
Megaraptor MCP

by wagonbomb

rotate_certificates

Rotate security certificates for Velociraptor deployments to maintain authentication integrity. Manage certificate validity periods and optionally rotate CA certificates with re-enrollment guidance.

Instructions

Rotate certificates for a deployment.

WARNING: Rotating CA certificate will require re-enrollment of all agents.

Args:
    deployment_id: The deployment to rotate certificates for
    rotate_ca: Also rotate the CA certificate (requires re-enrollment)
    validity_days: Validity period for new certificates

Returns: New certificate fingerprints and re-enrollment instructions.

Input Schema

| Name | Required | Description | Default |
|---|---|---|---|
| deployment_id | Yes | | |
| rotate_ca | No | | |
| validity_days | No | | |

Output Schema

| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | | |

Implementation Reference

  • The `rotate_certificates` tool implementation, which manages CA and certificate rotation for Velociraptor deployments.
    import json

    from mcp.types import TextContent

    async def rotate_certificates(
        deployment_id: str,
        rotate_ca: bool = False,
        validity_days: int = 365,
    ) -> list[TextContent]:
        """Rotate certificates for a deployment.
    
        WARNING: Rotating CA certificate will require re-enrollment of all agents.
    
        Args:
            deployment_id: The deployment to rotate certificates for
            rotate_ca: Also rotate the CA certificate (requires re-enrollment)
            validity_days: Validity period for new certificates
    
        Returns:
            New certificate fingerprints and re-enrollment instructions.
        """
        try:
            from ..deployment.security import CertificateManager
            from ..deployment.deployers import DockerDeployer
    
            # Get deployment info
            deployer = DockerDeployer()
            info = await deployer.get_status(deployment_id)
    
            if not info:
                return [TextContent(
                    type="text",
                    text=json.dumps({
                        "error": f"Deployment not found: {deployment_id}",
                        "hint": "Use list_deployments tool to see available deployments"
                    }, indent=2)
                )]
    
            # Load current certificates
            cert_manager = CertificateManager()
            bundle = cert_manager.load_bundle(deployment_id)
    
            if not bundle:
                return [TextContent(
                    type="text",
                    text=json.dumps({
                        "error": "Certificate bundle not found"
                    }, indent=2)
                )]
    
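            # Parse the URL instead of splitting on ":" so that a missing port,
            # a path, userinfo or an IPv6 literal cannot corrupt the hostname
            from urllib.parse import urlparse

            server_hostname = urlparse(info.server_url).hostname
            if not server_hostname:
                # Handled by the generic except below; no internals are exposed
                raise ValueError("server_url has no hostname")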
    
            if rotate_ca:
                # Generate entirely new bundle
                new_bundle = cert_manager.generate_bundle(
                    server_hostname=server_hostname,
                    cert_validity_days=validity_days,
                )
                cert_manager.save_bundle(new_bundle, deployment_id)
    
                return [TextContent(
                    type="text",
                    text=json.dumps({
                        "success": True,
                        "ca_rotated": True,
                        "new_ca_fingerprint": new_bundle.ca_fingerprint,
                        "warning": "All agents must be re-enrolled with new configuration",
                        "action_required": "Generate new agent installers and redeploy",
                    }, indent=2)
                )]
    
            else:
                # TODO: Implement server/client cert rotation without CA
                return [TextContent(
                    type="text",
                    text=json.dumps({
                        "error": "Certificate rotation without CA is not yet implemented",
                        "suggestion": "Use rotate_ca=True to perform full rotation"
                    }, indent=2)
                )]
    
        except ImportError as e:
            return [TextContent(
                type="text",
                text=json.dumps({
                    "error": f"Missing dependency: {str(e)}",
                    "hint": "Install required packages with: pip install megaraptor-mcp[deployment]"
                }, indent=2)
            )]
    
        except Exception:
            # Generic errors - don't expose internals
            return [TextContent(
                type="text",
                text=json.dumps({
                    "error": "Operation failed",
                    "hint": "Check deployment configuration and try again"
                }, indent=2)
            )]
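
The hostname that `rotate_certificates` hands to `generate_bundle` is derived from the deployment's `server_url`, so a mis-parsed URL becomes the name the new bundle is generated for. The following added example (not Megaraptor MCP code; the function names and sample URLs are constructed for illustration) compares plain string splitting with `urllib.parse` on URL shapes a deployment record might contain.

```python
from urllib.parse import urlsplit


def naive_hostname(server_url: str) -> str:
    """String splitting: everything between '://' and the next ':'."""
    return server_url.split("://")[1].split(":")[0]


def parsed_hostname(server_url: str) -> str:
    """Hostname to issue the certificate for, or ValueError if unusable."""
    # .hostname strips userinfo, port, path and the brackets of IPv6 literals
    host = urlsplit(server_url).hostname
    if not host:
        raise ValueError(f"no hostname in server_url: {server_url!r}")
    return host


# Constructed sample URLs (not taken from any real deployment).
SAMPLES = [
    "https://vr.example.internal:8000/",        # scheme://host:port/
    "https://vr.example.internal/",             # no explicit port
    "https://admin@vr.example.internal:8000/",  # userinfo present
    "https://[2001:db8::10]:8000/",             # IPv6 literal
]


def compare(urls=SAMPLES):
    """Return (url, naive, parsed) rows so mismatches are easy to spot."""
    return [(u, naive_hostname(u), parsed_hostname(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, parsed in compare():
        flag = "" if naive == parsed else "  <-- mismatch"
        print(f"{url:42} naive={naive!r:30} parsed={parsed!r}{flag}")
```

Only the first URL shape yields the same hostname from both approaches; the other three would put a trailing slash, a user name or a truncated IPv6 fragment into the certificate request.
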
Behavior: 4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations provided, so description carries full burden. It discloses the critical side effect (re-enrollment required for CA rotation) and return value contents (fingerprints and instructions). Minor gap: doesn't specify if operation is atomic, asynchronous, or causes service interruption.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Uses structured docstring format (Args/Returns) which is slightly formal but necessary given zero schema descriptions. Front-loaded with the core action and WARNING. Every section serves a distinct purpose: purpose statement, critical warning, parameter docs, return value docs.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a high-impact cryptographic operation with 3 parameters and no annotations, coverage is strong: explains the rotation process, warns about CA implications, documents all inputs, and describes return values (complementing the existing output schema). Minor gap: lacks explicit prerequisites (e.g., deployment must be active).

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema has 0% description coverage (only titles), but the description fully compensates by documenting all 3 parameters in the Args section: deployment_id target, rotate_ca boolean implication, and validity_days purpose. Adds crucial semantic context that rotate_ca 'requires re-enrollment'.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

States specific verb 'Rotate' with resource 'certificates' and scope 'for a deployment'. The WARNING about CA certificate rotation distinguishes this from general deployment management tools in the sibling list (like deploy_server or validate_deployment).

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Provides clear context through the WARNING about re-enrollment requirements when rotating CA certificates, which guides appropriate use. Lacks explicit comparison to specific alternatives (e.g., 'use generate_agent_installer for new agents instead'), but the warning effectively signals when to exercise caution.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/wagonbomb/megaraptor-mcp'