Skip to content

feat: flag-gated playground-token mint for local MCP testing#87

Merged
kaje94 merged 5 commits into
aep-rewrite-kajfrom
playground-token
Jul 6, 2026
Merged

feat: flag-gated playground-token mint for local MCP testing#87
kaje94 merged 5 commits into
aep-rewrite-kajfrom
playground-token

Conversation

@kaje94

@kaje94 kaje94 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Gives the agents playground a way to authenticate with aep-api's MCP discovery endpoint for local testing only — closing the "no way to run the playground against real catalogs" gap without prejudging the open agent→BFF authentication decision (#85 open question 1).

Stacked on #85 (the MCP surface it authenticates against lives there); GitHub will retarget this to aep-rewrite when #85 merges.

How it works

sequenceDiagram
    participant P as Playground TUI (host)
    participant A as aep-api :9090
    Note over P,A: every design turn
    P->>A: POST /internal/v1/mcp/playground-token {orgHandle}
    A-->>P: {token, expiresInSeconds: 300}
    P->>A: POST /internal/v1/mcp (Bearer token) — tools/list, tools/call
    A-->>P: catalogs (external resources, org endpoints, resource types)
Loading
  • POST /internal/v1/mcp/playground-token — mints a fresh 5-minute MCP token ({orgHandle} optional, default "default"). The route is only mounted when PLAYGROUND_TOKEN_ENABLED=true: default is false, only docker-compose.yml sets it, helm pins it false explicitly, and when disabled the path 404s by absence. Registered as a raw mux handler beside the MCP mount, so it structurally cannot appear in the generated OpenAPI contract. No caller auth by design — the flag (plus local reachability) is the gate, and the endpoint comment documents that the production posture remains an open decision.
  • Playground: when AEP_MCP_URL is set and AEP_MCP_TOKEN is not, it mints a fresh token per turn (no caching — the 5-minute TTL can never expire mid-session). An explicit AEP_MCP_TOKEN is used verbatim and skips minting. Mint failure warns once and the session continues without discovery tools. The /tasks breakdown command does not touch MCP at all — discovery is a design-turn concern; the planner reads the published bundle.
  • Also fixes the TUI rendering successful MCP tool results as ✗ error (it assumed the file tools' result shape; MCP results are bare strings).

Verified live

All four dependency checks pass on the real TUI (driven end-to-end): external-kind discovery reusing a registered resource by exact name and schema keys; org-service resolution to the exact catalog name; platform-resource emitting postgres-cnpg from the type catalog; /tasks flagging the provisioning gate in its rationale. Per-turn minting confirmed at the wire (mints on design turns only; zero MCP traffic from /tasks).

🤖 Generated with Claude Code

https://claude.ai/code/session_01HaM9hGtqua4ZC2bKD2d2Fq

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9e14cf66-f20c-4510-977d-9cadc2c5e643

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch playground-token

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@kaje94 kaje94 requested a review from xlight05 July 6, 2026 10:00
@kaje94 kaje94 marked this pull request as ready for review July 6, 2026 10:01
kaje94 and others added 5 commits July 6, 2026 15:32
…turn playground minting

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HaM9hGtqua4ZC2bKD2d2Fq
…view minors)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HaM9hGtqua4ZC2bKD2d2Fq
…playground TUI

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HaM9hGtqua4ZC2bKD2d2Fq
…helm pin

Playground discovery is now on by default for local dev (AEP_MCP_URL=""
disables it); PLAYGROUND_TOKEN_ENABLED's Go default is false so the helm
explicit pin was redundant.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HaM9hGtqua4ZC2bKD2d2Fq
@kaje94 kaje94 force-pushed the playground-token branch from 527211d to dbab12c Compare July 6, 2026 10:03
@kaje94 kaje94 merged commit 51ae89b into aep-rewrite-kaj Jul 6, 2026
2 checks passed
xlight05 added a commit to xlight05/labs-agentic-engineer that referenced this pull request Jul 6, 2026
…so2#87/wso2#89) into rewrite-improve

Second upstream sync after the dependency-management merge. Mostly net-new
(take-theirs); a handful of shared files resolved keep-ours + graft-their-additive.

TAKE-THEIRS (net-new, clean):
- services/collab — Yjs collaboration server skeleton for Tiptap collaborative
  markdown spec editing (PR wso2#86, phases 1-6) + apps/console/src/features/spec/collab/*.
- playground-token: internal/feature/dependencies/playground_token.go +
  /internal/v1/mcp/playground-token surface (flag-gated on PLAYGROUND_TOKEN_ENABLED,
  off by default; docker-compose sets it) + services/agents/playground/mcp.ts
  (MCP discovery resolver) + config.PlaygroundTokenEnabled.

RESOLVE-UNION (both added, keep both):
- deployments/docker-compose.yml (AEP_WORKSPACE_ROOT + PLAYGROUND_TOKEN_ENABLED).
- services/agents/.env.example (our agents config + the AEP_MCP_* discovery vars).
- CONTEXT.md (our GitHub-native glossary + the new "Playground token" entry).
- pnpm-lock.yaml (regenerated from the merged package.json set).

KEEP-OURS + graft their additive bits:
- surfaces.go — keep our /internal/v1/executions/ model; take the new MCP +
  playground-token doc rows; drop their stale /internal/v1/tasks/ row.
- services/agents/AGENTS.md — keep our accurate per-turn-key/workspace model doc;
  drop their boot-time-ANTHROPIC_API_KEY line; graft the playground-MCP bullet.
- services/agents/playground/playground.ts — keep our committed-truth workspace
  turn shape (workspaceRef/EvalWorkspace/evalTurnHeaders); add the mcpResolver +
  `mcp` on the turn body; SKIP their /tasks command (the structured task-planner
  we don't have) + its `model` field.

SKIP (consciously not adopted): the structured task-planner glossary entry +
the /tasks playground command (task-planner is the SKIP'd structured agent).

Validation: aep-api go build/vet/tests green (incl. the new playground-token
surface test); pnpm turbo typecheck 12/13 green (@aep/collab net-new, @aep/agents,
@aep/agent-stream all green). @aep/console fails ONLY on pre-existing gaps
(verify-2 CreateProjectRequest.prompt + the two-console convergence deferral) —
not introduced by this merge.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant