-
Notifications
You must be signed in to change notification settings - Fork 211
Expand file tree
/
Copy pathdocs.go
More file actions
5933 lines (5928 loc) · 259 KB
/
docs.go
File metadata and controls
5933 lines (5928 loc) · 259 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// Code generated by swaggo/swag. DO NOT EDIT.
package server
import "github.com/swaggo/swag/v2"
const docTemplate = `{
"schemes": {{ marshal .Schemes }},
"components": {
"schemas": {
"github_com_stacklok_toolhive-core_registry_types.Registry": {
"description": "Full registry data",
"properties": {
"groups": {
"description": "Groups is a slice of group definitions containing related MCP servers",
"items": {
"$ref": "#/components/schemas/registry.Group"
},
"type": "array",
"uniqueItems": false
},
"last_updated": {
"description": "LastUpdated is the timestamp when the registry was last updated, in RFC3339 format",
"type": "string"
},
"remote_servers": {
"additionalProperties": {
"$ref": "#/components/schemas/registry.RemoteServerMetadata"
},
"description": "RemoteServers is a map of server names to their corresponding remote server definitions\nThese are MCP servers accessed via HTTP/HTTPS using the thv proxy command",
"type": "object"
},
"servers": {
"additionalProperties": {
"$ref": "#/components/schemas/registry.ImageMetadata"
},
"description": "Servers is a map of server names to their corresponding server definitions",
"type": "object"
},
"version": {
"description": "Version is the schema version of the registry",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_cmd_thv-operator_api_v1alpha1.RateLimitBucket": {
"description": "Shared defines a token bucket shared across all users for this specific tool.\n+kubebuilder:validation:Required",
"properties": {
"maxTokens": {
"description": "MaxTokens is the maximum number of tokens (bucket capacity).\nThis is also the burst size: the maximum number of requests that can be served\ninstantaneously before the bucket is depleted.\n+kubebuilder:validation:Required\n+kubebuilder:validation:Minimum=1",
"type": "integer"
},
"refillPeriod": {
"$ref": "#/components/schemas/v1.Duration"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_cmd_thv-operator_api_v1alpha1.RateLimitConfig": {
"description": "RateLimitConfig contains the CRD rate limiting configuration.\nWhen set, rate limiting middleware is added to the proxy middleware chain.",
"properties": {
"shared": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_cmd_thv-operator_api_v1alpha1.RateLimitBucket"
},
"tools": {
"description": "Tools defines per-tool rate limit overrides.\nEach entry applies additional rate limits to calls targeting a specific tool name.\nA request must pass both the server-level limit and the per-tool limit.\n+listType=map\n+listMapKey=name\n+optional",
"items": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_cmd_thv-operator_api_v1alpha1.ToolRateLimitConfig"
},
"type": "array",
"uniqueItems": false
}
},
"type": "object"
},
"github_com_stacklok_toolhive_cmd_thv-operator_api_v1alpha1.ToolRateLimitConfig": {
"properties": {
"name": {
"description": "Name is the MCP tool name this limit applies to.\n+kubebuilder:validation:Required\n+kubebuilder:validation:MinLength=1",
"type": "string"
},
"shared": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_cmd_thv-operator_api_v1alpha1.RateLimitBucket"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_audit.Config": {
"description": "DEPRECATED: Middleware configuration.\nAuditConfig contains the audit logging configuration",
"properties": {
"component": {
"description": "Component is the component name to use in audit events.\n+optional",
"type": "string"
},
"enabled": {
"description": "Enabled controls whether audit logging is enabled.\nWhen true, enables audit logging with the configured options.\n+kubebuilder:default=false\n+optional",
"type": "boolean"
},
"eventTypes": {
"description": "EventTypes specifies which event types to audit. If empty, all events are audited.\n+optional",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"excludeEventTypes": {
"description": "ExcludeEventTypes specifies which event types to exclude from auditing.\nThis takes precedence over EventTypes.\n+optional",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"includeRequestData": {
"description": "IncludeRequestData determines whether to include request data in audit logs.\n+kubebuilder:default=false\n+optional",
"type": "boolean"
},
"includeResponseData": {
"description": "IncludeResponseData determines whether to include response data in audit logs.\n+kubebuilder:default=false\n+optional",
"type": "boolean"
},
"logFile": {
"description": "LogFile specifies the file path for audit logs. If empty, logs to stdout.\n+optional",
"type": "string"
},
"maxDataSize": {
"description": "MaxDataSize limits the size of request/response data included in audit logs (in bytes).\n+kubebuilder:default=1024\n+optional",
"type": "integer"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig": {
"description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration",
"properties": {
"allowPrivateIP": {
"description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses",
"type": "boolean"
},
"audience": {
"description": "Audience is the expected audience for the token",
"type": "string"
},
"authTokenFile": {
"description": "AuthTokenFile is the path to file containing bearer token for authentication",
"type": "string"
},
"cacertPath": {
"description": "CACertPath is the path to the CA certificate bundle for HTTPS requests",
"type": "string"
},
"clientID": {
"description": "ClientID is the OIDC client ID",
"type": "string"
},
"clientSecret": {
"description": "ClientSecret is the optional OIDC client secret for introspection",
"type": "string"
},
"insecureAllowHTTP": {
"description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production",
"type": "boolean"
},
"introspectionURL": {
"description": "IntrospectionURL is the optional introspection endpoint for validating tokens",
"type": "string"
},
"issuer": {
"description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)",
"type": "string"
},
"jwksurl": {
"description": "JWKSURL is the URL to fetch the JWKS from",
"type": "string"
},
"resourceURL": {
"description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)",
"type": "string"
},
"scopes": {
"description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]",
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_auth_awssts.Config": {
"description": "AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services",
"properties": {
"fallback_role_arn": {
"description": "FallbackRoleArn is the IAM role ARN to assume when no role mapping matches.",
"type": "string"
},
"region": {
"description": "Region is the AWS region for STS and SigV4 signing.",
"type": "string"
},
"role_claim": {
"description": "RoleClaim is the JWT claim to use for role mapping (default: \"groups\").",
"type": "string"
},
"role_mappings": {
"description": "RoleMappings maps JWT claim values to IAM roles with priority.",
"items": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth_awssts.RoleMapping"
},
"type": "array",
"uniqueItems": false
},
"service": {
"description": "Service is the AWS service name for SigV4 signing (default: \"aws-mcp\").",
"type": "string"
},
"session_duration": {
"description": "SessionDuration is the duration in seconds for assumed role credentials (default: 3600).",
"type": "integer"
},
"session_name_claim": {
"description": "SessionNameClaim is the JWT claim to use for role session name (default: \"sub\").",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_auth_awssts.RoleMapping": {
"properties": {
"claim": {
"description": "Claim is the simple claim value to match (e.g., group name).\nInternally compiles to a CEL expression: \"\u003cclaim_value\u003e\" in claims[\"\u003crole_claim\u003e\"]\nMutually exclusive with Matcher.",
"type": "string"
},
"matcher": {
"description": "Matcher is a CEL expression for complex matching against JWT claims.\nThe expression has access to a \"claims\" variable containing all JWT claims.\nExamples:\n - \"admins\" in claims[\"groups\"]\n - claims[\"sub\"] == \"user123\" \u0026\u0026 !(\"act\" in claims)\nMutually exclusive with Claim.",
"type": "string"
},
"priority": {
"description": "Priority determines selection order (lower number = higher priority).\nWhen multiple mappings match, the one with the lowest priority is selected.\nWhen nil (omitted), the mapping has the lowest possible priority, and\nconfiguration order acts as tie-breaker via stable sort.",
"type": "integer"
},
"role_arn": {
"description": "RoleArn is the IAM role ARN to assume when this mapping matches.",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_auth_remote.Config": {
"description": "RemoteAuthConfig contains OAuth configuration for remote MCP servers",
"properties": {
"authorize_url": {
"type": "string"
},
"bearer_token": {
"description": "Bearer token configuration (alternative to OAuth)",
"type": "string"
},
"bearer_token_file": {
"type": "string"
},
"cached_client_id": {
"description": "Cached DCR client credentials for persistence across restarts.\nThese are obtained during Dynamic Client Registration and needed to refresh tokens.\nClientID is stored as plain text since it's public information.",
"type": "string"
},
"cached_client_secret_ref": {
"type": "string"
},
"cached_refresh_token_ref": {
"description": "Cached OAuth token reference for persistence across restarts.\nThe refresh token is stored securely in the secret manager, and this field\ncontains the reference to retrieve it (e.g., \"OAUTH_REFRESH_TOKEN_workload\").\nThis enables session restoration without requiring a new browser-based login.",
"type": "string"
},
"cached_reg_token_ref": {
"description": "RegistrationAccessToken is used to update/delete the client registration.\nStored as a secret reference since it's sensitive.",
"type": "string"
},
"cached_secret_expiry": {
"description": "ClientSecretExpiresAt indicates when the client secret expires (if provided by the DCR server).\nA zero value means the secret does not expire.",
"type": "string"
},
"cached_token_expiry": {
"type": "string"
},
"callback_port": {
"type": "integer"
},
"client_id": {
"type": "string"
},
"client_secret": {
"type": "string"
},
"client_secret_file": {
"type": "string"
},
"issuer": {
"description": "OAuth endpoint configuration (from registry)",
"type": "string"
},
"oauth_params": {
"additionalProperties": {
"type": "string"
},
"description": "OAuth parameters for server-specific customization",
"type": "object"
},
"resource": {
"description": "Resource is the OAuth 2.0 resource indicator (RFC 8707).",
"type": "string"
},
"scopes": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"skip_browser": {
"type": "boolean"
},
"timeout": {
"example": "5m",
"type": "string"
},
"token_url": {
"type": "string"
},
"use_pkce": {
"type": "boolean"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_auth_tokenexchange.Config": {
"description": "TokenExchangeConfig contains token exchange configuration for external authentication",
"properties": {
"audience": {
"description": "Audience is the target audience for the exchanged token",
"type": "string"
},
"client_id": {
"description": "ClientID is the OAuth 2.0 client identifier",
"type": "string"
},
"client_secret": {
"description": "ClientSecret is the OAuth 2.0 client secret",
"type": "string"
},
"external_token_header_name": {
"description": "ExternalTokenHeaderName is the name of the custom header to use when HeaderStrategy is \"custom\"",
"type": "string"
},
"header_strategy": {
"description": "HeaderStrategy determines how to inject the token\nValid values: HeaderStrategyReplace (default), HeaderStrategyCustom",
"type": "string"
},
"scopes": {
"description": "Scopes is the list of scopes to request for the exchanged token",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"subject_token_type": {
"description": "SubjectTokenType specifies the type of the subject token being exchanged.\nCommon values: tokenTypeAccessToken (default), tokenTypeIDToken, tokenTypeJWT.\nIf empty, defaults to tokenTypeAccessToken.",
"type": "string"
},
"token_url": {
"description": "TokenURL is the OAuth 2.0 token endpoint URL",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_auth_upstreamswap.Config": {
"description": "UpstreamSwapConfig contains configuration for upstream token swap middleware.\nWhen set along with EmbeddedAuthServerConfig, this middleware exchanges ToolHive JWTs\nfor upstream IdP tokens before forwarding requests to the MCP server.",
"properties": {
"custom_header_name": {
"description": "CustomHeaderName is the header name when HeaderStrategy is \"custom\".",
"type": "string"
},
"header_strategy": {
"description": "HeaderStrategy determines how to inject the token: \"replace\" (default) or \"custom\".",
"type": "string"
},
"provider_name": {
"description": "ProviderName identifies which upstream provider's tokens to retrieve for injection.\nThis is required and must match a configured upstream provider name.",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.OAuth2UpstreamRunConfig": {
"description": "OAuth2Config contains OAuth 2.0-specific configuration.\nRequired when Type is \"oauth2\", must be nil when Type is \"oidc\".",
"properties": {
"authorization_endpoint": {
"description": "AuthorizationEndpoint is the URL for the OAuth authorization endpoint.",
"type": "string"
},
"client_id": {
"description": "ClientID is the OAuth 2.0 client identifier registered with the upstream IDP.",
"type": "string"
},
"client_secret_env_var": {
"description": "ClientSecretEnvVar is the name of an environment variable containing the client secret.\nMutually exclusive with ClientSecretFile. Optional for public clients using PKCE.",
"type": "string"
},
"client_secret_file": {
"description": "ClientSecretFile is the path to a file containing the OAuth 2.0 client secret.\nMutually exclusive with ClientSecretEnvVar. Optional for public clients using PKCE.",
"type": "string"
},
"redirect_uri": {
"description": "RedirectURI is the callback URL where the upstream IDP will redirect after authentication.\nWhen not specified, defaults to ` + "`" + `{issuer}/oauth/callback` + "`" + `.",
"type": "string"
},
"scopes": {
"description": "Scopes are the OAuth scopes to request from the upstream IDP.",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"token_endpoint": {
"description": "TokenEndpoint is the URL for the OAuth token endpoint.",
"type": "string"
},
"token_response_mapping": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenResponseMappingRunConfig"
},
"userinfo": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.UserInfoRunConfig"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.OIDCUpstreamRunConfig": {
"description": "OIDCConfig contains OIDC-specific configuration.\nRequired when Type is \"oidc\", must be nil when Type is \"oauth2\".",
"properties": {
"client_id": {
"description": "ClientID is the OAuth 2.0 client identifier registered with the upstream IDP.",
"type": "string"
},
"client_secret_env_var": {
"description": "ClientSecretEnvVar is the name of an environment variable containing the client secret.\nMutually exclusive with ClientSecretFile. Optional for public clients using PKCE.",
"type": "string"
},
"client_secret_file": {
"description": "ClientSecretFile is the path to a file containing the OAuth 2.0 client secret.\nMutually exclusive with ClientSecretEnvVar. Optional for public clients using PKCE.",
"type": "string"
},
"issuer_url": {
"description": "IssuerURL is the OIDC issuer URL for automatic endpoint discovery.\nMust be a valid HTTPS URL.",
"type": "string"
},
"redirect_uri": {
"description": "RedirectURI is the callback URL where the upstream IDP will redirect after authentication.\nWhen not specified, defaults to ` + "`" + `{issuer}/oauth/callback` + "`" + `.",
"type": "string"
},
"scopes": {
"description": "Scopes are the OAuth scopes to request from the upstream IDP.\nIf not specified, defaults to [\"openid\", \"offline_access\"].",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"userinfo_override": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.UserInfoRunConfig"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.RunConfig": {
"description": "EmbeddedAuthServerConfig contains configuration for the embedded OAuth2/OIDC authorization server.\nWhen set, the proxy runner will start an embedded auth server that delegates to upstream IDPs.\nThis is the serializable RunConfig; secrets are referenced by file paths or env var names.",
"properties": {
"allowed_audiences": {
"description": "AllowedAudiences is the list of valid resource URIs that tokens can be issued for.\nPer RFC 8707, the \"resource\" parameter in authorization and token requests is\nvalidated against this list. Required for MCP compliance.",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"authorization_endpoint_base_url": {
"description": "AuthorizationEndpointBaseURL overrides the base URL used for the authorization_endpoint\nin the OAuth discovery document. When set, the discovery document will advertise\n` + "`" + `{authorization_endpoint_base_url}/oauth/authorize` + "`" + ` instead of ` + "`" + `{issuer}/oauth/authorize` + "`" + `.\nAll other endpoints remain derived from the issuer.",
"type": "string"
},
"hmac_secret_files": {
"description": "HMACSecretFiles contains file paths to HMAC secrets for signing authorization codes\nand refresh tokens (opaque tokens).\nFirst file is the current secret (must be at least 32 bytes), subsequent files\nare for rotation/verification of existing tokens.\nIf empty, an ephemeral secret will be auto-generated (development only).",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"issuer": {
"description": "Issuer is the issuer identifier for this authorization server.\nThis will be included in the \"iss\" claim of issued tokens.\nMust be a valid HTTPS URL (or HTTP for localhost) without query, fragment, or trailing slash.",
"type": "string"
},
"schema_version": {
"description": "SchemaVersion is the version of the RunConfig schema.",
"type": "string"
},
"scopes_supported": {
"description": "ScopesSupported lists the OAuth 2.0 scope values advertised in discovery documents.\nIf empty, defaults to registration.DefaultScopes ([\"openid\", \"profile\", \"email\", \"offline_access\"]).",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"signing_key_config": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig"
},
"storage": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig"
},
"token_lifespans": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig"
},
"upstreams": {
"description": "Upstreams configures connections to upstream Identity Providers.\nAt least one upstream is required - the server delegates authentication to these providers.\nMultiple upstreams are supported for sequential authorization chains.",
"items": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.UpstreamRunConfig"
},
"type": "array",
"uniqueItems": false
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig": {
"description": "SigningKeyConfig configures the signing key provider for JWT operations.\nIf nil or empty, an ephemeral signing key will be auto-generated (development only).",
"properties": {
"fallback_key_files": {
"description": "FallbackKeyFiles are filenames of additional keys for verification (relative to KeyDir).\nThese keys are included in the JWKS endpoint for token verification but are NOT\nused for signing new tokens. Useful for key rotation.",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"key_dir": {
"description": "KeyDir is the directory containing PEM-encoded private key files.\nAll key filenames are relative to this directory.\nIn Kubernetes, this is typically a mounted Secret volume.",
"type": "string"
},
"signing_key_file": {
"description": "SigningKeyFile is the filename of the primary signing key (relative to KeyDir).\nThis key is used for signing new tokens.",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig": {
"description": "TokenLifespans configures the duration that various tokens are valid.\nIf nil, defaults are applied (access: 1h, refresh: 7d, authCode: 10m).",
"properties": {
"access_token_lifespan": {
"description": "AccessTokenLifespan is the duration that access tokens are valid.\nIf empty, defaults to 1 hour.",
"type": "string"
},
"auth_code_lifespan": {
"description": "AuthCodeLifespan is the duration that authorization codes are valid.\nIf empty, defaults to 10 minutes.",
"type": "string"
},
"refresh_token_lifespan": {
"description": "RefreshTokenLifespan is the duration that refresh tokens are valid.\nIf empty, defaults to 7 days (168h).",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.TokenResponseMappingRunConfig": {
"description": "TokenResponseMapping configures custom field extraction from non-standard token responses.\nWhen set, the token exchange bypasses golang.org/x/oauth2 and extracts fields using\nthe configured dot-notation paths.",
"properties": {
"access_token_path": {
"description": "AccessTokenPath is the dot-notation path to the access token (required).",
"type": "string"
},
"expires_in_path": {
"description": "ExpiresInPath is the dot-notation path to the expires_in value. Defaults to \"expires_in\".",
"type": "string"
},
"refresh_token_path": {
"description": "RefreshTokenPath is the dot-notation path to the refresh token. Defaults to \"refresh_token\".",
"type": "string"
},
"scope_path": {
"description": "ScopePath is the dot-notation path to the scope. Defaults to \"scope\".",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.UpstreamProviderType": {
"description": "Type specifies the provider type: \"oidc\" or \"oauth2\".",
"enum": [
"oidc",
"oauth2"
],
"type": "string",
"x-enum-varnames": [
"UpstreamProviderTypeOIDC",
"UpstreamProviderTypeOAuth2"
]
},
"github_com_stacklok_toolhive_pkg_authserver.UpstreamRunConfig": {
"properties": {
"name": {
"description": "Name uniquely identifies this upstream.\nUsed for routing decisions and session binding in multi-upstream scenarios.\nIf empty when only one upstream is configured, defaults to \"default\".",
"type": "string"
},
"oauth2_config": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.OAuth2UpstreamRunConfig"
},
"oidc_config": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.OIDCUpstreamRunConfig"
},
"type": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.UpstreamProviderType"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.UserInfoFieldMappingRunConfig": {
"description": "FieldMapping contains custom field mapping configuration for non-standard providers.\nIf nil, standard OIDC field names are used (\"sub\", \"name\", \"email\").",
"properties": {
"email_fields": {
"description": "EmailFields is an ordered list of field names to try for the email address.\nThe first non-empty value found will be used.\nDefault: [\"email\"]",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"name_fields": {
"description": "NameFields is an ordered list of field names to try for the display name.\nThe first non-empty value found will be used.\nDefault: [\"name\"]",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"subject_fields": {
"description": "SubjectFields is an ordered list of field names to try for the user ID.\nThe first non-empty value found will be used.\nDefault: [\"sub\"]",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver.UserInfoRunConfig": {
"description": "UserInfo contains configuration for fetching user information (required for OAuth2).",
"properties": {
"additional_headers": {
"additionalProperties": {
"type": "string"
},
"description": "AdditionalHeaders contains extra headers to include in the userinfo request.\nUseful for providers that require specific headers (e.g., GitHub's Accept header).",
"type": "object"
},
"endpoint_url": {
"description": "EndpointURL is the URL of the userinfo endpoint.",
"type": "string"
},
"field_mapping": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.UserInfoFieldMappingRunConfig"
},
"http_method": {
"description": "HTTPMethod is the HTTP method to use for the userinfo request.\nIf not specified, defaults to GET.",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig": {
"description": "ACLUserConfig contains ACL user authentication configuration.",
"properties": {
"password_env_var": {
"description": "PasswordEnvVar is the environment variable containing the Redis password.",
"type": "string"
},
"username_env_var": {
"description": "UsernameEnvVar is the environment variable containing the Redis username.",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig": {
"description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".",
"properties": {
"acl_user_config": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig"
},
"auth_type": {
"description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.",
"type": "string"
},
"dial_timeout": {
"description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").",
"type": "string"
},
"key_prefix": {
"description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".",
"type": "string"
},
"read_timeout": {
"description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").",
"type": "string"
},
"sentinel_config": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig"
},
"sentinel_tls": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig"
},
"tls": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig"
},
"write_timeout": {
"description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig": {
"description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.",
"properties": {
"ca_cert_file": {
"description": "CACertFile is the path to a PEM-encoded CA certificate file.",
"type": "string"
},
"insecure_skip_verify": {
"description": "InsecureSkipVerify skips certificate verification.",
"type": "boolean"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig": {
"description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.",
"properties": {
"redis_config": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig"
},
"type": {
"description": "Type specifies the storage backend type. Defaults to \"memory\".",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig": {
"description": "SentinelConfig contains Sentinel-specific configuration.",
"properties": {
"db": {
"description": "DB is the Redis database number (default: 0).",
"type": "integer"
},
"master_name": {
"description": "MasterName is the name of the Redis Sentinel master.",
"type": "string"
},
"sentinel_addrs": {
"description": "SentinelAddrs is the list of Sentinel addresses (host:port).",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_authz.Config": {
"description": "DEPRECATED: Middleware configuration.\nAuthzConfig contains the authorization configuration",
"properties": {
"type": {
"description": "Type is the type of authorization configuration (e.g., \"cedarv1\").",
"type": "string"
},
"version": {
"description": "Version is the version of the configuration format.",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_client.ClientApp": {
"description": "ClientType is the type of MCP client",
"enum": [
"roo-code",
"cline",
"cursor",
"vscode-insider",
"vscode",
"claude-code",
"windsurf",
"windsurf-jetbrains",
"amp-cli",
"amp-vscode",
"amp-cursor",
"amp-vscode-insider",
"amp-windsurf",
"lm-studio",
"goose",
"trae",
"continue",
"opencode",
"kiro",
"antigravity",
"zed",
"gemini-cli",
"vscode-server",
"mistral-vibe",
"codex"
],
"type": "string",
"x-enum-varnames": [
"RooCode",
"Cline",
"Cursor",
"VSCodeInsider",
"VSCode",
"ClaudeCode",
"Windsurf",
"WindsurfJetBrains",
"AmpCli",
"AmpVSCode",
"AmpCursor",
"AmpVSCodeInsider",
"AmpWindsurf",
"LMStudio",
"Goose",
"Trae",
"Continue",
"OpenCode",
"Kiro",
"Antigravity",
"Zed",
"GeminiCli",
"VSCodeServer",
"MistralVibe",
"Codex"
]
},
"github_com_stacklok_toolhive_pkg_client.ClientAppStatus": {
"properties": {
"client_type": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_client.ClientApp"
},
"installed": {
"description": "Installed indicates whether the client is installed on the system",
"type": "boolean"
},
"registered": {
"description": "Registered indicates whether the client is registered in the ToolHive configuration",
"type": "boolean"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_client.RegisteredClient": {
"properties": {
"groups": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"name": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_client.ClientApp"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus": {
"description": "Current status of the workload",
"enum": [
"running",
"stopped",
"error",
"starting",
"stopping",
"unhealthy",
"removing",
"unknown",
"unauthenticated",
"running",
"stopped",
"error",
"starting",
"stopping",
"unhealthy",
"removing",
"unknown",
"unauthenticated",
"running",
"stopped",
"error",
"starting",
"stopping",
"unhealthy",
"removing",
"unknown",
"unauthenticated"
],
"type": "string",
"x-enum-varnames": [
"WorkloadStatusRunning",
"WorkloadStatusStopped",
"WorkloadStatusError",
"WorkloadStatusStarting",
"WorkloadStatusStopping",
"WorkloadStatusUnhealthy",
"WorkloadStatusRemoving",
"WorkloadStatusUnknown",
"WorkloadStatusUnauthenticated"
]
},
"github_com_stacklok_toolhive_pkg_container_templates.RuntimeConfig": {
"description": "RuntimeConfig allows overriding the default runtime configuration\nfor this specific workload (base images and packages)",
"properties": {
"additional_packages": {
"description": "AdditionalPackages lists extra packages to install in the builder and\nruntime stages.\nExamples for Alpine: [\"git\", \"make\", \"gcc\"]\nExamples for Debian: [\"git\", \"build-essential\"]",
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": false
},
"builder_image": {
"description": "BuilderImage is the full image reference for the builder stage.\nAn empty string signals \"use the default for this transport type\" during config merging.\nExamples: \"golang:1.25-alpine\", \"node:22-alpine\", \"python:3.13-slim\"",
"type": "string"
}
},
"type": "object"
},
"github_com_stacklok_toolhive_pkg_core.Workload": {
"properties": {
"created_at": {
"description": "CreatedAt is the timestamp when the workload was created.",
"type": "string"
},
"group": {
"description": "Group is the name of the group this workload belongs to, if any.",
"type": "string"
},
"labels": {
"additionalProperties": {
"type": "string"
},
"description": "Labels are the container labels (excluding standard ToolHive labels)",
"type": "object"
},
"name": {
"description": "Name is the name of the workload.\nIt is used as a unique identifier.",
"type": "string"
},
"package": {
"description": "Package specifies the Workload Package used to create this Workload.",
"type": "string"
},
"port": {
"description": "Port is the port on which the workload is exposed.\nThis is embedded in the URL.",
"type": "integer"
},
"proxy_mode": {
"description": "ProxyMode is the proxy mode that clients should use to connect.\nFor stdio transports, this will be the proxy mode (sse or streamable-http).\nFor direct transports (sse/streamable-http), this will be the same as TransportType.",
"type": "string"
},
"remote": {
"description": "Remote indicates whether this is a remote workload (true) or a container workload (false).",
"type": "boolean"
},
"started_at": {
"description": "StartedAt is when the container was last started (changes on restart)",
"type": "string"
},
"status": {
"$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus"
},
"status_context": {
"description": "StatusContext provides additional context about the workload's status.\nThe exact meaning is determined by the status and the underlying runtime.",
"type": "string"
},
"tools": {
"description": "ToolsFilter is the filter on tools applied to the workload.",
"items": {
"type": "string"
},