Servant oauth extraction

.claude/hooks/check-haskell.sh

@@ -11,7 +11,7 @@ if [[ ! "$file_path" == *.hs ]]; then
   exit 0
 fi
 
-cd "$CLAUDE_PROJECT_DIR" || exit 1
+cd "$CLAUDE_PROJECT_DIR" || exit 0
 
 output=$(cabal build 2>&1)
 result=$?

.gitignore

@@ -28,3 +28,9 @@ core-reviews
 cabal.project.freeze
 code-reviews
 *.log
+.env*
+.DS_Store
+Thumbs.db
+.vscode/
+.idea/
+*.tix

.hlint.yaml

@@ -132,7 +132,7 @@
     - package base
     rules:
 
-    - warn: {lhs: unsafeCoerce, rhs: coerce, name: Avoid unsafeCoerce}
+    - error: {lhs: unsafeCoerce, rhs: coerce, name: Avoid unsafeCoerce}
 
     # Data.Bifoldable
 

.specify/memory/constitution.md

@@ -1,11 +1,13 @@
 <!--
 SYNC IMPACT REPORT
 ===================
-Version: 1.0.0 (initial ratification)
+Version: 1.0.2 (smart constructor hygiene)
 Changes:
 - Initial constitution creation from typed functional design skills
-- 6 core principles distilled from: functional-domain-modeling, haskell-design,
+- 6 core principles distilled from: typed-domain-modeling, haskell-design,
   architecture-patterns, testing-strategies, code-review-standards, error-handling-strategies
+- 1.0.1: Added domain-centric type naming convention (types denote what they ARE, not field names)
+- 1.0.2: Added smart constructor export rule (MUST NOT export type constructors, use pattern synonyms for matching)
 Added sections:
 - Core Principles (6 principles)
 - Development Standards
@@ -46,6 +48,10 @@ implementation complexity determines module quality.
 - Public interfaces MUST be minimal—export only what users need
 - Implementation details MUST be hidden through module exports and opaque types
 - Smart constructors MUST be the only way to create validated domain types
+- Type constructors for smart-constructor types MUST NOT be exported—not even for tests
+  - Export pattern: `module Foo (FooType, mkFooType, unFooType)` — never `FooType(..)`
+  - If pattern matching is needed, export pattern synonyms instead of raw constructors
+  - This allows proving correct construction by construction
 - Common cases MUST be simple; rare cases MAY be harder
 - Complexity MUST be pulled downward into implementations, not pushed to callers
 
@@ -125,6 +131,9 @@ provide a specification that tests verify.
 - Smart constructors: mk prefix (mkEmail, mkUserId)
 - Predicates: is/has prefix
 - Conversions: to/from (emailToText, textToEmail)
+- Type names MUST denote what they ARE (domain concept), not what field they populate:
+  - Good: `TokenValidity`, `ClientName` (describes the concept)
+  - Bad: `ExpiresIn`, `NameField` (mirrors field/wire format names)
 
 ### Error Handling
 
@@ -171,4 +180,4 @@ This constitution supersedes all other coding practices in this project. Amendme
 - MINOR: New principle added or existing principle materially expanded
 - PATCH: Clarifications, wording improvements, non-semantic changes
 
-**Version**: 1.0.0 | **Ratified**: 2025-12-08 | **Last Amended**: 2025-12-08
+**Version**: 1.0.2 | **Ratified**: 2025-12-08 | **Last Amended**: 2025-12-19

README.md

@@ -101,9 +101,10 @@ main = do
         , httpServerInfo = serverInfo
         , httpCapabilities = capabilities
         , httpEnableLogging = False
-        , httpOAuthConfig = Nothing  -- No OAuth
+        , httpMCPOAuthConfig = Nothing  -- No OAuth
         , httpJWK = Nothing  -- Auto-generated
         , httpProtocolVersion = "2025-06-18"  -- MCP protocol version
+        , httpProtectedResourceMetadata = Nothing
         }
   runServerHTTP config
 ```
@@ -247,10 +248,14 @@ runHTTP :: IO ()
 runHTTP = do
   let config = HTTPServerConfig
         { httpPort = 8080
+        , httpBaseUrl = "http://localhost:8080"
         , httpServerInfo = Implementation "my-server" "1.0.0"
         , httpCapabilities = serverCapabilities
         , httpEnableLogging = False
-        , httpOAuthConfig = Nothing  -- or Just oauthConfig for OAuth
+        , httpMCPOAuthConfig = Nothing  -- or Just mcpOAuthConfig for OAuth
+        , httpJWK = Nothing
+        , httpProtocolVersion = "2025-06-18"
+        , httpProtectedResourceMetadata = Nothing
         }
   runServerHTTP config
 ```
@@ -310,15 +315,32 @@ src/
 │   ├── Types.hs          # Core MCP data types
 │   ├── Protocol.hs       # JSON-RPC protocol messages
 │   ├── Server.hs         # Core server infrastructure
-│   └── Server/
-│       ├── StdIO.hs      # StdIO transport implementation
-│       └── HTTP.hs       # HTTP transport implementation
+│   ├── Server/
+│   │   ├── StdIO.hs      # StdIO transport implementation
+│   │   ├── HTTP.hs       # HTTP transport implementation
+│   │   ├── HTTP/
+│   │   │   └── AppEnv.hs # Composite environment and error types
+│   │   └── Auth.hs       # MCP-specific OAuth configuration
+│   └── Trace/
+│       └── HTTP.hs       # HTTP tracing types
+├── Servant/
+│   └── OAuth2/
+│       └── IDP/          # Reusable OAuth 2.1 library (MCP-independent)
+│           ├── Types.hs      # Core domain newtypes
+│           ├── Config.hs     # OAuthEnv configuration
+│           ├── Errors.hs     # Error types and conversions
+│           ├── PKCE.hs       # RFC 7636 PKCE implementation
+│           ├── Metadata.hs   # RFC 8414/9728 metadata types
+│           ├── Store.hs      # OAuthStateStore typeclass
+│           ├── Trace.hs      # OAuthTrace ADT
+│           ├── Server.hs     # OAuth API composition
+│           └── Handlers/     # OAuth endpoint handlers
 
 app/
 └── Main.hs               # Example MCP server (StdIO mode)
 
-test/
-└── Main.hs               # Test suite (placeholder)
+examples/
+└── http-server.hs        # HTTP server example with OAuth
 ```
 
 ## Development

examples/http-server.hs

@@ -47,8 +47,9 @@ import System.IO (hFlush, stdout)
 import MCP.Protocol
 import MCP.Server
 import MCP.Server.Auth
-import MCP.Server.HTTP
+import MCP.Server.HTTP (DemoOAuthBundle (..), HTTPServerConfig (..), mcpAppWithOAuth, mkDemoOAuthBundleFromText, runServerHTTP)
 import MCP.Server.HTTP.AppEnv (AppEnv (..), runAppM)
+import MCP.Trace.HTTP (HTTPTrace (..))
 import MCP.Trace.Types (MCPTrace (..), isOAuthTrace, renderMCPTrace)
 import MCP.Types
 import Servant.Auth.Server (defaultJWTSettings, generateKey)
@@ -204,37 +205,38 @@ main = do
                 }
 
     let baseUrl = T.pack $ fromMaybe ("http://localhost:" ++ show optPort) optBaseUrl
-        oauthConfig =
+        mcpOAuthConfig =
             if optEnableOAuth
                 then
-                    Just $
-                        defaultDemoOAuthConfig
-                            { oauthProviders =
-                                [ OAuthProvider
-                                    { providerName = "demo"
-                                    , clientId = "demo-client"
-                                    , clientSecret = Just "demo-secret"
-                                    , authorizationEndpoint = baseUrl <> "/authorize"
-                                    , tokenEndpoint = baseUrl <> "/token"
-                                    , userInfoEndpoint = Nothing
-                                    , scopes = ["mcp:read", "mcp:write"]
-                                    , grantTypes = [AuthorizationCode]
-                                    , requiresPKCE = True -- MCP requires PKCE
-                                    , metadataEndpoint = Nothing
-                                    }
-                                ]
-                            , -- Override demo defaults for example
-                              authCodeExpirySeconds = 600 -- 10 minutes
-                            , accessTokenExpirySeconds = 3600 -- 1 hour
-                            , demoUserIdTemplate = Just "demo-user-{clientId}"
-                            , demoEmailDomain = "demo.example.com"
-                            , demoUserName = "Demo User"
-                            , authorizationSuccessTemplate =
-                                Just $
+                    let bundle = case mkDemoOAuthBundleFromText baseUrl of
+                            Just b -> b
+                            Nothing -> Prelude.error $ "Invalid base URL: " ++ T.unpack baseUrl
+                        baseMCPConfig = bundleMCPConfig bundle
+                     in Just $
+                            baseMCPConfig
+                                { oauthProviders =
+                                    [ OAuthProvider
+                                        { providerName = "demo"
+                                        , clientId = "demo-client"
+                                        , clientSecret = Just "demo-secret"
+                                        , authorizationEndpoint = baseUrl <> "/authorize"
+                                        , tokenEndpoint = baseUrl <> "/token"
+                                        , userInfoEndpoint = Nothing
+                                        , scopes = ["mcp:read", "mcp:write"]
+                                        , grantTypes = [OAuthAuthorizationCode]
+                                        , requiresPKCE = True -- MCP requires PKCE
+                                        , metadataEndpoint = Nothing
+                                        }
+                                    ]
+                                , -- Override demo defaults for example
+                                  demoUserIdTemplate = Just "demo-user-{clientId}"
+                                , demoEmailDomain = "demo.example.com"
+                                , demoUserName = "Demo User"
+                                , authorizationSuccessTemplate =
                                     "Demo Authorization Successful!\n\n"
                                         <> "Redirect to: {redirectUri}?code={code}{state}\n\n"
                                         <> "This is a demo server. In production, this would redirect automatically."
-                            }
+                                }
                 else Nothing
 
     let config =
@@ -244,7 +246,7 @@ main = do
                 , httpServerInfo = serverInfo
                 , httpCapabilities = capabilities
                 , httpEnableLogging = optEnableLogging
-                , httpOAuthConfig = oauthConfig
+                , httpMCPOAuthConfig = mcpOAuthConfig
                 , httpJWK = Nothing -- Will be auto-generated
                 , httpProtocolVersion = mcpProtocolVersion -- Current MCP protocol version
                 , httpProtectedResourceMetadata = Nothing -- Will be auto-generated from baseUrl
@@ -312,12 +314,19 @@ main = do
                 stateVar <- newTVarIO $ initialServerState (httpCapabilities config)
 
                 -- Create AppEnv with configured settings (including stateVar)
-                let appEnv =
+                let bundle = case mkDemoOAuthBundleFromText baseUrl of
+                        Just b -> b
+                        Nothing -> Prelude.error $ "Invalid base URL: " ++ T.unpack baseUrl
+                    oauthCfgEnv = bundleEnv bundle -- Use OAuthEnv from bundle
+                    oauthTracer = contramap HTTPOAuth httpTracer -- Route OAuth traces through HTTP tracer
+                    appEnv =
                         AppEnv
                             { envOAuth = oauthEnv
                             , envAuth = authEnv
                             , envConfig = config
                             , envTracer = httpTracer
+                            , envOAuthEnv = oauthCfgEnv
+                            , envOAuthTracer = oauthTracer
                             , envJWT = jwtSettings
                             , envServerState = stateVar
                             , envTimeProvider = Nothing -- Use real IO time

mcp.cabal

@@ -95,16 +95,18 @@ library
         MCP.Server.Auth
         MCP.Server.Time
         Servant.OAuth2.IDP.API
+        Servant.OAuth2.IDP.Config
         Servant.OAuth2.IDP.Types
+        Servant.OAuth2.IDP.Metadata
+        Servant.OAuth2.IDP.PKCE
         Servant.OAuth2.IDP.Store
         Servant.OAuth2.IDP.Store.InMemory
-        Servant.OAuth2.IDP.Boundary
+        Servant.OAuth2.IDP.Errors
+        Servant.OAuth2.IDP.Trace
         Servant.OAuth2.IDP.Server
         Servant.OAuth2.IDP.Handlers
         Servant.OAuth2.IDP.Handlers.HTML
-        Servant.OAuth2.IDP.Handlers.Helpers
         Servant.OAuth2.IDP.Handlers.Metadata
-        Servant.OAuth2.IDP.LoginFlowError
         Servant.OAuth2.IDP.Handlers.Registration
         Servant.OAuth2.IDP.Handlers.Authorization
         Servant.OAuth2.IDP.Handlers.Login
@@ -114,14 +116,13 @@ library
         Servant.OAuth2.IDP.Auth.Demo
         MCP.Trace.Types
         MCP.Trace.HTTP
-        MCP.Trace.OAuth
         MCP.Trace.Operation
         MCP.Trace.Protocol
         MCP.Trace.Server
         MCP.Trace.StdIO
 
     -- Modules included in this library but not exported.
-    -- other-modules:
+    other-modules:
 
     -- LANGUAGE extensions used by modules in this package.
     -- other-extensions:
@@ -158,7 +159,8 @@ library
         hspec >= 2.10 && < 2.12,
         hspec-wai >= 0.11 && < 0.12,
         lucid >= 2.11 && < 2.12,
-        servant-lucid >= 0.9 && < 0.10
+        servant-lucid >= 0.9 && < 0.10,
+        QuickCheck >= 2.14 && < 2.16
 
     -- Directories containing source files.
     hs-source-dirs:   src
@@ -266,7 +268,6 @@ test-suite mcp-test
 
     -- Modules included in this executable, other than Main.
     other-modules:
-        Generators
         TestMonad
         Laws.AuthCodeFunctorSpec
         Laws.ConsumeAuthCodeSpec
@@ -279,20 +280,29 @@ test-suite mcp-test
         Laws.ErrorBoundarySecuritySpec
         Trace.FilterSpec
         Trace.GoldenSpec
-        Trace.OAuthSpec
         Trace.RenderSpec
         Functional.OAuthFlowSpec
         MCP.Server.OAuth.Test.Fixtures
         MCP.Server.OAuth.TypesSpec
         MCP.Server.OAuth.BoundarySpec
         MCP.Server.OAuth.AppSpec
+        MCP.Server.HTTP.AppEnvSpec
         MCP.Server.HTTP.McpAuthSpec
+        MCP.Server.AuthSpec
         Security.SessionCookieSpec
         Servant.OAuth2.IDP.APISpec
+        Servant.OAuth2.IDP.BrandingSpec
+        Servant.OAuth2.IDP.ConfigSpec
         Servant.OAuth2.IDP.TokenRequestSpec
         Servant.OAuth2.IDP.LucidRenderingSpec
         Servant.OAuth2.IDP.TypesSpec
         Servant.OAuth2.IDP.CryptoEntropySpec
+        Servant.OAuth2.IDP.BearerMethodSpec
+        Servant.OAuth2.IDP.ErrorsSpec
+        Servant.OAuth2.IDP.Handlers.MetadataSpec
+        Servant.OAuth2.IDP.MetadataSpec
+        Servant.OAuth2.IDP.PKCESpec
+        Servant.OAuth2.IDP.TraceSpec
 
     -- LANGUAGE extensions used by modules in this package.
     -- other-extensions: