Skip to content

feat(mcp): direct HTTP transport with env-var auth for flags MCP#42

Closed
vahidlazio wants to merge 3 commits into
mainfrom
feat/mcp-auto-auth
Closed

feat(mcp): direct HTTP transport with env-var auth for flags MCP#42
vahidlazio wants to merge 3 commits into
mainfrom
feat/mcp-auto-auth

Conversation

@vahidlazio

@vahidlazio vahidlazio commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Replace stdio proxy with direct HTTP connection to mcp.confidence.dev for the confidence-flags MCP server
  • Auth via CONFIDENCE_API_KEY env var (Bearer token in header) — works in local clients and remote agents
  • Skill writes token to .claude/settings.local.json env after auth, reads it back on startup and in curl calls
  • Proxy (confidence-mcp-proxy.mjs) kept in repo but no longer used by .mcp.json — can be removed in a follow-up

How it works

  • Local: skill authenticates via browser OAuth → writes token to CONFIDENCE_API_KEY env var → MCP uses it
  • Remote: set CONFIDENCE_API_KEY env var in routine config → both skill and MCP authenticated
  • Token refresh: skill handles refresh silently, updates the env var in settings.local.json

Test plan

  • Run /confidence:onboard-confidence → verify token written to settings.local.json env
  • Check /mcp → verify confidence-flags connects with tools after auth
  • Test MCP tool calls (list flags, resolve flag) work with the token
  • Test expired token → skill refresh → MCP reconnects with new token

🤖 Generated with Claude Code

The confidence-flags MCP server now authenticates through a bundled
stdio proxy (scripts/confidence-mcp-proxy.mjs) with two modes:

- Session mode: reads the token the onboard-confidence skill persists
  to $TMPDIR/confidence_token on every request. Once the user logs in
  via the onboarding flow, flag tools appear automatically within
  seconds (tools/list_changed) — no manual authenticate or reconnect.
- OAuth mode: when no skill token exists, delegates to mcp-remote,
  which runs the standard MCP OAuth browser flow once and silently
  refreshes cached credentials on later sessions.

If the user logs in mid-session, the proxy switches from OAuth to
session mode transparently. A present-but-expired token hints to re-run
the onboarding login instead of popping a browser.

Wired for all agents: Claude Code/Cursor/Codex via .mcp.json
(${CLAUDE_PLUGIN_ROOT:-.} so it also works as a project config) and
Gemini CLI via ${extensionPath} in gemini-extension.json.
confidence-docs needs no auth and stays direct HTTP.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@vahidlazio vahidlazio marked this pull request as draft July 7, 2026 12:55
Sessions now survive restarts. The onboarding skill persists
{access_token, refresh_token, client_id} to ~/.confidence/session.json
(0600) in addition to the $TMPDIR working cache, and tries a silent
refresh-token exchange before falling back to browser auth.

The MCP proxy resolves tokens in order: $TMPDIR cache, persisted
session, refresh grant against auth.confidence.dev/oauth/token (with
rotation handling and a failure cooldown). Refreshed tokens are synced
back to both stores, so a new agent session starts already logged in
with working flag tools and the skill's curl calls reuse the same
refreshed token.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@vahidlazio

Copy link
Copy Markdown
Collaborator Author

Added in 507c45c: persistent sessions with automatic token refresh — you stay logged in across new agent sessions and restarts.

  • The onboarding skill now persists {access_token, refresh_token, client_id} to ~/.confidence/session.json (0600) alongside the $TMPDIR cache, and tries a silent refresh-token exchange (auth.confidence.dev/oauth/token, grant_type=refresh_token) before falling back to browser auth. Client IDs recorded per auth step since Auth0 rejects cross-client refresh.
  • The proxy resolves tokens: $TMPDIR cache → persisted session → refresh grant (handles Auth0 refresh-token rotation, 60s cooldown after failure). Refreshed tokens sync back to both stores so the skill's curls reuse them.
  • New-session cold start with only session.json present: proxy refreshes and the flag tools are live immediately — no login, no browser, no /mcp.

Verified: session.json → bearer resolution + $TMPDIR sync, expired-token + failed-refresh degradation (empty tools + login hint, no browser popup), mode selection with only session.json present. The successful-refresh path needs a live refresh token — added to the test plan.

@vahidlazio vahidlazio changed the title feat(mcp): automatic auth for the flags MCP server on all agents feat(mcp): automatic auth with persistent sessions for the flags MCP server on all agents Jul 7, 2026
Switch confidence-flags from stdio proxy to direct HTTP connection
to mcp.confidence.dev using CONFIDENCE_API_KEY env var as Bearer token.
This eliminates the proxy for the MCP connection, simplifies auth to
a single env var, and works in both local and remote agents.

The skill now writes the token to settings.local.json env after auth
and reads CONFIDENCE_API_KEY first on startup and in curl calls.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vahidlazio vahidlazio changed the title feat(mcp): automatic auth with persistent sessions for the flags MCP server on all agents feat(mcp): direct HTTP transport with env-var auth for flags MCP Jul 7, 2026
@vahidlazio vahidlazio closed this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant