Skip to content

refactor(mcp): extract transport-security concern and rename identity modules#400

Draft
gbrlcustodio wants to merge 2 commits into
devfrom
refactor/mcp-named-concerns
Draft

refactor(mcp): extract transport-security concern and rename identity modules#400
gbrlcustodio wants to merge 2 commits into
devfrom
refactor/mcp-named-concerns

Conversation

@gbrlcustodio

Copy link
Copy Markdown
Member

Follow-up to #397, split out per the earlier call to keep the core/ to named-concern migration in its own reviewable change. Two atomic commits, no behavior change.

What

  • Promote build_transport_security out of core/ into a package-root transport_security module, a peer of auth/ rather than a module under the composition tier. It imports only auth (ResourceServer) and settings and is consumed by the runtime, so it slots into the import-linter layer contract between core and auth (composition root > adapters > core > transport_security > auth > settings).
  • Rename request_identity.py to inbound_identity.py (it extracts the inbound bearer a caller presents) and session_identity.py to outbound_identity.py (it resolves the outbound httpx.Auth each session binds). The names state the axis the docstrings already framed; the auth facade re-exports the same contract symbols, so no importer outside auth/ changes shape.

Why

This is the incremental app-level step toward the target architecture, where core/ dissolves into named concerns. Transport security ultimately belongs in the monorepo infra/ package; this root module is the interim home until that package exists.

Verification

  • 1485 passed, 9 skipped.
  • import-linter contract KEPT.
  • ruff clean.

Base

Targets feat/303-transport-host-allowlist (PR #397). Retarget onto dev once #397 merges.

Move build_transport_security out of core/ into a package-root transport_security module, a peer of auth/ rather than a module under the composition tier. It imports only auth (ResourceServer) and settings and is consumed by the runtime, so it slots into the layering contract between core and auth. This is the incremental app-level step toward the target architecture, where core/ dissolves into named concerns.
request_identity.py becomes inbound_identity.py (it extracts the inbound bearer a caller presents) and session_identity.py becomes outbound_identity.py (it resolves the outbound httpx.Auth each session binds). The names now state the axis the docstrings already framed, so the pair reads as counterparts. No behavior change; the auth facade re-exports the same contract symbols.
Base automatically changed from feat/303-transport-host-allowlist to dev July 14, 2026 19:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant