Documentation
¶
Index ¶
Constants ¶
const ( // OAuthProviderDex is the Dex OIDC provider. OAuthProviderDex = "dex" // OAuthProviderGoogle is the Google OAuth provider. OAuthProviderGoogle = "google" // DefaultRefreshTokenTTL is the default TTL for refresh tokens (90 days). DefaultRefreshTokenTTL = 90 * 24 * time.Hour // DefaultIPRateLimit is the default rate limit per IP (requests/second). DefaultIPRateLimit = 10 // DefaultIPBurst is the default burst size for IP rate limiting. DefaultIPBurst = 20 // DefaultUserRateLimit is the default rate limit for authenticated users. DefaultUserRateLimit = 100 // DefaultUserBurst is the default burst size for authenticated user rate limiting. DefaultUserBurst = 200 // DefaultMaxClientsPerIP is the default max clients per IP address. DefaultMaxClientsPerIP = 10 // DefaultReadHeaderTimeout is the default timeout for reading request headers. DefaultReadHeaderTimeout = 10 * time.Second // DefaultWriteTimeout is the default timeout for writing responses. DefaultWriteTimeout = 120 * time.Second // DefaultIdleTimeout is the default idle timeout for keepalive connections. DefaultIdleTimeout = 120 * time.Second // DefaultShutdownTimeout is the default timeout for graceful shutdown. DefaultShutdownTimeout = 30 * time.Second )
const ( ModeAgent = "agent" ModeChat = "chat" )
ProcessMode describes the operating mode of the claude process.
Variables ¶
This section is empty.
Functions ¶
func OwnerMiddleware ¶
OwnerMiddleware returns middleware that restricts access to the configured owner identity. The owner is identified by matching the JWT sub or email claim against ownerSubject.
When ownerSubject is empty the middleware is a no-op (backward-compatible). When a request has no Authorization Bearer token and ownerSubject is set, the request is rejected with HTTP 403.
The JWT is decoded but not signature-verified (decode-only). In Kubernetes deployments the upstream gateway (muster) or the OAuth layer is responsible for token verification; this middleware only performs the authorization check.
func ValidateHTTPSRequirement ¶
ValidateHTTPSRequirement enforces OAuth 2.1 HTTPS requirements. HTTP is permitted only for loopback addresses (localhost, 127.0.0.1, ::1).
Types ¶
type Config ¶
type Config struct {
// Port is the HTTP listen port (e.g. "8080").
Port string
// Mode is the operating mode (ModeAgent or ModeChat).
Mode string
// OwnerSubject restricts MCP access to the configured owner identity
// by matching the JWT sub or email claim. When empty, no owner
// validation is performed (backward-compatible).
OwnerSubject string
}
Config holds non-OAuth server-level configuration.
type DexOAuthConfig ¶
type DexOAuthConfig struct {
IssuerURL string
ClientID string
ClientSecret string
ConnectorID string // optional: bypass connector selection
CAFile string // optional: CA certificate for TLS verification
}
DexOAuthConfig holds Dex OIDC provider settings.
type GoogleOAuthConfig ¶
GoogleOAuthConfig holds Google OAuth provider settings.
type OAuthConfig ¶
type OAuthConfig struct {
// BaseURL is the server base URL (e.g., https://klaus.example.com).
BaseURL string
// Provider specifies the OAuth provider: "dex" or "google".
Provider string
// Google holds Google-specific OAuth credentials.
Google GoogleOAuthConfig
// Dex holds Dex-specific OIDC credentials.
Dex DexOAuthConfig
// Security holds token encryption and registration settings.
Security SecurityConfig
// TLS holds optional TLS certificate paths for HTTPS.
TLS TLSConfig
// DisableStreaming disables streaming for streamable-http transport.
DisableStreaming bool
}
OAuthConfig holds OAuth configuration for the klaus server.
func (OAuthConfig) Validate ¶
func (c OAuthConfig) Validate() error
Validate checks that the OAuthConfig is internally consistent. It validates provider-specific required fields, TLS pairing, and client registration policy.
type OAuthServer ¶
type OAuthServer struct {
// contains filtered or unexported fields
}
OAuthServer wraps the MCP endpoint with OAuth 2.1 authentication.
func NewOAuthServer ¶
func NewOAuthServer(serverCtx context.Context, process claudepkg.Prompter, config OAuthConfig, ownerSubject string) (*OAuthServer, error)
NewOAuthServer creates an OAuth-protected MCP server. The serverCtx controls the lifetime of background goroutines; it should be cancelled during server shutdown. ownerSubject restricts MCP access to the configured owner identity; when empty, no owner validation is performed.
func (*OAuthServer) Start ¶
func (s *OAuthServer) Start(addr string, mode string, config OAuthConfig) error
Start validates the config, registers routes, and begins serving.
type SecurityConfig ¶
type SecurityConfig struct {
// EncryptionKey is the AES-256 key for encrypting tokens at rest (32 bytes).
EncryptionKey []byte
// RegistrationAccessToken is the token required for client registration.
RegistrationAccessToken string
// AllowPublicClientRegistration allows unauthenticated dynamic client registration.
AllowPublicClientRegistration bool
// AllowInsecureAuthWithoutState allows authorization requests without state parameter.
AllowInsecureAuthWithoutState bool
// MaxClientsPerIP limits the number of clients registered per IP.
MaxClientsPerIP int
// EnableCIMD enables Client ID Metadata Documents per MCP 2025-11-25.
EnableCIMD bool
// CIMDAllowPrivateIPs allows CIMD metadata URLs to resolve to private IPs.
CIMDAllowPrivateIPs bool
// TrustedPublicRegistrationSchemes lists URI schemes allowed for unauthenticated registration.
TrustedPublicRegistrationSchemes []string
// DisableStrictSchemeMatching allows mixed redirect URI schemes.
DisableStrictSchemeMatching bool
}
SecurityConfig holds OAuth security settings.
type Server ¶
type Server struct {
// contains filtered or unexported fields
}
Server wraps the MCP and operational HTTP endpoints.
func NewServer ¶
NewServer creates a Server that serves MCP and operational endpoints. The serverCtx controls the lifetime of background goroutines; it should be cancelled during server shutdown to ensure drain goroutines are cleaned up.