PyPI - clsplusplus - Versions diffs - 7.2.3__tar.gz → 7.2.4__tar.gz - Mend

clsplusplus 7.2.3tar.gz → 7.2.4tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (166) hide show

{clsplusplus-7.2.3 → clsplusplus-7.2.4}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: clsplusplus
-Version: 7.2.3
+Version: 7.2.4
 Summary: Brain-inspired, model-agnostic persistent memory for LLMs. Learn, recall, forget — like a brain. Works with OpenAI, Claude, Gemini, Llama.
 Author-email: AlphaForge AI Labs <contact@alphaforge.ai>
 Maintainer-email: Rajamohan Jabbala <contact@alphaforge.ai>
@@ -61,6 +61,7 @@ Requires-Dist: httpx>=0.26.0; extra == "dev"
 Requires-Dist: locust>=2.20.0; extra == "dev"
 Dynamic: license-file
+<!-- mcp-name: io.github.rajamohan1950/cls-memory -->
 <p align="center">
   <img src="https://img.shields.io/badge/CLS%2B%2B-Memory%20for%20LLMs-6366f1?style=for-the-badge&logo=github" alt="CLS++" />
 </p>

{clsplusplus-7.2.3 → clsplusplus-7.2.4}/README.md RENAMED Viewed

@@ -1,3 +1,4 @@
+<!-- mcp-name: io.github.rajamohan1950/cls-memory -->
 <p align="center">
   <img src="https://img.shields.io/badge/CLS%2B%2B-Memory%20for%20LLMs-6366f1?style=for-the-badge&logo=github" alt="CLS++" />
 </p>

{clsplusplus-7.2.3 → clsplusplus-7.2.4}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "clsplusplus"
-version = "7.2.3"
+version = "7.2.4"
 description = "Brain-inspired, model-agnostic persistent memory for LLMs. Learn, recall, forget — like a brain. Works with OpenAI, Claude, Gemini, Llama."
 readme = "README.md"
 requires-python = ">=3.9"
@@ -74,6 +74,7 @@ dev = [
 [project.scripts]
 cls = "clsplusplus.cli:main"
+cls-mcp = "clsplusplus.mcp_server:main"
 [project.urls]
 Homepage = "https://github.com/rajamohan1950/CLSplusplus"

{clsplusplus-7.2.3 → clsplusplus-7.2.4}/src/clsplusplus/api.py RENAMED Viewed

@@ -146,6 +146,14 @@ def create_app(settings: Optional[Settings] = None) -> FastAPI:
     from clsplusplus.namespace_resolver import NamespaceResolver
     _namespace_resolver = NamespaceResolver(settings)
+    # ── Remote MCP server + OAuth 2.1 — claude.ai custom connector ──
+    # Shared OAuth store (clients/codes/tokens). The MCP transport at /mcp and
+    # the OAuth endpoints are mounted near the end of create_app() so they can
+    # reuse the same service instances. Both are gated by a human security
+    # review before they go live — see the PR.
+    from clsplusplus.stores.oauth_store import OAuthStore
+    _oauth_store = OAuthStore(settings)
     app = FastAPI(
         title="CLS++ API",
         description="Brain-inspired, model-agnostic persistent memory for LLMs",
@@ -2043,6 +2051,26 @@ def create_app(settings: Optional[Settings] = None) -> FastAPI:
             ),
         }
+    # ── Remote MCP server + OAuth 2.1 for claude.ai custom connectors ──
+    # The OAuth authorization server (DCR, authorize, token, metadata) and the
+    # Streamable-HTTP MCP transport at /mcp. Access tokens map to a CLS API key
+    # so /mcp resolves the user's namespace through the same path as direct
+    # API-key auth. These endpoints are added to the middleware allowlist so
+    # AuthMiddleware does not 401 them before they validate their own bearer.
+    from clsplusplus.oauth_server import mount_oauth_routes
+    from clsplusplus.mcp_http import mount_mcp_http
+    mount_oauth_routes(
+        app, settings,
+        oauth_store=_oauth_store,
+        integration_service=integration_service,
+        user_service=user_service,
+    )
+    mount_mcp_http(
+        app, settings,
+        oauth_store=_oauth_store,
+        memory_service=memory_service,
+    )
     @app.patch("/v1/user/profile")
     async def update_profile(req: UserProfileUpdateRequest, request: Request):
         """Update user profile (name, email, password)."""
@@ -3811,6 +3839,10 @@ def create_app(settings: Optional[Settings] = None) -> FastAPI:
             await integration_service.close()
         except Exception:
             pass
+        try:
+            await _oauth_store.close()
+        except Exception:
+            pass
         # Close the shared httpx client used by LLM proxy routes
         try:
             http_client = getattr(_local_router, "_http_client", None)

clsplusplus-7.2.4/src/clsplusplus/mcp_http.py ADDED Viewed

@@ -0,0 +1,235 @@
+"""Remote MCP server — Streamable-HTTP transport for claude.ai.
+Exposes the same three tools as the stdio server (recall_memories,
+store_memory, who_am_i) over the MCP Streamable-HTTP transport at POST /mcp.
+Requests are authenticated with an OAuth 2.1 Bearer access token (issued by
+oauth_server.py); the token resolves to the user's namespace, and every tool
+call operates only on that namespace.
+Transport notes:
+  * POST /mcp carries one JSON-RPC request/response per call. We return
+    application/json (the spec permits a JSON body when no server-initiated
+    streaming is needed). Notifications get HTTP 202 with no body.
+  * GET /mcp would open an SSE stream for server→client messages. This server
+    has no server-initiated traffic, so GET returns 405 (allowed by spec).
+  * Unauthenticated requests get 401 with a WWW-Authenticate header pointing at
+    the protected-resource metadata, so claude.ai can discover the auth server.
+"""
+from __future__ import annotations
+import logging
+from typing import Optional
+from fastapi import FastAPI, Request
+from fastapi.responses import JSONResponse, Response
+from clsplusplus.auth import extract_bearer_token
+from clsplusplus.config import Settings
+from clsplusplus.mcp_server import TOOLS
+from clsplusplus.models import ReadRequest, WriteRequest
+logger = logging.getLogger(__name__)
+PROTOCOL_VERSION = "2025-06-18"
+SERVER_INFO = {"name": "cls-memory", "version": "1.0.0"}
+# who_am_i fans out across these queries to assemble a profile, mirroring the
+# stdio server's behaviour.
+_WHO_AM_I_QUERIES = [
+    "user identity name who preferences likes dislikes",
+    "relationships family friends people",
+    "recent work project decisions current status",
+    "movies music hobbies interests favorites perfume",
+]
+def _is_schema_garbage(text: str) -> bool:
+    if not text.startswith("[Schema:"):
+        return False
+    return len(text.split("]", 1)[-1].strip().split()) < 4
+def _jsonrpc_result(req_id, result) -> dict:
+    return {"jsonrpc": "2.0", "id": req_id, "result": result}
+def _jsonrpc_error(req_id, code: int, message: str) -> dict:
+    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}
+def _tool_text_result(text: str) -> dict:
+    return {"content": [{"type": "text", "text": text}], "isError": False}
+def mount_mcp_http(app: FastAPI, settings: Settings, *, oauth_store, memory_service) -> None:
+    """Register the Streamable-HTTP MCP endpoints on the given app."""
+    def _unauthorized(request: Request) -> JSONResponse:
+        issuer = (settings.site_base_url or str(request.base_url).rstrip("/")).rstrip("/")
+        resource_metadata = f"{issuer}/.well-known/oauth-protected-resource"
+        return JSONResponse(
+            status_code=401,
+            content={"error": "invalid_token",
+                     "error_description": "A valid OAuth access token is required."},
+            headers={
+                "WWW-Authenticate": (
+                    f'Bearer resource_metadata="{resource_metadata}"'
+                ),
+            },
+        )
+    async def _resolve_identity(request: Request) -> Optional[dict]:
+        token = extract_bearer_token(request.headers.get("Authorization"))
+        if not token:
+            return None
+        return await oauth_store.resolve_access_token(token)
+    # ── Tool handlers (operate strictly on the authenticated namespace) ──
+    async def _recall_memories(namespace: str, args: dict) -> str:
+        query = (args.get("query") or "").strip()
+        if not query:
+            return "No query provided."
+        limit = int(args.get("limit", 5) or 5)
+        result = await memory_service.read(
+            ReadRequest(query=query, namespace=namespace, limit=limit)
+        )
+        items = result.items or []
+        lines = []
+        for item in items:
+            text = item.text or ""
+            if _is_schema_garbage(text):
+                continue
+            lines.append(f"- {text}")
+        if not lines:
+            return "No relevant memories found."
+        return "Memories about this user:\n" + "\n".join(lines)
+    async def _store_memory(namespace: str, args: dict) -> str:
+        text = (args.get("text") or "").strip()
+        if not text:
+            return "No text provided to store."
+        await memory_service.write(
+            WriteRequest(text=text, namespace=namespace, source="mcp")
+        )
+        return f'Memory stored: "{text}"'
+    async def _who_am_i(namespace: str, args: dict) -> str:
+        all_facts: list[str] = []
+        seen: set[str] = set()
+        for q in _WHO_AM_I_QUERIES:
+            result = await memory_service.read(
+                ReadRequest(query=q, namespace=namespace, limit=5)
+            )
+            for item in (result.items or []):
+                text = item.text or ""
+                if text in seen or _is_schema_garbage(text):
+                    continue
+                seen.add(text)
+                all_facts.append(text)
+        if not all_facts:
+            return ("No memories stored about this user yet. As they share "
+                    "information, it will be remembered across all AI models.")
+        lines = ["Here is everything known about this user from their "
+                 "conversations across all AI models:"]
+        lines.extend(f"- {f}" for f in all_facts)
+        return "\n".join(lines)
+    _HANDLERS = {
+        "recall_memories": _recall_memories,
+        "store_memory": _store_memory,
+        "who_am_i": _who_am_i,
+    }
+    async def _dispatch(identity: dict, payload: dict):
+        """Handle one JSON-RPC message. Returns a dict, or None for notifications."""
+        method = payload.get("method", "")
+        req_id = payload.get("id")
+        params = payload.get("params") or {}
+        if method == "initialize":
+            return _jsonrpc_result(req_id, {
+                "protocolVersion": PROTOCOL_VERSION,
+                "capabilities": {"tools": {"listChanged": False}},
+                "serverInfo": SERVER_INFO,
+            })
+        if method in ("notifications/initialized", "notifications/cancelled"):
+            return None  # notification: no response
+        if method == "ping":
+            return _jsonrpc_result(req_id, {})
+        if method == "tools/list":
+            return _jsonrpc_result(req_id, {"tools": TOOLS})
+        if method == "tools/call":
+            tool_name = params.get("name", "")
+            arguments = params.get("arguments") or {}
+            handler = _HANDLERS.get(tool_name)
+            if not handler:
+                return _jsonrpc_error(req_id, -32601, f"Unknown tool: {tool_name}")
+            try:
+                text = await handler(identity["namespace"], arguments)
+            except Exception as exc:  # surface as an MCP tool error, not transport error
+                logger.warning("mcp tool %s failed: %s", tool_name, exc)
+                return _jsonrpc_result(req_id, {
+                    "content": [{"type": "text", "text": f"Error: {exc}"}],
+                    "isError": True,
+                })
+            return _jsonrpc_result(req_id, _tool_text_result(text))
+        return _jsonrpc_error(req_id, -32601, f"Method not found: {method}")
+    @app.post("/mcp", include_in_schema=False)
+    async def mcp_endpoint(request: Request):
+        identity = await _resolve_identity(request)
+        if not identity:
+            return _unauthorized(request)
+        try:
+            payload = await request.json()
+        except Exception:
+            return JSONResponse(
+                status_code=400,
+                content=_jsonrpc_error(None, -32700, "Parse error: body is not JSON."),
+            )
+        # A JSON-RPC batch is an array; handle each and return the array of
+        # non-null responses.
+        if isinstance(payload, list):
+            responses = []
+            for msg in payload:
+                r = await _dispatch(identity, msg)
+                if r is not None:
+                    responses.append(r)
+            if not responses:
+                return Response(status_code=202)
+            return JSONResponse(content=responses)
+        if not isinstance(payload, dict):
+            return JSONResponse(
+                status_code=400,
+                content=_jsonrpc_error(None, -32600, "Invalid Request."),
+            )
+        result = await _dispatch(identity, payload)
+        if result is None:
+            return Response(status_code=202)
+        return JSONResponse(content=result)
+    @app.get("/mcp", include_in_schema=False)
+    async def mcp_get(request: Request):
+        # Auth is still required so probes reveal the protected-resource hint.
+        identity = await _resolve_identity(request)
+        if not identity:
+            return _unauthorized(request)
+        # No server-initiated streaming — SSE GET stream is not offered.
+        return JSONResponse(
+            status_code=405,
+            content={"error": "method_not_allowed",
+                     "error_description": "This MCP server has no server-initiated "
+                                          "stream; use POST /mcp."},
+            headers={"Allow": "POST"},
+        )

{clsplusplus-7.2.3 → clsplusplus-7.2.4}/src/clsplusplus/middleware.py RENAMED Viewed

@@ -45,6 +45,16 @@ _PUBLIC_PATHS = frozenset({
     "/v1/waitlist/verify",
     "/v1/waitlist/stats",
     "/v1/waitlist/accept",
+    # Remote MCP server + OAuth 2.1 (claude.ai custom connector). These do
+    # their OWN auth — the OAuth endpoints validate client/PKCE/session, and
+    # /mcp validates the OAuth bearer token — so AuthMiddleware must not 401
+    # them first. The /mcp and /oauth/* prefixes are matched in _is_public().
+    "/mcp",
+    "/oauth/register",
+    "/oauth/authorize",
+    "/oauth/token",
+    "/.well-known/oauth-protected-resource",
+    "/.well-known/oauth-authorization-server",
     "/docs",
     "/redoc",
     "/openapi.json",
@@ -92,7 +102,13 @@ def _is_public(path: str, method: str) -> bool:
     if dot_idx != -1 and path[dot_idx:].split("?")[0].lower() in _STATIC_EXTENSIONS:
         return True
     return (normalized in _PUBLIC_PATHS
-            or path.startswith("/docs") or path.startswith("/redoc"))
+            or path.startswith("/docs") or path.startswith("/redoc")
+            # Remote MCP + OAuth: the prefix forms (e.g. the path-suffixed
+            # protected-resource probe) all self-authenticate, so they bypass
+            # the API-key/JWT gate here.
+            or path.startswith("/mcp")
+            or path.startswith("/oauth/")
+            or path.startswith("/.well-known/oauth"))
 def _requires_admin(path: str) -> bool:

clsplusplus 7.2.3__tar.gz → 7.2.4__tar.gz

clsplusplus 7.2.3tar.gz → 7.2.4tar.gz