Architecture
MCTL follows a GitOps architecture where every infrastructure change flows through Git.
System Diagram
Request Flow
MCP Request
- AI client sends a tool call via Streamable HTTP to api.mctl.ai/mcp
- mctl-api authenticates the request (GitHub token, Dex JWT, or OAuth JWT)
- The handler validates input and checks RBAC for the tenant
- mctl-api submits an Argo Workflow for the requested operation
- An operation ID is returned immediately
- The workflow commits the desired state to mctl-gitops
- ArgoCD detects the change and syncs the cluster
- The client polls mctl-api for workflow execution status and deployment sync/health
Self-Healing Flow
- AlertManager fires an alert (e.g., pod crash loop)
- mctl-agent receives the alert webhook and creates a ticket
- Evidence is collected and a skill is selected for diagnosis
- The agent either prepares a direct fix PR or dispatches the incident to an external agent such as OpenClaw
- A fix lands in mctl-gitops as a PR rather than mutating the cluster directly
- On merge, ArgoCD syncs the change
Data Flow
| Path | Protocol | Auth |
|---|---|---|
| Client -> MCP Server | Streamable HTTP (POST/GET) | Bearer token per request |
| Client -> REST API | HTTPS | GitHub token / Dex JWT / OAuth JWT |
| Argo Workflows -> GitOps | Git (SSH) | Deploy key |
| ArgoCD -> Cluster | Kubernetes API | ServiceAccount |
| AlertManager -> Agent | Webhook (HTTP) | Internal network |
| Agent -> External agents | Signed webhook callbacks | Shared secret / callback auth |
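
The last row of the table relies on signed webhook callbacks authenticated with a shared secret. The following is an added example, not MCTL's own code: one common way to sign and verify such a callback, assuming HMAC-SHA256 over the timestamp and body, a 5-minute freshness window, and hypothetical function names.

```python
import hashlib
import hmac
import json
import time

# Assumed scheme (not from the MCTL docs): HMAC-SHA256 over "<timestamp>.<body>"
# with a 5-minute freshness window. All names here are hypothetical.
MAX_SKEW_SECONDS = 300


def sign_callback(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender: bind the signature to both the body and the send time."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_callback(secret, body, timestamp, signature, now=None, seen=None):
    """Receiver: return True only for a fresh, unmodified, first-seen callback."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(timestamp)
    except (TypeError, ValueError, OverflowError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated delivery
    if not isinstance(signature, str):
        return False
    expected = sign_callback(secret, body, ts)
    # Constant-time comparison: do not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False
    if seen is not None:
        if signature in seen:
            return False  # replay inside the freshness window
        seen.add(signature)
    return True


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample values
    body = json.dumps({"incident": "demo-1", "status": "fix-pr-opened"}).encode()
    ts, seen = 1_700_000_000, set()
    sig = sign_callback(secret, body, ts)
    print(verify_callback(secret, body, ts, sig, now=ts + 10, seen=seen))  # first delivery
    print(verify_callback(secret, body, ts, sig, now=ts + 20, seen=seen))  # replayed
    print(verify_callback(secret, body + b" ", ts, sig, now=ts + 10))      # tampered body
```

Because the timestamp is part of the signed message, an attacker who captures a callback cannot refresh it by rewriting the timestamp field.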