feat[backend](mcp): added mcp module

Author: AlexSanchez-bit

backend/config.go

@@ -51,6 +51,11 @@ type config struct {
 
 	// Features
 	tfaEnabled bool
+
+	// MCP (Model Context Protocol) — exposes the backend usecases to MCP-aware
+	// AI clients at /api/v1/mcp. Auth/permissions/audit reuse the REST stack.
+	mcpEnabled bool
+	mcpVersion string
 }
 
 func loadConfig() *config {
@@ -92,5 +97,8 @@ func loadConfig() *config {
 		uploadDir: env.String("UPLOAD_DIR", "./uploads", false),
 
 		tfaEnabled: env.Bool("APP_TFA_ENABLED", true),
+
+		mcpEnabled: env.Bool("MCP_ENABLED", true),
+		mcpVersion: env.String("MCP_SERVER_VERSION", "v1", false),
 	}
 }

backend/go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/jackc/pgx/v5 v5.5.5
 	github.com/joho/godotenv v1.5.1
+	github.com/modelcontextprotocol/go-sdk v1.4.0
 	github.com/pquerna/otp v1.5.0
 	github.com/swaggo/files v1.0.1
 	github.com/swaggo/gin-swagger v1.6.0
@@ -96,6 +97,7 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.16 // indirect
+	github.com/google/jsonschema-go v0.4.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.22.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
@@ -122,12 +124,15 @@ require (
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.59.0 // indirect
 	github.com/russellhaering/goxmldsig v1.4.0 // indirect
+	github.com/segmentio/asm v1.2.1 // indirect
+	github.com/segmentio/encoding v0.5.3 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/swaggo/swag v1.16.3 // indirect
 	github.com/tidwall/match v1.2.0 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.1 // indirect
+	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect

backend/go.sum

@@ -540,3 +540,13 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
+github.com/modelcontextprotocol/go-sdk v1.4.0 h1:u0kr8lbJc1oBcawK7Df+/ajNMpIDFE41OEPxdeTLOn8=
+github.com/modelcontextprotocol/go-sdk v1.4.0/go.mod h1:Nxc2n+n/GdCebUaqCOhTetptS17SXXNu9IfNTaLDi1E=
+github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8=
+github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
+github.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=
+github.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=
+github.com/segmentio/encoding v0.5.3 h1:OjMgICtcSFuNvQCdwqMCv9Tg7lEOXGwm1J5RPQccx6w=
+github.com/segmentio/encoding v0.5.3/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0=
+github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
+github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=

backend/modules.go

@@ -26,6 +26,7 @@ import (
 	incidents_connectors "github.com/utmstack/utmstack/backend/modules/incidents/connectors"
 	"github.com/utmstack/utmstack/backend/modules/integrations"
 	"github.com/utmstack/utmstack/backend/modules/loganalyzer"
+	mcpmod "github.com/utmstack/utmstack/backend/modules/mcp"
 	"github.com/utmstack/utmstack/backend/modules/notifications"
 	notifications_domain "github.com/utmstack/utmstack/backend/modules/notifications/domain"
 	opensearchgw "github.com/utmstack/utmstack/backend/modules/opensearch"
@@ -68,6 +69,7 @@ type modules struct {
 	notifications     *notifications.Module
 	socAI             *socai.Module
 	adaudit           *adaudit.Module
+	mcp               *mcpmod.Module
 	signer            *jwtpkg.Signer
 }
 
@@ -167,8 +169,44 @@ func initModules(db *gorm.DB, cfg *config) *modules {
 		)
 	}
 
+	iamMod := iam.NewModule(authUsecase, userUsecase, roleUsecase, tfaUsecase, apiKeyUsecase, idpUsecase, samlUsecase, cfg.uploadDir)
+	socAIMod := socai.NewModule(cfg.socAIBaseURL, cfg.internalKey)
+	incidentsMod := incidents.NewModule(
+		db,
+		incidents_connectors.NewNoopMailer(),
+		incidents.NewAlertsGatewayFromUsecase(alertsMod.GetAlertUsecase()),
+		incidents.NewIAMGatewayFromRepo(userRepo),
+		auditMod.Logger(),
+	)
+	adauditMod := adaudit.NewModule(db)
+
+	var mcpModule *mcpmod.Module
+	if cfg.mcpEnabled {
+		mcpModule = mcpmod.NewModule(&mcpmod.Deps{
+			IAM:             iamMod,
+			Alerts:          alertsMod,
+			Incidents:       incidentsMod,
+			SOAR:            soarMod,
+			Compliance:      complianceMod,
+			Audit:           auditMod,
+			Dashboards:      dashboardsMod,
+			LogAnalyzer:     loganalyzerMod,
+			OpenSearch:      opensearchMod,
+			EventProcessing: eventProcessingMod,
+			Datasources:     datasourcesMod,
+			Integrations:    integrationsMod,
+			Notifications:   notificationsMod,
+			ADAudit:         adauditMod,
+			SOCAI:           socAIMod,
+			Billing:         billingMod,
+			AppConfig:       configMod,
+			ServerName:      cfg.serverName,
+			ServerVersion:   cfg.mcpVersion,
+		})
+	}
+
 	return &modules{
-		iam:               iam.NewModule(authUsecase, userUsecase, roleUsecase, tfaUsecase, apiKeyUsecase, idpUsecase, samlUsecase, cfg.uploadDir),
+		iam:               iamMod,
 		audit:             auditMod,
 		appconfig:         configMod,
 		billing:           billingMod,
@@ -182,16 +220,11 @@ func initModules(db *gorm.DB, cfg *config) *modules {
 		eventProcessing:   eventProcessingMod,
 		opensearchGateway: opensearchMod,
 		integrations:      integrationsMod,
-		socAI:             socai.NewModule(cfg.socAIBaseURL, cfg.internalKey),
-		incidents: incidents.NewModule(
-			db,
-			incidents_connectors.NewNoopMailer(),
-			incidents.NewAlertsGatewayFromUsecase(alertsMod.GetAlertUsecase()),
-			incidents.NewIAMGatewayFromRepo(userRepo),
-			auditMod.Logger(),
-		),
-		notifications: notificationsMod,
-		adaudit:       adaudit.NewModule(db),
-		signer:        signer,
+		socAI:             socAIMod,
+		incidents:         incidentsMod,
+		notifications:     notificationsMod,
+		adaudit:           adauditMod,
+		mcp:               mcpModule,
+		signer:            signer,
 	}
 }

backend/modules/adaudit/module.go

@@ -1,6 +1,7 @@
 package adaudit
 
 import (
+	"github.com/utmstack/utmstack/backend/modules/adaudit/connectors"
 	"github.com/utmstack/utmstack/backend/modules/adaudit/handler"
 	"github.com/utmstack/utmstack/backend/modules/adaudit/repository"
 	"github.com/utmstack/utmstack/backend/modules/adaudit/usecase"
@@ -9,12 +10,14 @@ import (
 
 type Module struct {
 	handler *handler.ADUserHandler
+	uc      connectors.ADUserUsecase
 }
 
 func NewModule(db *gorm.DB) *Module {
 	repo := repository.NewADUserRepository(db)
 	uc := usecase.NewADUserUsecase(repo)
-	return &Module{handler: handler.NewADUserHandler(uc)}
+	return &Module{handler: handler.NewADUserHandler(uc), uc: uc}
 }
 
-func (m *Module) Handler() *handler.ADUserHandler { return m.handler }
+func (m *Module) Handler() *handler.ADUserHandler         { return m.handler }
+func (m *Module) GetUsecase() connectors.ADUserUsecase    { return m.uc }

backend/modules/alerts/module.go

@@ -12,8 +12,11 @@ type Module struct {
 	alertHandler        *handler.AlertHandler
 	alertUsecase        connectors.AlertUsecase
 	alertTagHandler     *handler.AlertTagHandler
+	alertTagUsecase     connectors.AlertTagUsecase
 	alertTagRuleHandler *handler.AlertTagRuleHandler
+	alertTagRuleUsecase connectors.AlertTagRuleUsecase
 	adversaryHandler    *handler.AdversaryHandler
+	adversaryUsecase    connectors.AdversaryUsecase
 }
 
 func NewModule(db *gorm.DB) *Module {
@@ -39,8 +42,11 @@ func NewModule(db *gorm.DB) *Module {
 		alertHandler:        alertH,
 		alertUsecase:        alertUC,
 		alertTagHandler:     alertTagH,
+		alertTagUsecase:     alertTagUC,
 		alertTagRuleHandler: alertTagRuleH,
+		alertTagRuleUsecase: alertTagRuleUC,
 		adversaryHandler:    adversaryH,
+		adversaryUsecase:    adversaryUC,
 	}
 }
 
@@ -50,8 +56,16 @@ func (m *Module) GetAlertUsecase() connectors.AlertUsecase { return m.alertUseca
 
 func (m *Module) GetAlertTagHandler() *handler.AlertTagHandler { return m.alertTagHandler }
 
+func (m *Module) GetAlertTagUsecase() connectors.AlertTagUsecase { return m.alertTagUsecase }
+
 func (m *Module) GetAlertTagRuleHandler() *handler.AlertTagRuleHandler {
 	return m.alertTagRuleHandler
 }
 
+func (m *Module) GetAlertTagRuleUsecase() connectors.AlertTagRuleUsecase {
+	return m.alertTagRuleUsecase
+}
+
 func (m *Module) GetAdversaryHandler() *handler.AdversaryHandler { return m.adversaryHandler }
+
+func (m *Module) GetAdversaryUsecase() connectors.AdversaryUsecase { return m.adversaryUsecase }

backend/modules/audit/domain/event_type.go

@@ -165,6 +165,11 @@ const (
 	// Replacing the signed LICENSE envelope (admin-only).
 	LICENSE_UPLOAD_ATTEMPT ApplicationEventType = "LICENSE_UPLOAD_ATTEMPT"
 	LICENSE_UPLOAD_SUCCESS ApplicationEventType = "LICENSE_UPLOAD_SUCCESS"
+
+	// MCP tool calls — every invocation of an MCP-exposed tool is audited
+	// through the same Logger sink used by REST handlers, so /audit covers
+	// both transports uniformly. ResourceType holds the tool name.
+	APP_EVENT_MCP_TOOL_CALL ApplicationEventType = "MCP_TOOL_CALL"
 	// SERVER_MODULE_CREATE_ATTEMPT       ApplicationEventType = "SERVER_MODULE_CREATE_ATTEMPT"
 	// SERVER_MODULE_CREATE_SUCCESS       ApplicationEventType = "SERVER_MODULE_CREATE_SUCCESS"
 	// SERVER_MODULE_UPDATE_ATTEMPT       ApplicationEventType = "SERVER_MODULE_UPDATE_ATTEMPT"

backend/modules/compliance/module.go

@@ -26,9 +26,14 @@ type Module struct {
 
 	frameworkUC  connectors.FrameworkUsecase
 	evaluatorUC  connectors.EvaluatorUsecase
+	scheduleUC   connectors.ScheduleUsecase
 	evalInterval time.Duration
 }
 
+func (m *Module) GetFrameworkUsecase() connectors.FrameworkUsecase { return m.frameworkUC }
+func (m *Module) GetEvaluatorUsecase() connectors.EvaluatorUsecase { return m.evaluatorUC }
+func (m *Module) GetScheduleUsecase() connectors.ScheduleUsecase   { return m.scheduleUC }
+
 func NewModule(db *gorm.DB, mailSvc mail_connectors.MailService) *Module {
 	scheduleRepo := repository.NewScheduleRepository(db)
 
@@ -77,6 +82,7 @@ func NewModule(db *gorm.DB, mailSvc mail_connectors.MailService) *Module {
 		coverage:     coverageIdx,
 		frameworkUC:  frameworkUC,
 		evaluatorUC:  evaluatorUC,
+		scheduleUC:   scheduleUC,
 		evalInterval: time.Duration(evalHours) * time.Hour,
 	}
 }

backend/modules/dashboards/module.go

@@ -1,6 +1,7 @@
 package dashboards
 
 import (
+	"github.com/utmstack/utmstack/backend/modules/dashboards/connectors"
 	"github.com/utmstack/utmstack/backend/modules/dashboards/handler"
 	"github.com/utmstack/utmstack/backend/modules/dashboards/repository"
 	"github.com/utmstack/utmstack/backend/modules/dashboards/usecase"
@@ -11,17 +12,27 @@ type Module struct {
 	dashboardHandler     *handler.DashboardHandler
 	visualizationHandler *handler.VisualizationHandler
 	layoutHandler        *handler.LayoutHandler
+	dashboardUC          connectors.DashboardUsecase
+	visualizationUC      connectors.VisualizationUsecase
+	layoutUC             connectors.LayoutUsecase
 }
 
 func NewModule(db *gorm.DB) *Module {
 	dashRepo := repository.NewDashboardRepository(db)
 	vizRepo := repository.NewVisualizationRepository(db)
 	layoutRepo := repository.NewLayoutRepository(db)
 
+	dashUC := usecase.NewDashboardUsecase(dashRepo)
+	vizUC := usecase.NewVisualizationUsecase(vizRepo)
+	layoutUC := usecase.NewLayoutUsecase(layoutRepo)
+
 	return &Module{
-		dashboardHandler:     handler.NewDashboardHandler(usecase.NewDashboardUsecase(dashRepo)),
-		visualizationHandler: handler.NewVisualizationHandler(usecase.NewVisualizationUsecase(vizRepo)),
-		layoutHandler:        handler.NewLayoutHandler(usecase.NewLayoutUsecase(layoutRepo)),
+		dashboardHandler:     handler.NewDashboardHandler(dashUC),
+		visualizationHandler: handler.NewVisualizationHandler(vizUC),
+		layoutHandler:        handler.NewLayoutHandler(layoutUC),
+		dashboardUC:          dashUC,
+		visualizationUC:      vizUC,
+		layoutUC:             layoutUC,
 	}
 }
 
@@ -30,3 +41,9 @@ func (m *Module) GetVisualizationHandler() *handler.VisualizationHandler {
 	return m.visualizationHandler
 }
 func (m *Module) GetLayoutHandler() *handler.LayoutHandler { return m.layoutHandler }
+
+func (m *Module) GetDashboardUsecase() connectors.DashboardUsecase { return m.dashboardUC }
+func (m *Module) GetVisualizationUsecase() connectors.VisualizationUsecase {
+	return m.visualizationUC
+}
+func (m *Module) GetLayoutUsecase() connectors.LayoutUsecase { return m.layoutUC }

backend/modules/datasources/module.go

@@ -14,6 +14,9 @@ type Module struct {
 	assetGroupHandler    *handler.AssetGroupHandler
 	connectionKeyHandler *handler.ConnectionKeyHandler
 	reconciler           *usecase.StatsReconciler
+	datasourceUC         connectors.DatasourceUsecase
+	assetGroupUC         connectors.AssetGroupUsecase
+	license              connectors.LicenseCapProvider
 }
 
 func NewModule(dsUC connectors.DatasourceUsecase, groupUC connectors.AssetGroupUsecase, reconciler *usecase.StatsReconciler, license connectors.LicenseCapProvider, agentClient *agentmanager.AgentManagerClient) *Module {
@@ -22,6 +25,9 @@ func NewModule(dsUC connectors.DatasourceUsecase, groupUC connectors.AssetGroupU
 		assetGroupHandler:    handler.NewAssetGroupHandler(groupUC),
 		connectionKeyHandler: handler.NewConnectionKeyHandler(agentClient),
 		reconciler:           reconciler,
+		datasourceUC:         dsUC,
+		assetGroupUC:         groupUC,
+		license:              license,
 	}
 }
 
@@ -36,3 +42,7 @@ func (m *Module) GetAssetGroupHandler() *handler.AssetGroupHandler { return m.as
 func (m *Module) GetConnectionKeyHandler() *handler.ConnectionKeyHandler {
 	return m.connectionKeyHandler
 }
+
+func (m *Module) GetDatasourceUsecase() connectors.DatasourceUsecase { return m.datasourceUC }
+func (m *Module) GetAssetGroupUsecase() connectors.AssetGroupUsecase { return m.assetGroupUC }
+func (m *Module) LicenseCap() connectors.LicenseCapProvider          { return m.license }