Add silverback-auth MCP proxy and CI workflow #11

Open
rossnelson wants to merge 6 commits into main from claude/1771274104-855549

@rossnelson
Member

Summary

  • silverback-auth: TypeScript MCP authentication proxy that sits between Claude Code CLI and any MCP server, providing JWT-based tool-level access control with glob pattern matching
  • CI workflow: GitHub Actions pipeline running typecheck (tsc --noEmit) and tests (vitest) on PRs and pushes to main
  • Pre-existing test fix: Updated stale process-executor tests to match current CLI args

What's included

MCP Auth Proxy (src/mcp-auth/)

  • JWT validation/generation with HMAC-SHA256, max 8h TTL, glob-based tool patterns
  • JSON-RPC 2.0 bidirectional proxy with tools/call blocking and tools/list filtering
  • Config wrapping: reads .silverback-auth.json from repo, wraps known MCP servers with auth proxy
  • Bypass mode when MCP_JWT_SECRET is not set
  • 75 new tests across 6 test files

Bot Integration

  • /sb-mcp-token Slack command for generating auth tokens
  • Workspace manager auto-wraps MCP servers at workspace creation time

CI (.github/workflows/ci.yml)

  • Parallel typecheck and test jobs
  • Node 22, pnpm via corepack, frozen lockfile

Test plan

  • pnpm build passes clean
  • pnpm test — 75 new tests passing, zero regressions
  • tsc --noEmit — zero type errors
  • No Go artifacts remain (deleted old Go scaffolding)
  • Architect review: approved

Implement a JSON-RPC 2.0 proxy that sits between Claude Code CLI and
MCP servers, adding JWT-based authentication and glob-pattern tool
filtering. Replaces the previous Go scaffolding with a TypeScript
implementation co-located in the existing src/ tree.

Core modules: token validation/generation, JSON-RPC parsing, child
process management, bidirectional proxy with write serialization,
config wrapping for workspace setup, and /sb-mcp-token Slack command.

75 new tests covering all modules. Bypass mode when MCP_JWT_SECRET
is unset preserves backward compatibility.

Update three tests that expected removed --allowedTools flag to
assert --model instead. Guard healthCheck credential test against
env tokens that short-circuit the file existence check.

Runs tsc --noEmit and vitest on PRs and pushes to main,
using Node 22 and pnpm via corepack with frozen lockfile.

Go was incorrectly removed during silverback-auth work.
It's still needed since the bot works on Go applications.

Step-by-step guide covering configuration, token generation,
tool pattern matching, runtime behavior, security considerations,
and troubleshooting.

Replace with generic example names since this project
is unrelated to vendgogh.
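
The access-control flow the PR summary describes (HS256 token check with the 8h TTL ceiling, glob tool patterns, `tools/call` blocking, `tools/list` filtering), written out as an added example; it is not code from this PR or from silverback-auth. The function names, the `tools` claim name, the `*`-only glob semantics and the `-32001` error code are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

const MAX_TTL_SECONDS = 8 * 60 * 60; // the 8h ceiling named in the PR summary
interface Claims { iat: number; exp: number; tools: string[] } // "tools" claim name is assumed
type Rpc = { jsonrpc: "2.0"; id?: number | string; method?: string; params?: any; result?: any; error?: unknown };

const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
const mac = (data: string, secret: string): Buffer => createHmac("sha256", secret).update(data).digest();

// Mint an HS256 token; used here to build constructed sample tokens.
function signToken(claims: Claims, secret: string): string {
  const body = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${body}.${mac(body, secret).toString("base64url")}`;
}

// Returns the claims, or null when the token is malformed, forged, expired or over the TTL ceiling.
function verifyToken(token: string, secret: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, sig] = parts;
  try {
    // Pin the algorithm instead of trusting the header's choice.
    if (JSON.parse(Buffer.from(h, "base64url").toString()).alg !== "HS256") return null;
    const expected = mac(`${h}.${p}`, secret);
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
    const c = JSON.parse(Buffer.from(p, "base64url").toString()) as Claims;
    if (typeof c.iat !== "number" || typeof c.exp !== "number") return null;
    if (!Array.isArray(c.tools) || !c.tools.every(t => typeof t === "string")) return null;
    return c.exp > now && c.exp - c.iat <= MAX_TTL_SECONDS ? c : null;
  } catch { return null; }
}

// Assumed glob semantics: "*" matches any run of characters, everything else is literal.
function globMatch(pattern: string, name: string): boolean {
  const re = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp(`^${re}$`).test(name);
}
const allowed = (c: Claims, tool: string): boolean => c.tools.some(p => globMatch(p, tool));

// Client to server: JSON-RPC error for a denied tools/call (code -32001 is assumed), null to forward.
function checkRequest(req: Rpc, c: Claims): Rpc | null {
  if (req.method !== "tools/call" || allowed(c, String(req.params?.name))) return null;
  return { jsonrpc: "2.0", id: req.id, error: { code: -32001, message: "tool not permitted by token" } };
}

// Server to client: drop tools the token does not cover; the caller matches the response to its tools/list request.
function filterToolsList(res: Rpc, c: Claims): Rpc {
  const tools = (res.result?.tools ?? []).filter((t: { name: string }) => allowed(c, t.name));
  return { ...res, result: { ...res.result, tools } };
}
```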