ROX-32890: add MCP prompts

[janisz]

Add MCP prompts infrastructure to guide LLMs in performing comprehensive vulnerability detection workflows. Without prompts, LLMs may only call one tool (e.g., just deployments) missing coverage across orchestrator components, deployments, and nodes.

Implement two prompts:

• check-vuln: Flexible vulnerability detection with scope-based workflows
  (fleet/cluster/workloads) supporting single or multiple CVE checks
• list-cluster: Simple cluster inventory prompt

The prompts provide explicit workflows ensuring consistent, complete vulnerability assessment across all infrastructure layers.

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com### Description

Validation

❯ /mcp__stackrox-mcp__list-cluster

● I'll help you list all the Kubernetes/OpenShift clusters secured by StackRox Central.

● stackrox-mcp - list_clusters (MCP)
  ⎿  {
       "clusters": [
         {
     … +29 lines (ctrl+o to expand)

● StackRox Secured Clusters

  Found 5 clusters managed by StackRox Central:

  ┌─────────────────┬──────────────────────────────────────┬────────────────────┐
  │  Cluster Name   │              Cluster ID              │        Type        │
  ├─────────────────┼──────────────────────────────────────┼────────────────────┤
  │ acs-int-us-02   │ e8349cfc-af25-43d0-ab6e-6e104efc1647 │ OPENSHIFT4_CLUSTER │
  ├─────────────────┼──────────────────────────────────────┼────────────────────┤
  │ acs-prod-dp-02  │ 836f3b11-04f0-4068-a76e-b1122f6bcb3d │ OPENSHIFT4_CLUSTER │
  ├─────────────────┼──────────────────────────────────────┼────────────────────┤
  │ acs-prod-eu-02  │ 3dbdaad9-9d02-4dd0-8cb5-c1e9c9f2ab22 │ OPENSHIFT4_CLUSTER │
  ├─────────────────┼──────────────────────────────────────┼────────────────────┤
  │ acs-stage-dp-03 │ 37da3ba5-c487-48c5-9e3c-3bf60d13df64 │ OPENSHIFT4_CLUSTER │
  ├─────────────────┼──────────────────────────────────────┼────────────────────┤
  │ acs-stage-eu-03 │ 1ef7e609-d9fa-47d6-a8d5-162c87d4a216 │ OPENSHIFT4_CLUSTER │
  └─────────────────┴──────────────────────────────────────┴────────────────────┘

  All clusters are running OpenShift 4.

❯ /mcp__stackrox-mcp__list-cluster CVE-2024-25621

● I see you've provided a CVE identifier. Let me fetch the tool to find clusters affected by this specific CVE.

● I'll check for CVE-2024-25621 across all areas: orchestrator components, deployments, and nodes.

● stackrox-mcp - get_clusters_with_orchestrator_cve (MCP)(cveName: "CVE-2024-25621")
  ⎿  {
       "clusters": []
     }

● stackrox-mcp - get_deployments_for_cve (MCP)(cveName: "CVE-2024-25621")
  ⎿  {"deployments":[{"clusterId":"e8349cfc-af25-43d0-ab6e-6e104efc1647","clusterName":"acs-int-us-02","name":"ovnkube-node","namespace":"
     openshift-ovn-kubernetes"},{"clusterId":"836f3b11-04f0-4068-a76e-b1122f6bcb3d","clusterName":"acs-prod-dp-02","name":"node-resolver",
     "namespace":"openshift-dns"},{"clusterId":"3dbdaad9-9d02-4dd0-8cb5-c1e9c9f2ab22","clusterName":"acs-prod-eu-02","name":"node-resolver
     … +115 lines (ctrl+o to expand)

● stackrox-mcp - get_nodes_for_cve (MCP)(cveName: "CVE-2024-25621")
  ⎿  {
       "nodeGroups": [
         {
     … +31 lines (ctrl+o to expand)

● CVE-2024-25621 Detection Report

  Summary: CVE-2024-25621 is detected across all 5 clusters in deployments and node operating systems.

  Affected Areas

  ┌─────────────────────────┬──────────────────────────────┐
  │          Area           │            Status            │
  ├─────────────────────────┼──────────────────────────────┤
  │ Orchestrator Components │ ✓ Not detected               │
  ├─────────────────────────┼──────────────────────────────┤
  │ Deployments             │ ⚠️ 100+ deployments affected │
  ├─────────────────────────┼──────────────────────────────┤
  │ Nodes                   │ ⚠️ All clusters affected     │
  └─────────────────────────┴──────────────────────────────┘

  ---
  Cluster Breakdown

  ┌─────────────────┬─────────────┬────────────────┬────────────────────────────┐
  │     Cluster     │ Deployments │ Nodes Affected │          Node OS           │
  ├─────────────────┼─────────────┼────────────────┼────────────────────────────┤
  │ acs-int-us-02   │ Multiple    │ 11 nodes       │ RHEL CoreOS 9.6.20260314-0 │
  ├─────────────────┼─────────────┼────────────────┼────────────────────────────┤
  │ acs-prod-dp-02  │ Multiple    │ 42 nodes       │ RHEL CoreOS 9.6.20260303-1 │
  ├─────────────────┼─────────────┼────────────────┼────────────────────────────┤
  │ acs-prod-eu-02  │ Multiple    │ 22 nodes       │ RHEL CoreOS 9.6.20260303-1 │
  ├─────────────────┼─────────────┼────────────────┼────────────────────────────┤
  │ acs-stage-dp-03 │ Multiple    │ 17 nodes       │ RHEL CoreOS 9.6.20260303-1 │
  ├─────────────────┼─────────────┼────────────────┼────────────────────────────┤
  │ acs-stage-eu-03 │ Multiple    │ 14 nodes       │ RHEL CoreOS 9.6.20260303-1 │
  └─────────────────┴─────────────┴────────────────┴────────────────────────────┘

  Total: 106 nodes affected

  ---
  Affected Deployment Types

  The vulnerability is primarily detected in OpenShift platform components:

  - Networking: ovnkube-node, ovnkube-control-plane, node-resolver, iptables-alerter, network-node-identity
  - Operator Lifecycle: catalog-operator, olm-operator, packageserver, catalogd-controller-manager
  - Maintenance/SRE: builds-pruner, deployments-pruner, image-pruner, osd-* utilities
  - Marketplace: redhat-marketplace-*, certified-operators-*, community-operators-*

  All clusters show consistent patterns of affected deployments in openshift-* namespaces.

[codecov-commenter]

❌ 2 Tests Failed:

Tests completed	Failed	Passed	Skipped
419	2	417	12

View the full list of 2 ❄️ flaky test(s)

::policy 1

Flake rate in main: 100.00% (Passed 0 times, Failed 12 times)

Stack Traces | 0s run time

- test violation 1
- test violation 2
- test violation 3

::policy 4

Flake rate in main: 100.00% (Passed 0 times, Failed 12 times)

Stack Traces | 0s run time

- testing multiple alert violation messages 1
- testing multiple alert violation messages 2
- testing multiple alert violation messages 3

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[github-actions]

E2E Test Results

Commit: 9533da0
Workflow Run: View Details
Artifacts: Download test results & logs

=== Evaluation Summary ===

  ✓ list-clusters (assertions: 3/3)
  ✓ cve-detected-workloads (assertions: 3/3)
  ✓ cve-detected-clusters (assertions: 3/3)
  ✓ cve-nonexistent (assertions: 3/3)
  ✓ cve-cluster-does-exist (assertions: 3/3)
  ~ cve-cluster-does-not-exist (assertions: 2/3)
      - ToolsUsed: Required tool not called: server=stackrox-mcp, tool=, pattern=list_clusters
  ✓ cve-clusters-general (assertions: 3/3)
  ✓ cve-cluster-list (assertions: 3/3)
  ✓ cve-log4shell (assertions: 3/3)
  ✓ cve-multiple (assertions: 3/3)
  ✓ rhsa-not-supported (assertions: 2/2)

Tasks:      11/11 passed (100.00%)
Assertions: 31/32 passed (96.88%)
Tokens:     ~51575 (estimate - excludes system prompt & cache)
MCP schemas: ~12738 (included in token total)
Agent used tokens:
  Input:  12210 tokens
  Output: 20933 tokens
Judge used tokens:
  Input:  54741 tokens
  Output: 38825 tokens

[mtodor]

There are two conceptual things that we should consider changing:

1. Config: I find the configuration a bit complex. It would be best if we could couple prompts with already existing toolsets. In that case, we know if a toolset is enabled, all tools relevant for a specific prompt are available. In this case, we could get it in a situation where prompt is enabled, but actually, tools are not, and we should avoid such situations.

2. Prompt prefix: Is prefix mcp__<mcp-server>__<prompt> something that's standardized or not? If not, we could have situations where prompts are colliding with other MCP servers. It would be best if we would prefix prompts with acs or stackrox, depending on the build. (i.e. acs-list-cluster).