mcp_authorization/
lib.rs

//! # mcp-authorization
//!
//! Type-state authorization for MCP servers, built on top of
//! [rmcp](https://docs.rs/rmcp) (the official Rust MCP SDK).
//!
//! ## Core idea
//!
//! In Ruby, `can?(:flag)` is a runtime policy check you could forget.
//! In Rust, `Proof<C>` is a zero-sized token that can only be obtained
//! by verifying a capability — if a function demands it, the compiler
//! refuses to build code that skips the check.
//!
//! ## Three layers of authorization
//!
//! | Layer | Ruby gem | Rust crate |
//! |-------|----------|-----------|
//! | Tool visibility | `authorization :flag` | `authorize("tool", "flag")` |
//! | Field shaping | `@requires(:flag)` on param | `#[requires("flag")]` on field |
//! | Variant shaping | `@requires(:flag)` on variant | `#[requires("flag")]` on enum variant |
//!
//! ## Quick example
//!
//! ```rust
//! use mcp_authorization::{Capability, Proof, AuthContext};
//!
//! // Define a capability as a zero-sized type
//! struct Admin;
//! impl Capability for Admin {
//!     const NAME: &'static str = "admin";
//! }
//!
//! // A function that REQUIRES admin proof to call
//! fn delete_everything(_proof: Proof<Admin>) -> String {
//!     "deleted".to_string()
//! }
//!
//! // At runtime: the check happens once, the proof flows through
//! let auth = AuthContext::new(vec!["admin"]);
//! if let Some(proof) = auth.check::<Admin>() {
//!     delete_everything(proof); // compiles
//! }
//!
//! // Without the proof, this would not compile:
//! // delete_everything(???); // error[E0061]: missing argument
//! ```

pub mod capability;
pub mod metadata;
pub mod provider;
pub mod registry;
pub mod schema;
pub mod server;

// Re-exports for convenience
pub use capability::{AuthContext, Capability, Proof};
pub use metadata::AuthSchemaMetadata;
pub use provider::{AuthProvider, DenyByDefault};
pub use registry::{AuthToolDef, AuthToolRegistry};
pub use schema::SchemaShaper;
pub use server::{Authorized, AuthorizedServer, NoAuth, ReadyToServe};

// Re-export the derive macro
pub use mcp_authorization_macros::AuthSchema;
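
An added sketch, not the crate's own source, of what makes a `Proof<C>` token like the one in the doc comment above unforgeable: its only field is private to the module that performs the check, so the deny path is the only alternative to holding a proof. The names `Capability`, `Proof`, `AuthContext`, `check` and `Admin` mirror the page; the `authz` module, the `PhantomData` field, the `HashSet` storage and the `try_delete` helper are assumptions made for illustration.

```rust
mod authz {
    use std::{collections::HashSet, marker::PhantomData};

    pub trait Capability {
        const NAME: &'static str;
    }

    /// Zero-sized token. The field is private, so code outside `authz`
    /// cannot write `Proof(PhantomData)`; Clone, Copy and Default are
    /// deliberately not derived, so a proof cannot be duplicated or conjured.
    pub struct Proof<C: Capability>(PhantomData<C>);

    pub struct AuthContext {
        granted: HashSet<String>, // assumed storage: flags granted to this caller
    }

    impl AuthContext {
        pub fn new(flags: Vec<&str>) -> Self {
            Self { granted: flags.into_iter().map(String::from).collect() }
        }

        /// The single place a `Proof` is constructed: exact-match lookup,
        /// `None` (deny) for anything not explicitly granted.
        pub fn check<C: Capability>(&self) -> Option<Proof<C>> {
            self.granted.contains(C::NAME).then(|| Proof(PhantomData))
        }
    }
}

use authz::{AuthContext, Capability, Proof};

pub struct Admin;
impl Capability for Admin {
    const NAME: &'static str = "admin";
}

/// Guarded operation: unreachable without a `Proof<Admin>` value.
pub fn delete_everything(_proof: Proof<Admin>) -> &'static str {
    "deleted"
}

/// Deny path made explicit: no flag, no proof, no call.
pub fn try_delete(auth: &AuthContext) -> Result<&'static str, &'static str> {
    auth.check::<Admin>().map(delete_everything).ok_or("denied")
}

fn main() {
    println!("{:?}", try_delete(&AuthContext::new(vec!["admin"])));  // constructed input
    println!("{:?}", try_delete(&AuthContext::new(vec!["reader"]))); // constructed input
}
```

Because the token is consumed by value and is not `Clone`, each guarded call needs its own `check`; deriving `Copy` would trade that for convenience and let a proof be reused after the flags that justified it have changed.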