@vfarcic/dot-ai 1.14.1 → 1.15.0

package/dist/core/mcp-client-manager.d.ts

@@ -6,10 +6,47 @@
  * the attachTo routing mechanism.
  *
  * PRD #358: MCP Server Integration
+ * PRD #414: MCP Client Outbound Authentication
  */
-import { McpServerConfig, DiscoveredMcpServer, McpServerStats, McpAttachableOperation } from './mcp-client-types';
+import type { StreamableHTTPClientTransportOptions } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import type { OAuthClientProvider, OAuthDiscoveryState } from '@modelcontextprotocol/sdk/client/auth.js';
+import type { OAuthTokens, OAuthClientMetadata } from '@modelcontextprotocol/sdk/shared/auth.js';
+import { McpServerConfig, McpServerAuthConfig, DiscoveredMcpServer, McpServerStats, McpAttachableOperation } from './mcp-client-types';
 import { Logger } from './error-handling';
 import { AITool, ToolExecutor } from './ai-provider.interface';
+/**
+ * Minimal OAuthClientProvider that returns a static bearer token.
+ *
+ * Used when the MCP server expects MCP-spec-compliant auth (authProvider)
+ * but the token is a pre-provisioned service account JWT or API key
+ * rather than an interactive OAuth flow.
+ *
+ * PRD #414: MCP Client Outbound Authentication (M1)
+ */
+export declare class StaticTokenAuthProvider implements OAuthClientProvider {
+    private readonly token;
+    constructor(token: string);
+    get redirectUrl(): undefined;
+    get clientMetadata(): OAuthClientMetadata;
+    clientInformation(): undefined;
+    tokens(): Promise<OAuthTokens>;
+    saveTokens(): Promise<void>;
+    redirectToAuthorization(): Promise<void>;
+    saveCodeVerifier(): Promise<void>;
+    codeVerifier(): Promise<string>;
+    invalidateCredentials(_scope: 'all' | 'client' | 'tokens' | 'verifier' | 'discovery'): Promise<void>;
+    saveDiscoveryState(_state: OAuthDiscoveryState): Promise<void>;
+    discoveryState(): Promise<OAuthDiscoveryState | undefined>;
+}
+/**
+ * Resolve transport options (authProvider and/or requestInit) from auth config.
+ *
+ * Reads token/header values from environment variables (sourced from K8s Secrets).
+ * Returns partial options to merge into StreamableHTTPClientTransportOptions.
+ *
+ * PRD #414: MCP Client Outbound Authentication (M1 + M2 + M4)
+ */
+export declare function resolveTransportAuth(auth: McpServerAuthConfig | undefined, serverName: string, logger: Logger): Pick<StreamableHTTPClientTransportOptions, 'authProvider' | 'requestInit'>;
 /**
  * Manages MCP server connections, tool discovery, and tool routing.
  *

package/dist/core/mcp-client-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-client-manager.d.ts","sourceRoot":"","sources":["../../src/core/mcp-client-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,EACL,eAAe,EAEf,mBAAmB,EACnB,cAAc,EAEd,sBAAsB,EACvB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAW/D;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAEhC,oDAAoD;IACpD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAkC;IAE1D,oEAAoE;IACpE,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAyD;IAEpF,sDAAsD;IACtD,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAA+C;IAEjF,0DAA0D;IAC1D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkC;gBAEnD,MAAM,EAAE,MAAM;IAI1B;;;;;;OAMG;IACH,MAAM,CAAC,oBAAoB,IAAI,eAAe,EAAE;IA+DhD;;;;;OAKG;IACG,kBAAkB,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAwCnE;;OAEG;YACW,kBAAkB;IAmGhC;;;;OAIG;IACH,oBAAoB,CAAC,SAAS,EAAE,sBAAsB,GAAG,MAAM,EAAE;IAoBjE;;OAEG;IACH,qBAAqB,IAAI,MAAM,EAAE;IAejC;;OAEG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAIpC;;;;;;OAMG;IACH,kBAAkB,CAAC,gBAAgB,CAAC,EAAE,YAAY,GAAG,YAAY;IA6DjE;;OAEG;IACH,QAAQ,IAAI,cAAc;IAQ1B;;OAEG;IACH,oBAAoB,IAAI,mBAAmB,EAAE;IAI7C;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAkB5B;;OAEG;IACH,OAAO,CAAC,eAAe;CAYxB"}
+{"version":3,"file":"mcp-client-manager.d.ts","sourceRoot":"","sources":["../../src/core/mcp-client-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EAAE,oCAAoC,EAAE,MAAM,oDAAoD,CAAC;AAC/G,OAAO,KAAK,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AAEzG,OAAO,KAAK,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AACjG,OAAO,EACL,eAAe,EACf,mBAAmB,EAEnB,mBAAmB,EACnB,cAAc,EAEd,sBAAsB,EACvB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAW/D;;;;;;;;GAQG;AACH,qBAAa,uBAAwB,YAAW,mBAAmB;IACjE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;gBAEnB,KAAK,EAAE,MAAM;IAIzB,IAAI,WAAW,IAAI,SAAS,CAAsB;IAElD,IAAI,cAAc,IAAI,mBAAmB,CAKxC;IAED,iBAAiB;IAEX,MAAM,IAAI,OAAO,CAAC,WAAW,CAAC;IAO9B,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAC3B,uBAAuB,IAAI,OAAO,CAAC,IAAI,CAAC;IACxC,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;IAGjC,YAAY,IAAI,OAAO,CAAC,MAAM,CAAC;IAE/B,qBAAqB,CAAC,MAAM,EAAE,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAMpG,kBAAkB,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC;IAC9D,cAAc,IAAI,OAAO,CAAC,mBAAmB,GAAG,SAAS,CAAC;CACjE;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,mBAAmB,GAAG,SAAS,EACrC,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,MAAM,GACb,IAAI,CAAC,oCAAoC,EAAE,cAAc,GAAG,aAAa,CAAC,CAsF5E;AAED;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAEhC,oDAAoD;IACpD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAkC;IAE1D,oEAAoE;IACpE,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAyD;IAEpF,sDAAsD;IACtD,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAA+C;IAEjF,0DAA0D;IAC1D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkC;gBAEnD,MAAM,EAAE,MAAM;IAI1B;;;;;;OAMG;IACH,MAAM,CAAC,oBAAoB,IAAI,eAAe,EAAE;IAwIhD;;;;;OAKG;IACG,kBAAkB,CAAC,OAAO,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAwCnE;;OAEG;YACW,kBAAkB;IAwGhC;;;;OAIG;IACH,oBAAoB,CAAC,SAAS,EAAE,sBAAsB,GAAG,MAAM,EAAE;IAoBjE;;OAEG;IACH,qBAAqB,IAAI,MAAM,EAAE;IAejC;;OAEG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAIpC;;;;;;OAMG;IACH,kBAAkB,CAAC,gBAAgB,CAAC,EAAE,YAAY,GAAG,YAAY;IA6DjE;;OAEG;IACH,QAAQ,IAAI,cAAc;IAQ1B;;OAEG;IACH,oBAAoB,IAAI,mBAAmB,EAAE;IAI7C;;OAEG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAkB5B;;OAEG;IACH,OAAO,CAAC,eAAe;CAYxB"}

package/dist/core/mcp-client-manager.js

@@ -7,12 +7,15 @@
  * the attachTo routing mechanism.
  *
  * PRD #358: MCP Server Integration
+ * PRD #414: MCP Client Outbound Authentication
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.McpClientManager = void 0;
+exports.McpClientManager = exports.StaticTokenAuthProvider = void 0;
+exports.resolveTransportAuth = resolveTransportAuth;
 const node_fs_1 = require("node:fs");
 const index_js_1 = require("@modelcontextprotocol/sdk/client/index.js");
 const streamableHttp_js_1 = require("@modelcontextprotocol/sdk/client/streamableHttp.js");
+const auth_extensions_js_1 = require("@modelcontextprotocol/sdk/client/auth-extensions.js");
 const mcp_client_types_1 = require("./mcp-client-types");
 /** Path for MCP servers config file (mounted from ConfigMap in K8s) */
 const MCP_SERVERS_CONFIG_PATH = '/etc/dot-ai-mcp/mcp-servers.json';
@@ -20,6 +23,135 @@ const MCP_SERVERS_CONFIG_PATH = '/etc/dot-ai-mcp/mcp-servers.json';
 const TOOL_NAME_SEPARATOR = '__';
 /** Default timeout for MCP requests in milliseconds */
 const DEFAULT_TIMEOUT_MS = 30_000;
+/**
+ * Minimal OAuthClientProvider that returns a static bearer token.
+ *
+ * Used when the MCP server expects MCP-spec-compliant auth (authProvider)
+ * but the token is a pre-provisioned service account JWT or API key
+ * rather than an interactive OAuth flow.
+ *
+ * PRD #414: MCP Client Outbound Authentication (M1)
+ */
+class StaticTokenAuthProvider {
+    token;
+    constructor(token) {
+        this.token = token;
+    }
+    get redirectUrl() { return undefined; }
+    get clientMetadata() {
+        return {
+            redirect_uris: [],
+            client_name: 'dot-ai',
+        };
+    }
+    clientInformation() { return undefined; }
+    async tokens() {
+        return {
+            access_token: this.token,
+            token_type: 'bearer',
+        };
+    }
+    async saveTokens() { }
+    async redirectToAuthorization() { }
+    async saveCodeVerifier() { }
+    // Returns empty string because the SDK type requires string (not undefined).
+    // Static tokens do not use PKCE, so the verifier is never meaningful.
+    async codeVerifier() { return ''; }
+    async invalidateCredentials(_scope) {
+        // No-op for all scopes: static tokens are pre-provisioned and cannot be refreshed.
+        // 'client'/'verifier' are for interactive OAuth (authorization_code + PKCE).
+        // 'tokens'/'discovery' have no effect since the token is fixed at construction.
+    }
+    async saveDiscoveryState(_state) { }
+    async discoveryState() { return undefined; }
+}
+exports.StaticTokenAuthProvider = StaticTokenAuthProvider;
+/**
+ * Resolve transport options (authProvider and/or requestInit) from auth config.
+ *
+ * Reads token/header values from environment variables (sourced from K8s Secrets).
+ * Returns partial options to merge into StreamableHTTPClientTransportOptions.
+ *
+ * PRD #414: MCP Client Outbound Authentication (M1 + M2 + M4)
+ */
+function resolveTransportAuth(auth, serverName, logger) {
+    if (!auth)
+        return {};
+    const result = {};
+    // M1: Static token → authProvider
+    if (auth.tokenEnvVar) {
+        const token = process.env[auth.tokenEnvVar];
+        if (token) {
+            result.authProvider = new StaticTokenAuthProvider(token);
+            logger.info('MCP server auth configured via authProvider (static token)', {
+                server: serverName,
+                envVar: auth.tokenEnvVar,
+            });
+        }
+        else {
+            throw new Error(`MCP server '${serverName}' auth.tokenEnvVar references env var '${auth.tokenEnvVar}' but it is empty or unset — fix the K8s Secret or remove the auth config`);
+        }
+    }
+    // M2: Custom headers → requestInit
+    if (auth.headersEnvVar) {
+        const headersJson = process.env[auth.headersEnvVar];
+        if (headersJson) {
+            try {
+                const headers = JSON.parse(headersJson);
+                if (typeof headers !== 'object' || headers === null || Array.isArray(headers)) {
+                    throw new Error('Headers must be a JSON object of key-value pairs');
+                }
+                // Validate all header values are strings — non-string values cause HTTP errors
+                for (const [key, value] of Object.entries(headers)) {
+                    if (typeof value !== 'string') {
+                        throw new Error(`Header "${key}" value must be a string, got ${typeof value}`);
+                    }
+                }
+                result.requestInit = { headers };
+                logger.info('MCP server auth configured via requestInit headers', {
+                    server: serverName,
+                    envVar: auth.headersEnvVar,
+                    headerCount: Object.keys(headers).length,
+                });
+            }
+            catch (err) {
+                throw new Error(`MCP server '${serverName}' auth.headersEnvVar env var '${auth.headersEnvVar}' contains invalid JSON: ${err instanceof Error ? err.message : String(err)}`, { cause: err });
+            }
+        }
+        else {
+            throw new Error(`MCP server '${serverName}' auth.headersEnvVar references env var '${auth.headersEnvVar}' but it is empty or unset — fix the K8s Secret or remove the auth config`);
+        }
+    }
+    // M4: OAuth client_credentials → authProvider (takes precedence over tokenEnvVar)
+    // Uses SDK built-in ClientCredentialsProvider (@modelcontextprotocol/sdk ^1.27.1)
+    // instead of custom implementation. The SDK handles:
+    //   - prepareTokenRequest() → sets grant_type=client_credentials + scope
+    //   - client_secret_basic auth method (RFC 6749 §2.3.1)
+    //   - Token caching and automatic refresh on 401
+    // No PKCE: client_credentials is non-interactive (RFC 6749 §4.4), PKCE is for
+    // authorization_code grants only (RFC 7636 §1).
+    if (auth.oauth) {
+        const clientSecret = process.env[auth.oauth.clientSecretEnvVar];
+        if (clientSecret) {
+            result.authProvider = new auth_extensions_js_1.ClientCredentialsProvider({
+                clientId: auth.oauth.clientId,
+                clientSecret,
+                clientName: 'dot-ai',
+                scope: auth.oauth.scope,
+            });
+            logger.info('MCP server auth configured via authProvider (OAuth client_credentials)', {
+                server: serverName,
+                clientId: auth.oauth.clientId,
+                clientSecretEnvVar: auth.oauth.clientSecretEnvVar,
+                scope: auth.oauth.scope,
+            });
+        }
+        else {
+            throw new Error(`MCP server '${serverName}' auth.oauth.clientSecretEnvVar references env var '${auth.oauth.clientSecretEnvVar}' but it is empty or unset — fix the K8s Secret or remove the auth config`);
+        }
+    }
+    return result;
+}
 /**
  * Manages MCP server connections, tool discovery, and tool routing.
  *
@@ -83,11 +215,65 @@ class McpClientManager {
                     throw new Error(`MCP server at index ${index} (${s.name || 'unnamed'}) has invalid attachTo value '${op}'. Must be one of: ${validOperations.join(', ')}`);
                 }
             }
+            // Parse optional auth config (PRD #414)
+            // Fail-fast on malformed auth — silent degradation to unauthenticated is a security risk
+            let auth;
+            const serverLabel = s.name || 'unnamed';
+            if (s.auth !== undefined) {
+                if (!s.auth || typeof s.auth !== 'object' || Array.isArray(s.auth)) {
+                    throw new Error(`MCP server at index ${index} (${serverLabel}) auth must be an object`);
+                }
+                const rawAuth = s.auth;
+                auth = {};
+                if ('tokenEnvVar' in rawAuth) {
+                    if (typeof rawAuth.tokenEnvVar !== 'string' || rawAuth.tokenEnvVar.trim() === '') {
+                        throw new Error(`MCP server at index ${index} (${serverLabel}) auth.tokenEnvVar must be a non-empty string`);
+                    }
+                    auth.tokenEnvVar = rawAuth.tokenEnvVar;
+                }
+                if ('headersEnvVar' in rawAuth) {
+                    if (typeof rawAuth.headersEnvVar !== 'string' || rawAuth.headersEnvVar.trim() === '') {
+                        throw new Error(`MCP server at index ${index} (${serverLabel}) auth.headersEnvVar must be a non-empty string`);
+                    }
+                    auth.headersEnvVar = rawAuth.headersEnvVar;
+                }
+                // M4: OAuth client_credentials config
+                if ('oauth' in rawAuth) {
+                    if (!rawAuth.oauth || typeof rawAuth.oauth !== 'object' || Array.isArray(rawAuth.oauth)) {
+                        throw new Error(`MCP server at index ${index} (${serverLabel}) auth.oauth must be an object`);
+                    }
+                    const rawOAuth = rawAuth.oauth;
+                    if (!rawOAuth.clientId || typeof rawOAuth.clientId !== 'string') {
+                        throw new Error(`MCP server at index ${index} (${serverLabel}) auth.oauth is missing required 'clientId' field`);
+                    }
+                    if (!rawOAuth.clientSecretEnvVar || typeof rawOAuth.clientSecretEnvVar !== 'string') {
+                        throw new Error(`MCP server at index ${index} (${serverLabel}) auth.oauth is missing required 'clientSecretEnvVar' field`);
+                    }
+                    if ('scope' in rawOAuth && (typeof rawOAuth.scope !== 'string' || rawOAuth.scope.trim() === '')) {
+                        throw new Error(`MCP server at index ${index} (${serverLabel}) auth.oauth.scope must be a non-empty string`);
+                    }
+                    auth.oauth = {
+                        clientId: rawOAuth.clientId,
+                        clientSecretEnvVar: rawOAuth.clientSecretEnvVar,
+                        scope: typeof rawOAuth.scope === 'string' ? rawOAuth.scope : undefined,
+                    };
+                }
+                // Fail-fast: auth block present but no valid fields configured
+                if (!auth.tokenEnvVar && !auth.headersEnvVar && !auth.oauth) {
+                    throw new Error(`MCP server at index ${index} (${serverLabel}) auth is present but contains no valid auth fields (tokenEnvVar, headersEnvVar, or oauth)`);
+                }
+                // Mutual exclusivity: tokenEnvVar and oauth cannot both be specified
+                // because both set authProvider — oauth would silently overwrite the static token
+                if (auth.tokenEnvVar && auth.oauth) {
+                    throw new Error(`MCP server at index ${index} (${serverLabel}) auth specifies both 'tokenEnvVar' and 'oauth' — these are mutually exclusive (both set authProvider)`);
+                }
+            }
             return {
                 name: s.name || `mcp-server-${index}`,
                 endpoint: s.endpoint,
                 attachTo: s.attachTo,
                 timeout: s.timeout,
+                auth,
             };
         });
     }
@@ -134,7 +320,10 @@ class McpClientManager {
             name: config.name,
             endpoint: config.endpoint,
             attachTo: config.attachTo,
+            hasAuth: !!config.auth,
         });
+        // Resolve authentication options from config + env vars (PRD #414)
+        const authOptions = resolveTransportAuth(config.auth, config.name, this.logger);
         const transport = new streamableHttp_js_1.StreamableHTTPClientTransport(new URL(config.endpoint), {
             reconnectionOptions: {
                 maxReconnectionDelay: 30_000,
@@ -142,6 +331,7 @@ class McpClientManager {
                 reconnectionDelayGrowFactor: 1.5,
                 maxRetries: 2,
             },
+            ...authOptions,
         });
         const client = new index_js_1.Client({ name: 'dot-ai', version: '1.0.0' }, { capabilities: {} });
         // Connect with timeout

package/dist/core/mcp-client-types.d.ts

@@ -6,11 +6,70 @@
  * that augment dot-ai's built-in kubectl/helm tools.
  *
  * PRD #358: MCP Server Integration
+ * PRD #414: MCP Client Outbound Authentication
  */
 /**
  * Valid dot-ai operations that MCP servers can attach to
  */
 export type McpAttachableOperation = 'remediate' | 'operate' | 'query';
+/**
+ * Authentication configuration for an MCP server connection.
+ *
+ * Four modes are supported:
+ * 1. Static token via `tokenEnvVar` — reads bearer token from env var, passed as authProvider
+ * 2. Custom headers via `headersEnvVar` — reads JSON headers from env var, passed as requestInit
+ * 3. OAuth via `oauth` — client_credentials grant using the MCP SDK's OAuthClientProvider
+ * 4. No auth (omit `auth`) — current behavior, backward compatible
+ *
+ * Credentials are injected via environment variables sourced from K8s Secrets.
+ * Never store tokens in ConfigMaps or Helm values.
+ *
+ * PRD #414: MCP Client Outbound Authentication
+ */
+export interface McpServerAuthConfig {
+    /**
+     * Environment variable name containing a bearer token for authProvider.
+     * The token is passed to StreamableHTTPClientTransport via a static authProvider
+     * that returns `{ access_token: tokenValue, token_type: 'bearer' }`.
+     *
+     * Example env var: MCP_AUTH_CONTEXT_FORGE=eyJhbGciOi...
+     */
+    tokenEnvVar?: string;
+    /**
+     * Environment variable name containing JSON-encoded HTTP headers for requestInit.
+     * Used for non-MCP-spec-compliant servers that require custom auth headers.
+     * The value must be a JSON object of header name → value pairs.
+     *
+     * Example env var: MCP_HEADERS_LEGACY_SERVER={"X-API-Key":"abc123"}
+     */
+    headersEnvVar?: string;
+    /**
+     * OAuth client_credentials configuration for MCP-spec-compliant servers.
+     * Uses the MCP SDK's OAuthClientProvider interface with client_credentials grant.
+     * The SDK handles discovery (RFC 9728), token exchange, and automatic refresh.
+     *
+     * PRD #414: MCP Client Outbound Authentication (M4)
+     */
+    oauth?: McpOAuthConfig;
+}
+/**
+ * OAuth client_credentials configuration for outbound MCP connections.
+ *
+ * dot-ai acts as an OAuth client authenticating to an MCP server's authorization
+ * server using the client_credentials grant (non-interactive, server-to-server).
+ * The MCP SDK discovers the authorization server via RFC 9728 metadata.
+ */
+export interface McpOAuthConfig {
+    /** OAuth client ID for this MCP server connection */
+    clientId: string;
+    /**
+     * Environment variable name containing the OAuth client secret.
+     * Example: MCP_OAUTH_SECRET_DOT_AI_UPSTREAM
+     */
+    clientSecretEnvVar: string;
+    /** Optional OAuth scope to request (e.g., "mcp:tools mcp:read") */
+    scope?: string;
+}
 /**
  * Configuration for an MCP server connection.
  * Loaded from /etc/dot-ai-mcp/mcp-servers.json (mounted via Helm ConfigMap).
@@ -24,6 +83,12 @@ export interface McpServerConfig {
     attachTo: McpAttachableOperation[];
     /** Optional timeout in milliseconds for MCP requests (default: 30000) */
     timeout?: number;
+    /**
+     * Optional authentication configuration for this MCP server.
+     * When omitted, no authentication is used (backward compatible).
+     * PRD #414: MCP Client Outbound Authentication
+     */
+    auth?: McpServerAuthConfig;
 }
 /**
  * Tool definition discovered from an MCP server via client.listTools()

package/dist/core/mcp-client-types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-client-types.d.ts","sourceRoot":"","sources":["../../src/core/mcp-client-types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAAG,WAAW,GAAG,SAAS,GAAG,OAAO,CAAC;AAEvE;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,IAAI,EAAE,MAAM,CAAC;IACb,uFAAuF;IACvF,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,QAAQ,EAAE,sBAAsB,EAAE,CAAC;IACnC,yEAAyE;IACzE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,yCAAyC;IACzC,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,WAAW,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACrC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,0BAA0B;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,QAAQ,EAAE,sBAAsB,EAAE,CAAC;IACnC,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,KAAK,EAAE,iBAAiB,EAAE,CAAC;IAC3B,0BAA0B;IAC1B,YAAY,EAAE,IAAI,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,SAAS,EAAE,MAAM,CAAC;IAClB,iCAAiC;IACjC,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,KAAK;aAGxB,aAAa,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;gBADrE,OAAO,EAAE,MAAM,EACC,aAAa,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;CAKxE"}
+{"version":3,"file":"mcp-client-types.d.ts","sourceRoot":"","sources":["../../src/core/mcp-client-types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAAG,WAAW,GAAG,SAAS,GAAG,OAAO,CAAC;AAEvE;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,cAAc;IAC7B,qDAAqD;IACrD,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,kBAAkB,EAAE,MAAM,CAAC;IAE3B,mEAAmE;IACnE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,wDAAwD;IACxD,IAAI,EAAE,MAAM,CAAC;IACb,uFAAuF;IACvF,QAAQ,EAAE,MAAM,CAAC;IACjB,yEAAyE;IACzE,QAAQ,EAAE,sBAAsB,EAAE,CAAC;IACnC,yEAAyE;IACzE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;OAIG;IACH,IAAI,CAAC,EAAE,mBAAmB,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,yCAAyC;IACzC,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,WAAW,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACrC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,0BAA0B;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,QAAQ,EAAE,sBAAsB,EAAE,CAAC;IACnC,sDAAsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,KAAK,EAAE,iBAAiB,EAAE,CAAC;IAC3B,0BAA0B;IAC1B,YAAY,EAAE,IAAI,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,SAAS,EAAE,MAAM,CAAC;IAClB,iCAAiC;IACjC,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,KAAK;aAGxB,aAAa,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;gBADrE,OAAO,EAAE,MAAM,EACC,aAAa,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;CAKxE"}

package/dist/core/mcp-client-types.js

@@ -7,6 +7,7 @@
  * that augment dot-ai's built-in kubectl/helm tools.
  *
  * PRD #358: MCP Server Integration
+ * PRD #414: MCP Client Outbound Authentication
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.McpDiscoveryError = void 0;

package/dist/mcp/server.js

@@ -180,6 +180,9 @@ async function main() {
                 process.stderr.write(`MCP server discovery complete: ${stats.serverCount} server(s), ${stats.toolCount} tool(s)\n`);
             }
             catch (error) {
+                // Fail-fast: in Kubernetes, crash + backoff is easier to detect than a Running
+                // pod silently missing MCP tools. Config errors (bad endpoint, missing auth)
+                // surface immediately via CrashLoopBackOff events and alerts.
                 process.stderr.write(`FATAL: MCP server discovery failed: ${error instanceof Error ? error.message : String(error)}\n`);
                 process.exit(1);
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vfarcic/dot-ai",
-  "version": "1.14.1",
+  "version": "1.15.0",
   "description": "AI-powered development productivity platform that enhances software development workflows through intelligent automation and AI-driven assistance",
   "mcpName": "io.github.vfarcic/dot-ai",
   "main": "dist/index.js",