mathias/hyperguild
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(mcp): optional bearer-token auth via SUPERVISOR_MCP_TOKEN
All checks were successful
CI / Lint / Test / Vet (push) Successful in 10s
Details
CI / Mirror to GitHub (push) Successful in 3s
Details

Browse Source 
Enables exposing the supervisor MCP via Tailscale Funnel for claude.ai
custom-connector tests. Auth is opt-in: empty SUPERVISOR_MCP_TOKEN
preserves the existing unauthenticated behavior for tailnet-internal
callers and local dev.

When the token is set, every request must carry
"Authorization: Bearer <token>" or it is rejected with HTTP 401 and a
JSON-RPC -32001 error. Comparison uses crypto/subtle.ConstantTimeCompare;
the token value and the supplied header are never logged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mathias Bergqvist
2026-05-04 07:31:29 +02:00
parent 1b9c4905a5
commit 928f23ab1b
6 changed files with 93 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/config/config.go
View File

@@ -13,6 +13,7 @@ type Config struct {
KBRetrievalURL string // KB_RETRIEVAL_URL — base URL for brain_search
SessionsDir string // SUPERVISOR_SESSIONS_DIR, default ./brain/sessions
BrainDir string // SUPERVISOR_BRAIN_DIR, default ./brain
MCPAuthToken string // SUPERVISOR_MCP_TOKEN — optional bearer token for MCP HTTP; empty disables auth
}
func Load() (Config, error) {
@@ -28,6 +29,7 @@ func Load() (Config, error) {
cfg.KBRetrievalURL = envOr("KB_RETRIEVAL_URL", "")
cfg.SessionsDir = envOr("SUPERVISOR_SESSIONS_DIR", "./brain/sessions")
cfg.BrainDir = envOr("SUPERVISOR_BRAIN_DIR", "./brain")
cfg.MCPAuthToken = os.Getenv("SUPERVISOR_MCP_TOKEN")
return cfg, nil
}

4
internal/config/config_test.go
View File

@@ -16,6 +16,7 @@ func TestLoadDefaults(t *testing.T) {
t.Setenv("INGEST_BASE_URL", "")
t.Setenv("SUPERVISOR_SESSIONS_DIR", "")
t.Setenv("SUPERVISOR_BRAIN_DIR", "")
t.Setenv("SUPERVISOR_MCP_TOKEN", "")
cfg, err := config.Load()
require.NoError(t, err)
@@ -25,6 +26,7 @@ func TestLoadDefaults(t *testing.T) {
assert.Equal(t, "http://localhost:3300", cfg.IngestBaseURL)
assert.Equal(t, "./brain/sessions", cfg.SessionsDir)
assert.Equal(t, "./brain", cfg.BrainDir)
assert.Equal(t, "", cfg.MCPAuthToken)
}
func TestLoadFromEnv(t *testing.T) {
@@ -32,6 +34,7 @@ func TestLoadFromEnv(t *testing.T) {
t.Setenv("LITELLM_BASE_URL", "http://localhost:4000")
t.Setenv("LITELLM_API_KEY", "test-key")
t.Setenv("SUPERVISOR_CONFIG_DIR", "/etc/supervisor")
t.Setenv("SUPERVISOR_MCP_TOKEN", "secret-token")
cfg, err := config.Load()
require.NoError(t, err)
@@ -39,4 +42,5 @@ func TestLoadFromEnv(t *testing.T) {
assert.Equal(t, "http://localhost:4000", cfg.LiteLLMBaseURL)
assert.Equal(t, "test-key", cfg.LiteLLMAPIKey)
assert.Equal(t, "/etc/supervisor", cfg.ConfigDir)
assert.Equal(t, "secret-token", cfg.MCPAuthToken)
}