feat(auth): add Dex JWT middleware to supervisor, routing pod, and brain MCP

Closes #6 on gitea.d-ma.be/mathias/hyperguild. Dex is deployed at auth.d-ma.be. All three MCP servers now accept JWTs issued by Dex in addition to static bearer tokens, enabling claude.ai OAuth 2.0 integration without abandoning backward-compat CLI auth. Changes: - internal/auth/: new Validator (JWKS auto-refresh via lestrrat-go/jwx/v2), ProtectedResourceHandler (RFC 9728 /.well-known/oauth-protected-resource) - internal/mcp/Server: adds optional *auth.Validator; checkAuth tries JWT first, then static token fallback; both-nil = auth disabled (unchanged default) - cmd/supervisor, cmd/routing: construct Validator from DEX_ISSUER_URL + MCP_AUDIENCE env vars; register protected-resource handler when set - ingestion/internal/auth/: same Validator + handler (separate module) - ingestion/internal/mcp/BearerAuth: same JWT-or-static chain - ingestion/cmd/server: same wiring pattern New env vars (all optional; absent = static-token-only, same as before): DEX_ISSUER_URL — Dex issuer URL (e.g. https://auth.d-ma.be) MCP_AUDIENCE — expected aud claim (e.g. brain, supervisor) MCP_RESOURCE_URL — resource identifier for RFC 9728 metadata response Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 20:10:05 +02:00
parent 1c3c9de550
commit c7e0192486
19 changed files with 934 additions and 53 deletions
--- a/cmd/routing/main.go
+++ b/cmd/routing/main.go
@@ -14,6 +14,7 @@ import (
 	"os"
 	"time"

+	"github.com/mathiasbq/supervisor/internal/auth"
 	"github.com/mathiasbq/supervisor/internal/config"
 	iexec "github.com/mathiasbq/supervisor/internal/exec"
 	"github.com/mathiasbq/supervisor/internal/mcp"
@@ -98,13 +99,31 @@ func main() {
 		CompleteFunc: trainer.CompleteFunc(wrap("trainer")),
 	}))

-	srv := mcp.NewServer(reg, cfg.MCPAuthToken)
+	var validator *auth.Validator
+	if dexURL := os.Getenv("DEX_ISSUER_URL"); dexURL != "" {
+		audience := os.Getenv("MCP_AUDIENCE")
+		v, err := auth.NewValidator(dexURL, audience)
+		if err != nil {
+			logger.Error("build jwt validator", "err", err)
+			os.Exit(1)
+		}
+		validator = v
+		logger.Info("jwt auth enabled", "issuer", dexURL)
+	}
+
+	srv := mcp.NewServer(reg, cfg.MCPAuthToken, validator)
 	mux := http.NewServeMux()
 	mux.Handle("/mcp", srv)
 	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	})

+	if dexURL := os.Getenv("DEX_ISSUER_URL"); dexURL != "" {
+		resourceURL := os.Getenv("MCP_RESOURCE_URL")
+		mux.HandleFunc("GET /.well-known/oauth-protected-resource",
+			auth.ProtectedResourceHandler(resourceURL, dexURL))
+	}
+
 	addr := ":" + cfg.Port
 	logger.Info("routing pod starting", "addr", addr,
 		"fast", cfg.FastModel, "thinking", cfg.ThinkingModel,