Enable MCP for all API endpoints

[R1ckyH]

Summary

• Add mcp=True to 38 remaining API endpoints across 10 modules
• MCP coverage increases from 31/73 (42.5%) to 69/73 (94.5%)
• Only 4 WebSocket endpoints excluded (agent dock, event/activity tail, event ingest)

New MCP endpoints by module

Module	Endpoints
agents	create_agent, delete_agent, get_agent, get_scan_status
activity	list_activities, query_activities, count_activities
assets	query_assets, count_assets
emails	get_emails
events	insert_event, get_event, list_events, query_events, count_events, archive_old_events
findings	query_findings, count_findings, set_risk
presets	create_preset, update_preset, delete_preset
scans	get_scans, query_scans, count_scans, cancel_scan
targets	count_targets, set_default_target, create_target, update_target, copy_target, delete_target, is_blacklisted, query_targets, list_ids
technologies	list_technologies, query_technologies, count_technologies

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[R1ckyH]

I have read the CLA Document and I hereby sign the CLA

[TheTechromancer]

@R1ckyH thanks for the PR! Have you got a chance to test these out? Do they behave well?

[R1ckyH]

@R1ckyH thanks for the PR! Have you got a chance to test these out? Do they behave well?

I am doing some tests on it, currently not yet finished all, but I think MCP is just another way to call the http api.
Therefore, it shouldn't be an issue calling MCP with agents if the standard api are working fine

[R1ckyH]

@TheTechromancer, I have added a new commit. This should fix the MCP API key issue mentioned in the README.
I have tested that the API-key works in Claude code mcp after the modification.

NOTE: Authentication is https://github.com/blacklanternsecurity/bbot-server/issues/52 in Cursor, Cline, and it seems most other VS Code forks. A workaround is to disable authentication with --no-authentication when starting the server. Obviously, be careful with this and don't be a dumbass.

[R1ckyH]

I have also added some bug fixes here

[R1ckyH]

ca927c1 — Fix streaming endpoints crashing with async_generator serialization error

Error:
All type="http_stream" endpoints (e.g. /scans/list, /assets/list, /events/list) return 500 with:

TypeError: Type is not JSON serializable: async_generator
  File "fastapi/routing.py", line 671, in app
    response = actual_response_class(content=gen, **response_args)
  File "starlette/responses.py", line 45, in __init__
    self.body = self.render(content)
  File "fastapi/responses.py", line 96, in render
    return orjson.dumps(...)

Cause:
HTTPStreamRoute.wrapped_function() wraps the original async generator into a regular async def that returns StreamingResponse. However, @functools.wraps(self.orig_function) copied attributes like __wrapped__ and __annotations__ from the original async generator function onto the wrapper. FastAPI detected these markers, treated the wrapper as an async generator, and tried to serialize the raw generator object through orjson.dumps() instead of letting StreamingResponse handle it.

Fix:
Replace @functools.wraps with manual copying of only the 3 attributes FastAPI actually needs for parameter routing — __name__, __qualname__, __signature__. This gives FastAPI correct endpoint introspection without the async generator identity markers.

[R1ckyH]

Hey @TheTechromancer, after testing the MCP endpoints against a live server with a full scan workflow (create target → start scan → agent runs → query results), I found a few issues. Wanted to flag before this goes further:

1. get_scan_status calls a non-existent agent command

agents_api.py:98 sends "get_scan_status" to the agent, but the agent only implements these 6 commands: start_scan, cancel_scan, get_agent_status, finish_scan, kill_module, get_file. The endpoint always returns "Invalid command" — it has never worked.

2. get_scan_status uses UUID type for id param

agents_api.py:96 — This generates format: uuid in the MCP tool schema, which causes some MCP clients (including Claude Code) to reject valid UUIDs with -32602 Invalid request parameters. Other endpoints like get_scan use str and work fine.

3. Scope checks (in_scope, is_in_target, is_blacklisted) always return false when targets are created with only seeds

When a target is created with target=[] (empty) and seeds=["evilcorp.com"], BBOTTarget.in_scope() only checks the target list — it ignores seeds. So scope checks always return false:

target=[], seeds=["evilcorp.com"]    → in_scope("evilcorp.com") = False
target=["evilcorp.com"], seeds=None  → in_scope("evilcorp.com") = True  # seeds auto-derived from target

The fix could be in targets_models.py:110-111 — when target is empty but seeds is provided, the seeds should also define scope.

---

Would you prefer I commit the fixes in this PR, or should I open a separate PR for these?

[R1ckyH]

One more thing to talk about here, when I am trying to do the MCP testing, I face many issues, such as the function not yet implemented. I want to know your attitude before I continue.