mcp-hydrolix 0.1.4__tar.gz → 0.1.6__tar.gz

mcp_hydrolix-0.1.6/.dockerignore

@@ -0,0 +1,13 @@
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+*.db
+*.sqlite3
+.env
+.venv/
+.envrc
+.DS_Store
+tests/
+.pytest_cache/
+.ruff_cache/

mcp_hydrolix-0.1.6/.github/pull_request_template.md

@@ -0,0 +1,26 @@
+What does this MR do?
+-----------------------
+
+Does this MR meet the acceptance criteria?
+--------------------------------------------
+
+* [ ] Documentation created/updated
+* [ ] Tests added for this feature/bug
+* [ ] Does this change request have any security impacts?
+
+Release Notes
+---------------------------------------------------
+
+* Major changes:
+    *
+* Minor changes:
+    *
+* Bugfixes:
+    *
+* Issues Closed:
+    *
+* Security impacts identified:
+    *
+
+Testing
+--------------------------------------------

mcp_hydrolix-0.1.6/.github/workflows/publish.yml

@@ -0,0 +1,67 @@
+on:
+  workflow_dispatch:
+    inputs:
+      publish_pypi:
+        description: "Include a pypi push in this publish"
+        required: true
+        type: boolean
+        default: true
+      publish_docker:
+        description: "Include a docker push in this publish"
+        required: true
+        type: boolean
+        default: true
+
+jobs:
+  publish:
+    name: Upload release to PyPI
+    runs-on: ubuntu-latest
+    if: ${{ inputs.publish_pypi }}
+    environment:
+      name: pypi
+      url: "https://pypi.org/p/mcp-hydrolix"
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: astral-sh/setup-uv@v5
+      - run: uv python install
+      - run: uv build
+      - uses: pypa/gh-action-pypi-publish@release/v1
+  publish-docker:
+    name: Upload release to GAR
+    runs-on: ubuntu-latest
+    if: ${{ inputs.publish_docker }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v5
+      - name: Authenticate GAR
+        uses: google-github-actions/auth@v3
+        with:
+          # Key ID: 98941823000cead5a61777398bd450e3e19539c3
+          credentials_json: ${{ secrets.GCP_GKE_CI_KEY }}
+      - name: "Set up GCP SDK" # needs to be done after google-github-actions/auth but before `gcloud auth configure-docker`
+        uses: google-github-actions/setup-gcloud@v3
+      - name: Configure GAR for docker
+        run: gcloud auth configure-docker us-docker.pkg.dev --quiet
+      - name: Get tag
+        id: get_tag
+        shell: bash
+        run: |
+          tag="v$(uv version --short)"
+          echo "::notice::Tag is $tag"
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+      - name: Build docker image for MCP
+        shell: bash
+        run: |
+          docker buildx build \
+            -t us-docker.pkg.dev/hdx-art/t/mcp-hydrolix:${{ steps.get_tag.outputs.tag }} \
+            -t us-docker.pkg.dev/hdx-art/t/mcp-hydrolix:latest \
+            .
+      - name: Push docker image
+        shell: bash
+        run: |
+          docker push us-docker.pkg.dev/hdx-art/t/mcp-hydrolix:${{ steps.get_tag.outputs.tag }}
+          docker push us-docker.pkg.dev/hdx-art/t/mcp-hydrolix:latest

mcp_hydrolix-0.1.6/.github/workflows/tests.yaml

@@ -0,0 +1,40 @@
+name: Tests Pipeline
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/tests.yml'
+      - 'mcp_hydrolix/**'
+      - 'mcp_hydrolix/tests/**'
+      - 'mcp_hydrolix/pyproject.toml'
+      - 'mcp_hydrolix/ruff.toml'
+      - 'mcp_hydrolix/uv.lock'
+      - 'mcp_hydrolix/Dockerfile'
+      - 'mcp_hydrolix/docker-compose.yaml'
+  workflow_dispatch:
+
+jobs:
+  core-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.13'
+      - name: Pre-commit
+        uses: pre-commit/action@v3.0.1
+        with:
+          extra_args: --all-files
+      - name: Build and run Docker Compose services
+        run: docker compose up -d --wait --wait-timeout 300
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+      - name: Run tests
+        working-directory: .
+        run: |
+          uv sync --frozen --no-editable
+          uv pip install '.[dev]'
+          uv run pytest
+      - name: Stop Docker Compose services
+        if: always()
+        run: docker compose down

mcp_hydrolix-0.1.6/Dockerfile

@@ -0,0 +1,49 @@
+# use the official uv image (with matching python/alpine version) to construct the venv
+FROM ghcr.io/astral-sh/uv:0.9.4-python3.13-alpine AS builder
+# # Install `cc` (to build lz4 from source)
+RUN apk add build-base
+
+WORKDIR /app
+
+# dependencies specifications
+COPY pyproject.toml /app/
+COPY uv.lock /app/
+# And because uv sync likes to verify the README... for some reason...
+COPY README.md /app/
+
+# produce .venv
+RUN uv sync --locked
+
+# begin definition of runtime container, relying on the venv made in builder
+FROM python:3.13-alpine
+
+# don't buffer log streams (docker adds enough delay)
+ENV PYTHONUNBUFFERED=1
+
+# don't cache pyc bytecode, since the container fs isn't persisted across restarts anyways
+ENV PYTHONDONTWRITEBYTECODE=1
+
+# Bind HTTP transport to all interfaces
+ENV HYDROLIX_MCP_BIND_HOST=0.0.0.0
+ENV HYDROLIX_MCP_SERVER_TRANSPORT=http
+
+# declare that we expose port 8000
+EXPOSE 8000
+
+# Got a health check too
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
+  CMD [ "wget", "--no-verbose", "--tries=1", "--spider", "http://127.0.0.1:8000/health" ]
+
+RUN addgroup -g 1000 -S appgroup && \
+  adduser -u 1000 -S appuser -G appgroup -h /app -s /sbin/nologin
+USER appuser
+
+WORKDIR /app
+
+
+COPY --from=builder --chown=appuser:appgroup /app/.venv/ /app/.venv
+
+COPY --chown=appuser:appgroup mcp_hydrolix/ /app/mcp_hydrolix
+COPY --chown=appuser:appgroup pyproject.toml /app/
+
+ENTRYPOINT [".venv/bin/python", "-m", "mcp_hydrolix.main"]

mcp_hydrolix-0.1.4/README.md → mcp_hydrolix-0.1.6/PKG-INFO

@@ -1,3 +1,28 @@
+Metadata-Version: 2.4
+Name: mcp-hydrolix
+Version: 0.1.6
+Summary: An MCP server for Hydrolix.
+Project-URL: Home, https://github.com/hydrolix/mcp-hydrolix
+License-Expression: Apache-2.0
+License-File: LICENSE
+Requires-Python: >=3.13
+Requires-Dist: clickhouse-connect<0.11,>=0.10
+Requires-Dist: fastmcp<2.15,>=2.14
+Requires-Dist: gunicorn<24.0,>=23.0
+Requires-Dist: pip-system-certs<5.0,>=4.0
+Requires-Dist: pyjwt<2.11,>=2.10
+Requires-Dist: python-dotenv<1.2,>=1.1
+Provides-Extra: dev
+Requires-Dist: fastapi>=0.124; extra == 'dev'
+Requires-Dist: mcp-clickhouse==0.1.13; extra == 'dev'
+Requires-Dist: pre-commit; extra == 'dev'
+Requires-Dist: pytest; extra == 'dev'
+Requires-Dist: pytest-asyncio; extra == 'dev'
+Requires-Dist: pytest-repeat; extra == 'dev'
+Requires-Dist: pytest-xdist; extra == 'dev'
+Requires-Dist: ruff; extra == 'dev'
+Description-Content-Type: text/markdown
+
 # Hydrolix MCP Server
 
 [![PyPI - Version](https://img.shields.io/pypi/v/mcp-hydrolix)](https://pypi.org/project/mcp-hydrolix)
@@ -45,6 +70,18 @@ The Hydrolix MCP server is configured using a standard MCP server entry. Consult
 
 The recommended way to launch the Hydrolix MCP server is via the [`uv` project manager](https://github.com/astral-sh/uv), which will manage installing all other dependencies in an isolated environment.
 
+### Authentication
+
+The server supports multiple authentication methods with the following precedence (highest to lowest):
+
+1. **Per-request Bearer token**: Service account token provided via `Authorization: Bearer <token>` header
+2. **Per-request GET parameter**: Service account token provided via `?token=<token>` query parameter
+3. **Environment-based credentials**: Credentials configured via environment variables
+   - Service account token (`HYDROLIX_TOKEN`), or
+   - Username and password (`HYDROLIX_USER` and `HYDROLIX_PASSWORD`)
+
+When multiple authentication methods are configured, the server will use the first available method in the precedence order above. Per-request authentication is only available when using HTTP or SSE transport modes.
+
 MCP Server definition using username and password (JSON):
 
 ```json
@@ -180,17 +217,37 @@ To leverage service account use the following config block:
 
 5. Restart Claude Desktop to apply the changes. If you are using Windows, ensure Claude is stopped completely by closing the client using the system tray icon.
 
+### Configuration Example (Claude Code)
+
+To configure the Hydrolix MCP server for Claude Code, run the following command:
+
+```bash
+claude mcp add --transport stdio hydrolix \
+  --env HYDROLIX_USER=<hydrolix-user> \
+  --env HYDROLIX_PASSWORD=<hydrolix-password> \
+  --env HYDROLIX_HOST=<hydrolix-host> \
+  --env HYDROLIX_MCP_SERVER_TRANSPORT=stdio \
+  -- uv run --with mcp-hydrolix --python 3.13 mcp-hydrolix
+```
+
 ### Environment Variables
 
 The following variables are used to configure the Hydrolix connection. These variables may be provided via the MCP config block (as shown above), a `.env` file, or traditional environment variables.
 
 #### Required Variables
 * `HYDROLIX_HOST`: The hostname of your Hydrolix server
-* `HYDROLIX_TOKEN`: The Hydrolix service account token (omit if using username/password)
-* `HYDROLIX_USER`: The username for authentication (omit if using service account)
-* `HYDROLIX_PASSWORD`: The password for authentication (omit if using service account)
 
-**Authentication precedence:** If both `HYDROLIX_TOKEN` and `HYDROLIX_USER`/`HYDROLIX_PASSWORD` are provided, the service account token takes precedence and username/password authentication will be ignored.
+#### Authentication Variables
+At least one authentication method must be configured when using the stdio transport:
+
+* `HYDROLIX_TOKEN`: Service account token for environment-based authentication
+* `HYDROLIX_USER` and `HYDROLIX_PASSWORD`: Username and password for environment-based authentication (both must be provided together)
+
+In summary:
+- For stdio, you MUST use HYDROLIX_TOKEN or HYDROLIX_USER+HYDROLIX_PASS (environmental credentials)
+- For http/sse, you MAY use HYDROLIX_TOKEN or HYDROLIX_USER+HYDROLIX_PASS (environmental credentials), but you may instead use per-request credentials.
+
+If no credentials are provided via the environment or the request, the request will fail.
 
 #### Optional Variables
 * `HYDROLIX_PORT`: The port number of your Hydrolix server
@@ -229,4 +286,29 @@ When using HTTP transport, the server will run on the configured port (default 8
 - MCP endpoint: `http://localhost:4200/mcp`
 - Health check: `http://localhost:4200/health`
 
+#### Using Per-Request Authentication with HTTP Transport
+
+When using HTTP or SSE transport, you can omit environment-based credentials and instead provide authentication per-request. This is useful for multi-user scenarios or with clients that don't support running MCP servers locally.
+
+Example `mcpServers` configuration connecting to a remote HTTP server with per-request authentication:
+
+```json
+{
+  "mcpServers": {
+    "mcp-hydrolix-remote": {
+      "url": "http://my-hydrolix-mcp.example.com:8000/mcp?token=<service-account-token>"
+    }
+  }
+}
+```
+
+Example minimal `.env` configuration for running your own HTTP server without environment credentials:
+
+```env
+HYDROLIX_HOST=my-cluster.hydrolix.net
+HYDROLIX_MCP_SERVER_TRANSPORT=http
+```
+
+Though not part of the MCP specification, many MCP clients allow adding headers to MCP-issued requests. When this is possible, we recommend configuring the MCP client to pass a service account token via the `Authorization: Bearer <sa-token-here>` header instead of as a query parameter for greater security.
+
 Note: The bind host and port settings are only used when transport is set to "http" or "sse".

mcp_hydrolix-0.1.4/PKG-INFO → mcp_hydrolix-0.1.6/README.md

@@ -1,22 +1,3 @@
-Metadata-Version: 2.4
-Name: mcp-hydrolix
-Version: 0.1.4
-Summary: An MCP server for Hydrolix.
-Project-URL: Home, https://github.com/hydrolix/mcp-hydrolix
-License-Expression: Apache-2.0
-License-File: LICENSE
-Requires-Python: >=3.13
-Requires-Dist: clickhouse-connect>=0.8.16
-Requires-Dist: fastmcp>=2.0.0
-Requires-Dist: pip-system-certs>=4.0
-Requires-Dist: python-dotenv>=1.0.1
-Provides-Extra: dev
-Requires-Dist: pre-commit; extra == 'dev'
-Requires-Dist: pytest; extra == 'dev'
-Requires-Dist: pytest-asyncio; extra == 'dev'
-Requires-Dist: ruff; extra == 'dev'
-Description-Content-Type: text/markdown
-
 # Hydrolix MCP Server
 
 [![PyPI - Version](https://img.shields.io/pypi/v/mcp-hydrolix)](https://pypi.org/project/mcp-hydrolix)
@@ -64,6 +45,18 @@ The Hydrolix MCP server is configured using a standard MCP server entry. Consult
 
 The recommended way to launch the Hydrolix MCP server is via the [`uv` project manager](https://github.com/astral-sh/uv), which will manage installing all other dependencies in an isolated environment.
 
+### Authentication
+
+The server supports multiple authentication methods with the following precedence (highest to lowest):
+
+1. **Per-request Bearer token**: Service account token provided via `Authorization: Bearer <token>` header
+2. **Per-request GET parameter**: Service account token provided via `?token=<token>` query parameter
+3. **Environment-based credentials**: Credentials configured via environment variables
+   - Service account token (`HYDROLIX_TOKEN`), or
+   - Username and password (`HYDROLIX_USER` and `HYDROLIX_PASSWORD`)
+
+When multiple authentication methods are configured, the server will use the first available method in the precedence order above. Per-request authentication is only available when using HTTP or SSE transport modes.
+
 MCP Server definition using username and password (JSON):
 
 ```json
@@ -199,17 +192,37 @@ To leverage service account use the following config block:
 
 5. Restart Claude Desktop to apply the changes. If you are using Windows, ensure Claude is stopped completely by closing the client using the system tray icon.
 
+### Configuration Example (Claude Code)
+
+To configure the Hydrolix MCP server for Claude Code, run the following command:
+
+```bash
+claude mcp add --transport stdio hydrolix \
+  --env HYDROLIX_USER=<hydrolix-user> \
+  --env HYDROLIX_PASSWORD=<hydrolix-password> \
+  --env HYDROLIX_HOST=<hydrolix-host> \
+  --env HYDROLIX_MCP_SERVER_TRANSPORT=stdio \
+  -- uv run --with mcp-hydrolix --python 3.13 mcp-hydrolix
+```
+
 ### Environment Variables
 
 The following variables are used to configure the Hydrolix connection. These variables may be provided via the MCP config block (as shown above), a `.env` file, or traditional environment variables.
 
 #### Required Variables
 * `HYDROLIX_HOST`: The hostname of your Hydrolix server
-* `HYDROLIX_TOKEN`: The Hydrolix service account token (omit if using username/password)
-* `HYDROLIX_USER`: The username for authentication (omit if using service account)
-* `HYDROLIX_PASSWORD`: The password for authentication (omit if using service account)
 
-**Authentication precedence:** If both `HYDROLIX_TOKEN` and `HYDROLIX_USER`/`HYDROLIX_PASSWORD` are provided, the service account token takes precedence and username/password authentication will be ignored.
+#### Authentication Variables
+At least one authentication method must be configured when using the stdio transport:
+
+* `HYDROLIX_TOKEN`: Service account token for environment-based authentication
+* `HYDROLIX_USER` and `HYDROLIX_PASSWORD`: Username and password for environment-based authentication (both must be provided together)
+
+In summary:
+- For stdio, you MUST use HYDROLIX_TOKEN or HYDROLIX_USER+HYDROLIX_PASS (environmental credentials)
+- For http/sse, you MAY use HYDROLIX_TOKEN or HYDROLIX_USER+HYDROLIX_PASS (environmental credentials), but you may instead use per-request credentials.
+
+If no credentials are provided via the environment or the request, the request will fail.
 
 #### Optional Variables
 * `HYDROLIX_PORT`: The port number of your Hydrolix server
@@ -248,4 +261,29 @@ When using HTTP transport, the server will run on the configured port (default 8
 - MCP endpoint: `http://localhost:4200/mcp`
 - Health check: `http://localhost:4200/health`
 
+#### Using Per-Request Authentication with HTTP Transport
+
+When using HTTP or SSE transport, you can omit environment-based credentials and instead provide authentication per-request. This is useful for multi-user scenarios or with clients that don't support running MCP servers locally.
+
+Example `mcpServers` configuration connecting to a remote HTTP server with per-request authentication:
+
+```json
+{
+  "mcpServers": {
+    "mcp-hydrolix-remote": {
+      "url": "http://my-hydrolix-mcp.example.com:8000/mcp?token=<service-account-token>"
+    }
+  }
+}
+```
+
+Example minimal `.env` configuration for running your own HTTP server without environment credentials:
+
+```env
+HYDROLIX_HOST=my-cluster.hydrolix.net
+HYDROLIX_MCP_SERVER_TRANSPORT=http
+```
+
+Though not part of the MCP specification, many MCP clients allow adding headers to MCP-issued requests. When this is possible, we recommend configuring the MCP client to pass a service account token via the `Authorization: Bearer <sa-token-here>` header instead of as a query parameter for greater security.
+
 Note: The bind host and port settings are only used when transport is set to "http" or "sse".

mcp_hydrolix-0.1.6/docker-compose.yaml

@@ -0,0 +1,56 @@
+version: '3.8'
+
+services:
+  clickhouse:
+    image: clickhouse/clickhouse-server:latest
+    container_name: hydrolix-test-clickhouse
+    ports:
+      - "9000:9000"   # Native protocol
+      - "8123:8123"   # HTTP interface
+    environment:
+      CLICKHOUSE_DB: default
+      CLICKHOUSE_USER: default
+      CLICKHOUSE_PASSWORD: clickhouse
+      CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
+      TEST_CONFIG: |+
+        <?xml version="1.0" ?>
+        <clickhouse>
+            <max_connections>4096</max_connections>
+            <logger>
+                <console>1</console>
+            </logger>
+            <timezone>UTC</timezone>
+            <custom_settings_prefixes replace="replace">SQL_,hdx_</custom_settings_prefixes>
+        </clickhouse>
+    entrypoint:
+      - /bin/bash
+      - -c
+      - |
+        $(echo "$$TEST_CONFIG" > /etc/clickhouse-server/config.d/tcconfig.xml)
+        exec /entrypoint.sh "$@"
+    volumes:
+      - clickhouse_data:/var/lib/clickhouse
+      - clickhouse_logs:/var/log/clickhouse-server
+      # Optional: mount custom config
+      # - ./clickhouse-config.xml:/etc/clickhouse-server/config.d/custom.xml
+    ulimits:
+      nofile:
+        soft: 262144
+        hard: 262144
+    healthcheck:
+      test: ["CMD", "clickhouse-client", "--query", "SELECT 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - hydrolix-test
+
+volumes:
+  clickhouse_data:
+    driver: local
+  clickhouse_logs:
+    driver: local
+
+networks:
+  hydrolix-test:
+    driver: bridge

mcp_hydrolix-0.1.6/fastmcp.json

@@ -0,0 +1,13 @@
+{
+  "$schema": "https://gofastmcp.com/public/schemas/fastmcp.json/v1.json",
+  "source": {
+    "type": "filesystem",
+    "path": "mcp_hydrolix/mcp_server.py",
+    "entrypoint": "mcp"
+  },
+  "environment": {
+    "type": "uv",
+    "python": ">=3.13",
+    "editable": ["."]
+  }
+}

mcp_hydrolix-0.1.6/mcp_hydrolix/auth/__init__.py

@@ -0,0 +1,29 @@
+"""Authentication package for MCP Hydrolix.
+
+This package contains authentication-related types used to define hydrolix auth
+in terms of FastMCP infrastructure
+"""
+
+from mcp_hydrolix.auth.credentials import (
+    HydrolixCredential,
+    ServiceAccountToken,
+    UsernamePassword,
+)
+from mcp_hydrolix.auth.mcp_providers import (
+    TOKEN_PARAM,
+    AccessToken,
+    ChainedAuthBackend,
+    GetParamAuthBackend,
+    HydrolixCredentialChain,
+)
+
+__all__ = [
+    "HydrolixCredential",
+    "ServiceAccountToken",
+    "UsernamePassword",
+    "AccessToken",
+    "ChainedAuthBackend",
+    "GetParamAuthBackend",
+    "HydrolixCredentialChain",
+    "TOKEN_PARAM",
+]

mcp_hydrolix-0.1.6/mcp_hydrolix/auth/credentials.py

@@ -0,0 +1,63 @@
+"""Hydrolix credential types for authentication."""
+
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+from typing import Optional
+import jwt
+
+
+class HydrolixCredential(ABC):
+    @abstractmethod
+    def clickhouse_config_entries(self) -> dict:
+        """
+        Returns the entries needed for a ClickHouse client config to use this credential.
+        This will typically add `access_token` or (`username` and `password`)
+        """
+        ...
+
+
+@dataclass
+class ServiceAccountToken(HydrolixCredential):
+    """Hydrolix credentials using a service account token."""
+
+    def __init__(self, token: str, expected_iss: Optional[str]):
+        """
+        Initialize a ServiceAccountToken from a token JWT (or raise an error if the claims are invalid).
+        NB the claims' signatures are NOT checked by this function -- these validations MUST NOT be considered
+        authoritative.
+        """
+
+        claims = jwt.decode(
+            token,
+            key="",  # NB service account signing key is not publicly-hosted, so we can't verify the signature
+            options={
+                "verify_signature": False,
+                "verify_iss": True,
+                "verify_iat": True,
+                "verify_exp": True,
+            },
+            issuer=expected_iss,
+        )
+        self.token = token
+        self.service_account_id = claims["sub"]
+        self.issued_at = claims["iss"]
+        self.expires_at = claims["exp"]
+
+    def clickhouse_config_entries(self) -> dict:
+        return {"access_token": self.token}
+
+    token: str
+    service_account_id: str
+    issued_at: int
+    expires_at: int
+
+
+@dataclass
+class UsernamePassword(HydrolixCredential):
+    """Hydrolix credentials using username and password."""
+
+    def clickhouse_config_entries(self) -> dict:
+        return {"username": self.username, "password": self.password}
+
+    username: str
+    password: str