MCP-03: Phase 3 — HTTP transport and API key authentication

[Chris0Jeky]

Overview

Phase 3 of MCP server implementation. Remote MCP access with authentication for cloud deployment.

Tracker: #648 | Spike: docs/spikes/SPIKE_619_COMPLETED.md §13 Phase 3

Deliverables

1. Add ModelContextProtocol.AspNetCore NuGet package
2. Add ApiKeys database table and EF Core migration (key hash, user mapping, name, created/revoked timestamps)
3. Implement ApiKeyMiddleware for Bearer token validation (tdsk_ prefix, SHA-256 hashed)
4. Implement HttpUserContextProvider (maps API key → user for claims-first identity)
5. Add taskdeck api-key create/list/revoke CLI commands
6. Configure MapMcp() alongside existing REST endpoints on same Kestrel instance
7. Add --mcp --transport http --port 5001 startup option
8. Test with remote Claude Code connection
9. Update Docker compose to expose MCP port
10. Rate limiting per API key (reuse existing rate-limiting infrastructure)

Auth Design (from spike §9)

• Local (stdio): OS process identity mapped to default local user — no explicit auth needed
• Remote (HTTP): API keys with tdsk_ prefix
  • Keys generated via CLI: taskdeck api-key create --name "claude-code"
  • SHA-256 hashed at rest (plain key shown only at creation)
  • Each key bound to a user ID for claims-first identity mapping
  • Key rotation: create new → revoke old (no in-place rotation)
  • OAuth 2.1 deferred to Phase 4

Client Config (Remote)

{
  "mcpServers": {
    "taskdeck-cloud": {
      "url": "https://taskdeck.example.com/mcp",
      "headers": {
        "Authorization": "Bearer tdsk_abc123..."
      }
    }
  }
}

Estimated Scope

1–2 weeks

Blocked By

• MCP-02 (#TBD — full resource + tool inventory)

Unblocks

• Cloud deployment MCP access
• MCP-04 (production hardening, deferred)