mcp

package
v0.4.1 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 10, 2026 License: MIT Imports: 12 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func AuthMiddleware (added in v0.3.0)

func AuthMiddleware(sharedKey string) func(http.Handler) http.Handler

AuthMiddleware returns a middleware that gates the wrapped handler behind a shared bearer key. When sharedKey is empty, the returned middleware is a pass-through (open mode): no header is required and no comparison runs.

When keyed, the middleware computes a SHA-256 prehash of the expected "Bearer <key>" string once at construction, and hashes the incoming Authorization header on every request. The two 32-byte digests are compared with subtle.ConstantTimeCompare. Prehashing both sides closes a subtle timing leak: ConstantTimeCompare returns 0 immediately when its inputs differ in length, which would let a probing attacker recover the expected-key length bit by bit. After prehashing, both sides are always 32 bytes regardless of the attacker's guess, so length is never observable.

There are zero MCP-method carve-outs. initialize, tools/list, tools/call for every tool, resources/list, ping — all gated. See Design Decision #3 in docs/design/mcp-auth-plan.md for why.

func CORSMiddleware (added in v0.3.0)

func CORSMiddleware(next http.Handler) http.Handler

CORSMiddleware adds permissive CORS headers to every response and short-circuits OPTIONS preflight requests with 204 No Content.

mcp-go's StreamableHTTPServer returns 404 for any method other than POST/GET/DELETE (streamable_http.go:254-255), so without this layer browser-based MCP clients (Zed, custom dashboards, anything running in a WebView) fail their preflight and never get to the real request. The CORS layer sits OUTSIDE AuthMiddleware because the CORS spec forbids sending credentials on preflight — a browser that can't complete preflight can't authenticate in the first place.
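
The prehashed comparison described under AuthMiddleware and the CORS-outside-auth layering described under CORSMiddleware, as an added sketch that is not this package's source. The names bearerGate, preflightCORS and status, the 401 rejection status, the Access-Control-Allow-Origin value, the /mcp path and the key "demo-key" are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

func bearerGate(sharedKey string) func(http.Handler) http.Handler { // hypothetical stand-in
	if sharedKey == "" { // open mode: pass-through, no comparison runs
		return func(next http.Handler) http.Handler { return next }
	}
	want := sha256.Sum256([]byte("Bearer " + sharedKey)) // prehashed once, at construction
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			got := sha256.Sum256([]byte(r.Header.Get("Authorization"))) // always 32 bytes
			if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
				http.Error(w, "unauthorized", http.StatusUnauthorized) // assumed status
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

func preflightCORS(next http.Handler) http.Handler { // hypothetical stand-in
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*") // assumed header value
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight never reaches the auth gate
			return
		}
		next.ServeHTTP(w, r)
	})
}

func status(key, method, auth string) int { // one request through CORS-outside-auth
	h := preflightCORS(bearerGate(key)(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})))
	rec, req := httptest.NewRecorder(), httptest.NewRequest(method, "/mcp", nil)
	req.Header.Set("Authorization", auth) // "" reads the same as a missing header
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("demo-key", "OPTIONS", ""), status("demo-key", "POST", "Bearer x"), status("demo-key", "POST", "Bearer demo-key"))
}
```

A guess of any length is hashed to 32 bytes before the comparison, so short, long and missing headers all take the same rejection path.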

func NewServer

func NewServer(cx *cortex.Cortex, noemaVersion string) *server.MCPServer

NewServer builds an MCP server exposing all Cortex operations. The version string is plumbed through to the MCP protocol's serverInfo (visible to every client in the initialize handshake) and to the get_instructions output, so any agent or operator can identify which noema build they're talking to without grepping logs. Callers should pass cli.version() so the value matches `noema --version`. An empty string is normalized to "dev" so the protocol field is never blank.

Types

This section is empty.
