config

package
v0.5.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 1, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package config defines and loads the mcpmux configuration: the endpoint the proxy exposes to its client, and the set of upstream MCP servers (backends) it multiplexes.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Resolve

func Resolve(explicit string) (string, error)

Resolve returns the config path to use. An explicit (flag-provided) path is returned unchanged; otherwise the first existing SearchPaths entry is used.

func SearchPaths

func SearchPaths() []string

SearchPaths returns the candidate config locations, in priority order: the current directory first (handy for local runs), then the user config directory (on Linux, $XDG_CONFIG_HOME or ~/.config).

Types

type Auth

type Auth struct {
	Type AuthType `yaml:"type"`
	// Token is used when Type is "bearer".
	Token string `yaml:"token"`
	// Header and Value are used when Type is "header".
	Header string `yaml:"header"`
	Value  string `yaml:"value"`
	// Command is the credential-helper argv used when Type is "command". Its
	// stdout is taken as the bearer token.
	Command []string `yaml:"command"`
	// TTL optionally caps how long a "command" token is cached (e.g. "5m").
	// Ignored for JWTs, whose "exp" claim is authoritative. Empty uses the
	// default.
	TTL string `yaml:"ttl"`

	// OAuth fields (Type "oauth").
	Scopes       []string `yaml:"scopes"`        // allowlist: restricts/filters requested OAuth scopes
	ClientName   string   `yaml:"client_name"`   // DCR client_name (default "mcpmux")
	CallbackPort int      `yaml:"callback_port"` // fixed loopback port; 0 = ephemeral
	// ClientID and ClientSecret use a pre-registered ("confidential") OAuth
	// client instead of dynamic client registration, for servers that don't
	// support DCR (e.g. Slack). When ClientID is set, the redirect URI must be
	// registered with the provider, so set a fixed CallbackPort to match.
	// ClientSecret may be empty for a pre-registered public client.
	ClientID     string `yaml:"client_id"`
	ClientSecret string `yaml:"client_secret"`
	// ClientIDCommand / ClientSecretCommand source the value from a helper
	// command's stdout (e.g. ["pass","show","slack/id"] or
	// ["secret-tool","lookup","service","slack"]), as an alternative to a
	// literal or ${ENV}. At most one of the literal or command form may be set
	// for each value.
	ClientIDCommand     []string `yaml:"client_id_command"`
	ClientSecretCommand []string `yaml:"client_secret_command"`
	// AllowIssuerMismatch tolerates an authorization server whose metadata
	// declares a different issuer than the URL it is served from (an RFC 8414
	// violation the SDK rejects by default). Required for Slack, whose metadata
	// at mcp.slack.com declares issuer "https://slack.com".
	AllowIssuerMismatch bool `yaml:"allow_issuer_mismatch"`
	// OpenBrowser controls auto-launching the auth URL (default true). The URL
	// is always logged, so headless use works with this set to false.
	OpenBrowser *bool `yaml:"open_browser"`
}

Auth describes credentials for an HTTP backend.

func (Auth) HTTPHeader

func (a Auth) HTTPHeader() (key, value string)

HTTPHeader returns the header name and value to attach for this auth config, or empty strings when no header should be sent.

func (Auth) OpenBrowserEnabled

func (a Auth) OpenBrowserEnabled() bool

OpenBrowserEnabled reports whether the OAuth flow should launch a browser, defaulting to true when unset.

func (Auth) TokenTTL

func (a Auth) TokenTTL() time.Duration

TokenTTL returns the parsed cache TTL for a "command" token, or the default when unset. Callers should validate the config first.

type AuthType

type AuthType string

AuthType selects how credentials are attached to an HTTP backend's requests.

const (
	// AuthNone sends no credentials.
	AuthNone AuthType = "none"
	// AuthBearer sends "Authorization: Bearer <token>".
	AuthBearer AuthType = "bearer"
	// AuthHeader sends a caller-defined header and value.
	AuthHeader AuthType = "header"
	// AuthCommand obtains a bearer token by running an external command (a
	// credential helper), re-running it when the token expires. This is the
	// non-interactive path for backends fronted by a CLI that already holds a
	// login, e.g. "chainctl auth token --audience <resource>".
	AuthCommand AuthType = "command"
	// AuthOAuth performs the interactive authorization-code (PKCE) flow in a
	// browser at startup, with dynamic client registration. Tokens (and their
	// refresh, if the server issues one) are held in memory for the daemon's
	// lifetime.
	AuthOAuth AuthType = "oauth"
)

type Backend

type Backend struct {
	// Name namespaces the backend's tools and must be unique.
	Name string `yaml:"name"`
	// Description is optional free text about this backend (e.g. which account
	// or environment it targets). mcpmux front-loads it onto each of the
	// backend's tool descriptions and lists it in the server instructions, so a
	// client's model can tell otherwise-identical backends apart.
	Description string `yaml:"description"`
	// Transport is "command" or "http".
	Transport Transport `yaml:"transport"`

	// Command transport: argv of the subprocess to launch, and extra env
	// (merged onto the parent environment) used to pass the backend its secrets.
	Command []string          `yaml:"command"`
	Env     map[string]string `yaml:"env"`

	// HTTP transport: the streamable-HTTP endpoint and its credentials.
	Endpoint string `yaml:"endpoint"`
	Auth     Auth   `yaml:"auth"`
}

Backend is a single upstream MCP server that mcpmux proxies to. Its tools are re-exposed on the proxy under "<Name>__<tool>".

type Config

type Config struct {
	Listen   Listen    `yaml:"listen"`
	Backends []Backend `yaml:"backends"`
	// EagerAuth makes interactive OAuth backends authorize during startup
	// instead of lazily on their first tool call, so all browser consents
	// happen together when the daemon starts rather than at random times mid
	// session. Backends that already authorize during connect (their server
	// challenges the initialize request) are unaffected.
	EagerAuth bool `yaml:"eager_auth"`
}

Config is the top-level mcpmux configuration.

func Load

func Load(path string) (*Config, error)

Load reads the file at path, expands ${ENV} references against the process environment, parses the YAML, applies defaults and validates the result.

func (*Config) Validate

func (c *Config) Validate() error

Validate checks the configuration for internal consistency.

type Listen

type Listen struct {
	// Transport is "stdio" or "http".
	Transport Transport `yaml:"transport"`
	// Address is the host:port to bind when Transport is "http".
	Address string `yaml:"address"`
	// Path is the URL path the MCP endpoint is mounted at when Transport is
	// "http" (e.g. "/mcp"). Clients connect to http://<address><path>.
	Path string `yaml:"path"`
}

Listen configures the single MCP endpoint mcpmux exposes to its client.

func (Listen) IsLoopback

func (l Listen) IsLoopback() bool

IsLoopback reports whether the listen address binds only the loopback interface. An empty host (e.g. ":8080") binds all interfaces and is not loopback. mcpmux performs no client-side authentication, so binding a non-loopback address exposes every backend's credentials to that network.

type Transport

type Transport string

Transport identifies how mcpmux talks to a peer (its client or a backend).

const (
	// TransportStdio exposes the proxy over stdin/stdout (listen only).
	TransportStdio Transport = "stdio"
	// TransportCommand launches a backend as a subprocess and speaks over its
	// stdio (backend only).
	TransportCommand Transport = "command"
	// TransportHTTP uses streamable HTTP (valid for both listen and backends).
	TransportHTTP Transport = "http"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL