einherjar/mcp
2
0
Fork 0
Code Issues Pull Requests Packages Releases 2 Activity
Files
main
mcp/internal/index/builtins/README.md

339 lines
10 KiB
Markdown
Raw Permalink Normal View History

feat(mcp): initial implementation — MCP server, framework indexer, 10 tools, 8 validation rules (v0.1.0) Introduces code.nochebuena.dev/einherjar/mcp — the Einherjar Model Context Protocol server. A remote, streamable-HTTP service that teaches AI assistants about every other module of the framework: which package exposes which type, what each module guarantees through its compliance tests, the canonical wiring shape for a service, and whether a Go snippet follows the conventions. Indexes the framework on disk at build time and ships a self-contained binary via go:embed; imports nothing from other einherjar/* modules at compile time. server (cmd/server): - Streamable-HTTP MCP server built on github.com/modelcontextprotocol/go-sdk v1.0.0 - mcp.NewServer + mcp.NewStreamableHTTPHandler, served via net/http on EINHERJAR_MCP_ADDR (default :8080) and EINHERJAR_MCP_PATH (default /mcp) - /healthz liveness endpoint; structured JSON logging via log/slog - Loads the embedded data/index.json once at startup; in-memory for the process lifetime indexer (cmd/indexer): - Walks an Einherjar repository checkout (default ../), parses every sibling module's go.mod, README.md, CHANGELOG.md, docs/adr/ADR-*.md, doc.go package comments, every exported type/interface/func/method/const/var (via go/doc on go/parser ASTs), and compliance_test.go - Captures module dependency edges by regex over each go.mod's require lines (einherjar/* paths only; self-reference filtered) - Appends a synthetic "wire" module documenting canonical application wiring conventions, authored at internal/index/builtins/README.md and embedded via go:embed; participates in list_modules / get_module / get_example like a real module internal/index: - Schema einherjar.mcp/index/v1; types: Index, Module, SubPackage, Symbol, ADR, Example, Compliance, InterfaceAssert, ComplianceTest - Build(repoRoot) → *Index walks the repo; BuildBuiltins() returns the synthetic wire module from the embedded markdown - Load([]byte) → *Index validates the schema version on read - FindModule, SearchSymbols helpers used by tools internal/tools (10 tools): - list_modules — enumerate every module with purpose + sub-packages - get_module — package doc, dependencies, sub-packages, key symbols, ADRs, compliance counts; optional embedded README - search_symbols — full-text across name, doc, sub-package, module; filterable by module and kind - get_symbol — full signature, doc comment, source file:line for one symbol - list_adrs — list ADRs across the framework or within one module - get_adr — fetch one ADR's markdown body - get_example — canonical usage snippets extracted from module READMEs and from the synthetic wire conventions - get_compliance — interface assertions (var _ Iface = impl) and structural test names from a module's compliance_test.go - get_changelog — full CHANGELOG.md markdown for one module - validate_snippet — pattern-match a Go snippet against framework conventions internal/rules (8 rules, registered via init() against a single registered slice): - launcher.missing-run — launcher constructed but Run() never called - launcher.no-components — launcher.New() called without any .Append(...) - launcher.run-error-discarded — lc.Run() invoked as an ExprStmt (return ignored) - logz.direct-env-read — os.Getenv("EINHERJAR_LOG_*") bypassing logz config - web.server-not-appended — web/server constructed but not added to the launcher - wire.hook-bad-signature — with<Feature>(...) first param is not launcher.Launcher - wire.hook-outside-beforestart — repo/service/handler construction or route registration at the top level of a hook (outside lc.BeforeStart) - wire.route-specific-after-param — /users/{id} registered before a sibling /users/me of the same length and method (chi would shadow the literal route) Synthetic wire module (internal/index/builtins/README.md): - Project layout (cmd/<app>/main.go + internal/wire/*.go + per-feature domain dirs) - Canonical Run() shape: config → logger → infra (db, cache, pool, mc, srv) → cross- cutting (validator, permission provider) → launcher.New → lc.Append(infra...) → withMigrations / withSuperAdminSeed / withHealth / withFeature hooks → return lc.Run() - Canonical with<Feature> hook shape: signature (launcher.Launcher first, server.Server second, deps last), single lc.BeforeStart closure containing all construction + route registration - chi route ordering, srv.With(authz(...)) authorization, middleware helpers (authz / skipPublicPaths / skipMethodPath), tokenSignerAdapter pattern showing that the framework exposes Signer.Sign as a primitive and the application owns the access/refresh response shape Packaging: - Multi-stage Dockerfile that builds from the einherjar repository root (docker build -f mcp/Dockerfile .) so cmd/indexer can walk every sibling module at image-build time; runtime layer is gcr.io/distroless/static-debian12:nonroot - 86-byte placeholder data/index.json committed once with `git add -f`; subsequent indexer runs overwrite it locally but the file is .gitignored - .gitea/CODEOWNERS and pull_request_template.md mirror the sibling layout Design notes: - mcp depends on nothing in einherjar/* — it reads the framework via the filesystem at index time. This keeps mcp outside the framework dependency graph and lets it index any version of einherjar without versioning itself in lock-step. - All structured-output tool responses initialise empty slices ([]Type{}) rather than relying on Go's nil-marshals-to-null default, so the SDK's JSON-schema output validator never rejects a tools/call result.
2026-05-29 18:12:45 +00:00
# Wiring Conventions
> Forging a service is mostly wiring. Do it the same way every time.
This is not an Einherjar *module* — it is the canonical *application* shape
that uses Einherjar modules. Apps live in their own repository with an
`internal/wire/` package that mirrors this template. The conventions here are
distilled from a production service that has shipped on the predecessor
micro-libs (`code.nochebuena.dev/go/*`) and have been re-mapped to the
einherjar import paths.
## Project layout
```
cmd/<app>/main.go one-line entrypoint that calls wire.Run()
internal/wire/launcher.go Run() — builds infra and registers feature hooks
internal/wire/<feature>.go one file per feature, hosts a with<Feature> hook
internal/wire/middleware.go authz, skipPublicPaths, skipMethodPath helpers
internal/wire/migrations.go withMigrations hook
internal/wire/seed.go withSuperAdminSeed and other startup seeds
internal/<feature>/dto/ request/response DTOs
internal/<feature>/handler/ HTTP handlers
internal/<feature>/repository/ data access
internal/<feature>/service/ domain logic
```
`cmd/<app>/main.go` must contain nothing but the call to `wire.Run()` and an
`os.Exit(1)` on error. Everything else lives in `internal/wire/`.
## Run
The application entry point. The order below is load-bearing: configuration
first, observability second, infrastructure third, cross-cutting helpers
fourth, then the launcher with every component appended, then feature hooks,
then `lc.Run()`.
```go
package wire
import (
"strings"
"github.com/google/uuid"
authjwt "code.nochebuena.dev/einherjar/auth-jwt"
"code.nochebuena.dev/einherjar/auth/authmw"
"code.nochebuena.dev/einherjar/auth/rbac"
"code.nochebuena.dev/einherjar/cache-valkey"
"code.nochebuena.dev/einherjar/core/launcher"
"code.nochebuena.dev/einherjar/core/logz"
"code.nochebuena.dev/einherjar/core/valid"
"code.nochebuena.dev/einherjar/db-postgres"
"code.nochebuena.dev/einherjar/storage-minio"
"code.nochebuena.dev/einherjar/web/mw"
"code.nochebuena.dev/einherjar/web/server"
"code.nochebuena.dev/einherjar/worker"
"myapp/internal/config"
)
func Run() error {
cfg, err := config.Load()
if err != nil {
return err
}
logger := logz.New(logz.Config{
JSON: !strings.EqualFold(cfg.AppEnv, "local"),
StaticArgs: []any{"service", "myapp", "env", cfg.AppEnv},
})
signer := authjwt.NewHMACSigner([]byte(cfg.JWT.Secret))
publicPaths := []string{
"/health",
"/api/v1/auth/login",
"/api/v1/auth/refresh",
}
db := postgres.New(logger, cfg.PG)
cache := valkey.New(logger, cfg.VK)
pool := worker.New(logger, cfg.Worker)
mc := minio.New(logger, cfg.MinIO)
srv := server.New(logger, cfg.Server,
server.WithMiddleware(
mw.RequestID(uuid.NewString),
mw.Recover(logger),
mw.CORS(cfg.CORSOrigins),
mw.RequestLogger(logger),
authjwt.AuthMiddleware(logger, signer, publicPaths),
authmw.EnrichmentMiddleware(logger, &claimsEnricher{}),
),
)
v := valid.New(valid.WithMessageProvider(valid.SpanishMessages))
provider := rbac.NewClaimsPermissionProvider("masks", claimsFromCtx)
lc := launcher.New(logger)
lc.Append(db, cache, pool, mc, srv)
withMigrations(lc, logger, cfg)
withSuperAdminSeed(lc, db, logger, cfg)
withHealth(lc, srv, logger, db, cache, mc)
withUsers(lc, srv, db, logger, provider, v)
// … one withFeature(...) call per feature in your domain.
return lc.Run()
}
```
## Feature hook
One file per feature in `internal/wire/`. The function signature is fixed:
`launcher.Launcher` first, `server.Server` second when registering routes,
deps last. The body is *one* call to `lc.BeforeStart`. Everything else —
repository construction, service construction, handler construction, route
registration — lives inside the closure.
```go
package wire
import (
"code.nochebuena.dev/einherjar/contracts/security"
"code.nochebuena.dev/einherjar/core/launcher"
"code.nochebuena.dev/einherjar/core/logz"
"code.nochebuena.dev/einherjar/core/valid"
"code.nochebuena.dev/einherjar/db-postgres"
"code.nochebuena.dev/einherjar/web/server"
"myapp/internal/domains"
userhandler "myapp/internal/user/handler"
userrepo "myapp/internal/user/repository"
usersvc "myapp/internal/user/service"
)
func withUsers(
lc launcher.Launcher,
srv server.Server,
db postgres.Component,
logger logz.Logger,
provider security.PermissionProvider,
v valid.Validator,
) {
lc.BeforeStart(func() error {
repo := userrepo.New(db)
uow := postgres.NewUnitOfWork(logger, db)
svc := usersvc.New(repo, uow)
h := userhandler.New(svc, v)
// Literal-segment routes register BEFORE parametrised siblings.
// chi matches the first registered route that fits; if /users/{id}
// came first, "me" would bind to {id} and /users/me/password would
// never be reached.
srv.Put("/api/v1/users/me/password", h.ChangeOwnPassword)
srv.With(authz(provider, domains.ResourceUsers, domains.GrantReadUser)).
Get("/api/v1/users", h.ListUsers)
srv.With(authz(provider, domains.ResourceUsers, domains.GrantCreateUser)).
Post("/api/v1/users", h.CreateUser)
srv.With(authz(provider, domains.ResourceUsers, domains.GrantUpdateUser)).
Put("/api/v1/users/{user_id}", h.UpdateUser)
srv.With(authz(provider, domains.ResourceUsers, domains.GrantDeleteUser)).
Delete("/api/v1/users/{user_id}", h.DeleteUser)
return nil
})
}
```
## Route ordering
chi matches paths in registration order. Always register literal-segment
routes before parametrised-segment routes that share the same prefix.
✅ Correct:
```go
srv.Put("/api/v1/users/me/password", h.ChangeOwnPassword)
srv.Put("/api/v1/users/{user_id}", h.UpdateUser)
```
❌ Wrong — chi binds `me` to `{user_id}` and the literal route is unreachable:
```go
srv.Put("/api/v1/users/{user_id}", h.UpdateUser)
srv.Put("/api/v1/users/me/password", h.ChangeOwnPassword)
```
## Authorization
Every protected route registers with `.With(authz(provider, resource, grant))`:
```go
srv.With(authz(provider, domains.ResourceUsers, domains.GrantReadUser)).
Get("/api/v1/users", h.ListUsers)
```
Resource constants and grant bits live in `internal/domains/`. Routes that
the caller owns (`/me/...`) intentionally skip authz — they are reachable to
any authenticated user.
## Middleware helpers
These belong in `internal/wire/middleware.go` and are used across every
feature hook.
```go
// authz returns a per-route authorization middleware that checks one bit.
func authz(p security.PermissionProvider, resource string, bit int) func(http.Handler) http.Handler {
return authmw.AuthzMiddleware(nil, p, resource, security.Permission(bit))
}
// skipPublicPaths wraps mw so it is bypassed for any path that matches publicPaths.
// Use this for middleware that must not run on unauthenticated endpoints
// (e.g. EnrichmentMiddleware).
func skipPublicPaths(publicPaths []string, mw func(http.Handler) http.Handler) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
inner := mw(next)
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
for _, p := range publicPaths {
if matched, _ := path.Match(p, r.URL.Path); matched {
next.ServeHTTP(w, r)
return
}
}
inner.ServeHTTP(w, r)
})
}
}
// skipMethodPath bypasses mw only when BOTH method and path match. Use this
// to expose ONE method on an otherwise-authenticated path (e.g. GET
// /api/v1/config public while PUT is not). Adding such a path to
// publicPaths would silently strip identity from context on the protected
// methods, breaking authz().
func skipMethodPath(method, pathPattern string, mw func(http.Handler) http.Handler) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
inner := mw(next)
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == method {
if matched, _ := path.Match(pathPattern, r.URL.Path); matched {
next.ServeHTTP(w, r)
return
}
}
inner.ServeHTTP(w, r)
})
}
}
```
## Adapters at the wire boundary
When a framework type does not match a service-layer port, write a small
typed adapter in `internal/wire/`. Always compile-time assert with
`var _ TargetIface = (*adapter)(nil)`.
The framework intentionally exposes only `Signer.Sign(claims) (string, error)`
— **the framework gives you a signing primitive; the access/refresh strategy,
claim layout, and response shape are application concerns.** A "helper" that
returned a fixed `{access, refresh, type, expiresIn}` struct would silently
decide for every app whether refresh tokens exist, what fields to expose,
and what casing to use. Those are wire-format choices the app owns.
```go
import (
"time"
"github.com/golang-jwt/jwt/v5"
"github.com/google/uuid"
authjwt "code.nochebuena.dev/einherjar/auth-jwt"
)
type tokenSignerAdapter struct {
signer authjwt.Signer
cfg authjwt.TokenConfig
}
var _ authsvc.TokenSigner = (*tokenSignerAdapter)(nil)
func (a *tokenSignerAdapter) IssueTokenPair(subject string, custom map[string]any) (authdto.TokenPairResponse, error) {
now := time.Now()
access := jwt.MapClaims{
"sub": subject,
"iss": a.cfg.Issuer,
"iat": now.Unix(),
"exp": now.Add(a.cfg.AccessTTL).Unix(),
}
for k, v := range custom {
access[k] = v
}
accessToken, err := a.signer.Sign(access)
if err != nil {
return authdto.TokenPairResponse{}, err
}
refreshToken, err := a.signer.Sign(jwt.MapClaims{
"sub": subject,
"jti": uuid.NewString(),
"iat": now.Unix(),
"exp": now.Add(a.cfg.RefreshTTL).Unix(),
})
if err != nil {
return authdto.TokenPairResponse{}, err
}
return authdto.TokenPairResponse{
AccessToken: accessToken,
RefreshToken: refreshToken,
TokenType: "Bearer",
ExpiresIn: int(a.cfg.AccessTTL.Seconds()),
}, nil
}
```
## Migrations and seeds
Migrations and seeds register as `BeforeStart` hooks too. They run after all
components have initialised but before any of them have started, so the
database is reachable and the server is not yet accepting traffic.
```go
func withMigrations(lc launcher.Launcher, logger logz.Logger, cfg config.Config) {
lc.BeforeStart(func() error {
if err := migrations.RunMigrations(context.Background(), logger, cfg); err != nil {
logger.Error("migrations: failed to apply", err)
return err
}
return nil
})
}
```
Seeds must be **idempotent**: count first, only mutate when needed, log the
skip when nothing was done.
Reference in New Issue Copy Permalink