feat(mcp) : add stdio auth, dashboard stats PoC tool, and helper trait

- McpStdioAuthSubscriber for console transport auth via env vars - DashboardStatsTool as PoC (validates MCP protocol flow) - McpToolHelper trait for shared pagination/error utilities - Key learning: #[McpTool] must be on CLASS, not method for __invoke Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 14:18:09 +01:00
parent 46ea3ca8ad
commit e335f4c24c
4 changed files with 294 additions and 0 deletions
--- a/src/Mcp/Security/McpStdioAuthSubscriber.php
+++ b/src/Mcp/Security/McpStdioAuthSubscriber.php
@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Mcp\Security;
+
+use App\Repository\ProfileRepository;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Console\ConsoleEvents;
+use Symfony\Component\Console\Event\ConsoleCommandEvent;
+use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+
+#[AsEventListener(event: ConsoleEvents::COMMAND)]
+final class McpStdioAuthSubscriber
+{
+    public function __construct(
+        private readonly ProfileRepository $profiles,
+        private readonly UserPasswordHasherInterface $passwordHasher,
+        private readonly TokenStorageInterface $tokenStorage,
+        private readonly LoggerInterface $logger,
+    ) {}
+
+    public function __invoke(ConsoleCommandEvent $event): void
+    {
+        $command = $event->getCommand();
+
+        if (!$command || !str_starts_with($command->getName() ?? '', 'mcp:')) {
+            return;
+        }
+
+        $profileId = $_ENV['MCP_PROFILE_ID'] ?? '';
+        $password  = $_ENV['MCP_PROFILE_PASSWORD'] ?? '';
+
+        if ('' === $profileId || '' === $password) {
+            $this->logger->error('MCP stdio: missing MCP_PROFILE_ID or MCP_PROFILE_PASSWORD env vars');
+            $event->disableCommand();
+            $event->getOutput()->writeln('<error>MCP auth: MCP_PROFILE_ID and MCP_PROFILE_PASSWORD env vars required</error>');
+
+            return;
+        }
+
+        $profile = $this->profiles->find($profileId);
+
+        if (!$profile || !$profile->isActive()) {
+            $this->logger->error('MCP stdio: profile not found or inactive', ['profileId' => $profileId]);
+            $event->disableCommand();
+            $event->getOutput()->writeln('<error>MCP auth: invalid profile</error>');
+
+            return;
+        }
+
+        if (!$this->passwordHasher->isPasswordValid($profile, $password)) {
+            $this->logger->error('MCP stdio: invalid password', ['profileId' => $profileId]);
+            $event->disableCommand();
+            $event->getOutput()->writeln('<error>MCP auth: invalid password</error>');
+
+            return;
+        }
+
+        $token = new UsernamePasswordToken($profile, 'mcp', $profile->getRoles());
+        $this->tokenStorage->setToken($token);
+
+        $this->logger->info('MCP stdio auth success', [
+            'profileId' => $profileId,
+            'roles'     => $profile->getRoles(),
+        ]);
+    }
+}