Pass mode, backend-tls, and tls cert/key through route add

The --mode flag was defined but never wired through to the RPC.
Add tls_cert and tls_key fields to AddProxyRouteRequest so L7
routes can be created via mcp route add.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/mcp/route.go

@@ -28,17 +28,26 @@ func routeCmd() *cobra.Command {
 		},
 	}
 
+	var (
+		routeMode  string
+		backendTLS bool
+		tlsCert    string
+		tlsKey     string
+	)
+
 	add := &cobra.Command{
 		Use:   "add <listener> <hostname> <backend>",
 		Short: "Add a route to mc-proxy",
-		Long:  "Add a route. Example: mcp route add -n rift :443 mcq.metacircular.net 100.95.252.120:443",
+		Long:  "Add a route. Example: mcp route add -n rift :443 mcq.svc.mcp.metacircular.net 127.0.0.1:48080 --mode l7 --tls-cert /srv/mc-proxy/certs/mcq.pem --tls-key /srv/mc-proxy/certs/mcq.key",
 		Args:  cobra.ExactArgs(3),
 		RunE: func(_ *cobra.Command, args []string) error {
-			return runRouteAdd(nodeName, args)
+			return runRouteAdd(nodeName, args, routeMode, backendTLS, tlsCert, tlsKey)
 		},
 	}
-	add.Flags().String("mode", "l4", "route mode (l4 or l7)")
-	add.Flags().Bool("backend-tls", false, "re-encrypt traffic to backend")
+	add.Flags().StringVar(&routeMode, "mode", "l4", "route mode (l4 or l7)")
+	add.Flags().BoolVar(&backendTLS, "backend-tls", false, "re-encrypt traffic to backend")
+	add.Flags().StringVar(&tlsCert, "tls-cert", "", "path to TLS cert on the node (required for l7)")
+	add.Flags().StringVar(&tlsKey, "tls-key", "", "path to TLS key on the node (required for l7)")
 
 	remove := &cobra.Command{
 		Use:   "remove <listener> <hostname>",
@@ -138,7 +147,7 @@ func printRoutes(nodeName string, resp *mcpv1.ListProxyRoutesResponse) {
 	}
 }
 
-func runRouteAdd(nodeName string, args []string) error {
+func runRouteAdd(nodeName string, args []string, mode string, backendTLS bool, tlsCert, tlsKey string) error {
 	if nodeName == "" {
 		return fmt.Errorf("--node is required")
 	}
@@ -166,12 +175,16 @@ func runRouteAdd(nodeName string, args []string) error {
 		ListenerAddr: args[0],
 		Hostname:     args[1],
 		Backend:      args[2],
+		Mode:         mode,
+		BackendTls:   backendTLS,
+		TlsCert:      tlsCert,
+		TlsKey:       tlsKey,
 	})
 	if err != nil {
 		return fmt.Errorf("add route: %w", err)
 	}
 
-	fmt.Printf("Added route: %s → %s on %s (%s)\n", args[1], args[2], args[0], nodeName)
+	fmt.Printf("Added route: %s %s → %s on %s (%s)\n", mode, args[1], args[2], args[0], nodeName)
 	return nil
 }
 

gen/mcp/v1/mcp.pb.go

@@ -2815,6 +2815,8 @@ type AddProxyRouteRequest struct {
 	Backend       string                 `protobuf:"bytes,3,opt,name=backend,proto3" json:"backend,omitempty"`
 	Mode          string                 `protobuf:"bytes,4,opt,name=mode,proto3" json:"mode,omitempty"` // "l4" or "l7"
 	BackendTls    bool                   `protobuf:"varint,5,opt,name=backend_tls,json=backendTls,proto3" json:"backend_tls,omitempty"`
+	TlsCert       string                 `protobuf:"bytes,6,opt,name=tls_cert,json=tlsCert,proto3" json:"tls_cert,omitempty"` // path to TLS cert (required for l7)
+	TlsKey        string                 `protobuf:"bytes,7,opt,name=tls_key,json=tlsKey,proto3" json:"tls_key,omitempty"`    // path to TLS key (required for l7)
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -2884,6 +2886,20 @@ func (x *AddProxyRouteRequest) GetBackendTls() bool {
 	return false
 }
 
+func (x *AddProxyRouteRequest) GetTlsCert() string {
+	if x != nil {
+		return x.TlsCert
+	}
+	return ""
+}
+
+func (x *AddProxyRouteRequest) GetTlsKey() string {
+	if x != nil {
+		return x.TlsKey
+	}
+	return ""
+}
+
 type AddProxyRouteResponse struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
@@ -3198,14 +3214,16 @@ const file_proto_mcp_v1_mcp_proto_rawDesc = "" +
 	"\x11total_connections\x18\x02 \x01(\x03R\x10totalConnections\x129\n" +
 	"\n" +
 	"started_at\x18\x03 \x01(\v2\x1a.google.protobuf.TimestampR\tstartedAt\x127\n" +
-	"\tlisteners\x18\x04 \x03(\v2\x19.mcp.v1.ProxyListenerInfoR\tlisteners\"\xa6\x01\n" +
+	"\tlisteners\x18\x04 \x03(\v2\x19.mcp.v1.ProxyListenerInfoR\tlisteners\"\xda\x01\n" +
 	"\x14AddProxyRouteRequest\x12#\n" +
 	"\rlistener_addr\x18\x01 \x01(\tR\flistenerAddr\x12\x1a\n" +
 	"\bhostname\x18\x02 \x01(\tR\bhostname\x12\x18\n" +
 	"\abackend\x18\x03 \x01(\tR\abackend\x12\x12\n" +
 	"\x04mode\x18\x04 \x01(\tR\x04mode\x12\x1f\n" +
 	"\vbackend_tls\x18\x05 \x01(\bR\n" +
-	"backendTls\"\x17\n" +
+	"backendTls\x12\x19\n" +
+	"\btls_cert\x18\x06 \x01(\tR\atlsCert\x12\x17\n" +
+	"\atls_key\x18\a \x01(\tR\x06tlsKey\"\x17\n" +
 	"\x15AddProxyRouteResponse\"Z\n" +
 	"\x17RemoveProxyRouteRequest\x12#\n" +
 	"\rlistener_addr\x18\x01 \x01(\tR\flistenerAddr\x12\x1a\n" +

internal/agent/proxy_rpc.go

@@ -69,6 +69,8 @@ func (a *Agent) AddProxyRoute(ctx context.Context, req *mcpv1.AddProxyRouteReque
 		Backend:    req.GetBackend(),
 		Mode:       req.GetMode(),
 		BackendTLS: req.GetBackendTls(),
+		TLSCert:    req.GetTlsCert(),
+		TLSKey:     req.GetTlsKey(),
 	}
 
 	if err := a.Proxy.AddRoute(ctx, req.GetListenerAddr(), route); err != nil {

proto/mcp/v1/mcp.proto

@@ -362,6 +362,8 @@ message AddProxyRouteRequest {
   string backend = 3;
   string mode = 4;           // "l4" or "l7"
   bool backend_tls = 5;
+  string tls_cert = 6;       // path to TLS cert (required for l7)
+  string tls_key = 7;        // path to TLS key (required for l7)
 }
 
 message AddProxyRouteResponse {}