fast-agent-mcp 0.3.4__py3-none-any.whl → 0.3.5__py3-none-any.whl

fast_agent/cli/__main__.py

@@ -13,14 +13,17 @@ def main():
         # Check if first arg is not already a subcommand
         first_arg = sys.argv[1]
 
-        if first_arg not in KNOWN_SUBCOMMANDS and any(
-            arg in sys.argv or any(arg.startswith(opt + "=") for opt in GO_SPECIFIC_OPTIONS)
-            for arg in sys.argv
-        ):
+        # Only auto-route if any known go-specific options are present
+        has_go_options = any(
+            (arg in GO_SPECIFIC_OPTIONS) or any(arg.startswith(opt + "=") for opt in GO_SPECIFIC_OPTIONS)
+            for arg in sys.argv[1:]
+        )
+
+        if first_arg not in KNOWN_SUBCOMMANDS and has_go_options:
             # Find where to insert 'go' - before the first go-specific option
             insert_pos = 1
             for i, arg in enumerate(sys.argv[1:], 1):
-                if arg in GO_SPECIFIC_OPTIONS or any(
+                if (arg in GO_SPECIFIC_OPTIONS) or any(
                     arg.startswith(opt + "=") for opt in GO_SPECIFIC_OPTIONS
                 ):
                     insert_pos = i

fast_agent/cli/commands/auth.py

@@ -0,0 +1,370 @@
+"""Authentication management commands for fast-agent.
+
+Shows keyring backend, per-server OAuth token status, and provides a way to clear tokens.
+"""
+
+from __future__ import annotations
+
+from typing import Dict, List, Optional
+
+import typer
+from rich.table import Table
+
+from fast_agent.config import Settings, get_settings
+from fast_agent.mcp.oauth_client import (
+    _derive_base_server_url,
+    clear_keyring_token,
+    compute_server_identity,
+    list_keyring_tokens,
+)
+from fast_agent.ui.console import console
+
+app = typer.Typer(help="Manage OAuth authentication state for MCP servers")
+
+
+def _get_keyring_backend_name() -> str:
+    try:
+        import keyring
+
+        kr = keyring.get_keyring()
+        return getattr(kr, "name", kr.__class__.__name__)
+    except Exception:
+        return "unavailable"
+
+
+def _keyring_get_password(service: str, username: str) -> str | None:
+    try:
+        import keyring
+
+        return keyring.get_password(service, username)
+    except Exception:
+        return None
+
+
+def _keyring_delete_password(service: str, username: str) -> bool:
+    try:
+        import keyring
+
+        keyring.delete_password(service, username)
+        return True
+    except Exception:
+        return False
+
+
+def _server_rows_from_settings(settings: Settings):
+    rows = []
+    mcp = getattr(settings, "mcp", None)
+    servers = getattr(mcp, "servers", {}) if mcp else {}
+    for name, cfg in servers.items():
+        transport = getattr(cfg, "transport", "")
+        if transport == "stdio":
+            # STDIO servers do not use OAuth; skip in auth views
+            continue
+        url = getattr(cfg, "url", None)
+        auth = getattr(cfg, "auth", None)
+        oauth_enabled = getattr(auth, "oauth", True) if auth is not None else True
+        persist = getattr(auth, "persist", "keyring") if auth is not None else "keyring"
+        identity = compute_server_identity(cfg)
+        # token presence only meaningful if persist is keyring and transport is http/sse
+        has_token = False
+        if persist == "keyring" and transport in ("http", "sse") and oauth_enabled:
+            has_token = (
+                _keyring_get_password("fast-agent-mcp", f"oauth:tokens:{identity}") is not None
+            )
+        rows.append(
+            {
+                "name": name,
+                "transport": transport,
+                "url": url or "",
+                "persist": persist,
+                "oauth": oauth_enabled and transport in ("http", "sse"),
+                "has_token": has_token,
+                "identity": identity,
+            }
+        )
+    return rows
+
+
+def _servers_by_identity(settings: Settings) -> Dict[str, List[str]]:
+    """Group configured server names by derived identity (base URL)."""
+    mapping: Dict[str, List[str]] = {}
+    mcp = getattr(settings, "mcp", None)
+    servers = getattr(mcp, "servers", {}) if mcp else {}
+    for name, cfg in servers.items():
+        try:
+            identity = compute_server_identity(cfg)
+        except Exception:
+            identity = name
+        mapping.setdefault(identity, []).append(name)
+    return mapping
+
+
+@app.command()
+def status(
+    target: Optional[str] = typer.Argument(None, help="Identity (base URL) or server name"),
+    config_path: Optional[str] = typer.Option(None, "--config-path", "-c"),
+) -> None:
+    """Show keyring backend and token status for configured MCP servers."""
+    settings = get_settings(config_path)
+    backend = _get_keyring_backend_name()
+
+    # Single-target view if target provided
+    if target:
+        settings = get_settings(config_path)
+        identity = _derive_base_server_url(target) if "://" in target else None
+        if not identity:
+            servers = getattr(getattr(settings, "mcp", None), "servers", {}) or {}
+            cfg = servers.get(target)
+            if not cfg:
+                typer.echo(f"Server '{target}' not found in config; treating as identity")
+                identity = target
+            else:
+                identity = compute_server_identity(cfg)
+
+        # Direct presence check
+        present = False
+        try:
+            import keyring
+
+            present = keyring.get_password("fast-agent-mcp", f"oauth:tokens:{identity}") is not None
+        except Exception:
+            present = False
+
+        table = Table(show_header=True, box=None)
+        table.add_column("Identity", header_style="bold")
+        table.add_column("Token", header_style="bold")
+        table.add_column("Servers", header_style="bold")
+        by_id = _servers_by_identity(settings)
+        servers_for_id = ", ".join(by_id.get(identity, [])) or "[dim]None[/dim]"
+        token_disp = "[bold green]✓[/bold green]" if present else "[dim]✗[/dim]"
+        table.add_row(identity, token_disp, servers_for_id)
+
+        console.print(f"Keyring backend: [green]{backend}[/green]")
+        console.print(table)
+        console.print(
+            "\n[dim]Run 'fast-agent auth clear --identity "
+            f"{identity}[/dim][dim]' to remove this token, or 'fast-agent auth clear --all' to remove all.[/dim]"
+        )
+        return
+
+    # Full status view
+    console.print(f"Keyring backend: [green]{backend}[/green]")
+
+    tokens = list_keyring_tokens()
+    token_table = Table(show_header=True, box=None)
+    token_table.add_column("Stored Tokens (Identity)", header_style="bold")
+    token_table.add_column("Present", header_style="bold")
+    if tokens:
+        for ident in tokens:
+            token_table.add_row(ident, "[bold green]✓[/bold green]")
+    else:
+        token_table.add_row("[dim]None[/dim]", "[dim]✗[/dim]")
+
+    console.print(token_table)
+
+    rows = _server_rows_from_settings(settings)
+    if rows:
+        map_table = Table(show_header=True, box=None)
+        map_table.add_column("Server", header_style="bold")
+        map_table.add_column("Transport", header_style="bold")
+        map_table.add_column("OAuth", header_style="bold")
+        map_table.add_column("Persist", header_style="bold")
+        map_table.add_column("Token", header_style="bold")
+        map_table.add_column("Identity", header_style="bold")
+        for row in rows:
+            oauth_status = "[green]on[/green]" if row["oauth"] else "[dim]off[/dim]"
+            persist = row["persist"]
+            persist_disp = (
+                f"[green]{persist}[/green]"
+                if persist == "keyring"
+                else f"[yellow]{persist}[/yellow]"
+            )
+            # Direct presence check for each identity so status works even without index
+            has_token = False
+            if persist == "keyring" and row["oauth"]:
+                try:
+                    import keyring
+
+                    has_token = (
+                        keyring.get_password("fast-agent-mcp", f"oauth:tokens:{row['identity']}")
+                        is not None
+                    )
+                except Exception:
+                    has_token = False
+            token_disp = (
+                "[bold green]✓[/bold green]"
+                if has_token
+                else (
+                    "[yellow]memory[/yellow]"
+                    if persist == "memory" and row["oauth"]
+                    else "[dim]✗[/dim]"
+                )
+            )
+            map_table.add_row(
+                row["name"],
+                row["transport"].upper(),
+                oauth_status,
+                persist_disp,
+                token_disp,
+                row["identity"],
+            )
+        console.print(map_table)
+
+    console.print(
+        "\n[dim]Run 'fast-agent auth clear --identity <identity>' to remove a token, or 'fast-agent auth clear --all' to remove all.[/dim]"
+    )
+
+
+@app.command()
+def clear(
+    server: Optional[str] = typer.Argument(None, help="Server name to clear (from config)"),
+    identity: Optional[str] = typer.Option(
+        None, "--identity", help="Token identity (base URL) to clear"
+    ),
+    all: bool = typer.Option(False, "--all", help="Clear tokens for all identities in keyring"),
+    config_path: Optional[str] = typer.Option(None, "--config-path", "-c"),
+) -> None:
+    """Clear stored OAuth tokens from the keyring."""
+    targets_identities: list[str] = []
+    if all:
+        targets_identities = list_keyring_tokens()
+    elif identity:
+        targets_identities = [identity]
+    elif server:
+        settings = get_settings(config_path)
+        rows = _server_rows_from_settings(settings)
+        match = next((r for r in rows if r["name"] == server), None)
+        if not match:
+            typer.echo(f"Server '{server}' not found in config")
+            raise typer.Exit(1)
+        targets_identities = [match["identity"]]
+    else:
+        typer.echo("Provide --identity, a server name, or use --all")
+        raise typer.Exit(1)
+
+    # Confirm destructive action
+    if not typer.confirm("Remove tokens for the selected server(s) from keyring?", default=False):
+        raise typer.Exit()
+
+    removed_any = False
+    for ident in targets_identities:
+        if clear_keyring_token(ident):
+            removed_any = True
+    if removed_any:
+        typer.echo("Tokens removed.")
+    else:
+        typer.echo("No tokens found or nothing removed.")
+
+
+@app.callback(invoke_without_command=True)
+def main(
+    ctx: typer.Context, config_path: Optional[str] = typer.Option(None, "--config-path", "-c")
+) -> None:
+    """Default to showing status if no subcommand is provided."""
+    if ctx.invoked_subcommand is None:
+        try:
+            status(target=None, config_path=config_path)
+        except Exception as e:
+            typer.echo(f"Error showing auth status: {e}")
+
+
+@app.command()
+def login(
+    target: str = typer.Argument(..., help="Server name (from config) or identity (base URL)"),
+    transport: Optional[str] = typer.Option(
+        None, "--transport", help="Transport for identity mode: http or sse"
+    ),
+    config_path: Optional[str] = typer.Option(None, "--config-path", "-c"),
+) -> None:
+    """Start OAuth flow and store tokens for a server.
+
+    Accepts either a configured server name or an identity (base URL).
+    For identity mode, default transport is 'http' (uses <identity>/mcp).
+    """
+    # Resolve to a minimal MCPServerSettings
+    from fast_agent.config import MCPServerAuthSettings, MCPServerSettings
+    from fast_agent.mcp.oauth_client import build_oauth_provider
+
+    cfg = None
+    resolved_transport = None
+
+    if "://" in target:
+        # Identity mode
+        base = _derive_base_server_url(target)
+        if not base:
+            typer.echo("Invalid identity URL")
+            raise typer.Exit(1)
+        resolved_transport = (transport or "http").lower()
+        if resolved_transport not in ("http", "sse"):
+            typer.echo("--transport must be 'http' or 'sse'")
+            raise typer.Exit(1)
+        endpoint = base + ("/mcp" if resolved_transport == "http" else "/sse")
+        cfg = MCPServerSettings(
+            name=base,
+            transport=resolved_transport,
+            url=endpoint,
+            auth=MCPServerAuthSettings(),
+        )
+    else:
+        # Server name mode
+        settings = get_settings(config_path)
+        servers = getattr(getattr(settings, "mcp", None), "servers", {}) or {}
+        cfg = servers.get(target)
+        if not cfg:
+            typer.echo(f"Server '{target}' not found in config")
+            raise typer.Exit(1)
+        resolved_transport = getattr(cfg, "transport", "")
+        if resolved_transport == "stdio":
+            typer.echo("STDIO servers do not support OAuth")
+            raise typer.Exit(1)
+
+    # Build OAuth provider
+    provider = build_oauth_provider(cfg)
+    if provider is None:
+        typer.echo("OAuth is disabled or misconfigured for this server/identity")
+        raise typer.Exit(1)
+
+    async def _run_login():
+        try:
+            # Use appropriate transport; connect and initialize a minimal session
+            if resolved_transport == "http":
+                from mcp.client.session import ClientSession
+                from mcp.client.streamable_http import streamablehttp_client
+
+                async with streamablehttp_client(
+                    cfg.url or "",
+                    getattr(cfg, "headers", None),
+                    auth=provider,
+                ) as (read_stream, write_stream, _get_session_id):
+                    async with ClientSession(read_stream, write_stream) as session:
+                        await session.initialize()
+                        return True
+            elif resolved_transport == "sse":
+                from mcp.client.session import ClientSession
+                from mcp.client.sse import sse_client
+
+                async with sse_client(
+                    cfg.url or "",
+                    getattr(cfg, "headers", None),
+                    auth=provider,
+                ) as (read_stream, write_stream):
+                    async with ClientSession(read_stream, write_stream) as session:
+                        await session.initialize()
+                        return True
+            else:
+                return False
+        except Exception as e:
+            # Surface concise error; detailed logging is in the library
+            typer.echo(f"Login failed: {e}")
+            return False
+
+    import asyncio
+
+    ok = asyncio.run(_run_login())
+    if ok:
+        from fast_agent.mcp.oauth_client import compute_server_identity
+
+        ident = compute_server_identity(cfg)
+        typer.echo(f"Authenticated. Tokens stored for identity: {ident}")
+    else:
+        raise typer.Exit(1)

fast_agent/cli/commands/check_config.py

@@ -8,18 +8,17 @@ from typing import Optional
 
 import typer
 import yaml
-from rich.console import Console
 from rich.table import Table
 from rich.text import Text
 
 from fast_agent.llm.provider_key_manager import API_KEY_HINT_TEXT, ProviderKeyManager
 from fast_agent.llm.provider_types import Provider
+from fast_agent.ui.console import console
 
 app = typer.Typer(
     help="Check and diagnose FastAgent configuration",
     no_args_is_help=False,  # Allow showing our custom help instead
 )
-console = Console()
 
 
 def find_config_files(start_path: Path) -> dict[str, Optional[Path]]:
@@ -305,6 +304,16 @@ def show_check_summary() -> None:
     env_table.add_column("Setting", style="white")
     env_table.add_column("Value")
 
+    # Determine keyring backend early so it can appear in the top section
+    try:
+        import keyring  # type: ignore
+
+        keyring_backend = keyring.get_keyring()
+        keyring_name = getattr(keyring_backend, "name", keyring_backend.__class__.__name__)
+    except Exception:
+        keyring = None  # type: ignore
+        keyring_name = "unavailable"
+
     # Python info (highlight version and path in green)
     env_table.add_row(
         "Python Version", f"[green]{'.'.join(system_info['python_version'].split('.')[:3])}[/green]"
@@ -339,6 +348,9 @@ def show_check_summary() -> None:
         default_model_value = config_summary.get("default_model", "haiku (system default)")
         env_table.add_row("Default Model", f"[green]{default_model_value}[/green]")
 
+    # Keyring backend (always shown in application-level settings)
+    env_table.add_row("Keyring Backend", f"[green]{keyring_name}[/green]")
+
     console.print(env_table)
 
     # Logger Settings panel with two-column layout
@@ -470,10 +482,15 @@ def show_check_summary() -> None:
     if config_summary.get("status") == "parsed":
         mcp_servers = config_summary.get("mcp_servers", [])
         if mcp_servers:
+            from fast_agent.config import MCPServerSettings
+            from fast_agent.mcp.oauth_client import compute_server_identity
+
             servers_table = Table(show_header=True, box=None)
             servers_table.add_column("Name", style="white", header_style="bold bright_white")
             servers_table.add_column("Transport", style="white", header_style="bold bright_white")
             servers_table.add_column("Command/URL", header_style="bold bright_white")
+            servers_table.add_column("OAuth", header_style="bold bright_white")
+            servers_table.add_column("Token", header_style="bold bright_white")
 
             for server in mcp_servers:
                 name = server["name"]
@@ -489,7 +506,41 @@ def show_check_summary() -> None:
                 if "Not configured" not in command_url:
                     command_url = f"[green]{command_url}[/green]"
 
-                servers_table.add_row(name, transport, command_url)
+                # OAuth status and token presence
+                # Default for unsupported transports (e.g., STDIO): show "-" rather than "off"
+                oauth_status = "[dim]-[/dim]"
+                token_status = "[dim]n/a[/dim]"
+                # Attempt to reconstruct minimal server settings for identity check
+                try:
+                    cfg = MCPServerSettings(
+                        name=name,
+                        transport="sse" if transport == "SSE" else ("stdio" if transport == "STDIO" else "http"),
+                        url=(server.get("url") or None),
+                        auth=server.get("auth") if isinstance(server.get("auth"), dict) else None,
+                    )
+                except Exception:
+                    cfg = None
+
+                if cfg and cfg.transport in ("http", "sse"):
+                    # Determine if OAuth is enabled for this server
+                    oauth_enabled = True
+                    if cfg.auth is not None and hasattr(cfg.auth, "oauth"):
+                        oauth_enabled = bool(getattr(cfg.auth, "oauth"))
+                    oauth_status = "[green]on[/green]" if oauth_enabled else "[dim]off[/dim]"
+
+                    # Only check token presence when using keyring persist
+                    persist = "keyring"
+                    if cfg.auth is not None and hasattr(cfg.auth, "persist"):
+                        persist = getattr(cfg.auth, "persist") or "keyring"
+                    if keyring and persist == "keyring" and oauth_enabled:
+                        identity = compute_server_identity(cfg)
+                        tkey = f"oauth:tokens:{identity}"
+                        has = keyring.get_password("fast-agent-mcp", tkey) is not None
+                        token_status = "[bold green]✓[/bold green]" if has else "[dim]✗[/dim]"
+                    elif persist == "memory" and oauth_enabled:
+                        token_status = "[yellow]memory[/yellow]"
+
+                servers_table.add_row(name, transport, command_url, oauth_status, token_status)
 
             _print_section_header("MCP Servers", color="blue")
             console.print(servers_table)

fast_agent/cli/commands/quickstart.py

@@ -8,11 +8,13 @@ from rich.console import Console
 from rich.panel import Panel
 from rich.table import Table
 
+from fast_agent.ui.console import console as shared_console
+
 app = typer.Typer(
     help="Create fast-agent quickstarts",
     no_args_is_help=False,  # Allow showing our custom help instead
 )
-console = Console()
+console = shared_console
 
 EXAMPLE_TYPES = {
     "workflow": {

fast_agent/cli/commands/server_helpers.py

@@ -89,7 +89,7 @@ async def add_servers_to_config(fast_app: Any, servers: Dict[str, Dict[str, Any]
     ):
         fast_app.app.context.config.mcp.servers = {}
 
-    # Add each server to the config
+    # Add each server to the config (and keep the runtime registry in sync)
     for server_name, server_config in servers.items():
         # Build server settings based on transport type
         server_settings = {"transport": server_config["transport"]}
@@ -103,4 +103,12 @@ async def add_servers_to_config(fast_app: Any, servers: Dict[str, Dict[str, Any]
             if "headers" in server_config:
                 server_settings["headers"] = server_config["headers"]
 
-        fast_app.app.context.config.mcp.servers[server_name] = MCPServerSettings(**server_settings)
+        mcp_server = MCPServerSettings(**server_settings)
+        # Update config model
+        fast_app.app.context.config.mcp.servers[server_name] = mcp_server
+        # Ensure ServerRegistry sees dynamic additions even when no config file exists
+        if (
+            hasattr(fast_app.app.context, "server_registry")
+            and fast_app.app.context.server_registry is not None
+        ):
+            fast_app.app.context.server_registry.registry[server_name] = mcp_server

fast_agent/cli/commands/setup.py

@@ -1,11 +1,12 @@
 from pathlib import Path
 
 import typer
-from rich.console import Console
 from rich.prompt import Confirm
 
+from fast_agent.ui.console import console as shared_console
+
 app = typer.Typer()
-console = Console()
+console = shared_console
 
 
 def load_template_text(filename: str) -> str:

fast_agent/cli/constants.py

@@ -22,4 +22,4 @@ GO_SPECIFIC_OPTIONS = {
 }
 
 # Known subcommands that should not trigger auto-routing
-KNOWN_SUBCOMMANDS = {"go", "setup", "check", "bootstrap", "quickstart", "--help", "-h", "--version"}
+KNOWN_SUBCOMMANDS = {"go", "setup", "check", "auth", "bootstrap", "quickstart", "--help", "-h", "--version"}

fast_agent/cli/main.py

@@ -3,7 +3,7 @@
 import typer
 from rich.table import Table
 
-from fast_agent.cli.commands import check_config, go, quickstart, setup
+from fast_agent.cli.commands import auth, check_config, go, quickstart, setup
 from fast_agent.cli.terminal import Application
 from fast_agent.ui.console import console as shared_console
 
@@ -16,6 +16,7 @@ app = typer.Typer(
 app.add_typer(go.app, name="go", help="Run an interactive agent directly from the command line")
 app.add_typer(setup.app, name="setup", help="Set up a new agent project")
 app.add_typer(check_config.app, name="check", help="Show or diagnose fast-agent configuration")
+app.add_typer(auth.app, name="auth", help="Manage OAuth authentication for MCP servers")
 app.add_typer(quickstart.app, name="bootstrap", help="Create example applications")
 app.add_typer(quickstart.app, name="quickstart", help="Create example applications")
 
@@ -62,6 +63,7 @@ def show_welcome() -> None:
 
     table.add_row("[bold]go[/bold]", "Start an interactive session")
     table.add_row("check", "Show current configuration")
+    table.add_row("auth", "Manage OAuth tokens and keyring")
     table.add_row("setup", "Create agent template and configuration")
     table.add_row("quickstart", "Create example applications (workflow, researcher, etc.)")