mcp: catalog of public MCP servers + install-by-name #91

Merged: FMXExpress merged 2 commits into main from claude/mcp-catalog, May 30, 2026
@FMXExpress

Owner

Adds two subcommands to pasclaw mcp so users can preload remote MCP servers from a curated catalog without having to look up the URL + bearer-header shape themselves.

pasclaw mcp catalog               # list known public MCP servers
pasclaw mcp install <name>        # add one from the catalog

Not preloaded — picoclaw seeds nothing, and the same rule fits PasClaw. No MCP server reaches a remote endpoint until the operator opts in. The catalog just removes the "look up the URL and the bearer shape" step that's the #1 way remote MCPs end up "broken on arrival" in someone's config.

Catalog entries

name                     env var               provider
replicate                REPLICATE_API_TOKEN   Run AI models on Replicate.
digitalocean-apps        DIGITALOCEAN_TOKEN    DigitalOcean App Platform.
digitalocean-databases   DIGITALOCEAN_TOKEN    DigitalOcean Managed Databases.
runpod-docs              (none)                Search RunPod documentation.
huggingface              HF_TOKEN              Search models / datasets / papers / Spaces.

Each catalog row carries Name + URL + EnvVar + AuthFmt (Bearer %s) + Desc + Docs. ResolveAuthHeader formats the literal Authorization-header value from EnvVar + AuthFmt at install time. Stored as the args field on the mcp_servers entry — the exact shape the existing HTTP MCP client expects (PasClaw.MCP.HttpClient.pas line 11-13: "Auth tokens come from the configured args slot, shaped as 'Bearer ...'").

Install behavior

  • Idempotent — running install again refreshes the args slot in place rather than appending a duplicate row.
  • Env unset — warns clearly, installs anyway with empty Authorization, suggests "set <ENV_VAR> and re-run pasclaw mcp install <name>" so the user can refresh after fixing the env.
  • No auth (e.g. runpod-docs) — installs immediately.
  • Unknown name — errors with hint to run pasclaw mcp catalog.

list / remove / test / show / edit all work normally afterwards since the installed entry is just a regular mcp_servers row.

Verification (live smoke)

PASCLAW_HOME=/tmp/x

$ pasclaw mcp catalog
name                       env var               status
               replicate   REPLICATE_API_TOKEN   unset
       digitalocean-apps   DIGITALOCEAN_TOKEN    unset
  digitalocean-databases   DIGITALOCEAN_TOKEN    unset
             runpod-docs                         (no auth)
             huggingface             HF_TOKEN    unset

$ pasclaw mcp install replicate
! env var REPLICATE_API_TOKEN is not set. Installing anyway with empty Auth…

$ REPLICATE_API_TOKEN=r8_FAKE12345 pasclaw mcp install replicate
✓ installed MCP server replicate

$ cat $PASCLAW_HOME/config.json | jq .mcp_servers
[
  {
    "name": "replicate",
    "cmd": "https://mcp.replicate.com",
    "args": "Bearer r8_FAKE12345",
    "env": "",
    "enabled": true
  }
]

Adding more providers

Append a TMCPCatalogEntry record to KnownMCPServers in PasClaw.MCP.Catalog. No other code touches the catalog data; list / install / show / test paths need no changes.

https://claude.ai/code/session_01TBcLtmpj7dqA5tyFbGnQon


Generated by Claude Code
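
An added audit sketch (Python, not PasClaw's own code) for the config shape shown in the smoke test above: it flags mcp_servers rows whose args hold a literal bearer token, rows installed with an empty Authorization, and a config file readable beyond its owner. The placeholder URLs, the owner-only mode recommendation and the function names are assumptions of this example.

```python
import json
import stat

# Env var per catalog name, copied from the PR's catalog table ("" = no auth).
CATALOG_ENV = {
    "replicate": "REPLICATE_API_TOKEN",
    "digitalocean-apps": "DIGITALOCEAN_TOKEN",
    "digitalocean-databases": "DIGITALOCEAN_TOKEN",
    "runpod-docs": "",
    "huggingface": "HF_TOKEN",
}

def redact(args):
    """Keep the scheme and a 3-char prefix so reports never carry the token."""
    scheme, _, token = args.partition(" ")
    return f"{scheme} {token[:3]}***" if token else args

def audit(config_text, file_mode):
    """Return (server name, finding) pairs for one config.json."""
    findings, has_secret = [], False
    for s in json.loads(config_text).get("mcp_servers", []):
        name, url, args = s.get("name", ""), s.get("cmd", ""), s.get("args", "")
        if args:
            has_secret = True
            findings.append((name, "plaintext credential in args: " + redact(args)))
            if not url.lower().startswith("https://"):
                findings.append((name, "credential would be sent over a non-HTTPS URL"))
        elif s.get("enabled") and CATALOG_ENV.get(name):
            findings.append((name, f"empty Authorization; set {CATALOG_ENV[name]} and re-run install"))
    if has_secret and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("config.json", f"holds tokens but mode is {oct(file_mode & 0o777)}; use 0o600"))
    return findings

# Constructed sample in the shape the PR's smoke test printed.
SAMPLE = json.dumps({"mcp_servers": [
    {"name": "replicate", "cmd": "https://mcp.replicate.com",
     "args": "Bearer r8_FAKE12345", "env": "", "enabled": True},
    {"name": "huggingface", "cmd": "https://hf.invalid/mcp",      # placeholder URL
     "args": "", "env": "", "enabled": True},
    {"name": "runpod-docs", "cmd": "https://runpod.invalid/mcp",  # placeholder URL
     "args": "", "env": "", "enabled": True},
]})

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, 0o644):
        print(f"{name}: {finding}")
```

Against a real install, pass the file's text and `os.stat(path).st_mode` for the config.json under PASCLAW_HOME.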

Adds two subcommands to `pasclaw mcp`:

  catalog          list the hand-curated public MCP servers PasClaw
                   knows the URL + auth shape for.
  install <name>   write an mcp_servers entry from a catalog row,
                   pulling the bearer token out of the env var the
                   catalog entry names.

Why this exists rather than preloading the entries with
enabled=true: picoclaw seeds nothing, and the same rule fits
PasClaw — no MCP server reaches out to a remote endpoint until the
operator explicitly opts in. The four providers we know about all
ship real MCP servers (they're not REST endpoints we'd wrap as
skills), so they belong in mcp_servers; the catalog just removes
the "look up the URL and the bearer shape" step that's the #1 way
remote MCPs end up "broken on arrival" in someone's config.

Catalog entries (PasClaw.MCP.Catalog.KnownMCPServers):

  replicate                  REPLICATE_API_TOKEN
  digitalocean-apps          DIGITALOCEAN_TOKEN
  digitalocean-databases     DIGITALOCEAN_TOKEN
  runpod-docs                (no auth — public docs MCP)
  huggingface                HF_TOKEN

Each row carries:
  Name     — short identifier (kebab-case)
  URL      — the remote MCP endpoint
  EnvVar   — env var holding the bearer token (empty = no auth)
  AuthFmt  — Authorization-header template, e.g. "Bearer %s"
  Desc     — one-liner shown by `pasclaw mcp catalog`
  Docs     — URL to the provider's MCP docs

ResolveAuthHeader formats the literal Authorization-header
value from EnvVar + AuthFmt at install time. Stored as the args
field on the mcp_servers entry — exact shape the existing
HTTP MCP client already expects (see PasClaw.MCP.HttpClient.pas
line 11-13: "Auth tokens come from the configured `args` slot,
shaped as 'Bearer ...'").

`install` is idempotent — running it again after setting the env
var refreshes the args slot in place rather than appending a
duplicate row. List/remove/test/show/edit all work normally
afterwards since the entry is just a regular mcp_servers row.

Live smoke (PASCLAW_HOME=tmp):
  `pasclaw mcp catalog`                — lists 5 rows, marks each
                                         env-var as set / unset.
  `pasclaw mcp install replicate`
    with env unset                     — installs anyway, prints a
                                         "set REPLICATE_API_TOKEN
                                         and re-run" warning,
                                         args left empty.
  `pasclaw mcp install replicate`
    with env=r8_FAKE12345               — overwrites the previous
                                         install with args =
                                         "Bearer r8_FAKE12345".
  `pasclaw mcp install runpod-docs`    — installs immediately
                                         (no auth required).
  `pasclaw mcp install bogus`          — errors with hint to run
                                         catalog.
  config.json mcp_servers carries cmd=URL, args=Bearer <tok>,
  enabled=true — matches the persistence shape the existing
  `pasclaw mcp add` produces.

Adding more providers is "append a TMCPCatalogEntry record to
KnownMCPServers"; no other code touches the catalog data and
none of the list/install/show/test paths need changes.

dproj DCCReference added for the new unit. README's MCP section
gains the catalog + install lines and a 5-row table.

https://claude.ai/code/session_01TBcLtmpj7dqA5tyFbGnQon

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 537198363b


Comment thread src/pkg/mcp/PasClaw.MCP.Catalog.pas Outdated
Live probe of the catalog URLs surfaced that the Replicate entry
was missing the /mcp path: POST to https://mcp.replicate.com
returns 404 Not Found, while POST to https://mcp.replicate.com/mcp
returns the expected 401 invalid_token shape (auth-shape ✓,
real REPLICATE_API_TOKEN authenticates).

Verified all five catalog endpoints accept the cataloged auth shape:

  replicate                  401 invalid_token        (token shape ✓)
  digitalocean-apps          200 full handshake       ✓
  digitalocean-databases     200 full handshake       ✓
  huggingface                401 Unauthorized         (token shape ✓)
  runpod-docs                200 SSE response         ✓ (no auth)

This also resolves the Codex P1 on PR #91 — the bot inferred OAuth
from Replicate's Claude-Code-specific install UX, but the underlying
transport is plain Bearer-token Streamable HTTP, which our HTTP MCP
client already handles (PasClaw.MCP.HttpClient.RoundTrip sends
Authorization + Accept: application/json, text/event-stream and
CollapseSSE handles the SSE-framed responses).

https://claude.ai/code/session_01TBcLtmpj7dqA5tyFbGnQon
@FMXExpress FMXExpress merged commit 489b783 into main May 30, 2026