merge remote into local

Author: amirejaz

.github/workflows/image-build-and-publish.yml

@@ -39,7 +39,7 @@ jobs:
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Build and Push Image to GHCR
         env:
@@ -103,7 +103,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ${{ env.BASE_REPO }}
           tags: |
@@ -125,7 +125,7 @@ jobs:
 
       - name: Install Cosign
         if: startsWith(github.ref, 'refs/tags/')
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign container image
         if: startsWith(github.ref, 'refs/tags/')
@@ -182,18 +182,19 @@ jobs:
 
       - name: Extract UBI metadata
         id: ubi-meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ${{ env.BASE_REPO }}
           tags: |
             type=raw,value=${{ steps.version-string.outputs.tag }}-ubi
+            type=raw,value=latest-ubi,enable=${{ startsWith(github.ref, 'refs/tags/') }}
           labels: |
             name=toolhive-operator
             vendor=Stacklok
             maintainer=Stacklok
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Build and Push Image to GHCR
         env:
@@ -240,6 +241,7 @@ jobs:
           # Sign the latest tag if building from a tag
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then
             cosign sign -y $BASE_REPO:latest
+            cosign sign -y $BASE_REPO:latest-ubi
           fi
 
   proxyrunner-image-build-and-publish:
@@ -281,11 +283,12 @@ jobs:
 
       - name: Extract UBI metadata
         id: ubi-meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ${{ env.BASE_REPO }}
           tags: |
             type=raw,value=${{ steps.version-string.outputs.tag }}-ubi
+            type=raw,value=latest-ubi,enable=${{ startsWith(github.ref, 'refs/tags/') }}
           labels: |
             name=toolhive-proxyrunner
             vendor=Stacklok
@@ -337,6 +340,7 @@ jobs:
           # Sign the latest tag if building from a tag
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then
             cosign sign -y $BASE_REPO:latest
+            cosign sign -y $BASE_REPO:latest-ubi
           fi
 
   vmcp-image-build-and-publish:
@@ -386,7 +390,7 @@ jobs:
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Build and Push Image to GHCR
         env:

.github/workflows/releaser-helm-charts.yml

@@ -43,7 +43,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Publish and Sign OCI Charts
         run: |

.github/workflows/releaser.yml

@@ -75,7 +75,7 @@ jobs:
         uses: anchore/sbom-action/download-syft@8e94d75ddd33f69f691467e42275782e4bfefe84 # v0.20.9
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Build and Verify Binary Version
         env:

.github/workflows/test-helm-charts.yml

@@ -26,7 +26,7 @@ jobs:
           python-version: 3.13
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        uses: helm/chart-testing-action@6ec842c01de15ebb84c8627d2744a0c2f2755c9f # v2.8.0
 
       - name: Run chart-testing (lint)
         run: ct lint --config ct.yaml

.goreleaser.yaml

@@ -106,6 +106,7 @@ signs:
       - "sign-blob"
       - "--output-signature=${signature}"
       - "--output-certificate=${certificate}"
+      - "--bundle=${signature}" # added for cosign v3: required when using --output-signature or --signing-config
       - "${artifact}"
       - "--yes" # needed on cosign 2.0.0+
     artifacts: archive

CLAUDE.md

@@ -88,6 +88,23 @@ The test framework uses Ginkgo and Gomega for BDD-style testing.
    - `transport/`: Communication protocols (HTTP, SSE, stdio, streamable)
    - `workloads/`: Workload lifecycle management
 
+4. **Virtual MCP Server (`cmd/vmcp/`)**
+   - Core packages in `pkg/vmcp/`:
+     - `aggregator/`: Backend discovery (CLI/K8s), capability querying, conflict resolution (prefix/priority/manual)
+     - `router/`: Routes MCP requests (tools/resources/prompts) to backends
+     - `auth/`: Two-boundary auth model (incoming: clients→vMCP; outgoing: vMCP→backends)
+     - `composer/`: Multi-step workflow execution with DAG-based parallel/sequential support
+     - `config/`: Platform-agnostic config model (works for CLI YAML and K8s CRDs)
+     - `server/`: HTTP server implementation with session management and auth middleware
+     - `client/`: Backend MCP client using mark3labs/mcp-go SDK
+     - `cache/`: Token caching with pluggable backends
+   - K8s CRDs in `cmd/thv-operator/api/v1alpha1/`:
+     - `VirtualMCPServer`: Main vMCP server resource (GroupRef, auth configs, aggregation, composite tools)
+     - `VirtualMCPCompositeToolDefinition`: Reusable composite tool workflows
+     - `MCPGroup`: Defines backend workload collections
+     - `MCPServer`, `MCPRegistry`, `MCPRemoteProxy`: Backend workload types
+     - `MCPExternalAuthConfig`, `ToolConfig`: Supporting config resources
+
 ### Key Design Patterns
 
 - **Factory Pattern**: Used extensively for creating runtime-specific implementations (Docker/Colima/Podman vs Kubernetes)

cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go

@@ -42,6 +42,12 @@ type VirtualMCPServerSpec struct {
 	// +optional
 	Operational *OperationalConfig `json:"operational,omitempty"`
 
+	// ServiceType specifies the Kubernetes service type for the Virtual MCP server
+	// +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer
+	// +kubebuilder:default=ClusterIP
+	// +optional
+	ServiceType string `json:"serviceType,omitempty"`
+
 	// PodTemplateSpec defines the pod template to use for the Virtual MCP server
 	// This allows for customizing the pod configuration beyond what is provided by the other fields.
 	// Note that to modify the specific container the Virtual MCP server runs in, you must specify
@@ -62,6 +68,11 @@ type GroupRef struct {
 
 // IncomingAuthConfig configures authentication for clients connecting to the Virtual MCP server
 type IncomingAuthConfig struct {
+	// Type defines the authentication type: anonymous, local, or oidc
+	// +kubebuilder:validation:Enum=anonymous;local;oidc
+	// +optional
+	Type string `json:"type,omitempty"`
+
 	// OIDCConfig defines OIDC authentication configuration
 	// Reuses MCPServer OIDC patterns
 	// +optional
@@ -426,14 +437,6 @@ type VirtualMCPServerStatus struct {
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 
-	// DiscoveredBackends lists discovered backend configurations when source=discovered
-	// +optional
-	DiscoveredBackends []DiscoveredBackend `json:"discoveredBackends,omitempty"`
-
-	// Capabilities summarizes aggregated capabilities from all backends
-	// +optional
-	Capabilities *CapabilitiesSummary `json:"capabilities,omitempty"`
-
 	// ObservedGeneration is the most recent generation observed for this VirtualMCPServer
 	// +optional
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
@@ -452,54 +455,6 @@ type VirtualMCPServerStatus struct {
 	URL string `json:"url,omitempty"`
 }
 
-// DiscoveredBackend represents a discovered backend MCPServer
-type DiscoveredBackend struct {
-	// Name is the name of the backend MCPServer
-	// +kubebuilder:validation:Required
-	Name string `json:"name"`
-
-	// AuthConfigRef is the name of the discovered MCPExternalAuthConfig
-	// Empty if backend has no external auth config
-	// +optional
-	AuthConfigRef string `json:"authConfigRef,omitempty"`
-
-	// AuthType is the type of authentication configured
-	// +optional
-	AuthType string `json:"authType,omitempty"`
-
-	// Status is the current status of the backend
-	// +kubebuilder:validation:Enum=ready;degraded;unavailable
-	// +optional
-	Status string `json:"status,omitempty"`
-
-	// LastHealthCheck is the timestamp of the last health check
-	// +optional
-	LastHealthCheck *metav1.Time `json:"lastHealthCheck,omitempty"`
-
-	// URL is the URL of the backend MCPServer
-	// +optional
-	URL string `json:"url,omitempty"`
-}
-
-// CapabilitiesSummary summarizes aggregated capabilities
-type CapabilitiesSummary struct {
-	// ToolCount is the total number of tools exposed
-	// +optional
-	ToolCount int `json:"toolCount,omitempty"`
-
-	// ResourceCount is the total number of resources exposed
-	// +optional
-	ResourceCount int `json:"resourceCount,omitempty"`
-
-	// PromptCount is the total number of prompts exposed
-	// +optional
-	PromptCount int `json:"promptCount,omitempty"`
-
-	// CompositeToolCount is the number of composite tools defined
-	// +optional
-	CompositeToolCount int `json:"compositeToolCount,omitempty"`
-}
-
 // VirtualMCPServerPhase represents the lifecycle phase of a VirtualMCPServer
 // +kubebuilder:validation:Enum=Pending;Ready;Degraded;Failed
 type VirtualMCPServerPhase string
@@ -524,36 +479,18 @@ const (
 	// ConditionTypeVirtualMCPServerReady indicates whether the VirtualMCPServer is ready
 	ConditionTypeVirtualMCPServerReady = "Ready"
 
-	// ConditionTypeBackendsDiscovered indicates whether backends have been discovered
-	ConditionTypeBackendsDiscovered = "BackendsDiscovered"
-
 	// ConditionTypeVirtualMCPServerGroupRefValidated indicates whether the GroupRef is valid
 	ConditionTypeVirtualMCPServerGroupRefValidated = "GroupRefValidated"
 )
 
 // Condition reasons for VirtualMCPServer
 const (
-	// ConditionReasonAllBackendsReady indicates all backends are ready
-	ConditionReasonAllBackendsReady = "AllBackendsReady"
-
-	// ConditionReasonSomeBackendsUnavailable indicates some backends are unavailable
-	ConditionReasonSomeBackendsUnavailable = "SomeBackendsUnavailable"
-
-	// ConditionReasonNoBackends indicates no backends were discovered
-	ConditionReasonNoBackends = "NoBackends"
-
 	// ConditionReasonIncomingAuthValid indicates incoming auth is valid
 	ConditionReasonIncomingAuthValid = "IncomingAuthValid"
 
 	// ConditionReasonIncomingAuthInvalid indicates incoming auth is invalid
 	ConditionReasonIncomingAuthInvalid = "IncomingAuthInvalid"
 
-	// ConditionReasonDiscoveryComplete indicates backend discovery is complete
-	ConditionReasonDiscoveryComplete = "DiscoveryComplete"
-
-	// ConditionReasonDiscoveryFailed indicates backend discovery failed
-	ConditionReasonDiscoveryFailed = "DiscoveryFailed"
-
 	// ConditionReasonGroupRefValid indicates the GroupRef is valid
 	ConditionReasonVirtualMCPServerGroupRefValid = "GroupRefValid"
 
@@ -604,8 +541,6 @@ const (
 //+kubebuilder:subresource:status
 //+kubebuilder:resource:shortName=vmcp;virtualmcp
 //+kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase",description="The phase of the VirtualMCPServer"
-//+kubebuilder:printcolumn:name="Tools",type="integer",JSONPath=".status.capabilities.toolCount",description="Total tools"
-//+kubebuilder:printcolumn:name="Backends",type="integer",JSONPath=".status.discoveredBackends[*]",description="Backends"
 //+kubebuilder:printcolumn:name="URL",type="string",JSONPath=".status.url",description="Virtual MCP server URL"
 //+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="Age"
 //+kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type=='Ready')].status"