Add pluggable auth chain, session extensions, and lifecycle observabi…#30
Merged
ajit-zer07 merged 4 commits intomainfrom Apr 18, 2026
Merged
Add pluggable auth chain, session extensions, and lifecycle observabi…#30ajit-zer07 merged 4 commits intomainfrom
ajit-zer07 merged 4 commits intomainfrom
Conversation
…lity Replaces the dev sender header with a bearer-only auth pipeline (static + JWT/JWKS resolvers), adds a non-fatal session extensions framework, and exposes session lifecycle via ListSessions/WatchSessions RPCs. Tracks proto changes that split SessionStartPayload.context into context_id + extensions map.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
src/auth/) withStaticBearerResolverand
JwtBearerResolver(JWKS inline or URL with TTL cache; RS256 /ES256 / HS256). Bearer scheme only: removes
MACP_ALLOW_DEV_SENDER_HEADERand the
x-macp-agent-idheader; dev mode now accepts any bearertoken as the sender identity for tests.
src/extensions/):SessionExtensionProvidertrait with
on_session_start/on_session_terminalcallbacks, invokedper-session based on declared extension keys. Provider errors are
logged and non-fatal (invariant E-1).
ListSessionsandWatchSessionsRPCs, a lifecycle broadcast bus, and Created / Resolved / Expired
events emitted from runtime transitions (session start, resolve, TTL
expiry, cancellation, background cleanup).
SessionsCapabilitynowadvertises
list_sessions+watch_sessions.is_observerflag — observers can read any sessionvia
GetSessionwithout being inparticipants.macp-protochanges:SessionStartPayload.context: bytesis replaced by
context_id: string+extensions: map<string,bytes>;policy rules carried as a JSON string instead of bytes. Session /
persistence / replay / all mode tests updated accordingly.
MACP_AUTH_ISSUER,MACP_AUTH_AUDIENCE,MACP_AUTH_JWKS_JSON,MACP_AUTH_JWKS_URL,MACP_AUTH_JWKS_TTL_SECS.jsonwebtoken = "9"andreqwest = "0.12".Notes for reviewers
Cargo.tomltemporarily pointsmacp-protoat the local../multiagentcoordinationprotocol/packages/proto-rustpath tounblock development of the
WatchSessions/extensionsprotochanges. Must be switched back to a crates.io version (target:
macp-proto = "0.2.0") before this PR merges.SecurityLayer::authenticate_metadatacurrently bridges sync-to-asyncvia
block_in_place+Handle::current().block_onbecause the gRPCrequest auth path is sync. Worth reviewing whether that path should
become async instead.
Test plan
cargo buildandcargo clippycargo test(all unit + Rust integration tests)cd integration_tests && MACP_TEST_BINARY=../target/debug/macp-runtime cargo test -- --test-threads=1(Tier 1 gRPC + Tier 2 agents)MACP_AUTH_ISSUER+MACP_AUTH_JWKS_URL, issue JWT, verifysubbecomes senderWatchSessionsreceives initial CREATED burst then incremental CREATED/RESOLVED/EXPIRED eventsis_observer: true) canGetSessionfor a session it did not participate in