feat(harness): auth mode + container path on the registry (phase 2) #16

Merged
pti merged 1 commit from feat-harness-registry-p2 into main 2026-07-07 16:37:31 +02:00
Owner

Phase 2 of design/harness-descriptor.md — auth + the container path onto the shared registry.

What

  • AuthMode per descriptor: AuthUnverified (default) / AuthHeader (claude) / AuthNone. harness.Write fails loudly if a token is supplied for an AuthUnverified harness — no more silently emitting a config that 401s. Localhost/stdio (no token) is unaffected, so wraptool init behaviour is unchanged.
  • Params.Dir (write location) + Token/CWD wired: claude renders Authorization: Bearer <token> when a token is set.
  • bringUpGuixContainer writes .mcp.json via harness.Write("claude", …) — deletes the claude-only writeMCPConfig. Bonus: the container now gets merge-preserving writes (keeps your other MCP servers), matching connect.sh.
  • Parity test retargeted to harness.Write(claude)connect.sh (in the harness package); added auth-header, Dir-resolution, and fail-loud tests.

Verified

E2E up --runtime=guix with an auth_token_file: .mcp.json = type:sse + ?cwd=<host path> + Authorization: Bearer <token>. Full go test ./... + golangci-lint clean.

Next (phase 3): verify + set AuthMode for the other harnesses, up --harness, add pi. (Phase 4: connect.sh shells out to wraptool init.)

🤖 Generated with Claude Code

Phase 2 of `design/harness-descriptor.md` — auth + the container path onto the shared registry. ## What - **`AuthMode`** per descriptor: `AuthUnverified` (default) / `AuthHeader` (claude) / `AuthNone`. `harness.Write` **fails loudly** if a token is supplied for an `AuthUnverified` harness — no more silently emitting a config that 401s. Localhost/stdio (no token) is unaffected, so `wraptool init` behaviour is unchanged. - **`Params.Dir`** (write location) + `Token`/`CWD` wired: claude renders `Authorization: Bearer <token>` when a token is set. - **`bringUpGuixContainer`** writes `.mcp.json` via `harness.Write("claude", …)` — deletes the claude-only `writeMCPConfig`. Bonus: the container now gets **merge-preserving** writes (keeps your other MCP servers), matching `connect.sh`. - Parity test **retargeted** to `harness.Write(claude)` ↔ `connect.sh` (in the harness package); added auth-header, `Dir`-resolution, and fail-loud tests. ## Verified E2E `up --runtime=guix` with an `auth_token_file`: `.mcp.json` = `type:sse` + `?cwd=<host path>` + `Authorization: Bearer <token>`. Full `go test ./...` + golangci-lint clean. Next (phase 3): verify + set `AuthMode` for the other harnesses, `up --harness`, add `pi`. (Phase 4: `connect.sh` shells out to `wraptool init`.) 🤖 Generated with [Claude Code](https://claude.com/claude-code)
feat(harness): auth mode + container path on the registry (phase 2)
All checks were successful
Lint / lint (pull_request) Successful in 15s
fdeb19fdf1
Phase 2 of design/harness-descriptor.md. Add a per-harness AuthMode
(AuthUnverified default, AuthHeader for claude) and a Params.Dir (write
location) / Token / CWD so harness.Write serves the networked container, not
just localhost init. claude renders an Authorization: Bearer header when a token
is set; Write fails loudly if a token is supplied for an AuthUnverified harness
(instead of silently emitting a config that 401s).

bringUpGuixContainer now writes .mcp.json via harness.Write("claude", ...) —
deleting the claude-only writeMCPConfig reimplementation. The container gains
merge-preserving writes (keeps other MCP servers) for free, matching connect.sh.

The writeMCPConfig↔connect.sh parity test retargets to harness.Write(claude)↔
connect.sh in the harness package; added auth-header, Dir-resolution, and
fail-loud tests. Verified e2e: `up --runtime=guix` writes type:sse + ?cwd= +
Bearer from auth_token_file. Full go test ./... + golangci-lint clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
pti merged commit ec417786bf into main 2026-07-07 16:37:31 +02:00
pti deleted branch feat-harness-registry-p2 2026-07-07 16:37:32 +02:00
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
pti/wraptool!16
No description provided.