Documentation
¶
Overview ¶
Package config defines and loads the mcpmux configuration: the endpoint the proxy exposes to its client, and the set of upstream MCP servers (backends) it multiplexes.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Resolve ¶
Resolve returns the config path to use. An explicit (flag-provided) path is returned unchanged; otherwise the first existing SearchPaths entry is used.
func SearchPaths ¶
func SearchPaths() []string
SearchPaths returns the candidate config locations, in priority order: the current directory first (handy for local runs), then the user config directory (on Linux, $XDG_CONFIG_HOME or ~/.config).
Types ¶
type Auth ¶
type Auth struct {
Type AuthType `yaml:"type"`
// Token is used when Type is "bearer".
Token string `yaml:"token"`
// Header and Value are used when Type is "header".
Header string `yaml:"header"`
Value string `yaml:"value"`
// Command is the credential-helper argv used when Type is "command". Its
// stdout is taken as the bearer token.
Command []string `yaml:"command"`
// TTL optionally caps how long a "command" token is cached (e.g. "5m").
// Ignored for JWTs, whose "exp" claim is authoritative. Empty uses the
// default.
TTL string `yaml:"ttl"`
// OAuth fields (Type "oauth").
Scopes []string `yaml:"scopes"` // allowlist: restricts/filters requested OAuth scopes
ClientName string `yaml:"client_name"` // DCR client_name (default "mcpmux")
CallbackPort int `yaml:"callback_port"` // fixed loopback port; 0 = ephemeral
// ClientID and ClientSecret use a pre-registered ("confidential") OAuth
// client instead of dynamic client registration, for servers that don't
// support DCR (e.g. Slack). When ClientID is set, the redirect URI must be
// registered with the provider, so set a fixed CallbackPort to match.
// ClientSecret may be empty for a pre-registered public client.
ClientID string `yaml:"client_id"`
ClientSecret string `yaml:"client_secret"`
// ClientIDCommand / ClientSecretCommand source the value from a helper
// command's stdout (e.g. ["pass","show","slack/id"] or
// ["secret-tool","lookup","service","slack"]), as an alternative to a
// literal or ${ENV}. At most one of the literal or command form may be set
// for each value.
ClientIDCommand []string `yaml:"client_id_command"`
ClientSecretCommand []string `yaml:"client_secret_command"`
// AllowIssuerMismatch tolerates an authorization server whose metadata
// declares a different issuer than the URL it is served from (an RFC 8414
// violation the SDK rejects by default). Required for Slack, whose metadata
// at mcp.slack.com declares issuer "https://slack.com".
AllowIssuerMismatch bool `yaml:"allow_issuer_mismatch"`
// OpenBrowser controls auto-launching the auth URL (default true). The URL
// is always logged, so headless use works with this set to false.
OpenBrowser *bool `yaml:"open_browser"`
}
Auth describes credentials for an HTTP backend.
func (Auth) HTTPHeader ¶
HTTPHeader returns the header name and value to attach for this auth config, or empty strings when no header should be sent.
func (Auth) OpenBrowserEnabled ¶
OpenBrowserEnabled reports whether the OAuth flow should launch a browser, defaulting to true when unset.
type AuthType ¶
type AuthType string
AuthType selects how credentials are attached to an HTTP backend's requests.
const ( // AuthNone sends no credentials. AuthNone AuthType = "none" // AuthBearer sends "Authorization: Bearer <token>". AuthBearer AuthType = "bearer" // AuthHeader sends a caller-defined header and value. AuthHeader AuthType = "header" // AuthCommand obtains a bearer token by running an external command (a // credential helper), re-running it when the token expires. This is the // non-interactive path for backends fronted by a CLI that already holds a // login, e.g. "chainctl auth token --audience <resource>". AuthCommand AuthType = "command" // AuthOAuth performs the interactive authorization-code (PKCE) flow in a // browser at startup, with dynamic client registration. Tokens (and their // refresh, if the server issues one) are held in memory for the daemon's // lifetime. AuthOAuth AuthType = "oauth" )
type Backend ¶
type Backend struct {
// Name namespaces the backend's tools and must be unique.
Name string `yaml:"name"`
// Description is optional free text about this backend (e.g. which account
// or environment it targets). mcpmux front-loads it onto each of the
// backend's tool descriptions and lists it in the server instructions, so a
// client's model can tell otherwise-identical backends apart.
Description string `yaml:"description"`
// Transport is "command" or "http".
Transport Transport `yaml:"transport"`
// Command transport: argv of the subprocess to launch, and extra env
// (merged onto the parent environment) used to pass the backend its secrets.
Command []string `yaml:"command"`
Env map[string]string `yaml:"env"`
// HTTP transport: the streamable-HTTP endpoint and its credentials.
Endpoint string `yaml:"endpoint"`
Auth Auth `yaml:"auth"`
}
Backend is a single upstream MCP server that mcpmux proxies to. Its tools are re-exposed on the proxy under "<Name>__<tool>".
type Config ¶
type Config struct {
Listen Listen `yaml:"listen"`
Backends []Backend `yaml:"backends"`
// EagerAuth makes interactive OAuth backends authorize during startup
// instead of lazily on their first tool call, so all browser consents
// happen together when the daemon starts rather than at random times mid
// session. Backends that already authorize during connect (their server
// challenges the initialize request) are unaffected.
EagerAuth bool `yaml:"eager_auth"`
}
Config is the top-level mcpmux configuration.
type Listen ¶
type Listen struct {
// Transport is "stdio" or "http".
Transport Transport `yaml:"transport"`
// Address is the host:port to bind when Transport is "http".
Address string `yaml:"address"`
// Path is the URL path the MCP endpoint is mounted at when Transport is
// "http" (e.g. "/mcp"). Clients connect to http://<address><path>.
Path string `yaml:"path"`
}
Listen configures the single MCP endpoint mcpmux exposes to its client.
func (Listen) IsLoopback ¶
IsLoopback reports whether the listen address binds only the loopback interface. An empty host (e.g. ":8080") binds all interfaces and is not loopback. mcpmux performs no client-side authentication, so binding a non-loopback address exposes every backend's credentials to that network.
type Transport ¶
type Transport string
Transport identifies how mcpmux talks to a peer (its client or a backend).
const ( // TransportStdio exposes the proxy over stdin/stdout (listen only). TransportStdio Transport = "stdio" // TransportCommand launches a backend as a subprocess and speaks over its // stdio (backend only). TransportCommand Transport = "command" // TransportHTTP uses streamable HTTP (valid for both listen and backends). TransportHTTP Transport = "http" )