Summary
Add an MCP (Model Context Protocol) server to Keyline that authenticates via the OIDC device flow. The MCP server acts as a bridge between AI agents and the existing Keyline REST API.
Design
- New cmd/mcp/ entrypoint
- On startup, initiates device flow against the configured Keyline instance
- User approves in browser → MCP server receives access + refresh tokens
- All subsequent MCP tool calls are translated into REST API calls using the user's token
- Token refresh happens silently when the access token expires
- The user's existing RBAC permissions apply — no privilege escalation
Configuration
- --issuer-url — Keyline OIDC issuer URL
- --client-id — OIDC client_id (must have device flow enabled)
- --virtual-server — virtual server name (default: keyline)
Acceptance Criteria
- cmd/mcp/main.go starts an MCP server (stdio transport)
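The token-polling step of the device flow described under Design, as an added example that is not code from the Keyline repository. It assumes Keyline's token endpoint follows RFC 8628; `Tokens`, `PostForm` and `PollDeviceToken` are hypothetical names, and the HTTP call is injected so the polling rules can be exercised without a network.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// Tokens holds the RFC 8628 token response fields the bridge needs.
type Tokens struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	Error        string `json:"error"`
}

// PostForm is a hypothetical seam; production code wraps http.Client.PostForm.
type PostForm func(ctx context.Context, form url.Values) ([]byte, error)

// PollDeviceToken polls until the user approves, denies, or ctx expires.
func PollDeviceToken(ctx context.Context, post PostForm, clientID, deviceCode string, interval time.Duration) (*Tokens, error) {
	form := url.Values{"client_id": {clientID}, "device_code": {deviceCode},
		"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}}
	for {
		select {
		case <-ctx.Done(): // caller bounds the wait with the code's expires_in
			return nil, ctx.Err()
		case <-time.After(interval):
		}
		body, err := post(ctx, form)
		if err != nil {
			return nil, err
		}
		var t Tokens
		if err := json.Unmarshal(body, &t); err != nil {
			return nil, fmt.Errorf("token response: %w", err)
		}
		switch {
		case t.Error == "authorization_pending": // not approved yet, keep polling
		case t.Error == "slow_down": // RFC 8628 section 3.5: back off by 5 seconds
			interval += 5 * time.Second
		case t.Error != "" || t.AccessToken == "": // access_denied, expired_token, malformed
			return nil, fmt.Errorf("device flow failed: %q", t.Error)
		default:
			return &t, nil
		}
	}
}
func main() {} // empty: the example is used through PollDeviceToken
```

Any error other than authorization_pending or slow_down ends the flow, so a denied or expired request is never retried with the same device code.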