Add a download_manifests tool to our agent harness mcp server

[JohnBlackwell]

This should:

• take a cluster handle + service name and fetch the manifests using our service files gql api.

• place those files in a separate subdirectory (use the {handle}-{name} syntax to make it semantically meaningful perhaps)

• instruct the agent harness that the files are located there and it can inspect them as it wishes

This will help agents better understand both plural's gitops system + things like external charts without mistakenly guessing via web searches.

Test Plan

Test environment: https://console.your-env.onplural.sh/

Checklist

• I have added a meaningful title and summary to convey the impact of this PR to a user.
• I have deployed the agent to a test environment and verified that it works as expected.
  • Agent starts successfully.
  • Service creation works without any issues when using raw manifests and Helm templates.
  • Service creation works when resources contain both CRD and CRD instances.
  • Service templating works correctly.
  • Service errors are reported properly and visible in the UI.
  • Service updates are reflected properly in the cluster.
  • Service resync triggers immediately and works as expected.
  • Sync waves annotations are respected.
  • Sync phases annotations are respected. Phases are executed in the correct order.
  • Sync hook delete policies are respected. Resources are not recreated once they reach the desired state.
  • Service deletion works and cleanups resources properly.
  • Services can be recreated after deletion.
  • Service detachment works and keeps resources unaffected.
  • Services can be recreated after detachment.
  • Service component trees are working as expected.
  • Cluster health statuses are being updated.
  • Agent logs do not contain any errors (after running for at least 30 minutes).
  • There are no visible anomalies in Datadog (after running for at least 30 minutes).
• I have added tests to cover my changes.
• If required, I have updated the Plural documentation accordingly.

[linear]

PROD-4782 add a `download_manifests` tool to our agent harness mcp server

[greptile-apps]

Greptile Summary

This PR adds a downloadServiceManifests MCP tool to the agent harness that fetches a Plural service's rendered Kubernetes tarball, extracts it into a manifests/<cluster>-<service>/ subdirectory, and instructs the agent where to find the files. The tool is wired in across Claude, Codex, and Gemini harnesses.

• New DownloadManifests tool (internal/mcpserver/agent/tool/downloadmanifests.go): fetches tarball via existing manifests.GetReader + Untar, writes to a sanitized per-service directory, and returns a JSON result with the path and inspection instructions.
• Harness integration: mcp__plural__downloadServiceManifests added to allow-lists in all three agent runtimes (Claude, Codex, Gemini) and all run modes (analyze, write, babysit).
• Client extension: new GetServiceDeploymentByHandle(cluster, name) method added to the console.Client interface with a corresponding mock.

Confidence Score: 3/5

The core tool implementation has a data race that can cause wrong manifests to be fetched and extracted under concurrent requests, and the underlying tar extraction does not guard against path traversal — both should be addressed before merging.

The handler stores per-request fields (ClusterHandle, ServiceName) on the shared *DownloadManifests receiver, so two concurrent MCP calls will race, potentially extracting a different service's tarball into the wrong directory. Additionally, Untar does not validate that extracted paths stay within the target directory, a well-known zip-slip pattern now reachable via agent-callable tooling.

internal/mcpserver/agent/tool/downloadmanifests.go for the concurrent-state issue, and pkg/manifests/untar.go for the path-containment check.

Security Review

• Zip-slip / path traversal (pkg/manifests/untar.go): filepath.Join(dst, header.Name) is used without verifying the resolved path stays within dst. A tarball with ../-prefixed entry names could write files outside the intended extraction directory. This is pre-existing code but is now reachable via the new agent-callable MCP tool, widening exposure if the Console or its object storage is ever compromised.

Important Files Changed

Filename	Overview
internal/mcpserver/agent/tool/downloadmanifests.go	New MCP tool implementation; per-request fields (ClusterHandle, ServiceName) mutated on a shared receiver creates a data race under concurrent calls
pkg/manifests/untar.go	Pre-existing tar extraction function used by the new tool; missing path-containment check allows zip-slip writes outside the target directory
pkg/client/service.go	Adds GetServiceDeploymentByHandle method; straightforward wrapper around the generated console client with nil-check
pkg/agentrun-harness/tool/claude/claude.go	Adds mcp__plural__downloadServiceManifests to all three Claude run-mode allow-lists; consistent across analyze, write, and babysit modes
pkg/test/mocks/Client_mock.go	Auto-generated mock for the new GetServiceDeploymentByHandle interface method; standard testify/mock pattern

Comments Outside Diff (1)

1. pkg/manifests/untar.go, line 49 (link)

   Zip-slip / path traversal in tar extraction

   target is computed as filepath.Join(dst, header.Name) with no subsequent check that the result still lives under dst. A tarball entry with a name like ../../etc/cron.d/evil will resolve to a path outside the intended directory. While the tarball URL is fetched from the Plural Console (a trusted server), this tool is now callable by agents at runtime via MCP, widening the attack surface if the Console or its storage layer is ever compromised.

   Adding a guard after the join — verifying that strings.HasPrefix(filepath.Clean(target), filepath.Clean(dst)+string(os.PathSeparator)) — would eliminate the class of issue. Note: this is pre-existing code but is being newly exposed through the agent-callable MCP tool.

_{Reviews (1): Last reviewed commit: "Merge branch 'main' into john/prod-4782-..." | Re-trigger Greptile}

[greptile-apps]

Per-request state stored on shared receiver

fromRequest writes in.ClusterHandle and in.ServiceName directly onto the *DownloadManifests receiver, which is a single instance shared across all concurrent MCP tool calls. Two simultaneous invocations can interleave: Request A sets ClusterHandle = "prod", Request B overwrites it with ClusterHandle = "dev", then Request A proceeds to call GetServiceDeploymentByHandle("dev", ...) — fetching and extracting the wrong service's manifests, and potentially writing them to the wrong targetDir.

The fix is to keep clusterHandle and serviceName as function-local variables in handler instead of struct fields.