Add Virtual MCP Server architecture documentation

[JAORMX]

Summary

• Add new docs/arch/10-virtual-mcp-architecture.md with comprehensive vMCP architecture documentation
• Update existing architecture docs to fix outdated "upcoming feature" references for vMCP
• Add VirtualMCPCompositeToolDefinition CRD documentation to operator architecture doc

Details

The Virtual MCP Server (vMCP) was previously described as "proposed" or "upcoming" in the architecture documentation, but it is now fully implemented. This PR brings the documentation up to date.

New document (10-virtual-mcp-architecture.md) covers:

• Core concepts: routing, aggregation, authentication, composition, caching
• Backend discovery from MCPGroups
• Aggregation pipeline (discovery → query → resolve → merge)
• Conflict resolution strategies (prefix, priority, manual)
• Composite tools with DAG-based execution
• Two-boundary authentication model (incoming and outgoing)
• Health monitoring

Updated documents:

• README.md - Added vMCP to index and architecture map
• 07-groups.md - Changed "Future Features" to "Virtual MCP Integration"
• 00-overview.md - Added vmcp binary as key component Implement secret injection #5
• 09-operator-architecture.md - Added VirtualMCPCompositeToolDefinition CRD
• 02-core-concepts.md - Added cross-reference to new doc

Test plan

• Verify all internal links work correctly
• Review diagrams render properly in GitHub markdown
• Confirm accuracy of implementation file paths

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.65%. Comparing base (dae3b2b) to head (a6b8882).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #3272   +/-   ##
=======================================
  Coverage   63.65%   63.65%           
=======================================
  Files         357      357           
  Lines       35156    35156           
=======================================
  Hits        22379    22379           
  Misses      10974    10974           
  Partials     1803     1803           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[JAORMX]

@claude please review this and cross reference with the code

[claude]

Claude finished @JAORMX's task in 2m 26s —— View job

---

Documentation Review Complete ✅

I've thoroughly reviewed the Virtual MCP Server architecture documentation and cross-referenced it with the actual implementation. Here's my comprehensive feedback:

---

Overall Assessment

Excellent work! The documentation is comprehensive, well-structured, and accurately reflects the implementation. The vMCP architecture is clearly explained with appropriate diagrams and implementation references.

---

✅ Strengths

1. Accurate Implementation References

   • All documented packages exist and match the described functionality
   • File paths are correct: pkg/vmcp/aggregator/, pkg/vmcp/composer/, pkg/vmcp/auth/, pkg/vmcp/cache/, pkg/vmcp/health/, pkg/vmcp/router/, pkg/vmcp/server/, pkg/vmcp/client/
   • CRD types match: VirtualMCPServer and VirtualMCPCompositeToolDefinition in cmd/thv-operator/api/v1alpha1/
   • Controller implementation verified: cmd/thv-operator/controllers/virtualmcpserver_controller.go

2. Code-Documentation Alignment

   • Aggregation Pipeline: The 4-stage process (Discovery → Query → Resolve → Merge) matches pkg/vmcp/aggregator/aggregator.go
   • Conflict Resolution Strategies: All three strategies (prefix, priority, manual) are implemented in separate resolver files
   • Composite Tools: DAG-based execution matches pkg/vmcp/composer/dag_executor.go and pkg/vmcp/composer/composer.go
   • Two-Boundary Authentication: Correctly describes incoming (OIDC/anonymous) and outgoing (token exchange/headers/unauthenticated) auth in pkg/vmcp/auth/
   • Token Caching: Interface and implementation match pkg/vmcp/cache/cache.go
   • Health Monitoring: Monitor implementation verified in pkg/vmcp/health/monitor.go
   • Router: Tool/resource/prompt routing matches pkg/vmcp/router/router.go

3. Well-Integrated Documentation Updates

   • Successfully updated existing docs to reference vMCP as "implemented" rather than "upcoming"
   • Added appropriate cross-references throughout the documentation set
   • VirtualMCPCompositeToolDefinition CRD now documented in operator architecture

4. Clear Architecture Diagrams

   • Mermaid diagrams effectively illustrate component relationships
   • Request flow sequence diagram accurately represents the routing process
   • Backend discovery diagram clearly shows MCPGroup relationship

---

✅ Internal Links Verification

All internal documentation links are valid:

• 02-core-concepts.md ✓
• 07-groups.md ✓
• 09-operator-architecture.md ✓
• 03-transport-architecture.md ✓

---

📝 Minor Observations (Not Issues)

1. Implementation Detail: The documentation states backends are discovered from MCPGroup, which is accurate. The implementation in pkg/vmcp/workloads/discoverer.go and controller logic confirms this.

2. Deployment Note: The doc correctly states "Kubernetes only" for VirtualMCPServer, though there is a cmd/vmcp/ binary. This is accurate - the binary runs inside the operator-managed deployment, not standalone for users.

3. Health Implementation: The doc mentions pkg/vmcp/health/ which exists. The actual implementation includes sophisticated status tracking with consecutive failure counting and configurable thresholds.

4. Server Implementation: The doc references pkg/vmcp/server/ - verified this exists with the main HTTP server and MCP protocol handling (server.go is 37KB, indicating substantial implementation).

5. Config Package: The documentation correctly references pkg/vmcp/config/ for platform-agnostic configuration - verified this includes YAML loading, validation, and CRD↔CLI roundtrip support.

---

🎯 Technical Accuracy Verification

Cross-referenced key claims with implementation:

Documentation Claim	Implementation Status	Location
Backend discovery from MCPGroups	✅ Confirmed	pkg/vmcp/aggregator/discoverer.go, pkg/vmcp/workloads/
Three conflict resolution strategies	✅ All implemented	prefix_resolver.go, priority_resolver.go, manual_resolver.go
DAG-based composite tool execution	✅ Confirmed	pkg/vmcp/composer/dag_executor.go
Two-boundary auth model	✅ Confirmed	pkg/vmcp/auth/factory/incoming.go, factory/outgoing.go
Token exchange with caching	✅ Confirmed	pkg/vmcp/auth/strategies/tokenexchange.go, pkg/vmcp/cache/
Health monitoring with intervals	✅ Confirmed	pkg/vmcp/health/monitor.go with MonitorConfig
Routing with tool name translation	✅ Confirmed	pkg/vmcp/router/ with BackendTarget
VirtualMCPCompositeToolDefinition CRD	✅ Confirmed	cmd/thv-operator/api/v1alpha1/virtualmcpcompositetooldefinition_types.go

---

🔍 Key Documentation Features

1. Core Concepts Section: Excellent 5-item summary table covering routing, aggregation, authentication, composition, and caching
2. Request Flow Diagram: Accurately shows the critical insight about tool name translation during routing
3. Deployment Section: Correctly distinguishes K8s vs CLI deployment modes
4. Related Documentation: Comprehensive cross-references to other architecture docs

---

✨ Recommendations for Future Enhancements (Optional)

These are suggestions for potential future additions, not issues with the current PR:

1. Consider adding a "Common Use Cases" section with concrete examples (similar to Groups doc)
2. Could add performance characteristics (e.g., "aggregation happens at startup vs per-request")
3. Might benefit from troubleshooting section for common vMCP deployment issues

---

Final Verdict

APPROVED ✅

The documentation accurately represents the Virtual MCP Server implementation, all file paths are correct, internal links work, and the content successfully transitions vMCP from "proposed" to "fully implemented" status. This is production-ready documentation.

The PR successfully achieves its stated goals:

• ✅ New comprehensive vMCP architecture documentation
• ✅ Updated existing docs to fix "upcoming feature" references
• ✅ Added VirtualMCPCompositeToolDefinition CRD documentation
• ✅ All implementation references are accurate

---

Todo List

• Read the new Virtual MCP architecture documentation
• Review the updated architecture documentation files
• Cross-reference documentation with actual code implementation
• Verify all file paths referenced in documentation are correct
• Check internal links between documentation files
• Provide comprehensive review feedback

--- | View branch: docs/vmcp-architecture-updates

[jhrozek]

this is true as of now, but work is being done to move the watching of the resources to the vmcp binary and make the operator reconcile just vmcp resources (this might be too much of a nitpick and maybe it's OK to leave as-is in the overview and dive into the details in the architecture)

[jhrozek]

let's explicitly say access token management or authnz management, token is a loaded word in the LLM space

[jhrozek]

I'm not sure we should mention implementation, this is going to drift over time, but if we do let's also mention pkg/vmcp/discovery.

[jhrozek]

nit: we also have unauthenticated