@teampitch/mcpx 0.2.1

package/src/k8s-controller.ts

@@ -0,0 +1,201 @@
+/**
+ * Lightweight K8s controller that watches McpxBackend CRDs and generates mcpx.json.
+ * Runs as a sidecar — pairs with config hot-reload to pick up changes automatically.
+ *
+ * Usage: bun src/k8s-controller.ts --namespace default --output /config/mcpx.json
+ */
+import { writeFileSync } from "node:fs";
+
+import type { BackendConfig, McpxConfig } from "./config.js";
+
+interface McpxBackendSpec {
+  transport: "stdio" | "http";
+  command?: string;
+  args?: string[];
+  url?: string;
+  env?: Record<string, string>;
+  headers?: Record<string, string>;
+  allowedRoles?: string[];
+  allowedTeams?: string[];
+}
+
+interface McpxBackendResource {
+  metadata: { name: string; resourceVersion?: string };
+  spec: McpxBackendSpec;
+}
+
+interface K8sWatchEvent {
+  type: "ADDED" | "MODIFIED" | "DELETED";
+  object: McpxBackendResource;
+}
+
+interface K8sListResponse {
+  metadata: { resourceVersion: string };
+  items: McpxBackendResource[];
+}
+
+/** Convert CRD resources to mcpx.json config */
+export function crdToConfig(
+  resources: Map<string, McpxBackendSpec>,
+  baseConfig?: Partial<McpxConfig>,
+): McpxConfig {
+  const backends: Record<string, BackendConfig> = {};
+  for (const [name, spec] of resources) {
+    backends[name] = {
+      transport: spec.transport,
+      command: spec.command,
+      args: spec.args,
+      url: spec.url,
+      env: spec.env,
+      headers: spec.headers,
+      allowedRoles: spec.allowedRoles,
+      allowedTeams: spec.allowedTeams,
+    };
+  }
+
+  return {
+    port: baseConfig?.port ?? 3100,
+    authToken: baseConfig?.authToken,
+    auth: baseConfig?.auth,
+    failOpen: baseConfig?.failOpen ?? true,
+    toolRefreshInterval: baseConfig?.toolRefreshInterval,
+    sessionTtlMinutes: baseConfig?.sessionTtlMinutes,
+    backends,
+  };
+}
+
+function parseArgs(args: string[]): {
+  namespace: string;
+  output: string;
+  baseConfigPath?: string;
+} {
+  let namespace = "default";
+  let output = "/config/mcpx.json";
+  let baseConfigPath: string | undefined;
+
+  for (let i = 0; i < args.length; i++) {
+    if (args[i] === "--namespace" && args[i + 1]) namespace = args[++i];
+    else if (args[i] === "--output" && args[i + 1]) output = args[++i];
+    else if (args[i] === "--base-config" && args[i + 1]) baseConfigPath = args[++i];
+  }
+
+  return { namespace, output, baseConfigPath };
+}
+
+async function k8sFetch(path: string): Promise<Response> {
+  const host = process.env.KUBERNETES_SERVICE_HOST ?? "kubernetes.default.svc";
+  const port = process.env.KUBERNETES_SERVICE_PORT ?? "443";
+  const tokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token";
+  const caPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
+
+  let token: string;
+  try {
+    token = await Bun.file(tokenPath).text();
+  } catch {
+    throw new Error("Not running in K8s — service account token not found");
+  }
+
+  return fetch(`https://${host}:${port}${path}`, {
+    headers: { Authorization: `Bearer ${token.trim()}` },
+    tls: { ca: Bun.file(caPath) },
+  } as RequestInit);
+}
+
+export async function startController(opts: {
+  namespace: string;
+  output: string;
+  baseConfig?: Partial<McpxConfig>;
+}): Promise<void> {
+  const resources = new Map<string, McpxBackendSpec>();
+  const apiPath = `/apis/mcpx.io/v1alpha1/namespaces/${opts.namespace}/mcpxbackends`;
+
+  function writeConfig() {
+    const config = crdToConfig(resources, opts.baseConfig);
+    writeFileSync(opts.output, JSON.stringify(config, null, 2) + "\n");
+    console.log(`Wrote ${opts.output} (${resources.size} backends)`);
+  }
+
+  // Initial list
+  const listRes = await k8sFetch(apiPath);
+  if (!listRes.ok) {
+    throw new Error(`Failed to list McpxBackends: ${listRes.status} ${await listRes.text()}`);
+  }
+
+  const list: K8sListResponse = await listRes.json();
+  for (const item of list.items) {
+    resources.set(item.metadata.name, item.spec);
+  }
+  writeConfig();
+
+  // Watch for changes
+  let resourceVersion = list.metadata.resourceVersion;
+
+  async function watch(): Promise<void> {
+    while (true) {
+      try {
+        const watchRes = await k8sFetch(`${apiPath}?watch=true&resourceVersion=${resourceVersion}`);
+
+        if (!watchRes.ok || !watchRes.body) {
+          console.error(`Watch failed: ${watchRes.status}, reconnecting...`);
+          await new Promise((r) => setTimeout(r, 5000));
+          continue;
+        }
+
+        const reader = watchRes.body.getReader();
+        const decoder = new TextDecoder();
+        let buffer = "";
+
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) break;
+
+          buffer += decoder.decode(value, { stream: true });
+          const lines = buffer.split("\n");
+          buffer = lines.pop() ?? "";
+
+          for (const line of lines) {
+            if (!line.trim()) continue;
+            const event: K8sWatchEvent = JSON.parse(line);
+
+            if (event.type === "ADDED" || event.type === "MODIFIED") {
+              resources.set(event.object.metadata.name, event.object.spec);
+              console.log(`${event.type}: ${event.object.metadata.name}`);
+            } else if (event.type === "DELETED") {
+              resources.delete(event.object.metadata.name);
+              console.log(`DELETED: ${event.object.metadata.name}`);
+            }
+
+            if (event.object.metadata.resourceVersion) {
+              resourceVersion = event.object.metadata.resourceVersion;
+            }
+
+            writeConfig();
+          }
+        }
+      } catch (err) {
+        console.error("Watch error:", (err as Error).message);
+        await new Promise((r) => setTimeout(r, 5000));
+      }
+    }
+  }
+
+  await watch();
+}
+
+// CLI entrypoint
+if (import.meta.main) {
+  const { namespace, output, baseConfigPath } = parseArgs(process.argv.slice(2));
+
+  let baseConfig: Partial<McpxConfig> | undefined;
+  if (baseConfigPath) {
+    const { loadConfig } = await import("./config.js");
+    const full = loadConfig(baseConfigPath);
+    baseConfig = { ...full, backends: {} };
+  }
+
+  console.log(`mcpx k8s controller starting...`);
+  console.log(`  namespace: ${namespace}`);
+  console.log(`  output: ${output}`);
+
+  await startController({ namespace, output, baseConfig });
+}

package/src/oauth.test.ts

@@ -0,0 +1,232 @@
+import { describe, test, expect, beforeEach } from "bun:test";
+
+import { Hono } from "hono";
+
+import { createOAuthRoutes, clearOAuthStores, type OAuthConfig } from "./oauth.js";
+
+const oauthConfig: OAuthConfig = {
+  issuer: "https://mcp.test.com",
+  clients: [{ name: "test-client", redirectUri: "http://localhost:*" }],
+  tokenSecret: "test-oauth-secret-at-least-32-chars!!",
+  tokenTtlMinutes: 60,
+};
+
+function createApp(): Hono {
+  const app = new Hono();
+  createOAuthRoutes(oauthConfig, app);
+  return app;
+}
+
+async function generatePkce(): Promise<{
+  verifier: string;
+  challenge: string;
+}> {
+  const verifier = crypto.randomUUID().replace(/-/g, "") + crypto.randomUUID().replace(/-/g, "");
+  const encoder = new TextEncoder();
+  const digest = await crypto.subtle.digest("SHA-256", encoder.encode(verifier));
+  const challenge = btoa(String.fromCharCode(...new Uint8Array(digest)))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+  return { verifier, challenge };
+}
+
+beforeEach(() => {
+  clearOAuthStores();
+});
+
+describe("OAuth metadata", () => {
+  test("returns authorization server metadata", async () => {
+    const app = createApp();
+    const res = await app.request("/.well-known/oauth-authorization-server");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.issuer).toBe("https://mcp.test.com");
+    expect(body.authorization_endpoint).toBe("https://mcp.test.com/authorize");
+    expect(body.token_endpoint).toBe("https://mcp.test.com/token");
+    expect(body.registration_endpoint).toBe("https://mcp.test.com/register");
+    expect(body.code_challenge_methods_supported).toContain("S256");
+  });
+});
+
+describe("Client registration", () => {
+  test("registers a new client", async () => {
+    const app = createApp();
+    const res = await app.request("/register", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_name: "my-agent",
+        redirect_uris: ["http://localhost:9999/callback"],
+      }),
+    });
+    expect(res.status).toBe(201);
+    const body = await res.json();
+    expect(body.client_id).toBeTruthy();
+    expect(body.client_secret).toBeTruthy();
+    expect(body.client_name).toBe("my-agent");
+  });
+
+  test("rejects unknown redirect URI", async () => {
+    const app = createApp();
+    const res = await app.request("/register", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_name: "bad-agent",
+        redirect_uris: ["https://evil.com/callback"],
+      }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  test("rejects missing fields", async () => {
+    const app = createApp();
+    const res = await app.request("/register", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.status).toBe(400);
+  });
+});
+
+describe("Full OAuth flow", () => {
+  test("register → authorize → token exchange", async () => {
+    const app = createApp();
+
+    // 1. Register client
+    const regRes = await app.request("/register", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_name: "flow-test",
+        redirect_uris: ["http://localhost:8888/cb"],
+      }),
+    });
+    const { client_id, client_secret } = await regRes.json();
+
+    // 2. Generate PKCE
+    const { verifier, challenge } = await generatePkce();
+
+    // 3. Authorize (should redirect with code)
+    const authRes = await app.request(
+      `/authorize?client_id=${client_id}&redirect_uri=${encodeURIComponent("http://localhost:8888/cb")}&code_challenge=${challenge}&code_challenge_method=S256&state=xyz`,
+      { redirect: "manual" },
+    );
+    expect(authRes.status).toBe(302);
+    const location = authRes.headers.get("location")!;
+    const redirectUrl = new URL(location);
+    const code = redirectUrl.searchParams.get("code");
+    expect(code).toBeTruthy();
+    expect(redirectUrl.searchParams.get("state")).toBe("xyz");
+
+    // 4. Exchange code for token
+    const tokenRes = await app.request("/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: "http://localhost:8888/cb",
+        client_id,
+        client_secret,
+        code_verifier: verifier,
+      }),
+    });
+    expect(tokenRes.status).toBe(200);
+    const tokenBody = await tokenRes.json();
+    expect(tokenBody.access_token).toBeTruthy();
+    expect(tokenBody.token_type).toBe("Bearer");
+    expect(tokenBody.expires_in).toBe(3600);
+  });
+
+  test("rejects wrong PKCE verifier", async () => {
+    const app = createApp();
+
+    const regRes = await app.request("/register", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_name: "pkce-test",
+        redirect_uris: ["http://localhost:7777/cb"],
+      }),
+    });
+    const { client_id } = await regRes.json();
+
+    const { challenge } = await generatePkce();
+
+    const authRes = await app.request(
+      `/authorize?client_id=${client_id}&redirect_uri=${encodeURIComponent("http://localhost:7777/cb")}&code_challenge=${challenge}`,
+      { redirect: "manual" },
+    );
+    const location = authRes.headers.get("location")!;
+    const code = new URL(location).searchParams.get("code");
+
+    // Use wrong verifier
+    const tokenRes = await app.request("/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: "http://localhost:7777/cb",
+        client_id,
+        code_verifier: "wrong-verifier-that-doesnt-match",
+      }),
+    });
+    expect(tokenRes.status).toBe(400);
+    const body = await tokenRes.json();
+    expect(body.error_description).toContain("PKCE");
+  });
+
+  test("rejects reused authorization code", async () => {
+    const app = createApp();
+
+    const regRes = await app.request("/register", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        client_name: "reuse-test",
+        redirect_uris: ["http://localhost:6666/cb"],
+      }),
+    });
+    const { client_id } = await regRes.json();
+
+    const { verifier, challenge } = await generatePkce();
+
+    const authRes = await app.request(
+      `/authorize?client_id=${client_id}&redirect_uri=${encodeURIComponent("http://localhost:6666/cb")}&code_challenge=${challenge}`,
+      { redirect: "manual" },
+    );
+    const code = new URL(authRes.headers.get("location")!).searchParams.get("code");
+
+    // First use — should succeed
+    const tokenRes1 = await app.request("/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: "http://localhost:6666/cb",
+        client_id,
+        code_verifier: verifier,
+      }),
+    });
+    expect(tokenRes1.status).toBe(200);
+
+    // Second use — should fail
+    const tokenRes2 = await app.request("/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: "http://localhost:6666/cb",
+        client_id,
+        code_verifier: verifier,
+      }),
+    });
+    expect(tokenRes2.status).toBe(400);
+  });
+});

package/src/oauth.ts

@@ -0,0 +1,265 @@
+import type { Hono } from "hono";
+import { SignJWT, jwtVerify } from "jose";
+
+import type { AuthClaims } from "./auth.js";
+
+export interface OAuthConfig {
+  issuer: string;
+  clients: Array<{ name: string; redirectUri: string }>;
+  tokenSecret: string;
+  tokenTtlMinutes: number;
+}
+
+interface RegisteredClient {
+  clientId: string;
+  clientSecret: string;
+  name: string;
+  redirectUri: string;
+}
+
+interface AuthorizationCode {
+  code: string;
+  clientId: string;
+  redirectUri: string;
+  codeChallenge: string;
+  expiresAt: number;
+  claims: AuthClaims;
+}
+
+// In-memory stores (single instance; back with Redis for multi-instance later)
+const clients = new Map<string, RegisteredClient>();
+const authCodes = new Map<string, AuthorizationCode>();
+
+function generateId(): string {
+  return crypto.randomUUID().replace(/-/g, "");
+}
+
+function matchRedirectUri(pattern: string, uri: string): boolean {
+  // Support wildcards: http://localhost:* matches http://localhost:9999/callback
+  if (pattern.includes("*")) {
+    const regex = new RegExp(
+      `^${pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*")}$`,
+    );
+    return regex.test(uri);
+  }
+  return pattern === uri;
+}
+
+/** Verify PKCE S256 challenge */
+async function verifyPkce(codeVerifier: string, codeChallenge: string): Promise<boolean> {
+  const encoder = new TextEncoder();
+  const digest = await crypto.subtle.digest("SHA-256", encoder.encode(codeVerifier));
+  const base64 = btoa(String.fromCharCode(...new Uint8Array(digest)))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+  return base64 === codeChallenge;
+}
+
+/** Mount OAuth 2.0 endpoints on a Hono app */
+export function createOAuthRoutes(config: OAuthConfig, app: Hono): void {
+  const tokenSecret = new TextEncoder().encode(config.tokenSecret);
+
+  // Pre-register configured clients
+  for (const clientConfig of config.clients) {
+    const client: RegisteredClient = {
+      clientId: generateId(),
+      clientSecret: generateId(),
+      name: clientConfig.name,
+      redirectUri: clientConfig.redirectUri,
+    };
+    clients.set(client.clientId, client);
+  }
+
+  // RFC 8414 — Authorization Server Metadata
+  app.get("/.well-known/oauth-authorization-server", (c) => {
+    const baseUrl = config.issuer;
+    return c.json({
+      issuer: baseUrl,
+      authorization_endpoint: `${baseUrl}/authorize`,
+      token_endpoint: `${baseUrl}/token`,
+      registration_endpoint: `${baseUrl}/register`,
+      response_types_supported: ["code"],
+      grant_types_supported: ["authorization_code"],
+      token_endpoint_auth_methods_supported: ["client_secret_post"],
+      code_challenge_methods_supported: ["S256"],
+    });
+  });
+
+  // RFC 7591 — Dynamic Client Registration
+  app.post("/register", async (c) => {
+    const body = await c.req.json();
+    const name = body.client_name;
+    const redirectUris = body.redirect_uris as string[] | undefined;
+    const redirectUri = redirectUris?.[0];
+
+    if (!name || !redirectUri) {
+      return c.json({ error: "client_name and redirect_uris required" }, 400);
+    }
+
+    // Validate redirect URI against allowed patterns
+    const allowed = config.clients.some((cc) => matchRedirectUri(cc.redirectUri, redirectUri));
+    if (!allowed) {
+      return c.json({ error: "redirect_uri not allowed" }, 400);
+    }
+
+    const client: RegisteredClient = {
+      clientId: generateId(),
+      clientSecret: generateId(),
+      name,
+      redirectUri,
+    };
+    clients.set(client.clientId, client);
+
+    return c.json(
+      {
+        client_id: client.clientId,
+        client_secret: client.clientSecret,
+        client_name: client.name,
+        redirect_uris: [client.redirectUri],
+      },
+      201,
+    );
+  });
+
+  // Authorization endpoint
+  app.get("/authorize", async (c) => {
+    const clientId = c.req.query("client_id");
+    const redirectUri = c.req.query("redirect_uri");
+    const codeChallenge = c.req.query("code_challenge");
+    const codeChallengeMethod = c.req.query("code_challenge_method");
+    const state = c.req.query("state");
+
+    if (!clientId || !redirectUri || !codeChallenge) {
+      return c.json({ error: "client_id, redirect_uri, and code_challenge required" }, 400);
+    }
+
+    if (codeChallengeMethod && codeChallengeMethod !== "S256") {
+      return c.json({ error: "only S256 code_challenge_method supported" }, 400);
+    }
+
+    const client = clients.get(clientId);
+    if (!client) {
+      return c.json({ error: "unknown client_id" }, 400);
+    }
+
+    if (!matchRedirectUri(client.redirectUri, redirectUri)) {
+      return c.json({ error: "redirect_uri mismatch" }, 400);
+    }
+
+    // Check if caller already has a valid token (simple mode — no login page)
+    const authHeader = c.req.header("Authorization");
+    const existingToken = authHeader?.replace(/^Bearer\s+/i, "");
+    let claims: AuthClaims = {};
+
+    if (existingToken) {
+      try {
+        const { payload } = await jwtVerify(existingToken, tokenSecret);
+        claims = {
+          sub: payload.sub,
+          email: payload.email as string | undefined,
+          roles: payload.roles as string[] | undefined,
+          teams: payload.teams as string[] | undefined,
+        };
+      } catch {
+        // Invalid token — proceed with empty claims
+      }
+    }
+
+    // Generate authorization code
+    const code = generateId();
+    authCodes.set(code, {
+      code,
+      clientId,
+      redirectUri,
+      codeChallenge,
+      expiresAt: Date.now() + 10 * 60 * 1000, // 10 minutes
+      claims,
+    });
+
+    const redirectUrl = new URL(redirectUri);
+    redirectUrl.searchParams.set("code", code);
+    if (state) redirectUrl.searchParams.set("state", state);
+
+    return c.redirect(redirectUrl.toString());
+  });
+
+  // Token endpoint
+  app.post("/token", async (c) => {
+    const body = await c.req.json();
+    const { grant_type, code, redirect_uri, client_id, client_secret, code_verifier } = body;
+
+    if (grant_type !== "authorization_code") {
+      return c.json({ error: "unsupported_grant_type" }, 400);
+    }
+
+    if (!code || !redirect_uri || !client_id || !code_verifier) {
+      return c.json({ error: "missing required parameters" }, 400);
+    }
+
+    // Validate client
+    const client = clients.get(client_id);
+    if (!client || (client_secret && client.clientSecret !== client_secret)) {
+      return c.json({ error: "invalid_client" }, 401);
+    }
+
+    // Validate auth code
+    const authCode = authCodes.get(code);
+    if (!authCode) {
+      return c.json({ error: "invalid_grant", error_description: "unknown code" }, 400);
+    }
+
+    authCodes.delete(code); // One-time use
+
+    if (authCode.expiresAt < Date.now()) {
+      return c.json({ error: "invalid_grant", error_description: "code expired" }, 400);
+    }
+
+    if (authCode.clientId !== client_id || authCode.redirectUri !== redirect_uri) {
+      return c.json({ error: "invalid_grant", error_description: "parameter mismatch" }, 400);
+    }
+
+    // PKCE verification
+    const pkceValid = await verifyPkce(code_verifier, authCode.codeChallenge);
+    if (!pkceValid) {
+      return c.json(
+        {
+          error: "invalid_grant",
+          error_description: "PKCE verification failed",
+        },
+        400,
+      );
+    }
+
+    // Issue access token
+    const expiresIn = config.tokenTtlMinutes * 60;
+    const accessToken = await new SignJWT({
+      sub: authCode.claims.sub ?? "anonymous",
+      email: authCode.claims.email,
+      roles: authCode.claims.roles,
+      teams: authCode.claims.teams,
+    })
+      .setProtectedHeader({ alg: "HS256" })
+      .setIssuer(config.issuer)
+      .setExpirationTime(`${config.tokenTtlMinutes}m`)
+      .setIssuedAt()
+      .sign(tokenSecret);
+
+    return c.json({
+      access_token: accessToken,
+      token_type: "Bearer",
+      expires_in: expiresIn,
+    });
+  });
+}
+
+/** Get registered clients (for testing) */
+export function getRegisteredClients(): Map<string, RegisteredClient> {
+  return clients;
+}
+
+/** Clear stores (for testing) */
+export function clearOAuthStores(): void {
+  clients.clear();
+  authCodes.clear();
+}