[feature]: add MCP write-operation tools (cluster update, workload apply, cipher encrypt/decrypt)

[github-actions]

User Story

As a developer or AI agent using KSail via an MCP-compatible client (VS Code, Claude, Copilot),
I want to invoke cluster update, workload apply, and cipher encrypt/decrypt as MCP tools,
So that I can manage KSail clusters autonomously through AI assistants without switching to the terminal.

Context

The Weekly Roadmap — March 16, 2026 identifies MCP write-operation tools as the second highest unshipped "Now" priority:

MCP read-only tools are already live; write operations unlock autonomous agentic workflows. No other provisioning tool offers write-side MCP operations on local Kubernetes clusters — this is a unique differentiator.

MCP adoption continues to accelerate — VS Code, JetBrains, and Zed all have first-class MCP client support. KSail's toolgen system (pkg/toolgen/) auto-generates MCP tools from the Cobra command tree using ai.toolgen.consolidate + ai.toolgen.permission annotations. Commands annotated with these produce paired read/write tools (cluster_read/cluster_write, etc.).

The key question is whether write-side commands (cluster update, workload apply, cipher encrypt/decrypt) are currently reachable via the auto-generated write tools, or whether they require additional annotation or explicit exclusion removal.

Approach

1. Audit current MCP coverage — check pkg/toolgen/ to see which commands are currently exposed as write tools and whether cluster update, workload apply, cipher encrypt/decrypt are included or excluded.
2. Verify ai.toolgen.consolidate + ai.toolgen.permission annotations on the relevant command groups (cluster, workload, cipher) in pkg/cli/cmd/.
3. Ensure write operations are not excluded — check toolgen.DefaultOptions() for any exclusions of write commands.
4. Structure tool output for AI consumption — ensure JSON/structured output mode is available for these commands.
5. Validate via MCP client — confirm cluster_write, workload_write, cipher_write tools are callable with correct arguments.

Key files:

• pkg/toolgen/ — tool generation logic; toolgen.DefaultOptions() for exclusions
• pkg/cli/cmd/cluster/, pkg/cli/cmd/workload/, pkg/cli/cmd/cipher/ — command definitions and annotations
• pkg/cli/annotations/ — annotation constants (ai.toolgen.consolidate, ai.toolgen.permission, ai.toolgen.exclude)
• pkg/svc/mcp/ — MCP server wiring

Acceptance Criteria

• cluster_write MCP tool covers cluster update (and related lifecycle commands)
• workload_write MCP tool covers workload apply and workload reconcile
• cipher_write MCP tool covers cipher encrypt and cipher decrypt
• Tool output is structured for AI consumption (JSON or structured text)
• No regressions in existing MCP read tools
• go build ./... and go test ./... pass
• MCP tool schema is accurate (argument types, descriptions match CLI flags)

Generated by Daily Plan · ◷

[github-actions]

🎯 Agentic Issue Triage

Summary: Backlog issue tracking MCP write-operation tools (cluster update, workload apply, cipher encrypt/decrypt) — a Now priority item from the Weekly Roadmap — March 16, 2026. This is a valid, well-scoped issue.

Analysis & Context

Roadmap priority: 🟢 Now — second highest unshipped priority. Write operations unlock autonomous agentic cluster management via MCP, which is a unique differentiator no competitor offers.

Architecture note: Per the project's toolgen architecture, pkg/toolgen/ already auto-generates 6 consolidated MCP tools from the Cobra command tree via ai.toolgen.consolidate + ai.toolgen.permission annotations:

• cluster_read / cluster_write
• workload_read / workload_write
• cipher_read / cipher_write

The write-side tools may already exist in the generated toolset. The primary work is:

1. Auditing whether cluster update, workload apply, cipher encrypt/decrypt are currently reachable via the auto-generated write tools
2. Verifying they aren't excluded by toolgen.DefaultOptions()
3. Ensuring structured output for AI consumption

Key files to audit:

• pkg/toolgen/ — DefaultOptions() exclusion list
• pkg/cli/annotations/ — annotation constants
• pkg/svc/mcp/ — MCP server wiring
• pkg/cli/cmd/cluster/, pkg/cli/cmd/workload/, pkg/cli/cmd/cipher/

Labels: Current labels (next, backlog, ai-generated) are appropriate. Note: this is a Now item in the roadmap, but no "now" label exists in the repo.

Generated by Daily Plan · ◷