forked from molecule-ai/molecule-core
18c00726b8
Implements sub-issues #809 (MCPHandler), #810 (tool filtering), #811 (per-token rate limiting), #813 (opencode.json), #814 (docs). Routes (registered under wsAuth — bearer token binds to :id): GET /workspaces/:id/mcp/stream — SSE transport (backwards compat) POST /workspaces/:id/mcp — Streamable HTTP transport (primary) Security conditions from review (all mandatory): C1: WorkspaceAuth middleware rejects requests without valid bearer token C2: MCPRateLimiter (120 req/min/token, SHA-256 keyed) applied on both routes C3: commit_memory/recall_memory with scope=GLOBAL → permission error; send_message_to_user excluded unless MOLECULE_MCP_ALLOW_SEND_MESSAGE=true Tools: list_peers, get_workspace_info, delegate_task, delegate_task_async, check_task_status, send_message_to_user (opt-in), commit_memory, recall_memory. All mirror workspace-template/a2a_mcp_server.py TOOLS list. Also adds: org-templates/molecule-dev/opencode.json, docs/integrations/opencode.md, .env.example entries for MOLECULE_MCP_ALLOW_SEND_MESSAGE and MOLECULE_MCP_URL. Tests: 29 new tests (20 handler + 9 middleware). All passing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| admin_test_token_route_test.go | ||
| canvas_proxy_test.go | ||
| canvas_proxy.go | ||
| router.go | ||