server

package
v0.0.272 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 11, 2026 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// OAuthProviderDex is the Dex OIDC provider.
	OAuthProviderDex = "dex"
	// OAuthProviderGoogle is the Google OAuth provider.
	OAuthProviderGoogle = "google"

	// DefaultRefreshTokenTTL is the default TTL for refresh tokens (90 days).
	DefaultRefreshTokenTTL = 90 * 24 * time.Hour

	// DefaultIPRateLimit is the default rate limit per IP (requests/second).
	DefaultIPRateLimit = 10
	// DefaultIPBurst is the default burst size for IP rate limiting.
	DefaultIPBurst = 20
	// DefaultUserRateLimit is the default rate limit for authenticated users.
	DefaultUserRateLimit = 100
	// DefaultUserBurst is the default burst size for authenticated user rate limiting.
	DefaultUserBurst = 200
	// DefaultMaxClientsPerIP is the default max clients per IP address.
	DefaultMaxClientsPerIP = 10

	// DefaultReadHeaderTimeout is the default timeout for reading request headers.
	DefaultReadHeaderTimeout = 10 * time.Second
	// DefaultWriteTimeout is the default timeout for writing responses.
	DefaultWriteTimeout = 120 * time.Second
	// DefaultIdleTimeout is the default idle timeout for keepalive connections.
	DefaultIdleTimeout = 120 * time.Second
	// DefaultShutdownTimeout is the default timeout for graceful shutdown.
	DefaultShutdownTimeout = 30 * time.Second
)
View Source
const (
	ModeAgent = "agent"
	ModeChat  = "chat"
)

ProcessMode describes the operating mode of the claude process.

Variables

This section is empty.

Functions

func OwnerMiddleware

func OwnerMiddleware(ownerSubject string, logger *slog.Logger) func(http.Handler) http.Handler

OwnerMiddleware returns middleware that restricts access to the configured owner identity. The owner is identified by matching the JWT sub or email claim against ownerSubject.

When ownerSubject is empty the middleware is a no-op (backward-compatible). When a request has no Authorization Bearer token and ownerSubject is set, the request is rejected with HTTP 403.

The JWT is decoded but not signature-verified (decode-only). In Kubernetes deployments the upstream gateway (muster) or the OAuth layer is responsible for token verification; this middleware only performs the authorization check.

func ValidateHTTPSRequirement

func ValidateHTTPSRequirement(baseURL string) error

ValidateHTTPSRequirement enforces OAuth 2.1 HTTPS requirements. HTTP is permitted only for loopback addresses (localhost, 127.0.0.1, ::1).

Types

type Config

type Config struct {
	// Port is the HTTP listen port (e.g. "8080").
	Port string
	// Mode is the operating mode (ModeAgent or ModeChat).
	Mode string
	// OwnerSubject restricts MCP access to the configured owner identity
	// by matching the JWT sub or email claim. When empty, no owner
	// validation is performed (backward-compatible).
	OwnerSubject string
}

Config holds non-OAuth server-level configuration.

type DexOAuthConfig

type DexOAuthConfig struct {
	IssuerURL    string
	ClientID     string
	ClientSecret string
	ConnectorID  string // optional: bypass connector selection
	CAFile       string // optional: CA certificate for TLS verification
}

DexOAuthConfig holds Dex OIDC provider settings.

type GoogleOAuthConfig

type GoogleOAuthConfig struct {
	ClientID     string
	ClientSecret string
}

GoogleOAuthConfig holds Google OAuth provider settings.

type OAuthConfig

type OAuthConfig struct {
	// BaseURL is the server base URL (e.g., https://klaus.example.com).
	BaseURL string

	// Provider specifies the OAuth provider: "dex" or "google".
	Provider string

	// Google holds Google-specific OAuth credentials.
	Google GoogleOAuthConfig

	// Dex holds Dex-specific OIDC credentials.
	Dex DexOAuthConfig

	// Security holds token encryption and registration settings.
	Security SecurityConfig

	// TLS holds optional TLS certificate paths for HTTPS.
	TLS TLSConfig

	// DisableStreaming disables streaming for streamable-http transport.
	DisableStreaming bool
}

OAuthConfig holds OAuth configuration for the klaus server.

func (OAuthConfig) Validate

func (c OAuthConfig) Validate() error

Validate checks that the OAuthConfig is internally consistent. It validates provider-specific required fields, TLS pairing, and client registration policy.

type OAuthServer

type OAuthServer struct {
	// contains filtered or unexported fields
}

OAuthServer wraps the MCP endpoint with OAuth 2.1 authentication.

func NewOAuthServer

func NewOAuthServer(serverCtx context.Context, process claudepkg.Prompter, config OAuthConfig, ownerSubject string) (*OAuthServer, error)

NewOAuthServer creates an OAuth-protected MCP server. The serverCtx controls the lifetime of background goroutines; it should be cancelled during server shutdown. ownerSubject restricts MCP access to the configured owner identity; when empty, no owner validation is performed.

func (*OAuthServer) Shutdown

func (s *OAuthServer) Shutdown(ctx context.Context) error

func (*OAuthServer) Start

func (s *OAuthServer) Start(addr string, mode string, config OAuthConfig) error

Start validates the config, registers routes, and begins serving.

type SecurityConfig

type SecurityConfig struct {
	// EncryptionKey is the AES-256 key for encrypting tokens at rest (32 bytes).
	EncryptionKey []byte

	// RegistrationAccessToken is the token required for client registration.
	RegistrationAccessToken string

	// AllowPublicClientRegistration allows unauthenticated dynamic client registration.
	AllowPublicClientRegistration bool

	// AllowInsecureAuthWithoutState allows authorization requests without state parameter.
	AllowInsecureAuthWithoutState bool

	// MaxClientsPerIP limits the number of clients registered per IP.
	MaxClientsPerIP int

	// EnableCIMD enables Client ID Metadata Documents per MCP 2025-11-25.
	EnableCIMD bool

	// CIMDAllowPrivateIPs allows CIMD metadata URLs to resolve to private IPs.
	CIMDAllowPrivateIPs bool

	// TrustedPublicRegistrationSchemes lists URI schemes allowed for unauthenticated registration.
	TrustedPublicRegistrationSchemes []string

	// DisableStrictSchemeMatching allows mixed redirect URI schemes.
	DisableStrictSchemeMatching bool
}

SecurityConfig holds OAuth security settings.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server wraps the MCP and operational HTTP endpoints.

func NewServer

func NewServer(serverCtx context.Context, process claudepkg.Prompter, cfg Config) *Server

NewServer creates a Server that serves MCP and operational endpoints. The serverCtx controls the lifetime of background goroutines; it should be cancelled during server shutdown to ensure drain goroutines are cleaned up.

func (*Server) Shutdown

func (s *Server) Shutdown(ctx context.Context) error

Shutdown gracefully drains MCP sessions, then stops the HTTP server.

func (*Server) Start

func (s *Server) Start() error

Start blocks, serving HTTP requests until Shutdown is called.

type TLSConfig

type TLSConfig struct {
	CertFile string // PEM format
	KeyFile  string // PEM format
}

TLSConfig holds paths for the TLS certificate and key.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL