Add MCPAuthzConfig CRD for backend-agnostic authorization (#4777)

* Add MCPAuthzConfig CRD for backend-agnostic authz

Introduce a namespace-scoped MCPAuthzConfig CRD so authorization
policy can be defined once and shared across MCPServer,
MCPRemoteProxy, and VirtualMCPServer workloads, mirroring the
existing MCPOIDCConfig sharing pattern.

The spec carries a backend Type plus an opaque Config RawExtension.
A ConfigKey() method on AuthorizerFactory (cedar->"cedar",
http->"pdp") lets the controller reconstruct the full authorizer
config and validate it via the factory registry, keeping the
controller backend-agnostic; the backends are registered through
blank imports in the operator entrypoint.

The controller validates the spec, computes a config hash, manages a
finalizer, tracks referencing workloads, and blocks deletion while
referenced. AuthzConfigRef fields are added to the three workload
specs with CEL XValidation enforcing mutual exclusivity against the
existing inline authzConfig, matching the oidcConfig/oidcConfigRef
pattern.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Add mcpauthzconfigs to RBAC E2E golden fixtures

The chainsaw operator RBAC assertions compare the live
toolhive-operator-manager-role ClusterRole against a hardcoded
expected manifest. Adding the MCPAuthzConfig CRD introduced new
mcpauthzconfigs rules in the generated ClusterRole, making the
fixtures stale and failing E2E on all kind versions.

Add the mcpauthzconfigs, mcpauthzconfigs/finalizers, and
mcpauthzconfigs/status entries in the same alphabetical position the
generated role uses (after embeddingservers*, before
mcpexternalauthconfigs*) to both the multi-tenancy and single-tenancy
setup fixtures.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Guard reserved ConfigKey values and tighten MCPAuthzConfig.Validate

Register() now panics if a factory's ConfigKey() returns one of the
reserved envelope keys ("", "version", "type"). BuildFullAuthzConfigJSON
assembles its config with a Go map literal where those two keys are
fixed metadata; a factory returning a reserved key would silently
overwrite the envelope. Catching this at startup makes the
misconfiguration impossible to ship.

MCPAuthzConfig.Validate() now consults authorizers.IsRegistered so any
caller (CLI tooling, future webhook, defense-in-depth fallback) fails
closed on an unknown spec.type rather than deferring entirely to the
controller. The unit tests blank-import the cedar backend so the
existing "cedarv1" cases continue to pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Canonicalize MCPAuthzConfig spec before hashing

The config hash is computed via ctrlutil.CalculateConfigHash, which walks
the spec struct including Spec.Config.Raw. RawExtension preserves the
user's raw bytes verbatim, so two semantically-equal configs that differ
only in whitespace or JSON key order produced different hashes and flipped
status on every noop kubectl-apply round-trip.

canonicalizeSpecForHash returns a copy of the spec whose Config.Raw has
been re-marshalled (Go's encoding/json sorts map keys), giving a stable
hash for the same logical config regardless of source formatting.
Malformed JSON is returned unchanged so Validate / validateAuthzConfig
remain the source of the user-facing error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Use MutateAndPatchStatus/Spec in MCPAuthzConfig controller

Status writes now flow through controllerutil.MutateAndPatchStatus and
finalizer writes through controllerutil.MutateAndPatchSpec, per the
operator rule (.claude/rules/operator.md). The previous r.Status().Update
calls sent full PUT bodies that would clobber conditions written by any
disjoint owner of Status.Conditions on this CRD; the previous r.Update
calls had no optimistic-lock guard around finalizer arrays.

Condition and field mutations have moved inside the helper closures so
the pre-mutate snapshot reflects the live state rather than already
containing the change — a MutateAndPatchStatus prerequisite. A small
helper, setValidTrueCondition, factors out the Valid=True transition so
the success path doesn't duplicate the metav1.Condition literal.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Tighten MCPAuthzConfig reconcile flow

Collapses the previously-separate hash-change branch and steady-state
status update into a single MutateAndPatchStatus call on the success
path. Side effects of doing so:

- F4: ReferencingWorkloads / ReferenceCount now refresh in the same
  reconcile that writes a new ConfigHash, so the print column doesn't
  lag a workload event behind.
- F8: The success path explicitly removes the DeletionBlocked
  condition. A user who cancels a deletion (e.g., by removing the
  finalizer manually after observing the block) no longer carries a
  stale DeletionBlocked=True forward across reconciles.
- F9: findReferencingWorkloads errors now return up to controller-
  runtime instead of being logged and swallowed, so a transient
  apiserver hiccup is retried with backoff rather than silently
  writing an empty references list.

Two new tests exercise the F4 (one-reconcile property) and F8
(condition-clear) paths.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Unexport buildFullAuthzConfigJSON

No out-of-package caller exists for this helper today. PR #4778 will
need it once workload controllers resolve AuthzConfigRef, and the
cleaner home at that point will be cmd/thv-operator/pkg/controllerutil/
alongside BuildInlineCedarAuthzConfig. Until then keep the signature
package-private so the contract can evolve without breaking external
consumers.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Declare mcpservers RBAC marker on MCPAuthzConfig controller

findReferencingWorkloads lists MCPServer alongside VirtualMCPServer and
MCPRemoteProxy, but the kubebuilder marker only declared the latter
two. The clusterrole currently works because mcpserver_controller's
markers cover get;list;watch on mcpservers, so the rendered output is
unchanged here — but a future regeneration that reshuffles those
declarations could silently strip the permission the MCPAuthzConfig
controller actually depends on.

Verified the rendered clusterrole and chainsaw asserts are unchanged
after task operator-manifests.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Test condition preservation and last-ref finalizer transition

Two new tests for MCPAuthzConfig reconciler coverage:

- FinalizerRemovedAfterLastRefDropped: exercises the N→0 transition
  in handleDeletion. The existing static-state cases cover "blocked"
  and "no refs" endpoints but not the flip between them, which is the
  user-observed behaviour for policy rotation.

- PreservesForeignConditions: the canary for the merge-patch
  conditions-array semantic. JSON merge-patch on CRDs replaces the
  conditions array wholesale (the +listType=map marker only matters to
  strategic-merge-patch), so a regression that re-introduces
  r.Status().Update on this resource — or that pre-mutates Status
  outside a MutateAndPatchStatus closure — would erase any concurrently-
  set foreign condition. This test fails in that scenario.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Add envtest for authzConfig/authzConfigRef mutual exclusion

CEL XValidation rules run at API admission, which unit tests with the
fake client cannot exercise. The three workload specs (MCPServer,
MCPRemoteProxy, VirtualMCPServer.IncomingAuth) each declare the same
mutex rule between the legacy inline authzConfig and the new
authzConfigRef — without envtest coverage the rules could silently
regress on a CRD regeneration.

For each spec, the new tests apply only-inline, only-ref, and both-set
CRs and assert (c) is rejected with the expected message. They follow
the existing pattern in cmd/thv-operator/test-integration/.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Reframe AuthzConfigRef as part 1 of 2 in godocs

The new AuthzConfigRef field on MCPServer, MCPRemoteProxy, and
VirtualMCPServer.IncomingAuth is wired into the MCPAuthzConfig
controller's reference tracking (status.referenceCount, deletion
protection) but no workload controller actually resolves the ref into a
runtime authz config in this PR. That wiring lands in a follow-up.

The previous godocs marked the inline AuthzConfig field "Deprecated:
Use AuthzConfigRef" — which pointed users at a non-functional field
and risked workloads running with no authorization enforced. Drop the
premature Deprecated annotation and add an explicit NOTE on
AuthzConfigRef so adopters know to stick with the inline form until
the consumer-side wiring lands.

The CEL mutex rule and the controller's reference tracking are
unchanged; only the descriptive godocs move.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Regenerate CRD manifests and reference docs

Picks up the F1 godoc edits: the CRD YAML descriptions and the
generated CRD API reference (docs/operator/crd-api.md) now match the
authoritative godoc on AuthzConfigRef / AuthzConfig (no premature
Deprecated annotation; explicit "consumed in a follow-up PR" note on
AuthzConfigRef).

Generated by task operator-generate + task operator-manifests +
task crdref-gen.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Use compound (kind, name) listMapKey on ReferencingWorkloads

The original review of this PR flagged that +listMapKey=name alone is
insufficient: two workloads of different kinds that share a name (an
MCPServer "foo" and a VirtualMCPServer "foo") would collide under
merge-patch semantics, with the second-applied entry silently
overwriting the first. Adding +listMapKey=kind makes the map key the
(kind, name) pair so cross-kind name reuse stays distinct.

Limited to MCPAuthzConfig here. The two sibling controllers
(MCPOIDCConfig, MCPExternalAuthConfig) share the same WorkloadReference
type and have the same listMapKey=name asymmetry — filed as a parity
follow-up rather than expanding this PR's scope.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Refresh validateAuthzConfig doc comment

The prior comment said backend validation lived in the controller "because
the API types package must not import the authorizer backends" — but the
types package now imports pkg/authz/authorizers to call IsRegistered in
Validate(). Restate the real reason: type-level Validate handles structural
+ registration checks; backend ValidateConfig requires the full
reconstructed JSON envelope that only the controller builds.

Drive-by: gitignore .pr-review/ so PR-review skill scratch dirs don't
pollute git status in worktrees.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Thread factory through buildFullAuthzConfigJSON, drop redundant lookups

buildFullAuthzConfigJSON now returns the resolved AuthorizerFactory
alongside the envelope JSON, so validateAuthzConfig can dispatch
ValidateConfig directly without a second GetFactory call and without
re-Unmarshalling the JSON it just built.

Before: Validate() ran IsRegistered, buildFullAuthzConfigJSON ran
GetFactory, validateAuthzConfig re-Unmarshalled the envelope and ran
GetFactory again — three near-identical lookups for the same key on
every reconcile, with three slightly different error messages.

The authzConfigEnvelope struct is removed; nothing else consumed it.
Tests updated to assert the returned factory's ConfigKey matches the
expected nested envelope key, locking in the bidirectional contract.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Drop marshalJSONString in favor of strconv.Quote

json.Marshal of a Go string cannot fail at runtime — encoding/json's
stringEncoder has no error path for valid Go strings. The helper existed
to placate errcheck rather than to catch a real failure mode, adding two
unreachable error branches per call site. strconv.Quote produces the
same JSON-encoded bytes with no error-checking overhead, and the call
sites become readable single expressions.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Demote hash-change log to DEBUG

Silent-success per .claude/rules/go-style.md: routine state transitions
log at DEBUG, INFO is reserved for long-running operations. A noisy
INFO on every kubectl-apply that bumps a hash is exactly the case the
rule was written to prevent.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Mark AuthzConfigRef staging NOTE with TODO(#4778)

The staging note on AuthzConfigRef becomes inaccurate the moment the
workload-controller wiring lands. A grep-able TODO(#4778) marker
in the Go source ensures whoever lands #4778 finds the stale text
without manually scanning three type files. controller-gen strips
TODO lines from the rendered CRD description, so the user-facing
schema stays clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Lock ConfigKey()/struct tag contract per backend

Factory.ConfigKey() returns a string ("cedar" / "pdp") that must match
the json tag on the backend's Config.Options field — otherwise the
controller will emit envelope JSON the backend's own Unmarshal cannot
parse. A new TestFactory_ConfigKeyMatchesStructTag per backend builds
an envelope around ConfigKey() and asserts it deserialises with
Options populated. A future rename of either string in isolation will
fail the test.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Tighten test docstrings, fixtures, and assertions

PreservesForeignConditions: docstring reframed to describe the property
it actually guards (snapshot-and-diff doesn't erase foreign conditions
during patch construction) and to be explicit about what it does NOT
catch (r.Status().Update under the fake client — requires a
WithInterceptorFuncs-backed concurrent-writer scenario).

HashAndRefsLandInOneReconcile: the MCPServer fixture now sets the
required Image field so the test remains portable to envtest. Added an
ObservedGeneration assertion so all four fields written in the single
MutateAndPatchStatus closure are pinned (previously hash, references,
referencingWorkloads.name were locked but ObservedGeneration was not).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* Update cmd/thv-operator/controllers/mcpauthzconfig_controller.go

Co-authored-by: Jakub Hrozek <jakub.hrozek@posteo.se>

* Remove unused strconv import

Cascade fix from the web-UI edit that replaced strconv.Quote with
json.Marshal: the import was left in place, breaking compilation and
every downstream CI job (lint, tests, govulncheck x2, helm lint, e2e
lifecycle x3).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com>
Co-authored-by: Jakub Hrozek <jakub.hrozek@posteo.se>

Author: 4 people

.gitignore

@@ -50,3 +50,4 @@ cmd/vmcp/__debug_bin*
 
 # Superpowers planning artifacts
 docs/superpowers/
+.pr-review/

cmd/thv-operator/api/v1alpha1/types.go

@@ -126,6 +126,35 @@ type MCPOIDCConfigList struct {
 	Items           []MCPOIDCConfig `json:"items"`
 }
 
+// ─── MCPAuthzConfig ──────────────────────────────────────────────────────────
+
+//+kubebuilder:object:root=true
+//+kubebuilder:deprecatedversion:warning="toolhive.stacklok.dev/v1alpha1 is deprecated; use v1beta1"
+//+kubebuilder:subresource:status
+//+kubebuilder:resource:shortName=authzcfg,categories=toolhive
+//+kubebuilder:printcolumn:name="Type",type=string,JSONPath=`.spec.type`
+//+kubebuilder:printcolumn:name="Valid",type=string,JSONPath=`.status.conditions[?(@.type=='Valid')].status`
+//+kubebuilder:printcolumn:name="References",type=integer,JSONPath=`.status.referenceCount`
+//+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// MCPAuthzConfig is the deprecated v1alpha1 version of the MCPAuthzConfig resource.
+type MCPAuthzConfig struct {
+	metav1.TypeMeta   `json:",inline"` // nolint:revive
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   v1beta1.MCPAuthzConfigSpec   `json:"spec,omitempty"`
+	Status v1beta1.MCPAuthzConfigStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// MCPAuthzConfigList contains a list of MCPAuthzConfig.
+type MCPAuthzConfigList struct {
+	metav1.TypeMeta `json:",inline"` // nolint:revive
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []MCPAuthzConfig `json:"items"`
+}
+
 // ─── MCPRegistry ─────────────────────────────────────────────────────────────
 
 // MCPRegistry is the deprecated v1alpha1 version of the MCPRegistry resource.
@@ -402,6 +431,7 @@ type VirtualMCPServerList struct {
 func init() {
 	SchemeBuilder.Register(
 		&EmbeddingServer{}, &EmbeddingServerList{},
+		&MCPAuthzConfig{}, &MCPAuthzConfigList{},
 		&MCPExternalAuthConfig{}, &MCPExternalAuthConfigList{},
 		&MCPGroup{}, &MCPGroupList{},
 		&MCPOIDCConfig{}, &MCPOIDCConfigList{},

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,147 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/stacklok/toolhive/pkg/authz/authorizers"
+)
+
+// Condition type and reasons for MCPAuthzConfig status (RFC-0023)
+const (
+	// ConditionTypeAuthzConfigValid indicates whether the MCPAuthzConfig configuration is valid
+	ConditionTypeAuthzConfigValid = ConditionTypeValid
+
+	// ConditionReasonAuthzConfigValid indicates spec validation passed
+	ConditionReasonAuthzConfigValid = "ConfigValid"
+
+	// ConditionReasonAuthzConfigInvalid indicates spec validation failed
+	ConditionReasonAuthzConfigInvalid = "ConfigInvalid"
+)
+
+// MCPAuthzConfigSpec defines the desired state of MCPAuthzConfig.
+// MCPAuthzConfig resources are namespace-scoped and can only be referenced by
+// MCPServer, MCPRemoteProxy, or VirtualMCPServer resources in the same namespace.
+type MCPAuthzConfigSpec struct {
+	// Type identifies the authorizer backend (e.g., "cedarv1", "httpv1").
+	// Must match a registered authorizer type in the factory registry.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	Type string `json:"type"`
+
+	// Config contains the backend-specific authorization configuration.
+	// The structure depends on the Type field:
+	//   - cedarv1: policies ([]string), entities_json (string), primary_upstream_provider (string), group_claim_name (string)
+	//   - httpv1: http ({url, timeout, insecure_skip_verify}), context ({include_args, include_operation}), claim_mapping (string)
+	// +kubebuilder:pruning:PreserveUnknownFields
+	// +kubebuilder:validation:Type=object
+	Config runtime.RawExtension `json:"config"`
+}
+
+// MCPAuthzConfigStatus defines the observed state of MCPAuthzConfig
+type MCPAuthzConfigStatus struct {
+	// Conditions represent the latest available observations of the MCPAuthzConfig's state
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+
+	// ObservedGeneration is the most recent generation observed for this MCPAuthzConfig.
+	// +optional
+	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
+
+	// ConfigHash is a hash of the current configuration for change detection
+	// +optional
+	ConfigHash string `json:"configHash,omitempty"`
+
+	// ReferenceCount is the number of workloads referencing this config.
+	// +optional
+	ReferenceCount int32 `json:"referenceCount,omitempty"`
+
+	// ReferencingWorkloads is a list of workload resources that reference this MCPAuthzConfig.
+	// Each entry identifies the workload by kind and name. The map key is the
+	// (kind, name) pair so two workloads of different kinds that share a name
+	// (e.g., an MCPServer "foo" and a VirtualMCPServer "foo") are distinct
+	// entries rather than colliding under merge-patch semantics.
+	// +listType=map
+	// +listMapKey=kind
+	// +listMapKey=name
+	// +optional
+	ReferencingWorkloads []WorkloadReference `json:"referencingWorkloads,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels=toolhive.stacklok.dev/auto-migrate-storage-version=true
+// +kubebuilder:resource:shortName=authzcfg,categories=toolhive
+// +kubebuilder:printcolumn:name="Type",type=string,JSONPath=`.spec.type`
+// +kubebuilder:printcolumn:name="Valid",type=string,JSONPath=`.status.conditions[?(@.type=='Valid')].status`
+// +kubebuilder:printcolumn:name="References",type=integer,JSONPath=`.status.referenceCount`
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+
+// MCPAuthzConfig is the Schema for the mcpauthzconfigs API.
+// MCPAuthzConfig resources are namespace-scoped and can only be referenced by
+// MCPServer, MCPRemoteProxy, or VirtualMCPServer resources within the same namespace.
+// Cross-namespace references are not supported for security and isolation reasons.
+type MCPAuthzConfig struct {
+	metav1.TypeMeta   `json:",inline"` // nolint:revive
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   MCPAuthzConfigSpec   `json:"spec,omitempty"`
+	Status MCPAuthzConfigStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// MCPAuthzConfigList contains a list of MCPAuthzConfig
+type MCPAuthzConfigList struct {
+	metav1.TypeMeta `json:",inline"` // nolint:revive
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []MCPAuthzConfig `json:"items"`
+}
+
+// MCPAuthzConfigReference references a shared MCPAuthzConfig resource.
+// The referenced MCPAuthzConfig must be in the same namespace as the referencing workload.
+type MCPAuthzConfigReference struct {
+	// Name is the name of the MCPAuthzConfig resource in the same namespace.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+}
+
+// Validate performs structural validation on the MCPAuthzConfig spec.
+// This method is called by the controller during reconciliation.
+//
+// Validate provides defense-in-depth alongside CEL validation rules: CEL catches
+// issues at API admission time, but this method also validates stored objects to
+// catch any that bypassed CEL or were stored before CEL rules were added.
+//
+// Validate consults the authorizer factory registry (pkg/authz/authorizers) to
+// reject spec.type values that no backend has registered. Backend-specific
+// schema validation (interpreting spec.config) still lives in the controller,
+// where the registered factory's ValidateConfig is invoked.
+func (r *MCPAuthzConfig) Validate() error {
+	if r.Spec.Type == "" {
+		return fmt.Errorf("type must not be empty")
+	}
+	if !authorizers.IsRegistered(r.Spec.Type) {
+		return fmt.Errorf(
+			"type %q is not a registered authorizer backend (registered: %v)",
+			r.Spec.Type, authorizers.RegisteredTypes(),
+		)
+	}
+	if len(r.Spec.Config.Raw) == 0 {
+		return fmt.Errorf("config must not be empty")
+	}
+	return nil
+}
+
+func init() {
+	SchemeBuilder.Register(&MCPAuthzConfig{}, &MCPAuthzConfigList{})
+}

cmd/thv-operator/api/v1beta1/mcpauthzconfig_types.go

@@ -0,0 +1,89 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1beta1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+
+	// Blank-imported so authorizers.IsRegistered("cedarv1") returns true
+	// inside Validate(). Without this, every test case using a real backend
+	// type would hit the unregistered-type branch.
+	_ "github.com/stacklok/toolhive/pkg/authz/authorizers/cedar"
+)
+
+func TestMCPAuthzConfig_Validate(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name        string
+		spec        MCPAuthzConfigSpec
+		expectError bool
+		errContains string
+	}{
+		{
+			name: "valid spec passes",
+			spec: MCPAuthzConfigSpec{
+				Type:   "cedarv1",
+				Config: runtime.RawExtension{Raw: []byte(`{"policies":[]}`)},
+			},
+			expectError: false,
+		},
+		{
+			name: "empty type fails",
+			spec: MCPAuthzConfigSpec{
+				Type:   "",
+				Config: runtime.RawExtension{Raw: []byte(`{}`)},
+			},
+			expectError: true,
+			errContains: "type must not be empty",
+		},
+		{
+			name: "unregistered type fails",
+			spec: MCPAuthzConfigSpec{
+				Type:   "nope",
+				Config: runtime.RawExtension{Raw: []byte(`{"policies":[]}`)},
+			},
+			expectError: true,
+			errContains: `"nope" is not a registered authorizer backend`,
+		},
+		{
+			name: "empty config raw fails",
+			spec: MCPAuthzConfigSpec{
+				Type:   "cedarv1",
+				Config: runtime.RawExtension{Raw: []byte{}},
+			},
+			expectError: true,
+			errContains: "config must not be empty",
+		},
+		{
+			name: "nil config raw fails",
+			spec: MCPAuthzConfigSpec{
+				Type:   "cedarv1",
+				Config: runtime.RawExtension{Raw: nil},
+			},
+			expectError: true,
+			errContains: "config must not be empty",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			cfg := &MCPAuthzConfig{Spec: tt.spec}
+			err := cfg.Validate()
+			if tt.expectError {
+				assert.Error(t, err)
+				if tt.errContains != "" {
+					assert.ErrorContains(t, err, tt.errContains)
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

cmd/thv-operator/api/v1beta1/mcpauthzconfig_types_test.go

@@ -36,6 +36,10 @@ type HeaderFromSecret struct {
 }
 
 // MCPRemoteProxySpec defines the desired state of MCPRemoteProxy
+//
+// +kubebuilder:validation:XValidation:rule="!(has(self.authzConfig) && has(self.authzConfigRef))",message="authzConfig and authzConfigRef are mutually exclusive; use authzConfigRef to reference a shared MCPAuthzConfig"
+//
+//nolint:lll // CEL validation rules exceed line length limit
 type MCPRemoteProxySpec struct {
 	// RemoteURL is the URL of the remote MCP server to proxy
 	// +kubebuilder:validation:Required
@@ -83,10 +87,26 @@ type MCPRemoteProxySpec struct {
 	// +optional
 	HeaderForward *HeaderForwardConfig `json:"headerForward,omitempty"`
 
-	// AuthzConfig defines authorization policy configuration for the proxy
+	// AuthzConfig defines authorization policy configuration for the proxy.
+	// AuthzConfig and AuthzConfigRef are mutually exclusive.
 	// +optional
 	AuthzConfig *AuthzConfigRef `json:"authzConfig,omitempty"`
 
+	// AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
+	// The referenced MCPAuthzConfig must exist in the same namespace as this MCPRemoteProxy.
+	// Mutually exclusive with authzConfig.
+	//
+	// TODO(#4778): remove the staging NOTE below once workload controllers
+	// resolve AuthzConfigRef into a runtime authz config.
+	//
+	// NOTE: this field is consumed by workload controllers in a follow-up PR.
+	// Until that lands, AuthzConfigRef is reference-tracked by the
+	// MCPAuthzConfig controller (deletion protection, status.referenceCount)
+	// but does NOT apply authorization to this MCPRemoteProxy. Use the
+	// inline AuthzConfig field in the meantime.
+	// +optional
+	AuthzConfigRef *MCPAuthzConfigReference `json:"authzConfigRef,omitempty"`
+
 	// Audit defines audit logging configuration for the proxy
 	// +optional
 	Audit *AuditConfig `json:"audit,omitempty"`