feat(mcp): direct HTTP transport with env-var auth for flags MCP#42
Closed
vahidlazio wants to merge 3 commits into
Closed
feat(mcp): direct HTTP transport with env-var auth for flags MCP#42vahidlazio wants to merge 3 commits into
vahidlazio wants to merge 3 commits into
Conversation
The confidence-flags MCP server now authenticates through a bundled
stdio proxy (scripts/confidence-mcp-proxy.mjs) with two modes:
- Session mode: reads the token the onboard-confidence skill persists
to $TMPDIR/confidence_token on every request. Once the user logs in
via the onboarding flow, flag tools appear automatically within
seconds (tools/list_changed) — no manual authenticate or reconnect.
- OAuth mode: when no skill token exists, delegates to mcp-remote,
which runs the standard MCP OAuth browser flow once and silently
refreshes cached credentials on later sessions.
If the user logs in mid-session, the proxy switches from OAuth to
session mode transparently. A present-but-expired token hints to re-run
the onboarding login instead of popping a browser.
Wired for all agents: Claude Code/Cursor/Codex via .mcp.json
(${CLAUDE_PLUGIN_ROOT:-.} so it also works as a project config) and
Gemini CLI via ${extensionPath} in gemini-extension.json.
confidence-docs needs no auth and stays direct HTTP.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sessions now survive restarts. The onboarding skill persists
{access_token, refresh_token, client_id} to ~/.confidence/session.json
(0600) in addition to the $TMPDIR working cache, and tries a silent
refresh-token exchange before falling back to browser auth.
The MCP proxy resolves tokens in order: $TMPDIR cache, persisted
session, refresh grant against auth.confidence.dev/oauth/token (with
rotation handling and a failure cooldown). Refreshed tokens are synced
back to both stores, so a new agent session starts already logged in
with working flag tools and the skill's curl calls reuse the same
refreshed token.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Collaborator
Author
|
Added in 507c45c: persistent sessions with automatic token refresh — you stay logged in across new agent sessions and restarts.
Verified: session.json → bearer resolution + |
Switch confidence-flags from stdio proxy to direct HTTP connection to mcp.confidence.dev using CONFIDENCE_API_KEY env var as Bearer token. This eliminates the proxy for the MCP connection, simplifies auth to a single env var, and works in both local and remote agents. The skill now writes the token to settings.local.json env after auth and reads CONFIDENCE_API_KEY first on startup and in curl calls. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
mcp.confidence.devfor theconfidence-flagsMCP serverCONFIDENCE_API_KEYenv var (Bearer token in header) — works in local clients and remote agents.claude/settings.local.jsonenv after auth, reads it back on startup and in curl callsconfidence-mcp-proxy.mjs) kept in repo but no longer used by.mcp.json— can be removed in a follow-upHow it works
CONFIDENCE_API_KEYenv var → MCP uses itCONFIDENCE_API_KEYenv var in routine config → both skill and MCP authenticatedTest plan
/confidence:onboard-confidence→ verify token written to settings.local.json env/mcp→ verify confidence-flags connects with tools after auth🤖 Generated with Claude Code