Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
3f603a6
docs: add mcp-auth-proxy design spec
TarasSpashchenko Jul 3, 2026
294b9e5
docs: add mcp-auth-proxy implementation plan
TarasSpashchenko Jul 3, 2026
6202146
feat(proxy): add mcp-auth-proxy types and config validation
TarasSpashchenko Jul 3, 2026
a7dac1d
feat(proxy): add pure OAuth rewrite rules R1-R6 for mcp-auth-proxy
TarasSpashchenko Jul 3, 2026
259d3da
feat(proxy): add mcp-auth-proxy daemon state file helpers
TarasSpashchenko Jul 3, 2026
f440ed5
feat(proxy): add streaming upstream HTTP client for mcp-auth-proxy
TarasSpashchenko Jul 3, 2026
ca9c590
feat(proxy): add upstream OAuth metadata discovery and TTL cache
TarasSpashchenko Jul 3, 2026
76a65db
feat(proxy): add McpAuthProxy server with streaming pass-through and …
TarasSpashchenko Jul 3, 2026
7635a99
feat(proxy): add mcp-auth-proxy daemon runtime and detached entry point
TarasSpashchenko Jul 3, 2026
468160f
feat(cli): register codemie mcp-auth-proxy start/stop/status command
TarasSpashchenko Jul 3, 2026
2617124
docs: document codemie mcp-auth-proxy command
TarasSpashchenko Jul 3, 2026
62c4ac6
fix(proxy): harden mcp-auth-proxy request dispatch and PRM-hint disco…
TarasSpashchenko Jul 3, 2026
959da8b
docs: add mcp-auth-proxy spec and SDLC work item
TarasSpashchenko Jul 4, 2026
bfb7ed6
docs: delete superseded mcp-auth-proxy spec document
TarasSpashchenko Jul 5, 2026
d9421f9
fix(utils): hide detached daemon console window on Windows
TarasSpashchenko Jul 5, 2026
c5f3775
fix(proxy): treat EPERM as alive in mcp-auth-proxy liveness check
TarasSpashchenko Jul 5, 2026
6854257
feat(proxy): reserve 'shutdown' route id for the control endpoint
TarasSpashchenko Jul 5, 2026
d76e5f5
feat(proxy): add loopback POST /shutdown control endpoint
TarasSpashchenko Jul 5, 2026
125e673
feat(proxy): route graceful shutdown through endpoint and signals
TarasSpashchenko Jul 5, 2026
1d24eee
feat(cli): stop mcp-auth-proxy via graceful control endpoint first
TarasSpashchenko Jul 5, 2026
73d730f
refactor(cli): skip graceful poll when mcp-auth-proxy shutdown not acked
TarasSpashchenko Jul 5, 2026
24e3d58
docs: add mcp-auth-proxy-windows sdlc-light task artifacts
TarasSpashchenko Jul 5, 2026
05346d1
docs: add mcp-auth-proxy https design and work item
TarasSpashchenko Jul 5, 2026
741fd29
docs: add mcp-auth-proxy https implementation plan
TarasSpashchenko Jul 5, 2026
42619a4
feat(proxy): add opt-in tls flag to mcp-auth-proxy config
TarasSpashchenko Jul 5, 2026
6cfe172
feat(proxy): add local CA and leaf certificate lifecycle for mcp-auth…
TarasSpashchenko Jul 5, 2026
eb4f844
feat(proxy): serve mcp-auth-proxy over https when tls material is pro…
TarasSpashchenko Jul 5, 2026
f2d514a
feat(proxy): wire tls through mcp-auth-proxy runtime, daemon flag, an…
TarasSpashchenko Jul 5, 2026
ed5c550
feat(proxy): add ca-pinned loopback control-plane client for mcp-auth…
TarasSpashchenko Jul 5, 2026
ee2c24a
feat(proxy): add os trust-store command builders and runner for the l…
TarasSpashchenko Jul 5, 2026
1acf32e
feat(cli): add --tls start flag, trust subcommand, and https-aware st…
TarasSpashchenko Jul 5, 2026
6cc642d
docs: document mcp-auth-proxy --tls and trust subcommand
TarasSpashchenko Jul 5, 2026
7bc2cfe
fix(proxy): address https review findings CR-001..CR-008
TarasSpashchenko Jul 5, 2026
55a4403
docs: transition mcp-auth-proxy-https work item to ready for review
TarasSpashchenko Jul 5, 2026
097f3f0
fix(proxy): make mcp-auth-proxy suite pass on Windows CI
TarasSpashchenko Jul 5, 2026
528d80d
test(proxy): release logger handle before temp cleanup on Windows
TarasSpashchenko Jul 5, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions bin/mcp-auth-proxy-daemon.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
#!/usr/bin/env node

/**
* CodeMie MCP Auth Proxy Daemon entry point
* Imports compiled daemon from dist/
*/
import('../dist/bin/mcp-auth-proxy-daemon.js').catch((error) => {
process.stderr.write(`[mcp-auth-proxy-daemon] Fatal: ${error.message}\n`);
process.exit(1);
});
37 changes: 37 additions & 0 deletions docs/COMMANDS.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ codemie self-update # Update CodeMie CLI itself
codemie doctor [options] # Health check and diagnostics
codemie plugin <command> # Manage native plugins
codemie mcp-proxy <url> # Stdio-to-HTTP MCP proxy with OAuth support
codemie mcp-auth-proxy <start|stop|status|trust> # OAuth-rewriting proxy daemon for remote MCP servers (client_name/scope/resource overrides; config: ~/.codemie/mcp-auth-proxy.json)
codemie codebase <command> # Manage Codebase Memory graph UI
codemie version # Show version information
```
Expand Down Expand Up @@ -138,6 +139,42 @@ CodeMie cannot forcibly log you out from Claude Desktop. It can only write the C
--version # Output the version number
```

## MCP Auth Proxy Commands

```bash
codemie mcp-auth-proxy start # Start the proxy daemon (detached by default)
codemie mcp-auth-proxy start --tls # Serve HTTPS with the locally-generated CodeMie CA
codemie mcp-auth-proxy status # Show daemon status and per-route health
codemie mcp-auth-proxy stop # Stop the daemon and remove its state file
codemie mcp-auth-proxy trust # Install the CodeMie CA in the OS user trust store
codemie mcp-auth-proxy trust --uninstall # Remove the CodeMie CA from the trust store
```

`start` options:

- `--config <path>` — config file path (default: `~/.codemie/mcp-auth-proxy.json`)
- `--port <port>` — override the configured listen port
- `--foreground` — run in the foreground (debugging; `CODEMIE_DEBUG=true` for verbose logs)
- `--tls` — serve the loopback listener over HTTPS using a locally-generated CA + leaf certificate (ECDSA P-256; CA stored under `~/.codemie/mcp-auth-proxy-tls/`). Config-file equivalent: `"tls": true` at the root of `mcp-auth-proxy.json`. Default is plain HTTP.

### `codemie mcp-auth-proxy trust`

Installs the locally-generated CA into the OS **user** trust store so browsers and Claude Desktop accept the proxy's HTTPS certificate:

- Windows: `certutil -addstore -user Root`
- macOS: login keychain via `security add-trusted-cert`
- Linux: NSS user DB (`~/.pki/nssdb`, requires the libnss3-tools `certutil`; this is what Chromium/Electron read)

Prints the CA path, subject CN, SHA-256 fingerprint, and validity. On unsupported systems or missing tools it prints manual instructions and exits non-zero. `--uninstall` removes only the CodeMie CA (matched by its exact subject CN).

### HTTPS / Claude Desktop

Claude Desktop refuses to open non-`https` OAuth authorize URLs. With TLS enabled the proxy advertises its OAuth endpoints as `https://127.0.0.1:<port>/...`, so the Desktop authorize flow works once the CA is trusted (`codemie mcp-auth-proxy trust`).

- With TLS enabled, the printed `claude mcp add` hints use `https://` URLs, and `start` warns that routes previously registered with `http://` URLs must be re-registered.
- `status` / `stop` are protocol-aware: they read the daemon state's `tls` flag and pin the local CA for control-plane requests (no certificate-check bypass).
- Node-based clients (e.g. Claude Code CLI) do not read the OS trust store — for TLS routes set `NODE_EXTRA_CA_CERTS=~/.codemie/mcp-auth-proxy-tls/ca.crt`, or keep the default plain-HTTP mode.

## Agent Shortcuts

Direct access to agents with automatic configuration.
Expand Down
Loading
Loading