Rene Nochebuena
cc62906c6f
Introduces code.nochebuena.dev/einherjar/mcp — the Einherjar Model Context Protocol
server. A remote, streamable-HTTP service that teaches AI assistants about every
other module of the framework: which package exposes which type, what each module
guarantees through its compliance tests, the canonical wiring shape for a service,
and whether a Go snippet follows the conventions. Indexes the framework on disk at
build time and ships a self-contained binary via go:embed; imports nothing from
other einherjar/* modules at compile time.
server (cmd/server):
- Streamable-HTTP MCP server built on github.com/modelcontextprotocol/go-sdk v1.0.0
- mcp.NewServer + mcp.NewStreamableHTTPHandler, served via net/http on EINHERJAR_MCP_ADDR
(default :8080) and EINHERJAR_MCP_PATH (default /mcp)
- /healthz liveness endpoint; structured JSON logging via log/slog
- Loads the embedded data/index.json once at startup; in-memory for the process lifetime
indexer (cmd/indexer):
- Walks an Einherjar repository checkout (default ../), parses every sibling
module's go.mod, README.md, CHANGELOG.md, docs/adr/ADR-*.md, doc.go package
comments, every exported type/interface/func/method/const/var (via go/doc on
go/parser ASTs), and compliance_test.go
- Captures module dependency edges by regex over each go.mod's require lines
(einherjar/* paths only; self-reference filtered)
- Appends a synthetic "wire" module documenting canonical application wiring
conventions, authored at internal/index/builtins/README.md and embedded via
go:embed; participates in list_modules / get_module / get_example like a real module
internal/index:
- Schema einherjar.mcp/index/v1; types: Index, Module, SubPackage, Symbol, ADR,
Example, Compliance, InterfaceAssert, ComplianceTest
- Build(repoRoot) → *Index walks the repo; BuildBuiltins() returns the synthetic
wire module from the embedded markdown
- Load([]byte) → *Index validates the schema version on read
- FindModule, SearchSymbols helpers used by tools
internal/tools (10 tools):
- list_modules — enumerate every module with purpose + sub-packages
- get_module — package doc, dependencies, sub-packages, key symbols, ADRs,
compliance counts; optional embedded README
- search_symbols — full-text across name, doc, sub-package, module; filterable by
module and kind
- get_symbol — full signature, doc comment, source file:line for one symbol
- list_adrs — list ADRs across the framework or within one module
- get_adr — fetch one ADR's markdown body
- get_example — canonical usage snippets extracted from module READMEs and from
the synthetic wire conventions
- get_compliance — interface assertions (var _ Iface = impl) and structural test
names from a module's compliance_test.go
- get_changelog — full CHANGELOG.md markdown for one module
- validate_snippet — pattern-match a Go snippet against framework conventions
internal/rules (8 rules, registered via init() against a single registered slice):
- launcher.missing-run — launcher constructed but Run() never called
- launcher.no-components — launcher.New() called without any .Append(...)
- launcher.run-error-discarded — lc.Run() invoked as an ExprStmt (return ignored)
- logz.direct-env-read — os.Getenv("EINHERJAR_LOG_*") bypassing logz config
- web.server-not-appended — web/server constructed but not added to the launcher
- wire.hook-bad-signature — with<Feature>(...) first param is not launcher.Launcher
- wire.hook-outside-beforestart — repo/service/handler construction or route
registration at the top level of a hook (outside lc.BeforeStart)
- wire.route-specific-after-param — /users/{id} registered before a sibling
/users/me of the same length and method (chi would shadow the literal route)
Synthetic wire module (internal/index/builtins/README.md):
- Project layout (cmd/<app>/main.go + internal/wire/*.go + per-feature domain dirs)
- Canonical Run() shape: config → logger → infra (db, cache, pool, mc, srv) → cross-
cutting (validator, permission provider) → launcher.New → lc.Append(infra...) →
withMigrations / withSuperAdminSeed / withHealth / withFeature hooks → return lc.Run()
- Canonical with<Feature> hook shape: signature (launcher.Launcher first, server.Server
second, deps last), single lc.BeforeStart closure containing all construction +
route registration
- chi route ordering, srv.With(authz(...)) authorization, middleware helpers
(authz / skipPublicPaths / skipMethodPath), tokenSignerAdapter pattern showing
that the framework exposes Signer.Sign as a primitive and the application owns
the access/refresh response shape
Packaging:
- Multi-stage Dockerfile that builds from the einherjar repository root
(docker build -f mcp/Dockerfile .) so cmd/indexer can walk every sibling module
at image-build time; runtime layer is gcr.io/distroless/static-debian12:nonroot
- 86-byte placeholder data/index.json committed once with `git add -f`; subsequent
indexer runs overwrite it locally but the file is .gitignored
- .gitea/CODEOWNERS and pull_request_template.md mirror the sibling layout
Design notes:
- mcp depends on nothing in einherjar/* — it reads the framework via the filesystem
at index time. This keeps mcp outside the framework dependency graph and lets it
index any version of einherjar without versioning itself in lock-step.
- All structured-output tool responses initialise empty slices ([]Type{}) rather
than relying on Go's nil-marshals-to-null default, so the SDK's JSON-schema
output validator never rejects a tools/call result.
339 lines
10 KiB
Markdown
339 lines
10 KiB
Markdown
# Wiring Conventions
|
|
|
|
> Forging a service is mostly wiring. Do it the same way every time.
|
|
|
|
This is not an Einherjar *module* — it is the canonical *application* shape
|
|
that uses Einherjar modules. Apps live in their own repository with an
|
|
`internal/wire/` package that mirrors this template. The conventions here are
|
|
distilled from a production service that has shipped on the predecessor
|
|
micro-libs (`code.nochebuena.dev/go/*`) and have been re-mapped to the
|
|
einherjar import paths.
|
|
|
|
## Project layout
|
|
|
|
```
|
|
cmd/<app>/main.go one-line entrypoint that calls wire.Run()
|
|
internal/wire/launcher.go Run() — builds infra and registers feature hooks
|
|
internal/wire/<feature>.go one file per feature, hosts a with<Feature> hook
|
|
internal/wire/middleware.go authz, skipPublicPaths, skipMethodPath helpers
|
|
internal/wire/migrations.go withMigrations hook
|
|
internal/wire/seed.go withSuperAdminSeed and other startup seeds
|
|
internal/<feature>/dto/ request/response DTOs
|
|
internal/<feature>/handler/ HTTP handlers
|
|
internal/<feature>/repository/ data access
|
|
internal/<feature>/service/ domain logic
|
|
```
|
|
|
|
`cmd/<app>/main.go` must contain nothing but the call to `wire.Run()` and an
|
|
`os.Exit(1)` on error. Everything else lives in `internal/wire/`.
|
|
|
|
## Run
|
|
|
|
The application entry point. The order below is load-bearing: configuration
|
|
first, observability second, infrastructure third, cross-cutting helpers
|
|
fourth, then the launcher with every component appended, then feature hooks,
|
|
then `lc.Run()`.
|
|
|
|
```go
|
|
package wire
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"github.com/google/uuid"
|
|
|
|
authjwt "code.nochebuena.dev/einherjar/auth-jwt"
|
|
"code.nochebuena.dev/einherjar/auth/authmw"
|
|
"code.nochebuena.dev/einherjar/auth/rbac"
|
|
"code.nochebuena.dev/einherjar/cache-valkey"
|
|
"code.nochebuena.dev/einherjar/core/launcher"
|
|
"code.nochebuena.dev/einherjar/core/logz"
|
|
"code.nochebuena.dev/einherjar/core/valid"
|
|
"code.nochebuena.dev/einherjar/db-postgres"
|
|
"code.nochebuena.dev/einherjar/storage-minio"
|
|
"code.nochebuena.dev/einherjar/web/mw"
|
|
"code.nochebuena.dev/einherjar/web/server"
|
|
"code.nochebuena.dev/einherjar/worker"
|
|
|
|
"myapp/internal/config"
|
|
)
|
|
|
|
func Run() error {
|
|
cfg, err := config.Load()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
logger := logz.New(logz.Config{
|
|
JSON: !strings.EqualFold(cfg.AppEnv, "local"),
|
|
StaticArgs: []any{"service", "myapp", "env", cfg.AppEnv},
|
|
})
|
|
|
|
signer := authjwt.NewHMACSigner([]byte(cfg.JWT.Secret))
|
|
|
|
publicPaths := []string{
|
|
"/health",
|
|
"/api/v1/auth/login",
|
|
"/api/v1/auth/refresh",
|
|
}
|
|
|
|
db := postgres.New(logger, cfg.PG)
|
|
cache := valkey.New(logger, cfg.VK)
|
|
pool := worker.New(logger, cfg.Worker)
|
|
mc := minio.New(logger, cfg.MinIO)
|
|
srv := server.New(logger, cfg.Server,
|
|
server.WithMiddleware(
|
|
mw.RequestID(uuid.NewString),
|
|
mw.Recover(logger),
|
|
mw.CORS(cfg.CORSOrigins),
|
|
mw.RequestLogger(logger),
|
|
authjwt.AuthMiddleware(logger, signer, publicPaths),
|
|
authmw.EnrichmentMiddleware(logger, &claimsEnricher{}),
|
|
),
|
|
)
|
|
|
|
v := valid.New(valid.WithMessageProvider(valid.SpanishMessages))
|
|
provider := rbac.NewClaimsPermissionProvider("masks", claimsFromCtx)
|
|
|
|
lc := launcher.New(logger)
|
|
lc.Append(db, cache, pool, mc, srv)
|
|
|
|
withMigrations(lc, logger, cfg)
|
|
withSuperAdminSeed(lc, db, logger, cfg)
|
|
|
|
withHealth(lc, srv, logger, db, cache, mc)
|
|
withUsers(lc, srv, db, logger, provider, v)
|
|
// … one withFeature(...) call per feature in your domain.
|
|
|
|
return lc.Run()
|
|
}
|
|
```
|
|
|
|
## Feature hook
|
|
|
|
One file per feature in `internal/wire/`. The function signature is fixed:
|
|
`launcher.Launcher` first, `server.Server` second when registering routes,
|
|
deps last. The body is *one* call to `lc.BeforeStart`. Everything else —
|
|
repository construction, service construction, handler construction, route
|
|
registration — lives inside the closure.
|
|
|
|
```go
|
|
package wire
|
|
|
|
import (
|
|
"code.nochebuena.dev/einherjar/contracts/security"
|
|
"code.nochebuena.dev/einherjar/core/launcher"
|
|
"code.nochebuena.dev/einherjar/core/logz"
|
|
"code.nochebuena.dev/einherjar/core/valid"
|
|
"code.nochebuena.dev/einherjar/db-postgres"
|
|
"code.nochebuena.dev/einherjar/web/server"
|
|
|
|
"myapp/internal/domains"
|
|
userhandler "myapp/internal/user/handler"
|
|
userrepo "myapp/internal/user/repository"
|
|
usersvc "myapp/internal/user/service"
|
|
)
|
|
|
|
func withUsers(
|
|
lc launcher.Launcher,
|
|
srv server.Server,
|
|
db postgres.Component,
|
|
logger logz.Logger,
|
|
provider security.PermissionProvider,
|
|
v valid.Validator,
|
|
) {
|
|
lc.BeforeStart(func() error {
|
|
repo := userrepo.New(db)
|
|
uow := postgres.NewUnitOfWork(logger, db)
|
|
svc := usersvc.New(repo, uow)
|
|
h := userhandler.New(svc, v)
|
|
|
|
// Literal-segment routes register BEFORE parametrised siblings.
|
|
// chi matches the first registered route that fits; if /users/{id}
|
|
// came first, "me" would bind to {id} and /users/me/password would
|
|
// never be reached.
|
|
srv.Put("/api/v1/users/me/password", h.ChangeOwnPassword)
|
|
|
|
srv.With(authz(provider, domains.ResourceUsers, domains.GrantReadUser)).
|
|
Get("/api/v1/users", h.ListUsers)
|
|
srv.With(authz(provider, domains.ResourceUsers, domains.GrantCreateUser)).
|
|
Post("/api/v1/users", h.CreateUser)
|
|
srv.With(authz(provider, domains.ResourceUsers, domains.GrantUpdateUser)).
|
|
Put("/api/v1/users/{user_id}", h.UpdateUser)
|
|
srv.With(authz(provider, domains.ResourceUsers, domains.GrantDeleteUser)).
|
|
Delete("/api/v1/users/{user_id}", h.DeleteUser)
|
|
|
|
return nil
|
|
})
|
|
}
|
|
```
|
|
|
|
## Route ordering
|
|
|
|
chi matches paths in registration order. Always register literal-segment
|
|
routes before parametrised-segment routes that share the same prefix.
|
|
|
|
✅ Correct:
|
|
|
|
```go
|
|
srv.Put("/api/v1/users/me/password", h.ChangeOwnPassword)
|
|
srv.Put("/api/v1/users/{user_id}", h.UpdateUser)
|
|
```
|
|
|
|
❌ Wrong — chi binds `me` to `{user_id}` and the literal route is unreachable:
|
|
|
|
```go
|
|
srv.Put("/api/v1/users/{user_id}", h.UpdateUser)
|
|
srv.Put("/api/v1/users/me/password", h.ChangeOwnPassword)
|
|
```
|
|
|
|
## Authorization
|
|
|
|
Every protected route registers with `.With(authz(provider, resource, grant))`:
|
|
|
|
```go
|
|
srv.With(authz(provider, domains.ResourceUsers, domains.GrantReadUser)).
|
|
Get("/api/v1/users", h.ListUsers)
|
|
```
|
|
|
|
Resource constants and grant bits live in `internal/domains/`. Routes that
|
|
the caller owns (`/me/...`) intentionally skip authz — they are reachable to
|
|
any authenticated user.
|
|
|
|
## Middleware helpers
|
|
|
|
These belong in `internal/wire/middleware.go` and are used across every
|
|
feature hook.
|
|
|
|
```go
|
|
// authz returns a per-route authorization middleware that checks one bit.
|
|
func authz(p security.PermissionProvider, resource string, bit int) func(http.Handler) http.Handler {
|
|
return authmw.AuthzMiddleware(nil, p, resource, security.Permission(bit))
|
|
}
|
|
|
|
// skipPublicPaths wraps mw so it is bypassed for any path that matches publicPaths.
|
|
// Use this for middleware that must not run on unauthenticated endpoints
|
|
// (e.g. EnrichmentMiddleware).
|
|
func skipPublicPaths(publicPaths []string, mw func(http.Handler) http.Handler) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
inner := mw(next)
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
for _, p := range publicPaths {
|
|
if matched, _ := path.Match(p, r.URL.Path); matched {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
}
|
|
inner.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// skipMethodPath bypasses mw only when BOTH method and path match. Use this
|
|
// to expose ONE method on an otherwise-authenticated path (e.g. GET
|
|
// /api/v1/config public while PUT is not). Adding such a path to
|
|
// publicPaths would silently strip identity from context on the protected
|
|
// methods, breaking authz().
|
|
func skipMethodPath(method, pathPattern string, mw func(http.Handler) http.Handler) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
inner := mw(next)
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method == method {
|
|
if matched, _ := path.Match(pathPattern, r.URL.Path); matched {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
}
|
|
inner.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
```
|
|
|
|
## Adapters at the wire boundary
|
|
|
|
When a framework type does not match a service-layer port, write a small
|
|
typed adapter in `internal/wire/`. Always compile-time assert with
|
|
`var _ TargetIface = (*adapter)(nil)`.
|
|
|
|
The framework intentionally exposes only `Signer.Sign(claims) (string, error)`
|
|
— **the framework gives you a signing primitive; the access/refresh strategy,
|
|
claim layout, and response shape are application concerns.** A "helper" that
|
|
returned a fixed `{access, refresh, type, expiresIn}` struct would silently
|
|
decide for every app whether refresh tokens exist, what fields to expose,
|
|
and what casing to use. Those are wire-format choices the app owns.
|
|
|
|
```go
|
|
import (
|
|
"time"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/google/uuid"
|
|
|
|
authjwt "code.nochebuena.dev/einherjar/auth-jwt"
|
|
)
|
|
|
|
type tokenSignerAdapter struct {
|
|
signer authjwt.Signer
|
|
cfg authjwt.TokenConfig
|
|
}
|
|
|
|
var _ authsvc.TokenSigner = (*tokenSignerAdapter)(nil)
|
|
|
|
func (a *tokenSignerAdapter) IssueTokenPair(subject string, custom map[string]any) (authdto.TokenPairResponse, error) {
|
|
now := time.Now()
|
|
|
|
access := jwt.MapClaims{
|
|
"sub": subject,
|
|
"iss": a.cfg.Issuer,
|
|
"iat": now.Unix(),
|
|
"exp": now.Add(a.cfg.AccessTTL).Unix(),
|
|
}
|
|
for k, v := range custom {
|
|
access[k] = v
|
|
}
|
|
accessToken, err := a.signer.Sign(access)
|
|
if err != nil {
|
|
return authdto.TokenPairResponse{}, err
|
|
}
|
|
|
|
refreshToken, err := a.signer.Sign(jwt.MapClaims{
|
|
"sub": subject,
|
|
"jti": uuid.NewString(),
|
|
"iat": now.Unix(),
|
|
"exp": now.Add(a.cfg.RefreshTTL).Unix(),
|
|
})
|
|
if err != nil {
|
|
return authdto.TokenPairResponse{}, err
|
|
}
|
|
|
|
return authdto.TokenPairResponse{
|
|
AccessToken: accessToken,
|
|
RefreshToken: refreshToken,
|
|
TokenType: "Bearer",
|
|
ExpiresIn: int(a.cfg.AccessTTL.Seconds()),
|
|
}, nil
|
|
}
|
|
```
|
|
|
|
## Migrations and seeds
|
|
|
|
Migrations and seeds register as `BeforeStart` hooks too. They run after all
|
|
components have initialised but before any of them have started, so the
|
|
database is reachable and the server is not yet accepting traffic.
|
|
|
|
```go
|
|
func withMigrations(lc launcher.Launcher, logger logz.Logger, cfg config.Config) {
|
|
lc.BeforeStart(func() error {
|
|
if err := migrations.RunMigrations(context.Background(), logger, cfg); err != nil {
|
|
logger.Error("migrations: failed to apply", err)
|
|
return err
|
|
}
|
|
return nil
|
|
})
|
|
}
|
|
```
|
|
|
|
Seeds must be **idempotent**: count first, only mutate when needed, log the
|
|
skip when nothing was done.
|