ca22df2d6a
Second port of the MCP chassis (gitea-mcp was first, commit 658f4ba). Closes the chassis-adoption loop on the two highest-LOC consumers. Changes: - Drop ingestion/internal/auth/ entirely (jwt.go + jwt_test.go + protected_resource.go + protected_resource_test.go) — chassis provides JWTValidator + ProtectedResourceHandler with identical semantics. - Drop ingestion/internal/mcp/auth.go (BearerAuth function, ~65 LOC) and the integration test auth_test.go (~200 LOC) — chassis BearerMiddleware replaces it. Static-Bearer-or-Dex-JWT precedence and RFC 9728 resource_metadata challenge behavior preserved 1:1. - cmd/server/main.go: import chassis as `chassisauth`, rewire the three call sites. Use realm="brain" in the BearerMiddleware call so a 401 challenge identifies the resource as the brain MCP. OAuth client_credentials handler (ingestion/internal/oauth) stays — chassis v0.1.0 covers only the JWT path; OAuth flow is a candidate for chassis v0.2.0 once a second MCP needs it (rule of three). Net delta: -~330 LOC of duplicated auth code; +1 import; +1 GOPRIVATE env requirement on dev machines (documented in the spike handoff 2026-05-22-mcp-chassis-spike.md). task check green (lint + test + vet + govulncheck). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
4.7 KiB
4.7 KiB