refactor(storage): extract registry.Store and vault.Backend interfaces #1

Draft: doramirdor wants to merge 1 commit into main from claude/hosted-mcp-auth-uF72t

doramirdor (Owner) commented Apr 25, 2026
Summary

Turns the gateway's storage seams into interfaces so alternative implementations — notably a private hosted/multi-tenant build in a separate repo — can plug in without forking. No behavior change for the OSS binary.

This PR replaces the earlier WorkOS-AuthKit auth scaffolding (force-pushed away). All hosted-flavored code (OAuth/JWT, web UI, multi-tenant impls) will live in a separate private repo (nucleus-hosted) that vendors this module. The OSS gateway keeps stdio + the existing --token static-bearer HTTP path only.

What's in this PR

  • internal/registry/store.go — new Store interface mirroring *registry.Registry's full method set. SQLite remains the default impl.
  • internal/vault/backend.go — new Backend interface mirroring *vault.Vault's full method set. OS keychain remains the default impl.
  • internal/server.Gateway, internal/workspace.Resolver, internal/supervisor.Supervisor now depend on the interfaces. CLI commands keep using concrete types directly.
  • Compile-time var _ Store = (*Registry)(nil) / var _ Backend = (*Vault)(nil) checks pin the contract.
  • CONTRIBUTING.md documents the seams.

Design note

Interfaces are deliberately tenant-agnostic. A multi-tenant implementation is expected to bind the tenant via construction (a per-request wrapper that filters by user_id), not by adding a parameter to every method. This keeps the contract stable for the OSS use case while letting the hosted side do whatever it needs.

Test plan

  • go build ./..., go vet ./..., go test ./... — all green
  • Compile-time interface assertions ensure SQLite/keychain types still satisfy the contracts
  • Manual: run nucleus serve (stdio) on a workspace with profiles and confirm tools appear unchanged
  • Manual: run nucleus serve --http 127.0.0.1:8787 --token foo and confirm the existing static-token path still works

https://claude.ai/code/session_01RacGUaDSFGTSwwvtTBxF5X

Turn the gateway's storage seams into interfaces so alternative
implementations (notably a multi-tenant deployment that lives in a
separate repo) can plug in without forking.

  - registry.Store mirrors *registry.Registry's full method set; the
    SQLite-backed Registry remains the default OSS impl.
  - vault.Backend mirrors *vault.Vault's full method set; the
    OS-keychain-backed Vault remains the default OSS impl.
  - Gateway, Supervisor, and Resolver depend on the interfaces; CLI
    commands keep using the concrete types directly.

Interfaces are deliberately tenant-agnostic. A multi-tenant impl is
expected to bind the tenant via construction (per-request wrapper that
filters by user_id), not by adding a parameter to every method.

No behavior change. Compile-time `var _ Store = (*Registry)(nil)` and
`var _ Backend = (*Vault)(nil)` checks ensure the OSS impls keep
satisfying the contract.

doramirdor force-pushed the claude/hosted-mcp-auth-uF72t branch from c1b1fd7 to 228a3e8 on April 25, 2026 12:27

doramirdor changed the title from "feat(auth): hosted MCP via OAuth 2.1 + WorkOS AuthKit" to "refactor(storage): extract registry.Store and vault.Backend interfaces" on Apr 25, 2026
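
The design note describes binding the tenant at construction (a per-request wrapper that filters by user_id) instead of adding a parameter to every method. A sketch of that pattern, added here as an illustration and not taken from this PR or from nucleus-hosted: `Profile`, the two `Store` methods, `tenantStore` and `ForTenant` are hypothetical names, since the real `registry.Store` method set is not shown on this page, and the rows are constructed sample data.

```go
package main

import "fmt"

// Hypothetical stand-ins: the real registry.Store method set is not shown on this page.
type Profile struct{ UserID, Name string }
type Store interface {
	GetProfile(name string) (Profile, bool)
	ListProfiles() []Profile
}

// tenantStore binds one user_id at construction; no Store method takes a tenant argument.
type tenantStore struct {
	rows   []Profile // constructed stand-in for a table shared by all tenants
	userID string
}
var _ Store = (*tenantStore)(nil) // same compile-time pin the PR uses

// ForTenant is built per request from the authenticated identity; it fails closed on "".
func ForTenant(rows []Profile, userID string) (Store, error) {
	if userID == "" {
		return nil, fmt.Errorf("tenant id required")
	}
	return &tenantStore{rows: rows, userID: userID}, nil
}

// ListProfiles returns only the rows owned by the bound tenant.
func (t *tenantStore) ListProfiles() (out []Profile) {
	for _, p := range t.rows {
		if p.UserID == t.userID {
			out = append(out, p)
		}
	}
	return out
}

// GetProfile reports a miss for another tenant's row, so existence is not leaked.
func (t *tenantStore) GetProfile(name string) (Profile, bool) {
	for _, p := range t.ListProfiles() {
		if p.Name == name {
			return p, true
		}
	}
	return Profile{}, false
}

func main() {
	s, _ := ForTenant([]Profile{{"alice", "prod"}, {"bob", "dev"}}, "alice") // constructed rows
	fmt.Println(s.ListProfiles())
}
```

Because the interface has no tenant parameter, code holding the returned `Store` has no way to name another tenant; the isolation boundary is the single place where `ForTenant` is called with the authenticated identity.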