Skip to content

feat(cli): MCP server management CLI + OAuth 2.1 PKCE auth#2465

Merged
teknium1 merged 1 commit intomainfrom
hermes/hermes-31d7db3b
Mar 22, 2026
Merged

feat(cli): MCP server management CLI + OAuth 2.1 PKCE auth#2465
teknium1 merged 1 commit intomainfrom
hermes/hermes-31d7db3b

Conversation

@teknium1
Copy link
Copy Markdown
Contributor

@teknium1 teknium1 commented Mar 22, 2026

Summary

Salvage of #2021 by @imnotdev25, rewritten against current main. Closes #497, #690.

hermes mcp CLI

  • hermes mcp add <name> --url/--command — discovery-first install: connect, discover tools, interactive selection via curses, save config
  • hermes mcp remove <name> — remove config + clean up OAuth tokens
  • hermes mcp list — table view with transport, tool count, status
  • hermes mcp test <name> — connection test with latency and tool listing
  • hermes mcp configure <name> — reconnect and toggle enabled tools

OAuth 2.1 PKCE for MCP HTTP servers

  • RFC 7636 PKCE with S256 challenge, zero external dependencies
  • RFC 9728 protected resource metadata + well-known + 401 header discovery
  • Browser-based callback + manual paste fallback (headless/SSH)
  • Token caching in ~/.hermes/mcp-tokens/ with 0600 permissions + auto-refresh

Env var interpolation

  • ${ENV_VAR} syntax in MCP server config values, resolved from os.environ + ~/.hermes/.env
  • Keeps API keys out of config.yaml

Changes from original PR

  • Dropped unrelated changes (plugins removal, context_length removal, stash simplification)
  • Kept _normalize_mcp_input_schema() (original PR removed it, breaking existing tests)
  • Fixed test for missing env var behavior (keep placeholder vs empty string)
  • OAuth module taken as-is (well-structured, zero-dep)
  • CLI and mcp_tool wiring written fresh against current main

205 MCP-specific tests pass. 5721 total pass.
@teknium1
feat(cli): MCP server management CLI + OAuth 2.1 PKCE auth
b7091f9 
Add hermes mcp add/remove/list/test/configure CLI for managing MCP
server connections interactively. Discovery-first 'add' flow connects,
discovers tools, and lets users select which to enable via curses checklist.

Add OAuth 2.1 PKCE authentication for MCP HTTP servers (RFC 7636).
Supports browser-based and manual (headless) authorization, token
caching with 0600 permissions, automatic refresh. Zero external deps.

Add ${ENV_VAR} interpolation in MCP server config values, resolved
from os.environ + ~/.hermes/.env at load time.

Core OAuth module from PR #2021 by @imnotdev25. CLI and mcp_tool
wiring rewritten against current main. Closes #497, #690.
@teknium1 teknium1 force-pushed the hermes/hermes-31d7db3b branch from 8afebf0 to b7091f9 Compare March 22, 2026 11:52
@teknium1 teknium1 merged commit c275aa4 into main Mar 22, 2026
1 check failed
@teknium1 teknium1 mentioned this pull request Mar 22, 2026
Closed
@TheSameCat2 TheSameCat2 mentioned this pull request Mar 22, 2026
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant

@teknium1