react-agent-harness 0.5.0__tar.gz → 0.5.2__tar.gz

{react_agent_harness-0.5.0/react_agent_harness.egg-info → react_agent_harness-0.5.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: react-agent-harness
-Version: 0.5.0
+Version: 0.5.2
 Summary: Multi-agent LLM orchestration: hybrid DAG planning, two-tier memory, streaming
 Requires-Python: >=3.10
 License-File: LICENSE

{react_agent_harness-0.5.0 → react_agent_harness-0.5.2}/README.md

@@ -44,6 +44,7 @@ harness/steering.py         Async steering — agent.steer(text), StdinRouter pu
 harness/checkpoint.py       CheckpointStore + _ResumeHint + maybe_resume_key — pluggable run-state persistence (file + Redis); auto-resume built into dispatch_stream / run_stream
 harness/otel.py             OTELHook — OpenTelemetry span exporter (opt-in)
 harness/executor_bridge.py  ExecutorBridge + ExecutorTool — controlled subprocess launcher with optional Docker sandboxing
+harness/oauth_browser.py    Localhost OAuth callback server + open_or_print_url — shared by MCP browser-OAuth and LLM login flows
 orchestrator/planner.py     Hybrid DAG orchestrator — plan, replan, synthesize
 agents/base.py              Generic BaseAgent — ReAct loop, no subclassing needed
 memory/manager.py           MemoryManager — semantic KV + episodic vector
@@ -592,47 +593,78 @@ async with MCPServerConnection(params, server_name="filesystem") as conn:
     result = await runtime.run("list files in /tmp")
 ```
 
-Supports **stdio** and **SSE** transports. The `MCPServerConnection` context
-manager handles the full lifecycle — connect, discover, and cleanup.
+Supports **stdio**, **SSE**, and **streamable-HTTP** transports. The
+`MCPServerConnection` context manager handles the full lifecycle —
+connect, discover, and cleanup.
 
-Remote MCP servers can receive static headers or bearer tokens through an auth
-provider:
+### Auth options
+
+Pick the provider that matches how your MCP server authenticates:
+
+| Provider | When to use |
+|---|---|
+| `StaticMCPAuth` | Literal header/env values you have in hand |
+| `BearerMCPAuth` | A single bearer token string |
+| `ApiKeyMCPAuth` | API-key headers backed by environment variables |
+| `OAuthMCPAuth` | Bearer token cached in the shared `auth.json` file |
+| `BrowserOAuthMCPAuth` | Full OAuth 2.0 + PKCE flow with browser login |
+
+**API keys backed by env vars** — generic, no vendor coupling:
 
 ```python
 import os
-from tools.mcp import MCPServerConnection, StaticMCPAuth
+from tools.mcp.auth import ApiKeyMCPAuth, StreamableHttpServerParams
+from tools.mcp import MCPServerConnection
+
+auth = ApiKeyMCPAuth({
+    "DD-Api-Key": "DD_API_KEY",
+    "DD-Application-Key": "DD_APP_KEY",
+})
+params = StreamableHttpServerParams(url="https://mcp.datadoghq.com/")
+
+async with MCPServerConnection(params, server_name="datadog", auth=auth) as conn:
+    conn.register_tools(tool_registry)
+```
 
-auth = StaticMCPAuth(
-    headers={
-        "DD_API_KEY": os.environ["DD_API_KEY"],
-        "DD_APPLICATION_KEY": os.environ["DD_APPLICATION_KEY"],
-    }
+**Browser-based OAuth (PKCE) for hosted MCP servers**:
+
+```python
+from tools.mcp.auth import BrowserOAuthMCPAuth, StreamableHttpServerParams
+from tools.mcp import MCPServerConnection
+
+auth = BrowserOAuthMCPAuth(
+    server_url="https://mcp.example.com/",
+    provider_name="mcp:example",
+    client_id="abc123",         # from the provider's developer console
+    client_secret="shh",        # optional (PKCE-only flows omit)
+    scopes=["read", "write"],
 )
+params = StreamableHttpServerParams(url="https://mcp.example.com/")
 
-async with MCPServerConnection(
-    {"url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp"},
-    server_name="datadog",
-    auth=auth,
-) as conn:
+async with MCPServerConnection(params, auth=auth) as conn:
     conn.register_tools(tool_registry)
 ```
 
-OAuth-style auth files can be reused for MCP bearer auth:
+First connect opens the browser, captures the redirect on
+`http://127.0.0.1:8765/callback`, persists tokens to
+`~/.agent-harness/auth/auth.json` (chmod 0600), and refreshes them
+transparently on every subsequent run. Register your OAuth app with that
+redirect URI.
+
+Servers that support RFC 7591 dynamic client registration work without
+supplying `client_id` — the MCP SDK registers a fresh client on first
+connect.
+
+**Cached OAuth from the auth.json file** (for tokens you already minted
+elsewhere):
 
 ```python
-from tools.mcp import MCPServerConnection, OAuthMCPAuth
+from tools.mcp import OAuthMCPAuth, MCPServerConnection
 
 auth = OAuthMCPAuth.from_auth_file(
     "~/.agent-harness/auth/auth.json",
-    provider="datadog-mcp",
+    provider="my-service",
 )
-
-async with MCPServerConnection(
-    {"url": "https://mcp.datadoghq.com/api/unstable/mcp-server/mcp"},
-    server_name="datadog",
-    auth=auth,
-) as conn:
-    conn.register_tools(tool_registry)
 ```
 
 See `examples/mcp_demo.py` for local stdio MCP and `examples/mcp_auth_demo.py`

{react_agent_harness-0.5.0 → react_agent_harness-0.5.2}/harness/cli.py

@@ -79,11 +79,13 @@ def main() -> int:
 
 
 async def _login_openai_codex(path: Path) -> int:
+    from harness.oauth_browser import open_or_print_url
+
     client = OpenAICodexOAuthClient()
     try:
         device = await client.request_device_code()
         print("OpenAI Codex login")
-        print(f"Open: {device.verification_uri}")
+        open_or_print_url(device.verification_uri, prefix="Open:")
         print(f"Code: {device.user_code}")
         print("Waiting for authorization...")
         cred = await client.poll_device_code(device)
@@ -95,11 +97,16 @@ async def _login_openai_codex(path: Path) -> int:
 
 
 async def _login_claude_code(path: Path) -> int:
+    from harness.oauth_browser import open_or_print_url
+
     client = AnthropicClaudeCodeOAuthClient()
     try:
         login = client.begin_login()
         print("Claude Code login")
-        print(f"Open: {login.url}")
+        # Anthropic owns the redirect URI (console.anthropic.com), so we
+        # can't auto-capture the callback here. Best we can do is open the
+        # browser for the user and let them paste the result.
+        open_or_print_url(login.url, prefix="Open:")
         print("Paste the final callback URL, or the code#state value.")
         callback_input = input("Callback: ")
         cred = await client.finish_login(login, callback_input)

react_agent_harness-0.5.2/harness/oauth_browser.py

@@ -0,0 +1,150 @@
+"""Browser-based OAuth helpers shared across providers.
+
+Two utilities here:
+
+  - ``open_or_print_url(url)`` — try to open a URL in the user's default
+    browser; fall back to printing it so headless / SSH sessions still work.
+
+  - ``wait_for_oauth_callback(port, path, timeout)`` — spin up a one-shot
+    localhost HTTP server, block until the OAuth provider redirects the
+    browser back, and return the ``(code, state)`` pair from the query
+    string. Used by ``BrowserOAuthMCPAuth`` and any future browser-based
+    login flow whose redirect URI we control.
+
+Stdlib only — no new dependencies. The callback server uses
+``http.server.HTTPServer`` in a background thread so the asyncio caller can
+``await`` on a future that resolves when the request arrives.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import logging
+import threading
+import urllib.parse
+import webbrowser
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from typing import Any
+
+logger = logging.getLogger(__name__)
+
+
+_HTML_OK = b"""<!doctype html>
+<html><body style="font-family:sans-serif;text-align:center;padding:3em">
+<h2>Authorization complete</h2>
+<p>You can close this tab and return to the terminal.</p>
+</body></html>
+"""
+
+_HTML_ERROR = b"""<!doctype html>
+<html><body style="font-family:sans-serif;text-align:center;padding:3em">
+<h2>Authorization failed</h2>
+<p>%s</p>
+<p>Check the terminal for details.</p>
+</body></html>
+"""
+
+
+def open_or_print_url(url: str, *, prefix: str = "Open in browser:") -> None:
+    """Try to open ``url`` in the default browser; always print it as a fallback."""
+    print(f"{prefix} {url}")
+    try:
+        webbrowser.open(url, new=2)
+    except Exception as e:  # noqa: BLE001 — best-effort UX nicety
+        logger.debug("webbrowser.open failed: %s", e)
+
+
+async def wait_for_oauth_callback(
+    *,
+    port: int = 0,
+    path: str = "/callback",
+    timeout: float = 300.0,
+    bind_host: str = "127.0.0.1",
+) -> tuple[str, str | None]:
+    """Run a localhost HTTP server until a redirect with ``code`` arrives.
+
+    Args:
+        port: Port to bind. ``0`` lets the OS pick a free port — read it back
+              from ``actual_port`` after construction if you need it (this
+              helper does not return the bound port; callers that need it
+              should use :func:`bind_callback_server` instead).
+        path: Expected redirect path. Other paths return 404.
+        timeout: Seconds to wait before raising :class:`TimeoutError`.
+        bind_host: Address to bind on. Keep ``127.0.0.1`` for security —
+                   anything else makes the auth code observable on the LAN.
+
+    Returns:
+        ``(code, state)`` from the query string. ``state`` is ``None`` when
+        the provider does not echo it back.
+
+    Raises:
+        TimeoutError: No callback arrived within ``timeout`` seconds.
+        RuntimeError: The redirect carried an ``error`` query parameter.
+    """
+    server, actual_port, future = bind_callback_server(port=port, path=path, bind_host=bind_host)
+    try:
+        return await asyncio.wait_for(future, timeout=timeout)
+    finally:
+        server.shutdown()
+
+
+def bind_callback_server(
+    *,
+    port: int = 0,
+    path: str = "/callback",
+    bind_host: str = "127.0.0.1",
+) -> tuple[HTTPServer, int, asyncio.Future[tuple[str, str | None]]]:
+    """Start the callback server and return (server, port, future).
+
+    Callers that need the bound port up front (to construct the redirect URI
+    before opening the browser) use this and then ``await future``. Callers
+    that already know the port should prefer :func:`wait_for_oauth_callback`.
+
+    The server runs in a daemon thread and shuts down on the first valid
+    callback or when ``server.shutdown()`` is called.
+    """
+    loop = asyncio.get_running_loop()
+    future: asyncio.Future[tuple[str, str | None]] = loop.create_future()
+
+    class _Handler(BaseHTTPRequestHandler):
+        def do_GET(self) -> None:  # noqa: N802 — stdlib API
+            parsed = urllib.parse.urlparse(self.path)
+            if parsed.path != path:
+                self.send_response(404)
+                self.end_headers()
+                return
+            qs = urllib.parse.parse_qs(parsed.query)
+            err = qs.get("error", [None])[0]
+            if err:
+                desc = qs.get("error_description", [""])[0]
+                msg = f"{err}: {desc}".strip(": ")
+                self.send_response(400)
+                self.send_header("Content-Type", "text/html")
+                self.end_headers()
+                self.wfile.write(_HTML_ERROR % msg.encode("utf-8", "replace"))
+                if not future.done():
+                    loop.call_soon_threadsafe(
+                        future.set_exception, RuntimeError(f"OAuth callback error: {msg}")
+                    )
+                return
+            code = qs.get("code", [None])[0]
+            state = qs.get("state", [None])[0]
+            if not code:
+                self.send_response(400)
+                self.end_headers()
+                return
+            self.send_response(200)
+            self.send_header("Content-Type", "text/html")
+            self.end_headers()
+            self.wfile.write(_HTML_OK)
+            if not future.done():
+                loop.call_soon_threadsafe(future.set_result, (code, state))
+
+        def log_message(self, *_args: Any) -> None:  # silence stdlib's stderr noise
+            return
+
+    server = HTTPServer((bind_host, port), _Handler)
+    actual_port = server.server_address[1]
+    thread = threading.Thread(target=server.serve_forever, daemon=True)
+    thread.start()
+    return server, actual_port, future

{react_agent_harness-0.5.0 → react_agent_harness-0.5.2}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "react-agent-harness"
-version = "0.5.0"
+version = "0.5.2"
 description = "Multi-agent LLM orchestration: hybrid DAG planning, two-tier memory, streaming"
 requires-python = ">=3.10"
 dependencies = [

{react_agent_harness-0.5.0 → react_agent_harness-0.5.2/react_agent_harness.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: react-agent-harness
-Version: 0.5.0
+Version: 0.5.2
 Summary: Multi-agent LLM orchestration: hybrid DAG planning, two-tier memory, streaming
 Requires-Python: >=3.10
 License-File: LICENSE

{react_agent_harness-0.5.0 → react_agent_harness-0.5.2}/react_agent_harness.egg-info/SOURCES.txt

@@ -11,6 +11,7 @@ harness/console.py
 harness/events.py
 harness/executor_bridge.py
 harness/hitl.py
+harness/oauth_browser.py
 harness/otel.py
 harness/runtime.py
 harness/steering.py
@@ -50,6 +51,7 @@ tests/test_llm_auth.py
 tests/test_mcp_adapter.py
 tests/test_mcp_auth.py
 tests/test_memory.py
+tests/test_oauth_browser.py
 tests/test_openai_codex_llm.py
 tests/test_openai_llm.py
 tests/test_orchestrator.py