jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/notes
History
jedarden 660a9401ef feat(pdftract-59zz): implement MCP bearer token ingress channels and TH-03 enforcement 
Implements secure MCP bearer-token ingress channels and TH-03 startup abort
enforcement per plan lines 874, 915-921, 922-924.

## Changes
- Add `--auth-token-file PATH` flag (RECOMMENDED channel)
- Add `PDFTRACT_MCP_TOKEN` env var support
- Reject `--auth-token VALUE` unless `PDFTRACT_INSECURE_CLI_TOKEN=1`
- Enforce TH-03: require token for non-loopback bind addresses (exit 78)
- Loopback exemption for 127.0.0.0/8 and ::1/128

## Files
- crates/pdftract-cli/src/mcp/auth.rs: Token resolution with priority order
- crates/pdftract-cli/src/mcp/bind.rs: TH-03 bind security check
- crates/pdftract-cli/src/mcp/server.rs: MCP server entry point
- crates/pdftract-cli/src/mcp/mod.rs: Module exports
- crates/pdftract-cli/src/main.rs: CLI arguments
- crates/pdftract-cli/Cargo.toml: Add secrecy, tempfile dependencies

## Acceptance Criteria
-  --auth-token-file PATH flag implemented
-  PDFTRACT_MCP_TOKEN env var resolved
-  --auth-token VALUE rejected (exit 64) unless PDFTRACT_INSECURE_CLI_TOKEN=1
-  mcp --bind ADDR with non-loopback ADDR and no token: aborts with exit 78
-  mcp --bind ADDR with loopback ADDR and no token: succeeds
-  mcp --bind ADDR with token: succeeds regardless of address
- ⏸️ Inspector token: Phase 7.9 (not yet implemented)
- ⏸️ TH-03 test: separate bead

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 02:47:54 -04:00
..
pdftract-1bn.md feat(pdftract-1bn): implement cross-compilation build matrix for 5 target triples 2026-05-18 00:06:55 -04:00
pdftract-1g87.md feat(pdftract-q15sh): implement v1 fingerprint algorithm 2026-05-18 01:02:30 -04:00
pdftract-1wqec.md docs(pdftract-1wqec): verify CI scaffolding acceptance criteria 2026-05-17 07:12:16 -04:00
pdftract-1yad.md fix(pdftract-1yad): enable proptest tests and update verification note 2026-05-18 00:15:00 -04:00
pdftract-2bpf6.md test(pdftract-2bpf6): add FlateDecode predictor tests and proptests 2026-05-18 01:08:21 -04:00
pdftract-2bsfc.md docs(pdftract-2bsfc): add verification note 2026-05-17 23:57:00 -04:00
pdftract-2hm4.md fix(pdftract-2hm4): fix keyword lexer to use Vec<u8> and improve diagnostics 2026-05-18 02:11:40 -04:00
pdftract-2ka7.md feat(pdftract-2ka7): implement secure password ingress channels 2026-05-18 02:20:02 -04:00
pdftract-2t9.md docs(pdftract-2t9): add verification note 2026-05-18 01:22:44 -04:00
pdftract-3gq3.md feat(pdftract-1534): complete Tera-template-driven code generator 2026-05-18 01:55:27 -04:00
pdftract-3nnqy.md feat(pdftract-3nnqy): implement StreamDecoder trait, filter pipeline, and bomb limit 2026-05-18 00:34:28 -04:00
pdftract-4hn1.md feat(pdftract-4hn1): use Cow<'static, str> for diagnostic messages 2026-05-17 23:23:38 -04:00
pdftract-4iier.md docs(pdftract-4iier): complete per-profile README documentation 2026-05-18 00:32:06 -04:00
pdftract-4ymy.md docs(pdftract-4ymy): add verification note for indirect object parser 2026-05-18 01:08:39 -04:00
pdftract-5dng.md docs(pdftract-5dng): add verification note for name object lexer 2026-05-18 02:00:14 -04:00
pdftract-5l9m.md docs(pdftract-5l9m): add CI validation script and verification note 2026-05-18 01:05:33 -04:00
pdftract-5omc.md feat(pdftract-5omc): implement per-language conformance test runner pattern 2026-05-18 01:32:24 -04:00
pdftract-5tmcg.md test(pdftract-5tmcg): add cycle detection test for page tree flattener 2026-05-18 00:38:44 -04:00
pdftract-5z5d8.md fix(pdftract-5z5d8): fix provenance validation script 2026-05-17 23:43:37 -04:00
pdftract-7nav.md docs(pdftract-2bsfc): add verification note 2026-05-17 23:57:00 -04:00
pdftract-59zz.md feat(pdftract-59zz): implement MCP bearer token ingress channels and TH-03 enforcement 2026-05-18 02:47:54 -04:00
pdftract-60h.md docs(pdftract-60h): update verification note with detailed acceptance criteria 2026-05-18 01:27:15 -04:00
pdftract-147a.md docs(pdftract-147a): author SDK contract specification 2026-05-17 23:13:55 -04:00
pdftract-469s.md feat(pdftract-59zz): implement MCP bearer token ingress channels and TH-03 enforcement 2026-05-18 02:47:54 -04:00
pdftract-1527.md test(pdftract-1527): add shared SDK conformance suite with 32 test cases 2026-05-18 01:17:42 -04:00
pdftract-1534.md feat(pdftract-1534): complete Tera-template-driven code generator 2026-05-18 01:48:27 -04:00
pdftract-l993m.md feat(pdftract-l993m): complete per-language Tera template scaffolding 2026-05-18 02:01:46 -04:00
pdftract-q15sh.md feat(pdftract-q15sh): implement v1 fingerprint algorithm 2026-05-18 01:02:30 -04:00