smart-mcp-proxy
diff --git a/‎specs/057-in-proxy-profiles/contracts/mcp-profile-endpoint.md‎
Lines changed: 42 additions & 0 deletions b/‎specs/057-in-proxy-profiles/contracts/mcp-profile-endpoint.md‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎specs/057-in-proxy-profiles/contracts/profiles-config.schema.json‎
Lines changed: 42 additions & 0 deletions b/‎specs/057-in-proxy-profiles/contracts/profiles-config.schema.json‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎specs/057-in-proxy-profiles/data-model.md‎
Lines changed: 66 additions & 0 deletions b/‎specs/057-in-proxy-profiles/data-model.md‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎specs/057-in-proxy-profiles/plan.md‎
Lines changed: 100 additions & 0 deletions b/‎specs/057-in-proxy-profiles/plan.md‎
Lines changed: 100 additions & 0 deletions
@@ -0,0 +1,42 @@
+# Contract: `/mcp/p/<slug>` profile-scoped MCP endpoint
+
+Stateless, pinned selector. Same MCP protocol surface as `/mcp`; the only difference is the effective server set. Reuses the retrieve_tools-mode MCP server instance; profile resolution is via `profileMiddleware` (runs **after** `mcpAuthMiddleware`).
+
+## Request resolution
+
+| Condition | Response |
+|-----------|----------|
+| `profiles` absent or empty, any `/mcp/p/<anything>` | **404** JSON `{"error":"no profiles configured"}` (FR-008) |
+| `profiles` non-empty, slug matches no profile | **404** JSON `{"error":"unknown profile '<slug>'","available":["research","deploy"]}` (FR-009) |
+| slug matches profile `P` | **200** — MCP surface identical to `/mcp`, effective server set restricted to `P.servers` (FR-002) |
+| `/mcp`, `/mcp/code`, `/mcp/call` | unchanged — full union, no profile applied (FR-010) |
+
+`/mcp/p/<slug>` is stateless: no global "active profile" is mutated; concurrent requests to different profile URLs from the same client each see only their own profile (FR-003).
+
+## Tool-surface behaviour at `/mcp/p/<slug>`
+
+- `retrieve_tools` returns only tools from servers in the **effective set** (profile ∩ token ∩ enabled ∩ not-quarantined ∩ user-visible). Tools the profile excludes MUST NOT appear (FR-004).
+- `call_tool_read` / `call_tool_write` / `call_tool_destructive` into an excluded server are rejected (FR-004).
+- Per-server `enabled_tools`/`disabled_tools` continue to apply inside the profile (FR-006); no profile-level tool list.
+
+## Scope composition & error attribution
+
+Effective allowed-servers = **intersection** of profile `servers` and (if an agent token is present) `AgentToken.AllowedServers`. A token wildcard `["*"]` is fully constrained by the profile (FR-005). The two checks are independent so errors name the responsible primitive (FR-012):
+
+| Caller | Server | Result |
+|--------|--------|--------|
+| token `{github,fs,web}` @ `/mcp/p/deploy` (`{github,k8s}`) | `github` | allowed (in both) |
+| same | `fs` | rejected — `"server 'fs' is not in profile 'deploy'"` |
+| same | `k8s` | rejected — `"Server 'k8s' is not in scope for this agent token"` |
+| **unauthenticated** @ `/mcp/p/research` | non-`research` server | **rejected by profile** (regression test — must hold even though unauth ⇒ AdminContext) |
+
+## Activity logging
+
+Tool-call activity records originating from `/mcp/p/<slug>` carry `metadata["profile"] = "<slug>"` (FR-011) in the existing `ActivityRecord.Metadata` map. Records from `/mcp` omit the field.
+
+## Edge cases
+
+- Profile references unknown server → warn at load, server omitted (FR-015).
+- Profile references quarantined/disabled server → excluded from effective set while in that state; appears once cleared (no file re-read).
+- Config hot-reload changes a profile mid-connection → in-flight session keeps its snapshot; new connections see the change.
+- Reserved slug defined as a profile (`all`/`code`/`call`/`p`) → rejected at load (never reaches routing).
@@ -0,0 +1,42 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://mcpproxy.app/schemas/057-profiles-config.json",
+  "title": "MCPProxy profiles config (Spec 057)",
+  "description": "Optional top-level `profiles` array. Absent/empty is fully supported (zero migration; /mcp unchanged).",
+  "type": "object",
+  "properties": {
+    "profiles": {
+      "type": "array",
+      "description": "Named, stateless, server-scoped views addressable at /mcp/p/<name>.",
+      "items": { "$ref": "#/definitions/profile" }
+    }
+  },
+  "definitions": {
+    "profile": {
+      "type": "object",
+      "required": ["name", "servers"],
+      "additionalProperties": false,
+      "properties": {
+        "name": {
+          "type": "string",
+          "description": "URL slug. Used verbatim as /mcp/p/<name>. Must be unique. Reserved slugs are rejected.",
+          "pattern": "^[a-z0-9][a-z0-9_-]{0,62}$",
+          "not": { "enum": ["all", "code", "call", "p"] }
+        },
+        "servers": {
+          "type": "array",
+          "description": "References to mcpServers[].name. Unknown names warn-and-skip (FR-015). Empty list is legal (warns; exposes zero tools).",
+          "items": { "type": "string" }
+        }
+      }
+    }
+  },
+  "examples": [
+    {
+      "profiles": [
+        { "name": "research", "servers": ["fs", "web"] },
+        { "name": "deploy", "servers": ["github", "k8s"] }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,66 @@
+# Phase 1 Data Model: In-Proxy Profiles
+
+No persistent storage entities. Two in-memory types + one derived set.
+
+## 1. ProfileConfig (config entity)
+
+Declared in `internal/config/profiles.go`, embedded in `Config.Profiles []ProfileConfig` (after `Servers`, `config.go:109`).
+
+```go
+type ProfileConfig struct {
+    Name    string   `json:"name"`              // URL slug, validated
+    Servers []string `json:"servers"`           // references to mcpServers[].name
+}
+```
+
+**Validation rules** (run in `Config.Validate()`, `loader.go:1521`):
+
+| Rule | Source | Severity |
+|------|--------|----------|
+| `Name` matches `^[a-z0-9][a-z0-9_-]{0,62}$` | FR-007 | **fatal** — reject load, point at offending entry |
+| `Name` ∉ reserved `{all, code, call, p}` | FR-007 | **fatal** |
+| `Name` unique across all profiles | FR-014 | **fatal** — diagnostic names both occurrences |
+| each `Servers[i]` exists in `mcpServers[].name` | FR-015 | **warning** — load, log, omit that server |
+| `Servers` empty | edge case | **warning** — legal "deny everything" placeholder |
+
+**Round-trip**: `omitempty` on `Config.Profiles` keeps SC-004 (absent ⇒ byte-identical via `json.MarshalIndent` in `SaveConfig`).
+
+## 2. ProfileScope (request entity)
+
+Declared in `internal/profile/context.go` (~30 LOC, peer of `internal/auth/context.go`). Immutable, request-scoped, injected by `profileMiddleware`.
+
+```go
+type ProfileScope struct {
+    Name    string              // resolved profile slug (for error messages + activity metadata)
+    servers map[string]struct{} // effective set after warn-skip of unknown servers
+}
+
+func (p *ProfileScope) Allows(serverName string) bool   // membership test; nil receiver ⇒ no profile ⇒ allow-all (the /mcp path)
+
+func WithProfileScope(ctx context.Context, p *ProfileScope) context.Context
+func ProfileScopeFromContext(ctx context.Context) *ProfileScope   // nil when request did not enter via /mcp/p/<slug>
+```
+
+`Allows` semantics: a **nil** `*ProfileScope` (request came through `/mcp`, `/mcp/code`, `/mcp/call`) means no profile filtering — preserves FR-010. A non-nil scope filters to its `servers` set.
+
+## 3. Effective Server Set (derived, per request)
+
+Computed at each scope site as the intersection of all active scoping primitives:
+
+```
+effective(server) =
+       ProfileScope.Allows(server)                      // FR-002/004  (nil scope ⇒ true)
+   AND (!enforceAgentScope OR authCtx.CanAccessServer)   // FR-005 Spec 028 token scope
+   AND server is enabled                                 // edge case: disabled excluded
+   AND server is not quarantined                         // edge case: quarantined excluded
+   AND server visible to this user                       // FR-013 Spec 029 per-user (server edition)
+```
+
+The two new conditions are the `ProfileScope.Allows` checks; the rest already exist. The profile and token checks are **independent** so the rejection error can name the responsible primitive (FR-012):
+
+- profile-blocked: `"server '<s>' is not in profile '<name>'"`
+- token-blocked: existing `"Server '<s>' is not in scope for this agent token"`
+
+## State transitions
+
+`ProfileScope` is immutable for a request's lifetime. Profiles change only via config hot-reload (`configsvc.Update`): in-flight sessions keep their resolved snapshot; new connections resolve against the new config. There is no runtime "active profile" mutation in the MVP (deferred — see spec Out of Scope).
@@ -0,0 +1,100 @@
+# Implementation Plan: In-Proxy Profiles + Permanent URLs
+
+**Branch**: `057-in-proxy-profiles` | **Date**: 2026-06-07 | **Spec**: [spec.md](./spec.md)
+**Input**: Feature specification from `/specs/057-in-proxy-profiles/spec.md`
+
+## Summary
+
+Add an optional top-level `profiles` array to the config. Each profile `{name, servers}` is exposed at a stateless, pinned URL `/mcp/p/<name>` whose protocol surface is identical to `/mcp` except the caller's effective server set is restricted to the profile's `servers`. Filtering composes by **intersection** with agent-token scope (Spec 028) and per-user visibility (Spec 029), and reuses the existing per-server `enabled_tools`/`disabled_tools` for tool-level granularity (Spec 049). No storage, index, or token-model changes.
+
+**Technical approach** (verified against current code, 2026-06-07):
+- A single `/mcp/p/` prefix handler + `profileMiddleware` (registered after `mcpAuthMiddleware`) strips the slug, resolves the profile from the **current** config snapshot (`runtime.Config()`, lock-free atomic read → hot-reload for free), and injects a `ProfileScope` into the request context. The existing retrieve_tools-mode MCP server instance (`p.server`) is reused — **no per-profile server instances** (http.ServeMux can't deregister routes at runtime).
+- Profile filtering runs as a **parallel, auth-type-independent** check at the two existing scope sites (`mcp.go:1113` retrieve_tools, `mcp.go:1529` call_tool_*). It MUST NOT ride the `enforceAgentScope` gate, because an unauthenticated `/mcp/p/...` connection gets `AdminContext()` (where `enforceAgentScope == false`). Two independent checks yield the FR-005 intersection and FR-012 distinct errors for free.
+- `metadata["profile"]` is attached to tool-call activity records originating from a profile URL via the existing `Metadata map[string]interface{}` field (no schema change).
+
+## Technical Context
+
+**Language/Version**: Go 1.24 (toolchain go1.24.10)
+**Primary Dependencies**: `net/http` (ServeMux), `github.com/mark3labs/mcp-go` (MCP protocol, `NewStreamableHTTPServer`), existing `internal/auth`, `internal/config`, `internal/runtime/configsvc` — **no new external dependencies**
+**Storage**: None new. Config lives in `mcp_config.json`; profiles are config-only. Activity metadata reuses existing BBolt `ActivityRecord.Metadata`.
+**Testing**: `go test` (unit), `internal/server` integration tests, `internal/server/e2e_test.go`-style E2E, `./scripts/test-api-e2e.sh`
+**Target Platform**: Linux/macOS/Windows server (personal + server editions, no build-tag divergence — FR-013)
+**Project Type**: Single Go project (`internal/...`)
+**Performance Goals**: Profile filtering is O(servers-in-profile) set lookup over an already-paginated result; below existing `retrieve_tools` E2E latency budget (SC-006). BM25 <100ms invariant (Constitution I) unaffected — index is **not** partitioned.
+**Constraints**: Zero migration; `profiles` absent ⇒ byte-identical config round-trip (SC-004) and unchanged `/mcp`/`/mcp/code`/`/mcp/call` behaviour (SC-002).
+**Scale/Scope**: Server cardinality typically ≤ a few dozen; handful of profiles. 4 files touched + 2 new small files.
+
+## Constitution Check
+
+*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
+
+| Principle | Assessment | Verdict |
+|-----------|-----------|---------|
+| **I. Performance at Scale** | Per-request set-intersection over paginated results; no index reshape; BM25 path untouched. | ✅ PASS |
+| **II. Actor-Based Concurrency** | No new shared mutable state. Profile resolution reads the lock-free `configsvc` atomic snapshot. `ProfileScope` is immutable per-request, injected via context (mirrors `AuthContext`). In-flight sessions keep their snapshot until reconnect. | ✅ PASS |
+| **III. Configuration-Driven Architecture** | Pure config feature: top-level `profiles` array, hot-reloaded via existing `configsvc`. No tray state. | ✅ PASS |
+| **IV. Security by Default** | Profiles only **narrow** access; never broaden. Quarantined/disabled servers excluded from a profile's effective set. Composes with agent tokens and per-user visibility by intersection. Unauth-at-profile-URL regression test mandated. | ✅ PASS |
+| **V. Test-Driven Development** | Spec mandates unit (config + filter), integration, E2E, and backward-compat tests, written red-first. Named regression test gate before merge. | ✅ PASS |
+| **VI. Documentation Hygiene** | Plan updates CLAUDE.md (MCP endpoints table + Built-in tools note), README (profiles section), `docs/`, and `oas/swagger.yaml` if any REST surface added (none in MVP). | ✅ PASS |
+
+**No violations. Complexity Tracking not required.**
+
+The one design choice worth recording (resolved in spec): profile filtering is a **parallel check**, not an `AuthContext.AllowedServers` overwrite. Rationale: an unauthenticated profile connection is `AdminContext()` with `enforceAgentScope=false`; stuffing servers into `AllowedServers` would be bypassed. This is the simpler-of-the-correct options (no `AuthContext`/token-bucket change), so it is not a constitution violation — it is the design that keeps token validation untouched.
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/057-in-proxy-profiles/
+├── plan.md              # This file
+├── research.md          # Phase 0 output — design decisions (mostly pre-resolved in spec)
+├── data-model.md        # Phase 1 output — ProfileConfig, ProfileScope, Effective Server Set
+├── quickstart.md        # Phase 1 output — config + curl walkthrough
+├── contracts/           # Phase 1 output — config JSON schema + /mcp/p/ route contract
+│   ├── profiles-config.schema.json
+│   └── mcp-profile-endpoint.md
+└── tasks.md             # Phase 2 output (/speckit.tasks — separate command)
+```
+
+### Source Code (repository root) — verified file:line seams
+
+```text
+internal/
+├── config/
+│   ├── config.go              # Config struct (L101); add `Profiles []ProfileConfig` after Servers (L109)
+│   ├── loader.go              # Validate() (L1521) — call profile validation; SaveConfig() round-trip (L352)
+│   └── profiles.go            # NEW — ProfileConfig struct, slug regex, reserved-set, dup + unknown-server validation
+├── profile/
+│   └── context.go             # NEW (~30 LOC) — ProfileScope{Allows(server) bool}, WithProfileScope/FromContext (mirrors auth/context.go)
+└── server/
+    ├── server.go              # Register `/mcp/p/` prefix handler + profileMiddleware after mcpAuthMiddleware (near L1690)
+    └── mcp.go                 # Two parallel filter conditions: retrieve_tools (~L1113) + call_tool_* (~L1529); profile metadata write at emitActivity* call sites
+```
+
+**Structure Decision**: Single Go project, existing `internal/` layout. One new sub-package `internal/profile` (request-scoped scope type, peer of `internal/auth`) and one new file `internal/config/profiles.go`. No new top-level dirs, no frontend changes in the MVP (web-UI profile affordances are out of scope), no storage/index packages touched.
+
+## Phase 0 — Research
+
+The spec's *Resolved Design Decisions*, *Assumptions*, and *Implementation Design* sections already retire every open question. `research.md` consolidates them in decision/rationale/alternatives form. No outstanding NEEDS CLARIFICATION. Code-seam verification (2026-06-07) confirmed all 7 referenced seams MATCH current code (`GetMCPServerForMode`, `mcpAuthMiddleware`/`AuthContext`, the two `mcp.go` gates, `Config.Servers`, `ActivityRecord.Metadata`, `configsvc` lock-free snapshot).
+
+## Phase 1 — Design & Contracts
+
+- **data-model.md**: `ProfileConfig` (config entity), `ProfileScope` (request entity), and the *Effective Server Set* derivation (profile ∩ token ∩ not-disabled ∩ not-quarantined ∩ per-user-visible).
+- **contracts/profiles-config.schema.json**: JSON Schema for the `profiles` array (name slug pattern, reserved set, servers list).
+- **contracts/mcp-profile-endpoint.md**: behavioural contract for `/mcp/p/<slug>` (200 surface identical to `/mcp`; 404 bodies for no-profiles / unknown-slug; intersection + error-attribution rules).
+- **quickstart.md**: the two-profile config + curl walkthrough from the spec, runnable end-to-end.
+- **Agent context**: run `.specify/scripts/bash/update-agent-context.sh claude`.
+
+## Phase 2 — Tasks (separate command)
+
+`/speckit.tasks` will generate `tasks.md` from this plan, ordered TDD-first per the spec's Testing Strategy:
+1. Config: `ProfileConfig` + validation (slug/reserved/dup/unknown-server) — unit tests first.
+2. `internal/profile` context + `ProfileScope.Allows`.
+3. Routing: `/mcp/p/` handler + `profileMiddleware` (auth→profile order).
+4. Filter wiring: parallel checks at both `mcp.go` sites + the mandated unauth-at-profile-URL regression test.
+5. Activity `metadata["profile"]`.
+6. Integration + E2E (two-profile isolation, intersection, 404 paths, reserved slug) + backward-compat E2E (SC-002).
+7. Docs (CLAUDE.md, README, docs/).
+
+These tasks are sized for hand-off to Paperclip engineers after the plan is reviewed.