# Burrow MCP Hub Extraction This directory is the in-repo extraction plan for a dedicated MCP hub repository. Target repository: ```text compatible.systems/burrow/mcp-hub ``` The hub should expose Burrow-operated tools for: - Authentik users, groups, OIDC, SAML, SCIM, and WIF applications - OpenBao mounts, policies, AppRole, and secret-read workflows - Google KMS key catalog, public-key export, and signing readiness - Forgejo workflow dispatch, runner identity, and Namespace runner status - Grafana dashboard and alert checks - Jitsi meeting readiness and service health - mail and webmail readiness after the Stalwart phase starts - release signing, store upload readiness, and distribution metadata checks - agent identity inventory derived from `contributors.nix` The hub must keep identity and authorization explicit. Agent identities should be named, attributable, and backed by Authentik/WIF or OpenBao AppRole rather than static shared tokens.