r/pallas
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

refactor: remove forward_inbound_auth, add traceback capture patches

Browse Source 
Retire the per-turn bearer-token forwarding mechanism in favor of
transparent authentication via operator-configured headers in
fastagent.secrets.yaml. Agents now rely on long-lived team JWTs configured
per downstream MCP server.

Replace the token-forwarding patches with debug-only traceback-capture
wrappers around three opaque fast-agent catch-sites that previously
flattened exceptions to bare strings, making downstream transport errors
diagnosable.

Update README with authentication guidance and deprecation notice for
the retired `forward_inbound_auth: true` flag (now silently ignored).
This commit is contained in:
Robert Helewka
2026-05-10 14:46:39 -04:00
parent 49da024877
commit 2759c8428e
4 changed files with 94 additions and 490 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
README.md
View File

@@ -110,5 +110,43 @@ with fast-agent's `ModelDatabase`.
|---|---|
| `pallas.server` | CLI entry point and agent orchestration |
| `pallas.registry` | `GET /.well-known/mcp/server.json` registry server |
| `pallas.multimodal_server` | `MultimodalAgentMCPServer``AgentMCPServer` subclass with image support |
| `pallas.multimodal_server` | `MultimodalAgentMCPServer``AgentMCPServer` subclass with image + history support |
| `pallas.health` | LLM preflight validation + `get_health` MCP tool |
| `pallas._fastagent_patch` | Traceback-capture wrappers around three opaque fast-agent catch-sites (debug-only) |
---
## Authentication
Pallas is **transparent** to downstream authentication. Whatever the operator
places under each downstream MCP server's `headers:` block in
`fastagent.config.yaml` (typically loaded from `fastagent.secrets.yaml`) is what
fast-agent sends — Pallas does not intercept, rewrite, or forward the inbound
`Authorization` header of the MCP request that triggered the agent turn.
For agents that talk to Mnemosyne, the convention is a long-lived team JWT
minted from Mnemosyne's admin UI and pasted into the agent project's
`fastagent.secrets.yaml`:
```yaml
mcp:
servers:
mnemosyne:
transport: http
url: https://mnemosyne.example.com/mcp/
headers:
Authorization: "Bearer eyJ…team-jwt…"
```
See
[`mnemosyne/docs/DAEDALUS_PALLAS_INTEGRATION_v1.md`](https://git.helu.ca/r/mnemosyne/src/branch/main/docs/DAEDALUS_PALLAS_INTEGRATION_v1.md)
for the three credential types Mnemosyne recognises, how team JWTs are
minted and rotated, and the data model that ties a team to a set of
libraries.
> Earlier versions of Pallas shipped a `forward_inbound_auth: true`
> mechanism that captured the per-turn `Authorization` header and
> propagated it to opted-in downstream servers. That mechanism has been
> retired — opt-in flags in old `fastagent.config.yaml` files are now
> silently ignored and can be removed at your convenience.