu jordan-umusu force-pushed the feat/mcp-agent-tools branch from d5a0aea to 7920d16 March 3, 2026 15:13
@jordan-umusu jordan-umusu requested a review from daryllimyt March 3, 2026 15:13
@daryllimyt daryllimyt (Contributor) left a comment


Not sure if this is a bug or intentional:
Token org claims are ignored: list_workspaces_for_request (line 735-738) doesn't pass the token's organization_ids to scope results. A token with claims scoped to org A will still see workspaces in org B if the user has membership in both. If MCP tokens are meant to be org-scoped, this is a gap.
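Both authorization findings on this PR (cubic's cross-organization escalation in the `can_see_all` flag, and the comment above about token org claims not scoping `list_workspaces_for_request`) are easiest to see side by side in a small model of the listing logic. The following is an added example, not Tracecat's code: the `Workspace` and `Principal` dataclasses, the fixture and the function names are hypothetical; only the `org:workspace:read` scope name comes from the PR summary. It shows the flagged pattern (one org's admin scope unlocking every org) next to a per-org evaluation that also applies the token's org claims before any role check.

```python
"""Org-scoped workspace visibility for an MCP token.

Added example, not Tracecat's own code: hypothetical models and fixture.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Scope name from the PR summary; everything else here is hypothetical.
ORG_WORKSPACE_READ = "org:workspace:read"


@dataclass(frozen=True)
class Workspace:
    id: str
    org_id: str


@dataclass
class Principal:
    user_id: str
    is_platform_superuser: bool = False
    # Workspace ids the user is a direct member of.
    workspace_memberships: set[str] = field(default_factory=set)
    # org_id -> scopes granted by the user's org role (admins/owners carry
    # ORG_WORKSPACE_READ in their org).
    org_scopes: dict[str, set[str]] = field(default_factory=dict)
    # Org ids claimed in the MCP token; None models an unscoped token.
    token_org_ids: set[str] | None = None


def _admin_orgs(principal: Principal) -> set[str]:
    """Orgs in which this principal may read every workspace."""
    return {org for org, scopes in principal.org_scopes.items() if ORG_WORKSPACE_READ in scopes}


def visible_workspaces_flawed(principal: Principal, workspaces: list[Workspace]) -> list[Workspace]:
    """The pattern the review flagged: admin scope in any one org unlocks all orgs.

    Kept only as the 'before' of the fix.
    """
    can_see_all = principal.is_platform_superuser or bool(_admin_orgs(principal))
    if can_see_all:
        return list(workspaces)
    return [ws for ws in workspaces if ws.id in principal.workspace_memberships]


def visible_workspaces(principal: Principal, workspaces: list[Workspace]) -> list[Workspace]:
    """Workspaces the principal may list, decided per org.

    1. Token org claims narrow the candidate set first, so an org-scoped token
       never returns another org's workspaces whatever the user's memberships.
    2. Platform superusers see every remaining candidate.
    3. Otherwise a workspace is visible only if the principal holds
       ORG_WORKSPACE_READ in that workspace's own org, or is a direct member.
    """
    if principal.token_org_ids is None:
        candidates = list(workspaces)
    else:
        candidates = [ws for ws in workspaces if ws.org_id in principal.token_org_ids]
    if principal.is_platform_superuser:
        return candidates
    admin_orgs = _admin_orgs(principal)
    return [
        ws for ws in candidates
        if ws.org_id in admin_orgs or ws.id in principal.workspace_memberships
    ]


def visible_ids(principal: Principal, workspaces: list[Workspace], flawed: bool = False) -> list[str]:
    """Convenience wrapper returning workspace ids in input order."""
    fn = visible_workspaces_flawed if flawed else visible_workspaces
    return [ws.id for ws in fn(principal, workspaces)]


# Constructed fixture: three orgs, five workspaces.
WORKSPACES = [
    Workspace("a1", "org-a"), Workspace("a2", "org-a"),
    Workspace("b1", "org-b"), Workspace("b2", "org-b"),
    Workspace("c1", "org-c"),
]

# Admin in org-a, plain member of b1 only in org-b, nothing in org-c.
MIXED_ROLE_USER = Principal(
    user_id="u1",
    workspace_memberships={"b1"},
    org_scopes={"org-a": {ORG_WORKSPACE_READ}, "org-b": set()},
)

if __name__ == "__main__":
    print("flawed:", visible_ids(MIXED_ROLE_USER, WORKSPACES, flawed=True))  # leaks b2 and c1
    print("fixed: ", visible_ids(MIXED_ROLE_USER, WORKSPACES))
    scoped = Principal("u1", workspace_memberships={"b1"},
                       org_scopes=MIXED_ROLE_USER.org_scopes, token_org_ids={"org-b"})
    print("org-b token:", visible_ids(scoped, WORKSPACES))
```

The fixture is the exact shape cubic describes: the flawed path returns `b2` (and `c1`) to a user who is only a regular member in org-b, while the per-org path returns the two org-a workspaces plus the one direct membership. Applying the token's org claims as the first filter, rather than after the role check, is what keeps an org-b-scoped token from ever surfacing org-a workspaces even though the same user administers org-a.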

service_id="tracecat-mcp",
is_platform_superuser=user.is_superuser,
)
scopes = await compute_effective_scopes(role)
Contributor


backlog a note to optimize this N+1 scope computation - could be batched

@jordan-umusu jordan-umusu merged commit e8999b8 into main Mar 3, 2026
18 checks passed
@jordan-umusu jordan-umusu deleted the feat/mcp-agent-tools branch March 3, 2026 17:30