Added allowed-tools declaration to all 71 skills across 7 packs

.github/workflows/README.md

@@ -409,6 +409,58 @@ gh workflow run skill-code-review.yml -f pr_number=42
 - `MAINTAINERS` — authorized users list
 - `.github/workflows/skill-code-review.yml` — workflow definition
 
+### 6. `mcp-tool-validation.yml` - MCP Tool Validation
+
+**Purpose**: Validates that `allowed-tools` declarations in SKILL.md frontmatter match the actual tools exposed by MCP servers defined in each pack's `mcps.json`.
+
+**Triggers**:
+- **Pull requests** → Validates only packs with changed `mcps.json` or `skills/*/SKILL.md` files
+- **Pushes to main** → Validates all packs
+- **Manual dispatch** → Optionally specify a single pack name to validate
+
+**What it validates**:
+- ✅ Starts each container-based MCP server via `podman`
+- ✅ Queries tools via JSON-RPC (`initialize` + `tools/list`)
+- ✅ Cross-references declared `allowed-tools` against actual tool names
+- ✅ Suggests corrections for misspelled tool names (Levenshtein distance)
+
+**Classification**:
+- **PASS** — All declared tools found in started MCP servers
+- **WARN** — Tools could not be verified because their MCP server is non-container (`npx`, `uvx`, empty command) or failed to start. Does not block the PR
+- **SKIP** — Skill has no `allowed-tools` declared
+- **FAIL** — Tools missing from MCP servers that were successfully started. Blocks the PR
+
+**How to run locally**:
+```bash
+# Validate all packs
+python scripts/validate_mcp_tools.py
+
+# Validate specific packs
+python scripts/validate_mcp_tools.py rh-sre ocp-admin rh-virt
+```
+
+**Expected output**:
+```
+VALIDATION SUMMARY
+------------------------------------------------------------------
+  Total skills:                71
+  Passed:                      31
+  Warned (unverifiable):       31
+  Skipped (no allowed-tools):  9
+  Failed:                      0
+
+PASSED WITH WARNINGS - some tools could not be verified (MCP servers not started)
+```
+
+**Prerequisites**:
+- `podman` installed
+- `KUBECONFIG` set (or `~/.kube/config` present) — a dummy kubeconfig is created in CI
+
+**Related files**:
+- `scripts/validate_mcp_tools.py` — validation script
+- `*/mcps.json` — MCP server configurations per pack
+- `*/skills/*/SKILL.md` — skill definitions with `allowed-tools` frontmatter
+
 ## Adding New Workflows
 
 When adding new workflows:
@@ -482,5 +534,5 @@ This README should be updated when:
 - New validation levels are introduced
 - Troubleshooting patterns emerge
 
-**Last Updated**: 2026-05-06
-**Workflows Count**: 5 (skill-spec-report.yml, compliance-check.yml, deploy-pages.yml, skill-security-scan.yml, skill-code-review.yml)
+**Last Updated**: 2026-05-26
+**Workflows Count**: 6 (skill-spec-report.yml, compliance-check.yml, deploy-pages.yml, skill-security-scan.yml, skill-code-review.yml, mcp-tool-validation.yml)

.github/workflows/mcp-tool-validation.yml

@@ -57,16 +57,26 @@ jobs:
           - cluster:
               server: https://localhost:6443
             name: mcp-validation
+          - cluster:
+              server: https://localhost:6444
+            name: mcp-validation-2
           contexts:
           - context:
               cluster: mcp-validation
               user: mcp-validation
             name: mcp-validation
+          - context:
+              cluster: mcp-validation-2
+              user: mcp-validation-2
+            name: mcp-validation-2
           current-context: mcp-validation
           users:
           - name: mcp-validation
             user:
               token: dummy-token-for-tool-listing
+          - name: mcp-validation-2
+            user:
+              token: dummy-token-for-tool-listing-2
           KUBECONFIG
           echo "KUBECONFIG=$HOME/.kube/config" >> "$GITHUB_ENV"
 

ocp-admin/skills/cluster-creator/SKILL.md

@@ -20,6 +20,7 @@ description: |
 license: Apache-2.0
 model: inherit
 color: green
+allowed-tools: list_versions create_cluster cluster_info set_cluster_vips set_host_role cluster_iso_download_url install_cluster cluster_credentials_download_url cluster_logs_download_url list_static_network_config generate_nmstate_yaml validate_nmstate_yaml alter_static_network_config_nmstate_for_host
 metadata:
   mcp_server: openshift-self-managed
   mcp_tools_priority: true

ocp-admin/skills/cluster-inventory/SKILL.md

@@ -16,6 +16,7 @@ description: |
 license: Apache-2.0
 model: inherit
 color: cyan
+allowed-tools: list_clusters cluster_info cluster_events cluster_logs_download_url
 metadata:
   mcp_servers:
     - openshift-self-managed

ocp-admin/skills/cluster-report/SKILL.md

@@ -16,6 +16,7 @@ description: |
 license: Apache-2.0
 model: inherit
 color: cyan
+allowed-tools: configuration_contexts_list resources_get nodes_top resources_list namespaces_list pods_list
 metadata:
   mcp_server: openshift-administration
   mcp_tools_priority: true

rh-ai-engineer/skills/ai-observability/SKILL.md

@@ -18,6 +18,7 @@ description: |
 model: inherit
 color: cyan
 license: Apache-2.0
+allowed-tools: list_models list_vllm_namespaces get_gpu_info get_deployment_info analyze_vllm chat_vllm analyze_openshift list_openshift_metric_groups list_openshift_namespaces query_tempo_tool get_trace_details_tool search_metrics execute_promql korrel8r_get_correlated list_data_science_projects list_inference_services get_inference_service resources_get resources_list pods_list
 ---
 
 # /ai-observability Skill

rh-ai-engineer/skills/debug-inference/SKILL.md

@@ -17,6 +17,7 @@ description: |
 model: inherit
 color: yellow
 license: Apache-2.0
+allowed-tools: resources_get resources_list pods_list pods_log events_list list_inference_services get_inference_service get_model_endpoint get_deployment_info analyze_vllm chat_vllm get_gpu_info analyze_openshift query_tempo_tool get_trace_details_tool execute_promql korrel8r_get_correlated
 ---
 
 # /debug-inference Skill

rh-ai-engineer/skills/ds-project-setup/SKILL.md

@@ -21,6 +21,7 @@ metadata:
   author: "Red Hat Ecosystem Engineering"
   version: "1.0"
 license: Apache-2.0
+allowed-tools: resources_get resources_list resources_create_or_update list_data_science_projects create_data_science_project get_project_details get_project_status create_s3_data_connection list_data_connections get_pipeline_server set_model_serving_mode
 ---
 
 # /ds-project-setup Skill

rh-ai-engineer/skills/guardrails-config/SKILL.md

@@ -18,6 +18,7 @@ description: |
 model: inherit
 color: blue
 license: Apache-2.0
+allowed-tools: resources_get resources_list resources_create_or_update resources_delete pods_list pods_log events_list list_inference_services get_inference_service get_model_endpoint test_model_endpoint deploy_model list_serving_runtimes recommend_serving_runtime execute_promql analyze_vllm
 ---
 
 # /guardrails-config Skill

rh-ai-engineer/skills/model-deploy/SKILL.md

@@ -17,6 +17,7 @@ description: |
 model: inherit
 color: green
 license: Apache-2.0
+allowed-tools: resources_get resources_list resources_create_or_update pods_list pods_log events_list deploy_model list_inference_services get_inference_service get_model_endpoint list_serving_runtimes list_data_science_projects list_data_connections get_gpu_info get_deployment_info analyze_vllm
 ---
 
 # /model-deploy Skill

rh-ai-engineer/skills/model-monitor/SKILL.md

@@ -18,6 +18,7 @@ description: |
 model: inherit
 color: blue
 license: Apache-2.0
+allowed-tools: resources_get resources_list resources_create_or_update pods_list pods_log events_list list_inference_services get_inference_service list_data_science_projects execute_promql
 ---
 
 # /model-monitor Skill

rh-ai-engineer/skills/model-registry/SKILL.md

@@ -17,6 +17,7 @@ description: |
 color: cyan
 model: inherit
 license: Apache-2.0
+allowed-tools: resources_create_or_update resources_get resources_list list_registered_models get_registered_model list_model_versions get_model_version get_model_artifacts get_model_benchmarks get_catalog_model_artifacts list_data_science_projects list_data_connections
 ---
 
 # /model-registry Skill

rh-ai-engineer/skills/nim-setup/SKILL.md

@@ -16,6 +16,7 @@ description: |
 model: inherit
 color: blue
 license: Apache-2.0
+allowed-tools: resources_get resources_list resources_create_or_update events_list list_data_science_projects list_serving_runtimes get_gpu_info
 ---
 
 # /nim-setup Skill

rh-ai-engineer/skills/pipeline-manage/SKILL.md

@@ -19,6 +19,7 @@ description: |
 color: green
 model: inherit
 license: Apache-2.0
+allowed-tools: resources_create_or_update resources_list resources_get resources_delete events_list pods_list pods_log list_data_science_projects get_pipeline_server delete_pipeline_server list_resources get_resource list_resource_names resource_status diagnose_resource list_data_connections project_summary
 ---
 
 # /pipeline-manage Skill

rh-ai-engineer/skills/serving-runtime-config/SKILL.md

@@ -17,6 +17,7 @@ description: |
 model: inherit
 color: blue
 license: Apache-2.0
+allowed-tools: resources_get resources_list resources_create_or_update list_serving_runtimes create_serving_runtime list_data_science_projects list_models
 ---
 
 # /serving-runtime-config Skill

rh-ai-engineer/skills/workbench-manage/SKILL.md

@@ -21,6 +21,7 @@ metadata:
   author: "Red Hat Ecosystem Engineering"
   version: "1.0"
 license: Apache-2.0
+allowed-tools: resources_get resources_list resources_create_or_update resources_delete events_list pods_list list_data_science_projects list_workbenches get_workbench create_workbench start_workbench stop_workbench delete_workbench get_workbench_url list_storage create_storage delete_storage list_data_connections
 ---
 
 # /workbench-manage Skill

rh-automation/skills/aap-mcp-validator/SKILL.md

@@ -12,6 +12,7 @@ description: |
 model: inherit
 color: blue
 license: Apache-2.0
+allowed-tools: job_templates_list inventories_list notification_templates_list credentials_list instance_groups_list users_list
 ---
 
 # AAP MCP Validator

rh-automation/skills/execution-risk-analyzer/SKILL.md

@@ -13,6 +13,7 @@ description: |
 model: inherit
 color: yellow
 license: Apache-2.0
+allowed-tools: job_templates_list job_templates_retrieve job_templates_launch_retrieve jobs_list jobs_job_events_list workflow_job_templates_list inventories_list hosts_list
 ---
 
 # Execution Risk Analyzer

rh-automation/skills/execution-summary/SKILL.md

@@ -13,6 +13,7 @@ description: |
 model: inherit
 color: green
 license: Apache-2.0
+allowed-tools:
 ---
 
 # Execution Summary

rh-automation/skills/forensic-troubleshooter/SKILL.md

@@ -12,6 +12,7 @@ description: |
 model: inherit
 color: yellow
 license: Apache-2.0
+allowed-tools: job_templates_list jobs_retrieve jobs_job_events_list jobs_job_host_summaries_list jobs_stdout_retrieve inventories_list hosts_list hosts_variable_data_retrieve notification_templates_list credentials_list instance_groups_list users_list
 ---
 
 # Forensic Troubleshooter

rh-automation/skills/governance-assessor/SKILL.md

@@ -23,6 +23,7 @@ description: |
 model: inherit
 color: red
 license: Apache-2.0
+allowed-tools: job_templates_list workflow_job_templates_list inventories_list hosts_list notification_templates_list execution_environments_list notification_templates_create execution_environments_create credentials_list credential_types_list credentials_create instance_groups_list activity_stream_list instance_groups_create users_list teams_list role_user_assignments_list role_team_assignments_list authenticators_list teams_create role_user_assignments_create authenticators_create
 ---
 
 # Governance Assessor

rh-automation/skills/governance-executor/SKILL.md

@@ -12,6 +12,7 @@ description: |
 model: inherit
 color: red
 license: Apache-2.0
+allowed-tools: job_templates_list job_templates_retrieve job_templates_launch_retrieve job_templates_launch_create jobs_list jobs_retrieve jobs_job_events_list jobs_job_host_summaries_list jobs_relaunch_create workflow_job_templates_list inventories_list hosts_list notification_templates_list credentials_list instance_groups_list users_list
 ---
 
 # Governance Executor

rh-automation/skills/governance-readiness-assessor/SKILL.md

@@ -14,6 +14,7 @@ description: |
 model: inherit
 color: red
 license: Apache-2.0
+allowed-tools: workflow_job_templates_list job_templates_list notification_templates_list execution_environments_list notification_templates_create execution_environments_create users_list teams_list role_user_assignments_list role_team_assignments_list authenticators_list teams_create role_user_assignments_create authenticators_create credentials_list credential_types_list credentials_create instance_groups_list activity_stream_list instance_groups_create inventories_list hosts_list
 ---
 
 # Governance Readiness Assessor

rh-automation/skills/governed-job-launcher/SKILL.md

@@ -13,6 +13,7 @@ description: |
 model: inherit
 color: red
 license: Apache-2.0
+allowed-tools: job_templates_launch_create jobs_retrieve jobs_job_events_list jobs_job_host_summaries_list jobs_relaunch_create
 ---
 
 # Governed Job Launcher

rh-automation/skills/host-fact-inspector/SKILL.md

@@ -13,6 +13,7 @@ description: |
 model: inherit
 color: blue
 license: Apache-2.0
+allowed-tools: hosts_list hosts_variable_data_retrieve
 ---
 
 # Host Fact Inspector

rh-automation/skills/job-failure-analyzer/SKILL.md

@@ -12,6 +12,7 @@ description: |
 model: inherit
 color: yellow
 license: Apache-2.0
+allowed-tools: jobs_retrieve jobs_job_events_list jobs_job_host_summaries_list jobs_stdout_retrieve
 ---
 
 # Job Failure Analyzer

rh-automation/skills/resolution-advisor/SKILL.md

@@ -13,6 +13,7 @@ description: |
 model: inherit
 color: green
 license: Apache-2.0
+allowed-tools:
 ---
 
 # Resolution Advisor

rh-basic/skills/red-hat-cve-explainer/SKILL.md

@@ -5,6 +5,7 @@ license: Apache-2.0
 user_invocable: true
 model: inherit
 color: cyan
+allowed-tools: cve-detail map-cve-advisories get-advisory-solution summarize-advisory
 ---
 
 # Red Hat CVE Explainer

rh-basic/skills/red-hat-diagnostics/SKILL.md

@@ -5,6 +5,7 @@ license: Apache-2.0
 user_invocable: true
 model: inherit
 color: cyan
+allowed-tools:
 ---
 
 # Red Hat Diagnostic Information Gathering

rh-basic/skills/red-hat-get-started/SKILL.md

@@ -5,6 +5,7 @@ license: Apache-2.0
 user_invocable: true
 model: inherit
 color: yellow
+allowed-tools:
 ---
 
 # Red Hat Skills Installer

rh-basic/skills/red-hat-product-lifecycle/SKILL.md

@@ -5,6 +5,7 @@ license: Apache-2.0
 user_invocable: true
 model: inherit
 color: cyan
+allowed-tools:
 ---
 
 # Red Hat Product Lifecycle Advisor

rh-basic/skills/red-hat-security-mcp-setup/SKILL.md

@@ -5,6 +5,7 @@ license: Apache-2.0
 user_invocable: true
 model: inherit
 color: blue
+allowed-tools:
 ---
 
 # Red Hat Security MCP Setup

rh-basic/skills/red-hat-support-severity/SKILL.md

@@ -5,6 +5,7 @@ license: Apache-2.0
 user_invocable: true
 model: inherit
 color: cyan
+allowed-tools: cve-detail
 ---
 
 # Red Hat Support Ticket Severity Helper

rh-developer/skills/containerize-deploy/SKILL.md

@@ -5,6 +5,7 @@ description: |
 model: inherit
 color: green
 license: Apache-2.0
+allowed-tools: resources_list resources_get resources_create_or_update pods_list pods_list_in_namespace pods_log events_list get_file_contents helm_list helm_install inventory__find_host_by_name vulnerability__get_system_cves planning__get_rhel_lifecycle
 metadata:
    user_invocable: "true"
 ---

rh-developer/skills/debug-build/SKILL.md

@@ -5,6 +5,7 @@ description: |
 model: inherit
 color: cyan
 license: Apache-2.0
+allowed-tools: resources_list resources_get pods_log
 metadata:
   user_invocable: "true"
 ---

rh-developer/skills/debug-container/SKILL.md

@@ -5,6 +5,7 @@ description: |
 model: inherit
 color: cyan
 license: Apache-2.0
+allowed-tools: container_list container_inspect container_logs image_list
 metadata:
   user_invocable: "true"
 ---

rh-developer/skills/debug-network/SKILL.md

@@ -5,6 +5,7 @@ description: |
 model: inherit
 color: cyan
 license: Apache-2.0
+allowed-tools: resources_list resources_get pods_list
 metadata:
   user_invocable: "true"
 ---

rh-developer/skills/debug-pipeline/SKILL.md

@@ -5,6 +5,7 @@ description: |
 model: inherit
 color: cyan
 license: Apache-2.0
+allowed-tools: resources_list resources_get pods_log
 metadata:
   user_invocable: "true"
 ---

rh-developer/skills/debug-pod/SKILL.md

@@ -5,6 +5,7 @@ description: |
 model: inherit
 color: cyan
 license: Apache-2.0
+allowed-tools: pods_list resources_get events_list pods_log
 metadata:
   user_invocable: "true"
 ---

rh-developer/skills/debug-rhel/SKILL.md

@@ -5,6 +5,7 @@ description: |
 model: inherit
 color: cyan
 license: Apache-2.0
+allowed-tools: inventory__find_host_by_name vulnerability__get_system_cves advisor__get_active_rules advisor__get_rule_by_text_search
 metadata:
   user_invocable: "true"
 ---