Skip to content

Route all MCP clients through a uniform ucode mcp-proxy stdio bridge#201

Open
sunishsheth2009 wants to merge 2 commits into
databricks:mainfrom
sunishsheth2009:sunish-sheth_data/mcp-proxy
Open

Route all MCP clients through a uniform ucode mcp-proxy stdio bridge#201
sunishsheth2009 wants to merge 2 commits into
databricks:mainfrom
sunishsheth2009:sunish-sheth_data/mcp-proxy

Conversation

@sunishsheth2009

Copy link
Copy Markdown

Summary

Replaces the per-client MCP authentication with one uniform mechanism: every coding agent registers Databricks MCP servers as an identical local stdio command — ucode mcp-proxy --url <endpoint> --host <workspace> --profile <profile> — and a small bridge (shipped in ucode) forwards to the Databricks streamable-HTTP MCP endpoint, minting a fresh OAuth token from the CLI profile on every request.

Why

Previously each client got a different HTTP-bearer registration (Bearer ${OAUTH_TOKEN} header for claude/gemini/copilot, --bearer-token-env-var for codex, {env:OAUTH_TOKEN} for opencode). The token was frozen at launch and expired (~1h) mid-session, and the clients disagree on auth config with only Claude exposing a per-request hook. This was the source of the inconsistency and the refresh problem raised in review.

A stdio proxy resolves all of it in one place:

  • Uniform — the same registration for claude, codex, gemini, opencode, copilot (and cursor, in the follow-up). No per-client auth logic.
  • Self-refreshing — the proxy mints a fresh token per upstream request; never stale mid-session.
  • Clean lifecycle — the client spawns the proxy as a child process and reaps it on exit. ucode owns no long-lived process and no background refresh thread. The proxy is an invisible implementation detail baked into config; users never run it.
  • No external package — ucode ships its own proxy (built on the official mcp SDK), rather than depending on uvx uc-mcp-proxy fetched at runtime.

Changes

  • src/ucode/mcp_proxy.py (new) — stdio↔streamable-HTTP bridge. An httpx.Auth injects a fresh get_databricks_token(...) bearer per request; a transport-level message pump forwards both directions, so new MCP methods/capabilities pass through untouched.
  • cli.py — hidden ucode mcp-proxy --url --host --profile --use-pat command.
  • databricks.pybuild_mcp_proxy_argv(...), mirroring build_auth_token_argv.
  • mcp.pyadd_{claude,codex,gemini}_mcp_server and the opencode/copilot config writers now register the stdio proxy argv; removed build_mcp_http_entry and the ${OAUTH_TOKEN} header wiring. add_claude_mcp_server stays polymorphic so the existing web_search stdio server (a dict entry with its own env) still registers via add-json.
  • pyproject.toml — adds mcp>=1.28.0.

Verification

Against a live workspace: ucode mcp-proxy completes the MCP stdio handshake (initialize OK, tools/list returns the endpoint's 4 tools); ucode's real codex registration lists the proxy as an enabled stdio server with the expected argv. Tests: 864 pass (the 2 test_e2e_user_agent failures are pre-existing, network-dependent, unrelated); ruff and ty clean.

Relationship to other PRs

This supersedes the per-client auth approaches:

This pull request and its description were written by Isaac.

Every coding agent now registers Databricks MCP servers as one identical local
stdio command — `ucode mcp-proxy --url <endpoint> --host <ws> --profile <p>` —
instead of per-client HTTP-bearer entries. This replaces five divergent auth
paths (claude `${OAUTH_TOKEN}` header, codex `--bearer-token-env-var`, gemini
`--header`, opencode `{env:OAUTH_TOKEN}`, copilot `Bearer ${OAUTH_TOKEN}`), none
of which refreshed the token mid-session, with a single mechanism.

Why a proxy: MCP clients disagree on HTTP-auth config and none expose a
per-request auth hook (except Claude's headersHelper), so a static bearer froze
at launch and expired after ~1h. A local stdio proxy sidesteps all of that: the
client spawns it as a child process (and reaps it — ucode owns no long-lived
process or refresh thread), and the proxy mints a fresh OAuth token from the
Databricks CLI profile on every upstream request. The proxy is an invisible
implementation detail baked into each client's config; users never invoke it.

- src/ucode/mcp_proxy.py (new): stdio<->streamable-HTTP bridge built on the
  official `mcp` SDK. `httpx.Auth` injects a fresh `get_databricks_token(...)`
  bearer per request; a transport-level pump forwards messages both ways, so new
  MCP methods/capabilities pass through untouched.
- cli.py: hidden `ucode mcp-proxy --url --host --profile --use-pat` command.
- databricks.py: `build_mcp_proxy_argv(...)` (mirrors build_auth_token_argv).
- mcp.py: add_{claude,codex,gemini}_mcp_server + opencode/copilot writers now
  register the stdio proxy argv; removed build_mcp_http_entry / OAUTH_TOKEN
  header. add_claude_mcp_server stays polymorphic so the web_search stdio entry
  (a dict with its own env) still registers via add-json.
- pyproject: add `mcp>=1.28.0`.

Verified against a live workspace: `ucode mcp-proxy` handshakes stdio and returns
the endpoint's tools (initialize OK, tools/list OK); ucode's real codex
registration lists the proxy as an enabled stdio server. Tests: 864 pass
(2 pre-existing e2e network failures unrelated); ruff + ty clean.

Co-authored-by: Isaac
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant