PyPI - golf-mcp - Versions diffs - 0.2.16__py3-none-any.whl - Mend

golf-mcp 0.2.16__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

golf/__init__.py +1 -0
golf/auth/__init__.py +277 -0
golf/auth/api_key.py +73 -0
golf/auth/factory.py +360 -0
golf/auth/helpers.py +175 -0
golf/auth/providers.py +586 -0
golf/auth/registry.py +256 -0
golf/cli/__init__.py +1 -0
golf/cli/branding.py +191 -0
golf/cli/main.py +377 -0
golf/commands/__init__.py +5 -0
golf/commands/build.py +81 -0
golf/commands/init.py +290 -0
golf/commands/run.py +137 -0
golf/core/__init__.py +1 -0
golf/core/builder.py +1884 -0
golf/core/builder_auth.py +209 -0
golf/core/builder_metrics.py +221 -0
golf/core/builder_telemetry.py +99 -0
golf/core/config.py +199 -0
golf/core/parser.py +1085 -0
golf/core/telemetry.py +492 -0
golf/core/transformer.py +231 -0
golf/examples/__init__.py +0 -0
golf/examples/basic/.env.example +4 -0
golf/examples/basic/README.md +133 -0
golf/examples/basic/auth.py +76 -0
golf/examples/basic/golf.json +5 -0
golf/examples/basic/prompts/welcome.py +27 -0
golf/examples/basic/resources/current_time.py +34 -0
golf/examples/basic/resources/info.py +28 -0
golf/examples/basic/resources/weather/city.py +46 -0
golf/examples/basic/resources/weather/client.py +48 -0
golf/examples/basic/resources/weather/current.py +36 -0
golf/examples/basic/resources/weather/forecast.py +36 -0
golf/examples/basic/tools/calculator.py +94 -0
golf/examples/basic/tools/say/hello.py +65 -0
golf/metrics/__init__.py +10 -0
golf/metrics/collector.py +320 -0
golf/metrics/registry.py +12 -0
golf/telemetry/__init__.py +23 -0
golf/telemetry/instrumentation.py +1402 -0
golf/utilities/__init__.py +12 -0
golf/utilities/context.py +53 -0
golf/utilities/elicitation.py +170 -0
golf/utilities/sampling.py +221 -0
golf_mcp-0.2.16.dist-info/METADATA +262 -0
golf_mcp-0.2.16.dist-info/RECORD +52 -0
golf_mcp-0.2.16.dist-info/WHEEL +5 -0
golf_mcp-0.2.16.dist-info/entry_points.txt +2 -0
golf_mcp-0.2.16.dist-info/licenses/LICENSE +201 -0
golf_mcp-0.2.16.dist-info/top_level.txt +1 -0

golf/auth/factory.py ADDED Viewed

@@ -0,0 +1,360 @@
+"""Factory functions for creating FastMCP authentication providers."""
+import os
+from typing import Any
+# Import these at runtime to avoid import errors during Golf installation
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from fastmcp.server.auth.auth import AuthProvider
+    from fastmcp.server.auth import JWTVerifier, StaticTokenVerifier
+from mcp.server.auth.settings import RevocationOptions
+from .providers import (
+    AuthConfig,
+    JWTAuthConfig,
+    StaticTokenConfig,
+    OAuthServerConfig,
+    RemoteAuthConfig,
+    OAuthProxyConfig,
+)
+from .registry import (
+    get_provider_registry,
+    create_auth_provider_from_registry,
+)
+def create_auth_provider(config: AuthConfig) -> "AuthProvider":
+    """Create a FastMCP AuthProvider from Golf auth configuration.
+    This function uses the provider registry system to allow extensibility.
+    Built-in providers are automatically registered, and custom providers
+    can be added via the registry system.
+    Args:
+        config: Golf authentication configuration
+    Returns:
+        Configured FastMCP AuthProvider instance
+    Raises:
+        ValueError: If configuration is invalid
+        ImportError: If required dependencies are missing
+        KeyError: If provider type is not registered
+    """
+    try:
+        return create_auth_provider_from_registry(config)
+    except KeyError:
+        # Fall back to legacy dispatch for backward compatibility
+        # This ensures existing code continues to work during transition
+        if config.provider_type == "jwt":
+            return _create_jwt_provider(config)
+        elif config.provider_type == "static":
+            return _create_static_provider(config)
+        elif config.provider_type == "oauth_server":
+            return _create_oauth_server_provider(config)
+        elif config.provider_type == "remote":
+            return _create_remote_provider(config)
+        elif config.provider_type == "oauth_proxy":
+            return _create_oauth_proxy_provider(config)
+        else:
+            raise ValueError(f"Unknown provider type: {config.provider_type}") from None
+def _create_jwt_provider(config: JWTAuthConfig) -> "JWTVerifier":
+    """Create JWT token verifier from configuration."""
+    # Resolve runtime values from environment variables
+    public_key = config.public_key
+    if config.public_key_env_var:
+        env_value = os.environ.get(config.public_key_env_var)
+        if env_value:
+            public_key = env_value
+    jwks_uri = config.jwks_uri
+    if config.jwks_uri_env_var:
+        env_value = os.environ.get(config.jwks_uri_env_var)
+        if env_value:
+            jwks_uri = env_value
+    issuer = config.issuer
+    if config.issuer_env_var:
+        env_value = os.environ.get(config.issuer_env_var)
+        if env_value:
+            issuer = env_value
+    audience = config.audience
+    if config.audience_env_var:
+        env_value = os.environ.get(config.audience_env_var)
+        if env_value:
+            # Handle both string and comma-separated list
+            if "," in env_value:
+                audience = [s.strip() for s in env_value.split(",")]
+            else:
+                audience = env_value
+    # Validate configuration
+    if not public_key and not jwks_uri:
+        raise ValueError("Either public_key or jwks_uri must be provided for JWT verification")
+    if public_key and jwks_uri:
+        raise ValueError("Provide either public_key or jwks_uri, not both")
+    try:
+        from fastmcp.server.auth import JWTVerifier
+    except ImportError as e:
+        raise ImportError("JWTVerifier not available. Please install fastmcp>=2.11.0") from e
+    return JWTVerifier(
+        public_key=public_key,
+        jwks_uri=jwks_uri,
+        issuer=issuer,
+        audience=audience,
+        algorithm=config.algorithm,
+        required_scopes=config.required_scopes,
+    )
+def _create_static_provider(config: StaticTokenConfig) -> "StaticTokenVerifier":
+    """Create static token verifier from configuration."""
+    if not config.tokens:
+        raise ValueError("Static token provider requires at least one token")
+    try:
+        from fastmcp.server.auth import StaticTokenVerifier
+    except ImportError as e:
+        raise ImportError("StaticTokenVerifier not available. Please install fastmcp>=2.11.0") from e
+    return StaticTokenVerifier(
+        tokens=config.tokens,
+        required_scopes=config.required_scopes,
+    )
+def _create_oauth_server_provider(config: OAuthServerConfig) -> "AuthProvider":
+    """Create OAuth authorization server provider from configuration."""
+    try:
+        from fastmcp.server.auth import OAuthProvider
+    except ImportError as e:
+        raise ImportError(
+            "OAuthProvider not available in this FastMCP version. Please upgrade to FastMCP 2.11.0 or later."
+        ) from e
+    # Resolve runtime values from environment variables with validation
+    base_url = config.base_url
+    if config.base_url_env_var:
+        env_value = os.environ.get(config.base_url_env_var)
+        if env_value:
+            # Apply the same validation as the config field to env var value
+            try:
+                from urllib.parse import urlparse
+                env_value = env_value.strip()
+                parsed = urlparse(env_value)
+                if not parsed.scheme or not parsed.netloc:
+                    raise ValueError(
+                        f"Invalid base URL from environment variable {config.base_url_env_var}: '{env_value}'"
+                    )
+                if parsed.scheme not in ("http", "https"):
+                    raise ValueError(f"Base URL from environment must use http/https: '{env_value}'")
+                # Production HTTPS check
+                is_production = (
+                    os.environ.get("GOLF_ENV", "").lower() in ("prod", "production")
+                    or os.environ.get("NODE_ENV", "").lower() == "production"
+                    or os.environ.get("ENVIRONMENT", "").lower() in ("prod", "production")
+                )
+                if is_production and parsed.scheme == "http":
+                    raise ValueError(f"Base URL must use HTTPS in production: '{env_value}'")
+                base_url = env_value
+            except Exception as e:
+                raise ValueError(f"Invalid base URL from environment variable {config.base_url_env_var}: {e}") from e
+    # Additional security validations before creating provider
+    from urllib.parse import urlparse
+    # Validate final base_url
+    parsed_base = urlparse(base_url)
+    if not parsed_base.scheme or not parsed_base.netloc:
+        raise ValueError(f"Invalid base URL: '{base_url}'")
+    # Security check: prevent localhost in production
+    is_production = (
+        os.environ.get("GOLF_ENV", "").lower() in ("prod", "production")
+        or os.environ.get("NODE_ENV", "").lower() == "production"
+        or os.environ.get("ENVIRONMENT", "").lower() in ("prod", "production")
+    )
+    if is_production and parsed_base.hostname in ("localhost", "127.0.0.1", "0.0.0.0"):
+        raise ValueError(f"Cannot use localhost/loopback addresses in production: '{base_url}'")
+    # Client registration options - always disabled for security
+    client_reg_options = None
+    # Create revocation options
+    revocation_options = None
+    if config.allow_token_revocation:
+        revocation_options = RevocationOptions(enabled=True)
+    return OAuthProvider(
+        base_url=base_url,
+        issuer_url=config.issuer_url,
+        service_documentation_url=config.service_documentation_url,
+        client_registration_options=client_reg_options,
+        revocation_options=revocation_options,
+        required_scopes=config.required_scopes,
+    )
+def _create_remote_provider(config: RemoteAuthConfig) -> "AuthProvider":
+    """Create remote auth provider from configuration."""
+    try:
+        from fastmcp.server.auth import RemoteAuthProvider
+    except ImportError as e:
+        raise ImportError(
+            "RemoteAuthProvider not available in this FastMCP version. Please upgrade to FastMCP 2.11.0 or later."
+        ) from e
+    # Resolve runtime values from environment variables
+    authorization_servers = config.authorization_servers
+    if config.authorization_servers_env_var:
+        env_value = os.environ.get(config.authorization_servers_env_var)
+        if env_value:
+            # Split comma-separated values and strip whitespace
+            authorization_servers = [s.strip() for s in env_value.split(",")]
+    resource_server_url = config.resource_server_url
+    if config.resource_server_url_env_var:
+        env_value = os.environ.get(config.resource_server_url_env_var)
+        if env_value:
+            resource_server_url = env_value
+    # Create the underlying token verifier
+    token_verifier = create_auth_provider(config.token_verifier_config)
+    # Ensure it's actually a TokenVerifier
+    if not hasattr(token_verifier, "verify_token"):
+        raise ValueError(f"Remote auth provider requires a TokenVerifier, got {type(token_verifier).__name__}")
+    # Update token verifier's required_scopes to match our scopes_supported for PRM
+    # RemoteAuthProvider uses token_verifier.required_scopes for scopes_supported in PRM
+    if config.scopes_supported and hasattr(token_verifier, "required_scopes"):
+        token_verifier.required_scopes = list(config.scopes_supported)
+    return RemoteAuthProvider(
+        token_verifier=token_verifier,
+        authorization_servers=authorization_servers,
+        resource_server_url=resource_server_url,
+    )
+def _create_oauth_proxy_provider(config: OAuthProxyConfig) -> "AuthProvider":
+    """Create OAuth proxy provider - requires enterprise package."""
+    try:
+        # Try to import from enterprise package
+        from golf_enterprise import create_oauth_proxy_provider
+        return create_oauth_proxy_provider(config)
+    except ImportError as e:
+        raise ImportError(
+            "OAuth Proxy requires golf-mcp-enterprise package. "
+            "This feature provides OAuth proxy functionality for non-DCR providers "
+            "(GitHub, Google, Okta Web Apps, etc.). "
+            "Contact sales@golf.dev for enterprise licensing."
+        ) from e
+def create_simple_jwt_provider(
+    *,
+    jwks_uri: str | None = None,
+    public_key: str | None = None,
+    issuer: str | None = None,
+    audience: str | list[str] | None = None,
+    required_scopes: list[str] | None = None,
+) -> "JWTVerifier":
+    """Create a simple JWT provider for common use cases.
+    This is a convenience function for creating JWT providers without
+    having to construct the full configuration objects.
+    Args:
+        jwks_uri: JWKS URI for key fetching
+        public_key: Static public key (PEM format)
+        issuer: Expected issuer claim
+        audience: Expected audience claim(s)
+        required_scopes: Required scopes for all requests
+    Returns:
+        Configured JWTVerifier instance
+    """
+    config = JWTAuthConfig(
+        jwks_uri=jwks_uri,
+        public_key=public_key,
+        issuer=issuer,
+        audience=audience,
+        required_scopes=required_scopes or [],
+    )
+    return _create_jwt_provider(config)
+def create_dev_token_provider(
+    tokens: dict[str, Any] | None = None,
+    required_scopes: list[str] | None = None,
+) -> "StaticTokenVerifier":
+    """Create a static token provider for development.
+    Args:
+        tokens: Token dictionary or None for default dev tokens
+        required_scopes: Required scopes for all requests
+    Returns:
+        Configured StaticTokenVerifier instance
+    """
+    if tokens is None:
+        # Default development tokens
+        tokens = {
+            "dev-token-123": {
+                "client_id": "dev-client",
+                "scopes": ["read", "write"],
+            },
+            "admin-token-456": {
+                "client_id": "admin-client",
+                "scopes": ["read", "write", "admin"],
+            },
+        }
+    config = StaticTokenConfig(
+        tokens=tokens,
+        required_scopes=required_scopes or [],
+    )
+    return _create_static_provider(config)
+def register_builtin_providers() -> None:
+    """Register built-in authentication providers in the registry.
+    This function registers the standard Golf authentication providers:
+    - jwt: JWT token verification
+    - static: Static token verification (development)
+    - oauth_server: Full OAuth authorization server
+    - remote: Remote authorization server integration
+    Note: oauth_proxy provider is registered by the golf-mcp-enterprise package
+    """
+    registry = get_provider_registry()
+    # Register built-in provider factories
+    registry.register_factory("jwt", _create_jwt_provider)
+    registry.register_factory("static", _create_static_provider)
+    registry.register_factory("oauth_server", _create_oauth_server_provider)
+    registry.register_factory("remote", _create_remote_provider)
+    # oauth_proxy is registered by golf-mcp-enterprise package when installed
+# Register built-in providers when module is imported
+register_builtin_providers()

golf/auth/helpers.py ADDED Viewed

@@ -0,0 +1,175 @@
+"""Helper functions for working with authentication in MCP context."""
+from contextvars import ContextVar
+# Context variable to store the current request's API key
+_current_api_key: ContextVar[str | None] = ContextVar("current_api_key", default=None)
+def extract_token_from_header(auth_header: str) -> str | None:
+    """Extract bearer token from Authorization header.
+    Args:
+        auth_header: Authorization header value
+    Returns:
+        Bearer token or None if not present/valid
+    """
+    if not auth_header:
+        return None
+    parts = auth_header.split()
+    if len(parts) != 2 or parts[0].lower() != "bearer":
+        return None
+    return parts[1]
+def set_api_key(api_key: str | None) -> None:
+    """Set the API key for the current request context.
+    This is an internal function used by the middleware.
+    Args:
+        api_key: The API key to store in the context
+    """
+    _current_api_key.set(api_key)
+def get_api_key() -> str | None:
+    """Get the API key from the current request context.
+    This function should be used in tools to retrieve the API key
+    that was sent in the request headers.
+    Returns:
+        The API key if available, None otherwise
+    Example:
+        # In a tool file
+        from golf.auth import get_api_key
+        async def call_api():
+            api_key = get_api_key()
+            if not api_key:
+                return {"error": "No API key provided"}
+            # Use the API key in your request
+            headers = {"Authorization": f"Bearer {api_key}"}
+            ...
+    """
+    # Try to get directly from HTTP request if available (FastMCP pattern)
+    try:
+        # This follows the FastMCP pattern for accessing HTTP requests
+        from fastmcp.server.dependencies import get_http_request
+        request = get_http_request()
+        if request and hasattr(request, "state") and hasattr(request.state, "api_key"):
+            api_key = request.state.api_key
+            return api_key
+        # Get the API key configuration
+        from golf.auth.api_key import get_api_key_config
+        api_key_config = get_api_key_config()
+        if api_key_config and request:
+            # Extract API key from headers
+            header_name = api_key_config.header_name
+            header_prefix = api_key_config.header_prefix
+            # Case-insensitive header lookup
+            api_key = None
+            for k, v in request.headers.items():
+                if k.lower() == header_name.lower():
+                    api_key = v
+                    break
+            # Strip prefix if configured
+            if api_key and header_prefix and api_key.startswith(header_prefix):
+                api_key = api_key[len(header_prefix) :]
+            if api_key:
+                return api_key
+    except (ImportError, RuntimeError):
+        # FastMCP not available or not in HTTP context
+        pass
+    except Exception:
+        pass
+    # Final fallback: environment variable (for development/testing)
+    import os
+    env_api_key = os.environ.get("API_KEY")
+    if env_api_key:
+        return env_api_key
+    return None
+def get_auth_token() -> str | None:
+    """Get the authorization token from the current request context.
+    This function should be used in tools to retrieve the authorization token
+    (typically a JWT or OAuth token) that was sent in the request headers.
+    Unlike get_api_key(), this function extracts the raw token from the Authorization
+    header without stripping any prefix, making it suitable for passing through
+    to upstream APIs that expect the full Authorization header value.
+    Returns:
+        The authorization token if available, None otherwise
+    Example:
+        # In a tool file
+        from golf.auth import get_auth_token
+        async def call_upstream_api():
+            auth_token = get_auth_token()
+            if not auth_token:
+                return {"error": "No authorization token provided"}
+            # Use the full token in upstream request
+            headers = {"Authorization": f"Bearer {auth_token}"}
+            async with httpx.AsyncClient() as client:
+                response = await client.get("https://api.example.com/data", headers=headers)
+            ...
+    """
+    # Try to get directly from HTTP request if available (FastMCP pattern)
+    try:
+        # This follows the FastMCP pattern for accessing HTTP requests
+        from fastmcp.server.dependencies import get_http_request
+        request = get_http_request()
+        if request and hasattr(request, "state") and hasattr(request.state, "auth_token"):
+            return request.state.auth_token
+        if request:
+            # Extract authorization token from Authorization header
+            auth_header = None
+            for k, v in request.headers.items():
+                if k.lower() == "authorization":
+                    auth_header = v
+                    break
+            if auth_header:
+                # Extract the token part (everything after "Bearer ")
+                token = extract_token_from_header(auth_header)
+                if token:
+                    return token
+                # If not Bearer format, return the whole header value minus "Bearer " prefix if present
+                if auth_header.lower().startswith("bearer "):
+                    return auth_header[7:]  # Remove "Bearer " prefix
+                return auth_header
+    except (ImportError, RuntimeError):
+        # FastMCP not available or not in HTTP context
+        pass
+    except Exception:
+        pass
+    return None