v2.5.0
MCP Auth Bridge — ASAP Host/Agent JWT and capability grants as an opt-in
authorization layer for native stdio MCP tools/call (Mode A). Unprotected
MCPServer usage is unchanged. No wire-protocol or manifest schema breaking
changes.
Added
- feat(adapters): MCP Auth Bridge (
asap.adapters.mcp)protect_server(server, config)— wrapsMCPServervia
ProtectedMCPServer; intercepts_handle_tools_callonly (MCP-AUTH-006).MCPAuthConfig(config.py) —host_store,agent_store,
capability_registry,tool_capability_map,public_tools,
enforce_grants,jwt_extractor,jti_replay_cache,expected_audience.- Token carriage (stdio) — Agent JWT in
tools/callparams
_meta.asap_agent_jwt; optional dev-onlyASAP_AGENT_JWTwhen
allow_env_jwt_fallback=True. - Grant enforcement —
verify_agent_jwt+CapabilityRegistry.check_grant
with constraint validation on tool arguments; MCP-safeasap:*error codes
(asap:auth_required,asap:invalid_token,asap:capability_denied,
asap:constraint_violation). - Tool → capability mapping — explicit
tool_capability_map, register-time
metadata, or default identity (tool name == capability); optional startup
validation (validate_tools_at_startup). - Reference example —
examples/mcp_auth_bridge/(protected stdio server +
client, smoke tests intests/examples/test_mcp_auth_bridge_example.py). - Docs — MCP Auth Bridge adapter;
MCP integration distinguishes Mode A (native MCP +
bridge) vs Mode B (MCP-over-ASAP envelope).
- feat(compliance):
mcp-auth-bridgeprofile (asap-compliance) — stdio MCP
release gate: auth paths, grants, constraints, manifest tools ⊆ registered
tools (MCP-DISC-003). Requiresasap-protocol>=2.5.0. - test(adapters/mcp) — unit, grant, startup, and stdio integration coverage
(≥90% onasap.adapters.mcp).
Deferred (not in v2.5.0)
hide_unauthorized_tools/tools/listfiltering (MCP-MAP-004) — no
standard JWT carriage on stdiotools/listtoday; see
design lock.initializesession-token handshake (PRD §4.3 SHOULD) — clients pass JWT
on each protectedtools/callin v2.5.0.
TypeScript
@asap-protocol/mcp-authdeferred to v2.5.0.1 — MCP-TS-001..003 (HTTP/SSE
Bearer middleware) are SHOULD-scope; v2.5.0 ships the Python stdio bridge as the
release gate. Rationale and implementation checklist:
typescript-mcp-auth-spike.md;
carry-over tracked in
PRD v2.5.1 §3.
Existing@asap-protocol/*npm packages remain at 2.4.1 until a separate
publish.
Migration
- v2.4.1 → v2.5.0: No breaking changes. MCP servers without
protect_serverbehave as before. To enforce Agent JWT + capabilities on native
MCP, wrap your server withprotect_serverand configure grants — see
MCP Auth Bridge adapter.
Full Changelog: v0.1.0...v2.5.0