golf-mcp 0.2.0__tar.gz → 0.2.3__tar.gz

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/MANIFEST.in

@@ -1,6 +1,7 @@
 include README.md
 include LICENSE
 include pyproject.toml
+include src/golf/_endpoints.py.in
 graft .docs
 graft src/golf/examples
 

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: golf-mcp
-Version: 0.2.0
+Version: 0.2.3
 Summary: Framework for building MCP servers
 Author-email: Antoni Gmitruk <antoni@golf.dev>
 License-Expression: Apache-2.0

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "golf-mcp"
-version = "0.2.0"
+version = "0.2.3"
 description = "Framework for building MCP servers"
 authors = [
     {name = "Antoni Gmitruk", email = "antoni@golf.dev"}
@@ -66,7 +66,7 @@ golf = ["examples/**/*"]
 
 [tool.poetry]
 name = "golf-mcp"
-version = "0.1.20"
+version = "0.2.3"
 description = "Framework for building MCP servers with zero boilerplate"
 authors = ["Antoni Gmitruk <antoni@golf.dev>"]
 license = "Apache-2.0"

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/src/golf/__init__.py

@@ -1,4 +1,4 @@
-__version__ = "0.2.0"
+__version__ = "0.2.3"
 
 # Import endpoints with fallback for dev mode
 try:

golf_mcp-0.2.3/src/golf/_endpoints.py.in

@@ -0,0 +1,6 @@
+# Auto-generated at build time by setup.py:build_py
+# This template contains placeholders that are replaced during build
+
+# Platform endpoints
+PLATFORM_API_URL = "{PLATFORM_API_URL}"
+OTEL_ENDPOINT = "{OTEL_ENDPOINT}"

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/src/golf/auth/__init__.py

@@ -14,6 +14,7 @@ from .providers import (
     StaticTokenConfig,
     OAuthServerConfig,
     RemoteAuthConfig,
+    OAuthProxyConfig,
 )
 from .factory import (
     create_auth_provider,
@@ -44,6 +45,7 @@ __all__ = [
     "configure_auth",
     "configure_jwt_auth",
     "configure_dev_auth",
+    "configure_oauth_proxy",
     "get_auth_config",
     # Provider configurations
     "AuthConfig",
@@ -51,6 +53,7 @@ __all__ = [
     "StaticTokenConfig",
     "OAuthServerConfig",
     "RemoteAuthConfig",
+    "OAuthProxyConfig",
     # Factory functions
     "create_auth_provider",
     "create_simple_jwt_provider",
@@ -191,6 +194,51 @@ def configure_dev_auth(
     configure_auth(config)
 
 
+def configure_oauth_proxy(
+    upstream_authorization_endpoint: str,
+    upstream_token_endpoint: str,
+    upstream_client_id: str,
+    upstream_client_secret: str,
+    base_url: str,
+    token_verifier_config: JWTAuthConfig | StaticTokenConfig,
+    scopes_supported: list[str] | None = None,
+    upstream_revocation_endpoint: str | None = None,
+    redirect_path: str = "/oauth/callback",
+) -> None:
+    """Configure OAuth proxy authentication for non-DCR providers.
+
+    This sets up an OAuth proxy that bridges MCP clients (expecting DCR) with
+    traditional OAuth providers like GitHub, Google, Okta Web Apps that use
+    fixed client credentials.
+
+    Args:
+        upstream_authorization_endpoint: Provider's authorization URL
+        upstream_token_endpoint: Provider's token endpoint URL
+        upstream_client_id: Your client ID registered with the provider
+        upstream_client_secret: Your client secret from the provider
+        base_url: This proxy server's public URL
+        token_verifier_config: JWT or static token config for token verification
+        scopes_supported: Scopes to advertise to MCP clients
+        upstream_revocation_endpoint: Optional token revocation endpoint
+        redirect_path: OAuth callback path (default: /oauth/callback)
+
+    Note:
+        Requires golf-mcp-enterprise package for implementation.
+    """
+    config = OAuthProxyConfig(
+        upstream_authorization_endpoint=upstream_authorization_endpoint,
+        upstream_token_endpoint=upstream_token_endpoint,
+        upstream_client_id=upstream_client_id,
+        upstream_client_secret=upstream_client_secret,
+        upstream_revocation_endpoint=upstream_revocation_endpoint,
+        base_url=base_url,
+        redirect_path=redirect_path,
+        scopes_supported=scopes_supported or [],
+        token_verifier_config=token_verifier_config,
+    )
+    configure_auth(config)
+
+
 def get_auth_config() -> AuthConfig | None:
     """Get the current auth configuration.
 

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/src/golf/auth/factory.py

@@ -17,6 +17,7 @@ from .providers import (
     StaticTokenConfig,
     OAuthServerConfig,
     RemoteAuthConfig,
+    OAuthProxyConfig,
 )
 from .registry import (
     get_provider_registry,
@@ -55,6 +56,8 @@ def create_auth_provider(config: AuthConfig) -> "AuthProvider":
             return _create_oauth_server_provider(config)
         elif config.provider_type == "remote":
             return _create_remote_provider(config)
+        elif config.provider_type == "oauth_proxy":
+            return _create_oauth_proxy_provider(config)
         else:
             raise ValueError(f"Unknown provider type: {config.provider_type}") from None
 
@@ -238,6 +241,11 @@ def _create_remote_provider(config: RemoteAuthConfig) -> "AuthProvider":
     if not hasattr(token_verifier, "verify_token"):
         raise ValueError(f"Remote auth provider requires a TokenVerifier, got {type(token_verifier).__name__}")
 
+    # Update token verifier's required_scopes to match our scopes_supported for PRM
+    # RemoteAuthProvider uses token_verifier.required_scopes for scopes_supported in PRM
+    if config.scopes_supported and hasattr(token_verifier, "required_scopes"):
+        token_verifier.required_scopes = list(config.scopes_supported)
+
     return RemoteAuthProvider(
         token_verifier=token_verifier,
         authorization_servers=authorization_servers,
@@ -245,6 +253,22 @@ def _create_remote_provider(config: RemoteAuthConfig) -> "AuthProvider":
     )
 
 
+def _create_oauth_proxy_provider(config: OAuthProxyConfig) -> "AuthProvider":
+    """Create OAuth proxy provider - requires enterprise package."""
+    try:
+        # Try to import from enterprise package
+        from golf_enterprise import create_oauth_proxy_provider
+
+        return create_oauth_proxy_provider(config)
+    except ImportError as e:
+        raise ImportError(
+            "OAuth Proxy requires golf-mcp-enterprise package. "
+            "This feature provides OAuth proxy functionality for non-DCR providers "
+            "(GitHub, Google, Okta Web Apps, etc.). "
+            "Contact sales@golf.dev for enterprise licensing."
+        ) from e
+
+
 def create_simple_jwt_provider(
     *,
     jwks_uri: str | None = None,
@@ -319,6 +343,8 @@ def register_builtin_providers() -> None:
     - static: Static token verification (development)
     - oauth_server: Full OAuth authorization server
     - remote: Remote authorization server integration
+
+    Note: oauth_proxy provider is registered by the golf-mcp-enterprise package
     """
     registry = get_provider_registry()
 
@@ -327,6 +353,7 @@ def register_builtin_providers() -> None:
     registry.register_factory("static", _create_static_provider)
     registry.register_factory("oauth_server", _create_oauth_server_provider)
     registry.register_factory("remote", _create_remote_provider)
+    # oauth_proxy is registered by golf-mcp-enterprise package when installed
 
 
 # Register built-in providers when module is imported

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/src/golf/auth/providers.py

@@ -299,6 +299,12 @@ class RemoteAuthConfig(BaseModel):
     # This server's URL
     resource_server_url: str = Field(..., description="URL of this resource server")
 
+    # Scopes this resource supports (advertised via /.well-known/oauth-protected-resource)
+    scopes_supported: list[str] = Field(
+        default_factory=list,
+        description="Scopes this resource supports (advertised via /.well-known/oauth-protected-resource)",
+    )
+
     # Token verification (delegate to another config)
     token_verifier_config: JWTAuthConfig | StaticTokenConfig = Field(
         ..., description="Configuration for the underlying token verifier"
@@ -362,6 +368,45 @@ class RemoteAuthConfig(BaseModel):
 
         return url
 
+    @field_validator("scopes_supported")
+    @classmethod
+    def validate_scopes_supported(cls, v: list[str]) -> list[str]:
+        """Validate scopes_supported format and security."""
+        if not v:
+            return v
+
+        cleaned_scopes = []
+        for scope in v:
+            scope = scope.strip()
+            if not scope:
+                raise ValueError("Scopes cannot be empty or whitespace-only")
+
+            # OAuth 2.0 scope format validation (RFC 6749)
+            if not all(32 < ord(c) < 127 and c not in ' "\\' for c in scope):
+                raise ValueError(
+                    f"Invalid scope format: '{scope}' - must be ASCII printable without spaces, quotes, or backslashes"
+                )
+
+            # Reasonable length limit to prevent abuse
+            if len(scope) > 128:
+                raise ValueError(f"Scope too long: '{scope}' - maximum 128 characters")
+
+            # Warn about potentially dangerous scope names
+            dangerous_scopes = {"admin", "root", "superuser", "system", "*", "all"}
+            if scope.lower() in dangerous_scopes:
+                import warnings
+
+                warnings.warn(
+                    f"Potentially dangerous scope detected: '{scope}'. "
+                    "Consider using more specific, principle-of-least-privilege scopes.",
+                    UserWarning,
+                    stacklevel=2,
+                )
+
+            cleaned_scopes.append(scope)
+
+        return cleaned_scopes
+
     @model_validator(mode="after")
     def validate_token_verifier_compatibility(self) -> "RemoteAuthConfig":
         """Validate that the token verifier config is compatible with token verification."""
@@ -389,8 +434,181 @@ class RemoteAuthConfig(BaseModel):
         if isinstance(config, StaticTokenConfig) and not config.tokens:
             raise ValueError("Static token verifier config must provide at least one token")
 
+        # Convenience: if user didn't set scopes_supported, default to verifier.required_scopes
+        if not self.scopes_supported:
+            if hasattr(config, "required_scopes") and config.required_scopes:
+                self.scopes_supported = list(config.required_scopes)
+
+        return self
+
+
+class OAuthProxyConfig(BaseModel):
+    """Configuration for OAuth proxy functionality (requires golf-mcp-enterprise).
+
+    This configuration enables bridging MCP clients (which expect Dynamic Client
+    Registration) with OAuth providers that use fixed client credentials like
+    GitHub Apps, Google Cloud Console apps, Okta Web Applications, etc.
+
+    The proxy acts as a DCR-capable authorization server to MCP clients while
+    using your fixed upstream client credentials with the actual OAuth provider.
+
+    Note: This class provides configuration only. The actual implementation
+    requires the golf-mcp-enterprise package.
+    """
+
+    provider_type: Literal["oauth_proxy"] = "oauth_proxy"
+
+    # Upstream OAuth provider configuration
+    upstream_authorization_endpoint: str = Field(..., description="Upstream provider's authorization endpoint URL")
+    upstream_token_endpoint: str = Field(..., description="Upstream provider's token endpoint URL")
+    upstream_client_id: str = Field(..., description="Your registered client ID with the upstream provider")
+    upstream_client_secret: str = Field(..., description="Your registered client secret with the upstream provider")
+    upstream_revocation_endpoint: str | None = Field(None, description="Optional upstream token revocation endpoint")
+
+    # This proxy server configuration
+    base_url: str = Field(..., description="Public URL of this OAuth proxy server")
+    redirect_path: str = Field("/oauth/callback", description="OAuth callback path (must match provider registration)")
+
+    # Scopes and token verification
+    scopes_supported: list[str] = Field(default_factory=list, description="Scopes supported by this proxy")
+    token_verifier_config: JWTAuthConfig | StaticTokenConfig = Field(
+        ..., description="Token verifier configuration for validating upstream tokens"
+    )
+
+    # Environment variable names for runtime configuration
+    upstream_authorization_endpoint_env_var: str | None = Field(
+        None, description="Environment variable name for upstream authorization endpoint"
+    )
+    upstream_token_endpoint_env_var: str | None = Field(
+        None, description="Environment variable name for upstream token endpoint"
+    )
+    upstream_client_id_env_var: str | None = Field(None, description="Environment variable name for upstream client ID")
+    upstream_client_secret_env_var: str | None = Field(
+        None, description="Environment variable name for upstream client secret"
+    )
+    upstream_revocation_endpoint_env_var: str | None = Field(
+        None, description="Environment variable name for upstream revocation endpoint"
+    )
+    base_url_env_var: str | None = Field(None, description="Environment variable name for base URL")
+
+    @field_validator("upstream_authorization_endpoint", "upstream_token_endpoint", "base_url")
+    @classmethod
+    def validate_required_urls(cls, v: str) -> str:
+        """Validate required URLs are properly formatted."""
+        if not v or not v.strip():
+            raise ValueError("URL cannot be empty")
+
+        url = v.strip()
+        try:
+            from urllib.parse import urlparse
+
+            parsed = urlparse(url)
+            if not parsed.scheme or not parsed.netloc:
+                raise ValueError(f"Invalid URL format: '{url}' - must include scheme and netloc")
+            if parsed.scheme not in ("http", "https"):
+                raise ValueError(f"URL must use http or https scheme: '{url}'")
+        except Exception as e:
+            if isinstance(e, ValueError):
+                raise
+            raise ValueError(f"Invalid URL '{url}': {e}") from e
+
+        return url
+
+    @field_validator("upstream_revocation_endpoint")
+    @classmethod
+    def validate_optional_url(cls, v: str | None) -> str | None:
+        """Validate optional URLs are properly formatted."""
+        if not v:
+            return v
+
+        url = v.strip()
+        if not url:
+            return None
+
+        try:
+            from urllib.parse import urlparse
+
+            parsed = urlparse(url)
+            if not parsed.scheme or not parsed.netloc:
+                raise ValueError(f"Invalid URL format: '{url}' - must include scheme and netloc")
+            if parsed.scheme not in ("http", "https"):
+                raise ValueError(f"URL must use http or https scheme: '{url}'")
+        except Exception as e:
+            if isinstance(e, ValueError):
+                raise
+            raise ValueError(f"Invalid URL '{url}': {e}") from e
+
+        return url
+
+    @field_validator("scopes_supported")
+    @classmethod
+    def validate_scopes_supported(cls, v: list[str]) -> list[str]:
+        """Validate scopes_supported format and security."""
+        if not v:
+            return v
+
+        cleaned_scopes = []
+        for scope in v:
+            scope = scope.strip()
+            if not scope:
+                raise ValueError("Scopes cannot be empty or whitespace-only")
+
+            # OAuth 2.0 scope format validation (RFC 6749)
+            if not all(32 < ord(c) < 127 and c not in ' "\\' for c in scope):
+                raise ValueError(
+                    f"Invalid scope format: '{scope}' - must be ASCII printable without spaces, quotes, or backslashes"
+                )
+
+            # Reasonable length limit to prevent abuse
+            if len(scope) > 128:
+                raise ValueError(f"Scope too long: '{scope}' - maximum 128 characters")
+
+            cleaned_scopes.append(scope)
+
+        return cleaned_scopes
+
+    @model_validator(mode="after")
+    def validate_oauth_proxy_config(self) -> "OAuthProxyConfig":
+        """Validate OAuth proxy configuration consistency."""
+        # Validate token verifier config is compatible
+        if not isinstance(self.token_verifier_config, JWTAuthConfig | StaticTokenConfig):
+            raise ValueError(
+                f"token_verifier_config must be JWTAuthConfig or StaticTokenConfig, got {type(self.token_verifier_config).__name__}"
+            )
+
+        # Warn about HTTPS requirements in production
+        is_production = (
+            os.environ.get("GOLF_ENV", "").lower() in ("prod", "production")
+            or os.environ.get("NODE_ENV", "").lower() == "production"
+            or os.environ.get("ENVIRONMENT", "").lower() in ("prod", "production")
+        )
+
+        if is_production:
+            from urllib.parse import urlparse
+
+            urls_to_check = [
+                ("base_url", self.base_url),
+                ("upstream_authorization_endpoint", self.upstream_authorization_endpoint),
+                ("upstream_token_endpoint", self.upstream_token_endpoint),
+            ]
+
+            if self.upstream_revocation_endpoint:
+                urls_to_check.append(("upstream_revocation_endpoint", self.upstream_revocation_endpoint))
+
+            for field_name, url in urls_to_check:
+                parsed = urlparse(url)
+                if parsed.scheme == "http":
+                    import warnings
+
+                    warnings.warn(
+                        f"OAuth proxy {field_name} '{url}' uses HTTP in production environment. "
+                        "HTTPS is strongly recommended for OAuth endpoints to prevent token interception.",
+                        UserWarning,
+                        stacklevel=2,
+                    )
+
         return self
 
 
 # Union type for all auth configurations
-AuthConfig = JWTAuthConfig | StaticTokenConfig | OAuthServerConfig | RemoteAuthConfig
+AuthConfig = JWTAuthConfig | StaticTokenConfig | OAuthServerConfig | RemoteAuthConfig | OAuthProxyConfig

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/src/golf/core/builder_auth.py

@@ -52,7 +52,7 @@ def generate_auth_code(
         "import os",
         "import sys",
         "from golf.auth.factory import create_auth_provider",
-        "from golf.auth.providers import RemoteAuthConfig, JWTAuthConfig, StaticTokenConfig, OAuthServerConfig",
+        "from golf.auth.providers import RemoteAuthConfig, JWTAuthConfig, StaticTokenConfig, OAuthServerConfig, OAuthProxyConfig",
     ]
 
     # Embed the auth configuration directly in the generated code
@@ -64,7 +64,7 @@ def generate_auth_code(
         f"auth_config = {auth_config_repr}",
         "try:",
         "    auth_provider = create_auth_provider(auth_config)",
-        "    print(f'Authentication configured with {auth_config.provider_type} provider')",
+        "    # Authentication configured with {auth_config.provider_type} provider",
         "except Exception as e:",
         "    print(f'Authentication setup failed: {e}', file=sys.stderr)",
         "    auth_provider = None",
@@ -203,7 +203,7 @@ if auth_provider and hasattr(auth_provider, 'get_routes'):
         # Add routes to FastMCP's additional HTTP routes list
         try:
             mcp._additional_http_routes.extend(auth_routes)
-            print(f"Added {len(auth_routes)} OAuth metadata routes")
+            # Added {len(auth_routes)} OAuth metadata routes
         except Exception as e:
             print(f"Warning: Failed to add OAuth routes: {e}")
 """

{golf_mcp-0.2.0 → golf_mcp-0.2.3}/src/golf_mcp.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: golf-mcp
-Version: 0.2.0
+Version: 0.2.3
 Summary: Framework for building MCP servers
 Author-email: Antoni Gmitruk <antoni@golf.dev>
 License-Expression: Apache-2.0

golf_mcp-0.2.3/src/golf_mcp.egg-info/SOURCES.txt

@@ -0,0 +1,63 @@
+LICENSE
+MANIFEST.in
+README.md
+pyproject.toml
+setup.py
+.docs/docs.md
+.docs/fastmcp-diff.md
+.docs/mcp.md
+src/golf/__init__.py
+src/golf/_endpoints.py.in
+src/golf/_endpoints_fallback.py
+src/golf/auth/__init__.py
+src/golf/auth/api_key.py
+src/golf/auth/factory.py
+src/golf/auth/helpers.py
+src/golf/auth/providers.py
+src/golf/auth/registry.py
+src/golf/cli/__init__.py
+src/golf/cli/branding.py
+src/golf/cli/main.py
+src/golf/commands/__init__.py
+src/golf/commands/build.py
+src/golf/commands/init.py
+src/golf/commands/run.py
+src/golf/core/__init__.py
+src/golf/core/builder.py
+src/golf/core/builder_auth.py
+src/golf/core/builder_metrics.py
+src/golf/core/builder_telemetry.py
+src/golf/core/config.py
+src/golf/core/parser.py
+src/golf/core/platform.py
+src/golf/core/telemetry.py
+src/golf/core/transformer.py
+src/golf/examples/__init__.py
+src/golf/examples/basic/.env.example
+src/golf/examples/basic/README.md
+src/golf/examples/basic/auth.py
+src/golf/examples/basic/golf.json
+src/golf/examples/basic/prompts/welcome.py
+src/golf/examples/basic/resources/current_time.py
+src/golf/examples/basic/resources/info.py
+src/golf/examples/basic/resources/weather/city.py
+src/golf/examples/basic/resources/weather/common.py
+src/golf/examples/basic/resources/weather/current.py
+src/golf/examples/basic/resources/weather/forecast.py
+src/golf/examples/basic/tools/calculator.py
+src/golf/examples/basic/tools/say/hello.py
+src/golf/metrics/__init__.py
+src/golf/metrics/collector.py
+src/golf/metrics/registry.py
+src/golf/telemetry/__init__.py
+src/golf/telemetry/instrumentation.py
+src/golf/utilities/__init__.py
+src/golf/utilities/context.py
+src/golf/utilities/elicitation.py
+src/golf/utilities/sampling.py
+src/golf_mcp.egg-info/PKG-INFO
+src/golf_mcp.egg-info/SOURCES.txt
+src/golf_mcp.egg-info/dependency_links.txt
+src/golf_mcp.egg-info/entry_points.txt
+src/golf_mcp.egg-info/requires.txt
+src/golf_mcp.egg-info/top_level.txt

golf_mcp-0.2.0/src/golf/examples/basic/htmlcov/.gitignore

@@ -1,2 +0,0 @@
-# Created by coverage.py
-*