mc/mcq
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sso: public MCIAS authorize URL + docs

Browse Source 
Add [sso].public_url so the browser SSO authorize redirect uses the
public MCIAS hostname while the code exchange stays on the internal
address (mcdsl v1.9.0). Document the SSO URL split and the rootless-podman
/ unikernel-eligibility rules in CLAUDE.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-06-11 11:20:50 -07:00
parent 5122e9cd87
commit b48fcc8465
6 changed files with 53 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
CLAUDE.md
View File

@@ -67,3 +67,34 @@ template rendering).
3. **No test frameworks**: stdlib `testing` only, real SQLite in t.TempDir().
4. **CSRF on all web mutations**: double-submit cookie pattern.
5. **Session cookies**: HttpOnly, Secure, SameSite=Strict.
## SSO (public vs internal MCIAS URLs)
MCQ is reachable publicly (`mcq.metacircular.net`), so its SSO uses **two**
MCIAS URLs (via `mcdsl/sso` ≥ v1.9.0):
- `[mcias].server_url` — the **internal** address (`https://mcias.svc.mcp.metacircular.net:8443`)
used for the server-to-server authorization-code exchange. Efficient and
does not depend on the public edge.
- `[sso].public_url` — the **public, browser-facing** MCIAS base URL
(`https://mcias.metacircular.net`) used to build the authorize redirect, so
end-user browsers (which can't resolve the internal name) can reach it.
- `[sso].redirect_uri` must be the **public** callback
(`https://mcq.metacircular.net/sso/callback`) and must match the
`redirect_uri` registered for the `mcq` SSO client in MCIAS
(`mciasctl sso update --client-id mcq --redirect-uri ...`).
If `public_url` is empty the authorize redirect falls back to `server_url`
(tailnet-only SSO). The startup log prints both `authorize_url` and
`exchange_url` so you can confirm the split.
## Deployment / runtime
- **Containers run rootless under MCP.** Dockerfiles must NOT declare
`VOLUME /srv/mcq`, pre-create/chown the data dir, or set `USER` — MCP
bind-mounts `/srv/mcq` and runs `--user 0:0`. See
`../engineering-standards.md` → Containerization.
- **Not unikernel-eligible (yet).** MCQ writes a SQLite DB to `/srv/mcq`;
the unikernel runtime currently bakes config/certs read-only and has no
writable host mount, so MCQ stays a container until 9p/virtio-blk storage
lands. See `docs/unikernels.md` in the workspace root.