From 7d57dee30fd55ad473743fa0f96e5264e24da56b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 16 Feb 2026 15:40:41 +0000
Subject: [PATCH] Update ToolHive reference docs for v0.9.4

---
 docs/toolhive/reference/cli/thv_run.md | 3 +-
 docs/toolhive/reference/crd-spec.md | 160 ++++++++++++-
 static/api-specs/toolhive-api.yaml | 314 ++++++++++++++++++-------
 3 files changed, 394 insertions(+), 83 deletions(-)

diff --git a/docs/toolhive/reference/cli/thv_run.md b/docs/toolhive/reference/cli/thv_run.md
index aa846573..21d1cb0d 100644
--- a/docs/toolhive/reference/cli/thv_run.md
+++ b/docs/toolhive/reference/cli/thv_run.md
@@ -148,8 +148,9 @@ thv run [flags] SERVER_OR_IMAGE_OR_PROTOCOL [-- ARGS...]
 --otel-insecure Connect to the OpenTelemetry endpoint using HTTP instead of HTTPS (default false)
 --otel-metrics-enabled Enable OTLP metrics export (when OTLP endpoint is configured) (default true)
 --otel-sampling-rate float OpenTelemetry trace sampling rate (0.0-1.0) (default 0.1)
- --otel-service-name string OpenTelemetry service name (defaults to toolhive-mcp-proxy)
+ --otel-service-name string OpenTelemetry service name (defaults to thv-)
 --otel-tracing-enabled Enable distributed tracing (when OTLP endpoint is configured) (default true)
+ --otel-use-legacy-attributes Emit legacy attribute names alongside new OTEL semantic convention names (default true) (default true)
 --permission-profile string Permission profile to use (none, network, or path to JSON file) (default is to use the permission profile from the registry or "network" if not part of the registry)
 --print-resolved-overlays Debug: show resolved container paths for tmpfs overlays (default false)
 --proxy-mode string Proxy mode for stdio (streamable-http or sse (deprecated, will be removed)) (default "streamable-http")
diff --git a/docs/toolhive/reference/crd-spec.md b/docs/toolhive/reference/crd-spec.md
index 7437a8bc..27c9b168 100644
--- a/docs/toolhive/reference/crd-spec.md +++ b/docs/toolhive/reference/crd-spec.md @@ -650,6 +650,9 @@ _Appears in:_ | `enablePrometheusMetricsPath` _boolean_ | EnablePrometheusMetricsPath controls whether to expose Prometheus-style /metrics endpoint.
The metrics are served on the main transport port at /metrics.
This is separate from OTLP metrics which are sent to the Endpoint. | false | Optional: \{\}
| | `environmentVariables` _string array_ | EnvironmentVariables is a list of environment variable names that should be
included in telemetry spans as attributes. Only variables in this list will
be read from the host machine and included in spans for observability.
Example: ["NODE_ENV", "DEPLOYMENT_ENV", "SERVICE_VERSION"] | | Optional: \{\}
| | `customAttributes` _object (keys:string, values:string)_ | CustomAttributes contains custom resource attributes to be added to all telemetry signals.
These are parsed from CLI flags (--otel-custom-attributes) or environment variables
(OTEL_RESOURCE_ATTRIBUTES) as key=value pairs. | | Optional: \{\}
| +| `useLegacyAttributes` _boolean_ | UseLegacyAttributes controls whether legacy (pre-MCP OTEL semconv) attribute names
are emitted alongside the new standard attribute names. When true, spans include both
old and new attribute names for backward compatibility with existing dashboards.
Currently defaults to true; this will change to false in a future release. | true | Optional: \{\}
| + + @@ -742,6 +745,30 @@ _Appears in:_ | `readySince` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#time-v1-meta)_ | ReadySince is the timestamp when the API became ready | | Optional: \{\}
| +#### api.v1alpha1.AWSStsConfig + + + +AWSStsConfig holds configuration for AWS STS authentication with SigV4 request signing. +This configuration exchanges incoming authentication tokens (typically OIDC JWT) for AWS STS +temporary credentials, then signs requests to AWS services using SigV4. + + + +_Appears in:_ +- [api.v1alpha1.MCPExternalAuthConfigSpec](#apiv1alpha1mcpexternalauthconfigspec) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `region` _string_ | Region is the AWS region for the STS endpoint and service (e.g., "us-east-1", "eu-west-1") | | MinLength: 1
Pattern: `^[a-z]\{2\}(-[a-z]+)+-\d+$`
Required: \{\}
| +| `service` _string_ | Service is the AWS service name for SigV4 signing
Defaults to "aws-mcp" for AWS MCP Server endpoints | aws-mcp | Optional: \{\}
| +| `fallbackRoleArn` _string_ | FallbackRoleArn is the IAM role ARN to assume when no role mappings match
Used as the default role when RoleMappings is empty or no mapping matches
At least one of FallbackRoleArn or RoleMappings must be configured (enforced by webhook) | | Pattern: `^arn:(aws\|aws-cn\|aws-us-gov):iam::\d\{12\}:role/[\w+=,.@\-_/]+$`
Optional: \{\}
| +| `roleMappings` _[api.v1alpha1.RoleMapping](#apiv1alpha1rolemapping) array_ | RoleMappings defines claim-based role selection rules
Allows mapping JWT claims (e.g., groups, roles) to specific IAM roles
Lower priority values are evaluated first (higher priority) | | Optional: \{\}
| +| `roleClaim` _string_ | RoleClaim is the JWT claim to use for role mapping evaluation
Defaults to "groups" to match common OIDC group claims | groups | Optional: \{\}
| +| `sessionDuration` _integer_ | SessionDuration is the duration in seconds for the STS session
Must be between 900 (15 minutes) and 43200 (12 hours)
Defaults to 3600 (1 hour) if not specified | 3600 | Maximum: 43200
Minimum: 900
Optional: \{\}
| +| `sessionNameClaim` _string_ | SessionNameClaim is the JWT claim to use for role session name
Defaults to "sub" to use the subject claim | sub | Optional: \{\}
| + + #### api.v1alpha1.AuditConfig @@ -759,6 +786,40 @@ _Appears in:_ | `enabled` _boolean_ | Enabled controls whether audit logging is enabled
When true, enables audit logging with default configuration | false | Optional: \{\}
| +#### api.v1alpha1.AuthServerStorageConfig + + + +AuthServerStorageConfig configures the storage backend for the embedded auth server. + + + +_Appears in:_ +- [api.v1alpha1.EmbeddedAuthServerConfig](#apiv1alpha1embeddedauthserverconfig) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `type` _[api.v1alpha1.AuthServerStorageType](#apiv1alpha1authserverstoragetype)_ | Type specifies the storage backend type.
Valid values: "memory" (default), "redis". | memory | Enum: [memory redis]
| +| `redis` _[api.v1alpha1.RedisStorageConfig](#apiv1alpha1redisstorageconfig)_ | Redis configures the Redis storage backend.
Required when type is "redis". | | Optional: \{\}
| + + +#### api.v1alpha1.AuthServerStorageType + +_Underlying type:_ _string_ + +AuthServerStorageType represents the type of storage backend for the embedded auth server + + + +_Appears in:_ +- [api.v1alpha1.AuthServerStorageConfig](#apiv1alpha1authserverstorageconfig) + +| Field | Description | +| --- | --- | +| `memory` | AuthServerStorageTypeMemory is the in-memory storage backend (default)
| +| `redis` | AuthServerStorageTypeRedis is the Redis storage backend
| + + #### api.v1alpha1.AuthzConfigRef @@ -887,6 +948,7 @@ _Appears in:_ | `hmacSecretRefs` _[api.v1alpha1.SecretKeyRef](#apiv1alpha1secretkeyref) array_ | HMACSecretRefs references Kubernetes Secrets containing symmetric secrets for signing
authorization codes and refresh tokens (opaque tokens).
Current secret must be at least 32 bytes and cryptographically random.
Supports secret rotation via multiple entries (first is current, rest are for verification).
If not specified, an ephemeral secret will be auto-generated (development only -
auth codes and refresh tokens will be invalid after restart). | | Optional: \{\}
| | `tokenLifespans` _[api.v1alpha1.TokenLifespanConfig](#apiv1alpha1tokenlifespanconfig)_ | TokenLifespans configures the duration that various tokens are valid.
If not specified, defaults are applied (access: 1h, refresh: 7d, authCode: 10m). | | Optional: \{\}
| | `upstreamProviders` _[api.v1alpha1.UpstreamProviderConfig](#apiv1alpha1upstreamproviderconfig) array_ | UpstreamProviders configures connections to upstream Identity Providers.
The embedded auth server delegates authentication to these providers.
Currently only a single upstream provider is supported (validated at runtime). | | MinItems: 1
Required: \{\}
| +| `storage` _[api.v1alpha1.AuthServerStorageConfig](#apiv1alpha1authserverstorageconfig)_ | Storage configures the storage backend for the embedded auth server.
If not specified, defaults to in-memory storage. | | Optional: \{\}
| #### api.v1alpha1.EmbeddingResourceOverrides @@ -1092,6 +1154,7 @@ _Appears in:_ | `bearerToken` | ExternalAuthTypeBearerToken is the type for bearer token authentication
This allows authenticating to remote MCP servers using bearer tokens stored in Kubernetes Secrets
| | `unauthenticated` | ExternalAuthTypeUnauthenticated is the type for no authentication
This should only be used for backends on trusted networks (e.g., localhost, VPC)
or when authentication is handled by network-level security
| | `embeddedAuthServer` | ExternalAuthTypeEmbeddedAuthServer is the type for embedded OAuth2/OIDC authorization server
This enables running an embedded auth server that delegates to upstream IDPs
| +| `awsSts` | ExternalAuthTypeAWSSts is the type for AWS STS authentication
| #### api.v1alpha1.GitAuthConfig @@ -1334,11 +1397,12 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `type` _[api.v1alpha1.ExternalAuthType](#apiv1alpha1externalauthtype)_ | Type is the type of external authentication to configure | | Enum: [tokenExchange headerInjection bearerToken unauthenticated embeddedAuthServer]
Required: \{\}
| +| `type` _[api.v1alpha1.ExternalAuthType](#apiv1alpha1externalauthtype)_ | Type is the type of external authentication to configure | | Enum: [tokenExchange headerInjection bearerToken unauthenticated embeddedAuthServer awsSts]
Required: \{\}
| | `tokenExchange` _[api.v1alpha1.TokenExchangeConfig](#apiv1alpha1tokenexchangeconfig)_ | TokenExchange configures RFC-8693 OAuth 2.0 Token Exchange
Only used when Type is "tokenExchange" | | Optional: \{\}
| | `headerInjection` _[api.v1alpha1.HeaderInjectionConfig](#apiv1alpha1headerinjectionconfig)_ | HeaderInjection configures custom HTTP header injection
Only used when Type is "headerInjection" | | Optional: \{\}
| | `bearerToken` _[api.v1alpha1.BearerTokenConfig](#apiv1alpha1bearertokenconfig)_ | BearerToken configures bearer token authentication
Only used when Type is "bearerToken" | | Optional: \{\}
| | `embeddedAuthServer` _[api.v1alpha1.EmbeddedAuthServerConfig](#apiv1alpha1embeddedauthserverconfig)_ | EmbeddedAuthServer configures an embedded OAuth2/OIDC authorization server
Only used when Type is "embeddedAuthServer" | | Optional: \{\}
| +| `awsSts` _[api.v1alpha1.AWSStsConfig](#apiv1alpha1awsstsconfig)_ | AWSSts configures AWS STS authentication with SigV4 request signing
Only used when Type is "awsSts" | | Optional: \{\}
| #### api.v1alpha1.MCPExternalAuthConfigStatus @@ -2158,6 +2222,7 @@ _Appears in:_ | `insecure` _boolean_ | Insecure indicates whether to use HTTP instead of HTTPS for the OTLP endpoint | false | Optional: \{\}
| | `metrics` _[api.v1alpha1.OpenTelemetryMetricsConfig](#apiv1alpha1opentelemetrymetricsconfig)_ | Metrics defines OpenTelemetry metrics-specific configuration | | Optional: \{\}
| | `tracing` _[api.v1alpha1.OpenTelemetryTracingConfig](#apiv1alpha1opentelemetrytracingconfig)_ | Tracing defines OpenTelemetry tracing configuration | | Optional: \{\}
| +| `useLegacyAttributes` _boolean_ | UseLegacyAttributes controls whether legacy attribute names are emitted alongside
the new MCP OTEL semantic convention names. Defaults to true for backward compatibility.
This will change to false in a future release and eventually be removed. | true | Optional: \{\}
| #### api.v1alpha1.OpenTelemetryMetricsConfig @@ -2302,6 +2367,63 @@ _Appears in:_ | `imagePullSecrets` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#localobjectreference-v1-core) array_ | ImagePullSecrets allows specifying image pull secrets for the proxy runner
These are applied to both the Deployment and the ServiceAccount | | Optional: \{\}
| +#### api.v1alpha1.RedisACLUserConfig + + + +RedisACLUserConfig configures Redis ACL user authentication. + + + +_Appears in:_ +- [api.v1alpha1.RedisStorageConfig](#apiv1alpha1redisstorageconfig) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `usernameSecretRef` _[api.v1alpha1.SecretKeyRef](#apiv1alpha1secretkeyref)_ | UsernameSecretRef references a Secret containing the Redis ACL username. | | Required: \{\}
| +| `passwordSecretRef` _[api.v1alpha1.SecretKeyRef](#apiv1alpha1secretkeyref)_ | PasswordSecretRef references a Secret containing the Redis ACL password. | | Required: \{\}
| + + +#### api.v1alpha1.RedisSentinelConfig + + + +RedisSentinelConfig configures Redis Sentinel connection. + + + +_Appears in:_ +- [api.v1alpha1.RedisStorageConfig](#apiv1alpha1redisstorageconfig) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `masterName` _string_ | MasterName is the name of the Redis master monitored by Sentinel. | | Required: \{\}
| +| `sentinelAddrs` _string array_ | SentinelAddrs is a list of Sentinel host:port addresses.
Mutually exclusive with SentinelService. | | Optional: \{\}
| +| `sentinelService` _[api.v1alpha1.SentinelServiceRef](#apiv1alpha1sentinelserviceref)_ | SentinelService enables automatic discovery from a Kubernetes Service.
Mutually exclusive with SentinelAddrs. | | Optional: \{\}
| +| `db` _integer_ | DB is the Redis database number. | 0 | Optional: \{\}
| + + +#### api.v1alpha1.RedisStorageConfig + + + +RedisStorageConfig configures Redis connection for auth server storage. +Redis is deployed in Sentinel mode with ACL user authentication (the only supported configuration). + + + +_Appears in:_ +- [api.v1alpha1.AuthServerStorageConfig](#apiv1alpha1authserverstorageconfig) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `sentinelConfig` _[api.v1alpha1.RedisSentinelConfig](#apiv1alpha1redissentinelconfig)_ | SentinelConfig holds Redis Sentinel configuration. | | Required: \{\}
| +| `aclUserConfig` _[api.v1alpha1.RedisACLUserConfig](#apiv1alpha1redisacluserconfig)_ | ACLUserConfig configures Redis ACL user authentication. | | Required: \{\}
| +| `dialTimeout` _string_ | DialTimeout is the timeout for establishing connections.
Format: Go duration string (e.g., "5s", "1m"). | 5s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Optional: \{\}
| +| `readTimeout` _string_ | ReadTimeout is the timeout for socket reads.
Format: Go duration string (e.g., "3s", "1m"). | 3s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Optional: \{\}
| +| `writeTimeout` _string_ | WriteTimeout is the timeout for socket writes.
Format: Go duration string (e.g., "3s", "1m"). | 3s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Optional: \{\}
| + + #### api.v1alpha1.RegistryFilter @@ -2393,6 +2515,28 @@ _Appears in:_ | `requests` _[api.v1alpha1.ResourceList](#apiv1alpha1resourcelist)_ | Requests describes the minimum amount of compute resources required | | Optional: \{\}
| +#### api.v1alpha1.RoleMapping + + + +RoleMapping defines a rule for mapping JWT claims to IAM roles. +Mappings are evaluated in priority order (lower number = higher priority), and the first +matching rule determines which IAM role to assume. +Exactly one of Claim or Matcher must be specified. + + + +_Appears in:_ +- [api.v1alpha1.AWSStsConfig](#apiv1alpha1awsstsconfig) + +| Field | Description | Default | Validation | +| --- | --- | --- | --- | +| `claim` _string_ | Claim is a simple claim value to match against
The claim type is specified by AWSStsConfig.RoleClaim
For example, if RoleClaim is "groups", this would be a group name
Internally compiled to a CEL expression: "" in claims[""]
Mutually exclusive with Matcher | | MinLength: 1
Optional: \{\}
| +| `matcher` _string_ | Matcher is a CEL expression for complex matching against JWT claims
The expression has access to a "claims" variable containing all JWT claims as map[string]any
Examples:
- "admins" in claims["groups"]
- claims["sub"] == "user123" && !("act" in claims)
Mutually exclusive with Claim | | MinLength: 1
Optional: \{\}
| +| `roleArn` _string_ | RoleArn is the IAM role ARN to assume when this mapping matches | | Pattern: `^arn:(aws\|aws-cn\|aws-us-gov):iam::\d\{12\}:role/[\w+=,.@\-_/]+$`
Required: \{\}
| +| `priority` _integer_ | Priority determines evaluation order (lower values = higher priority)
Allows fine-grained control over role selection precedence
When omitted, this mapping has the lowest possible priority and
configuration order acts as tie-breaker via stable sort | | Minimum: 0
Optional: \{\}
| + + #### api.v1alpha1.SecretKeyRef @@ -2410,6 +2554,7 @@ _Appears in:_ - [api.v1alpha1.InlineOIDCConfig](#apiv1alpha1inlineoidcconfig) - [api.v1alpha1.OAuth2UpstreamConfig](#apiv1alpha1oauth2upstreamconfig) - [api.v1alpha1.OIDCUpstreamConfig](#apiv1alpha1oidcupstreamconfig) +- [api.v1alpha1.RedisACLUserConfig](#apiv1alpha1redisacluserconfig) - [api.v1alpha1.TokenExchangeConfig](#apiv1alpha1tokenexchangeconfig) | Field | Description | Default | Validation | @@ -2436,6 +2581,19 @@ _Appears in:_ | `targetEnvName` _string_ | TargetEnvName is the environment variable to be used when setting up the secret in the MCP server
If left unspecified, it defaults to the key | | Optional: \{\}
| +#### api.v1alpha1.SentinelServiceRef + +_Underlying type:_ _[api.v1alpha1.struct{Name string "json:\"name\""; Namespace string "json:\"namespace,omitempty\""; Port int32 "json:\"port,omitempty\""}](#apiv1alpha1struct{name string "json:\"name\""; namespace string "json:\"namespace,omitempty\""; port int32 "json:\"port,omitempty\""})_ + +SentinelServiceRef references a Kubernetes Service for Sentinel discovery. + + + +_Appears in:_ +- [api.v1alpha1.RedisSentinelConfig](#apiv1alpha1redissentinelconfig) + + + #### api.v1alpha1.StorageReference diff --git a/static/api-specs/toolhive-api.yaml b/static/api-specs/toolhive-api.yaml index 6f54fc26..fea9ffaf 100644 --- a/static/api-specs/toolhive-api.yaml +++ b/static/api-specs/toolhive-api.yaml @@ -228,7 +228,7 @@ components: scopes_supported: description: |- ScopesSupported lists the OAuth 2.0 scope values advertised in discovery documents. - If empty, defaults to ["openid", "offline_access"]. + If empty, defaults to ["openid", "profile", "email", "offline_access"]. items: type: string type: array 
@@ -385,6 +385,68 @@ components: description: Version is the version of the configuration format. type: string type: object + awssts.Config: + description: AWSStsConfig contains AWS STS token exchange configuration for + accessing AWS services + properties: + fallback_role_arn: + description: FallbackRoleArn is the IAM role ARN to assume when no role + mapping matches. + type: string + region: + description: Region is the AWS region for STS and SigV4 signing. + type: string + role_claim: + description: 'RoleClaim is the JWT claim to use for role mapping (default: + "groups").' + type: string + role_mappings: + description: RoleMappings maps JWT claim values to IAM roles with priority. + items: + $ref: '#/components/schemas/awssts.RoleMapping' + type: array + uniqueItems: false + service: + description: 'Service is the AWS service name for SigV4 signing (default: + "aws-mcp").' + type: string + session_duration: + description: 'SessionDuration is the duration in seconds for assumed role + credentials (default: 3600).' + type: integer + session_name_claim: + description: 'SessionNameClaim is the JWT claim to use for role session + name (default: "sub").' + type: string + type: object + awssts.RoleMapping: + properties: + claim: + description: |- + Claim is the simple claim value to match (e.g., group name). + Internally compiles to a CEL expression: "" in claims[""] + Mutually exclusive with Matcher. + type: string + matcher: + description: |- + Matcher is a CEL expression for complex matching against JWT claims. + The expression has access to a "claims" variable containing all JWT claims. + Examples: + - "admins" in claims["groups"] + - claims["sub"] == "user123" && !("act" in claims) + Mutually exclusive with Claim. + type: string + priority: + description: |- + Priority determines selection order (lower number = higher priority). + When multiple mappings match, the one with the lowest priority is selected. 
+ When nil (omitted), the mapping has the lowest possible priority, and + configuration order acts as tie-breaker via stable sort. + type: integer + role_arn: + description: RoleArn is the IAM role ARN to assume when this mapping matches. + type: string + type: object client.ClientApp: description: ClientType is the type of MCP client enum: @@ -1137,6 +1199,8 @@ components: DEPRECATED: Middleware configuration. AuthzConfigPath is the path to the authorization configuration file type: string + aws_sts_config: + $ref: '#/components/schemas/awssts.Config' base_name: description: BaseName is the base name used for the container (without prefixes) type: string @@ -1339,6 +1403,18 @@ components: description: Reference is the OCI reference of the built skill artifact. type: string type: object + skills.Dependency: + properties: + digest: + description: Digest is the OCI digest for upgrade detection. + type: string + name: + description: Name is the dependency name. + type: string + reference: + description: Reference is the OCI reference for the dependency. + type: string + type: object skills.InstallStatus: description: Status is the current installation status. enum: @@ -1351,7 +1427,7 @@ components: - InstallStatusPending - InstallStatusFailed skills.InstalledSkill: - description: InstalledSkill is set if the skill is installed. + description: InstalledSkill contains the full installation record. properties: clients: description: |- 
@@ -1361,30 +1437,46 @@ components: type: string type: array uniqueItems: false + dependencies: + description: Dependencies is the list of external skill dependencies. + items: + $ref: '#/components/schemas/skills.Dependency' + type: array + uniqueItems: false + digest: + description: Digest is the OCI digest (sha256:...) for upgrade detection. + type: string installed_at: description: InstalledAt is the timestamp when the skill was installed. type: string metadata: $ref: '#/components/schemas/skills.SkillMetadata' + project_root: + description: ProjectRoot is the project root path for project-scoped skills. + Empty for user-scoped. + type: string + reference: + description: Reference is the full OCI reference (e.g. ghcr.io/org/skill:v1). + type: string scope: $ref: '#/components/schemas/skills.Scope' status: $ref: '#/components/schemas/skills.InstallStatus' + tag: + description: Tag is the OCI tag (e.g. v1.0.0). + type: string type: object skills.Scope: - description: Scope from which to uninstall + description: Scope for the installation enum: - user - - system + - project type: string x-enum-varnames: - ScopeUser - - ScopeSystem + - ScopeProject skills.SkillInfo: properties: - installed: - description: Installed indicates whether the skill is currently installed. - type: boolean installed_skill: $ref: '#/components/schemas/skills.InstalledSkill' metadata: @@ -1517,6 +1609,15 @@ components: +kubebuilder:default=false +optional type: boolean + useLegacyAttributes: + description: |- + UseLegacyAttributes controls whether legacy (pre-MCP OTEL semconv) attribute names + are emitted alongside the new standard attribute names. When true, spans include both + old and new attribute names for backward compatibility with existing dashboards. + Currently defaults to true; this will change to false in a future release. + +kubebuilder:default=true + +optional + type: boolean type: object templates.RuntimeConfig: description: |- 
@@ -2164,15 +2265,6 @@ components: description: Name of the tool type: string type: object - v1.uninstallSkillRequest: - description: Request to uninstall a skill - properties: - name: - description: Name of the skill to uninstall - type: string - scope: - $ref: '#/components/schemas/skills.Scope' - type: object v1.updateRequest: description: Request to update an existing workload (name cannot be changed) properties: @@ -3060,6 +3152,15 @@ paths: /api/v1beta/skills: get: description: Get a list of all installed skills + parameters: + - description: Filter by scope (user or project) + in: query + name: scope + schema: + enum: + - user + - project + type: string responses: "200": content: 
@@ -3067,16 +3168,107 @@ paths: schema: $ref: '#/components/schemas/v1.skillListResponse' description: OK - "501": + "500": content: application/json: schema: type: string - description: Not Implemented + description: Internal Server Error summary: List all installed skills tags: - skills + post: + description: Install a skill from a remote source + requestBody: + content: + application/json: + schema: + oneOf: + - type: object + - $ref: '#/components/schemas/v1.installSkillRequest' + description: Install request + summary: request + description: Install request + required: true + responses: + "201": + content: + application/json: + schema: + $ref: '#/components/schemas/v1.installSkillResponse' + description: Created + headers: + Location: + description: URI of the installed skill resource + schema: + type: string + "400": + content: + application/json: + schema: + type: string + description: Bad Request + "409": + content: + application/json: + schema: + type: string + description: Conflict + "500": + content: + application/json: + schema: + type: string + description: Internal Server Error + summary: Install a skill + tags: + - skills /api/v1beta/skills/{name}: + delete: + description: Remove an installed skill + parameters: + - description: Skill name + in: path + name: name + required: true + schema: + type: string + - description: Scope to uninstall from (user or project) + in: query + name: scope + schema: + enum: + - user + - project + type: string + responses: + "204": + content: + application/json: + schema: + type: string + description: No Content + "400": + content: + application/json: + schema: + type: string + description: Bad Request + "404": + content: + application/json: + schema: + type: string + description: Not Found + "500": + content: + application/json: + schema: + type: string + description: Internal Server Error + summary: Uninstall a skill + tags: + - skills get: description: Get detailed information about a specific skill parameters: 
@@ -3086,6 +3278,14 @@ paths: required: true schema: type: string + - description: Filter by scope (user or project) + in: query + name: scope + schema: + enum: + - user + - project + type: string responses: "200": content: @@ -3093,12 +3293,24 @@ paths: schema: $ref: '#/components/schemas/skills.SkillInfo' description: OK - "501": + "400": content: application/json: schema: type: string - description: Not Implemented + description: Bad Request + "404": + content: + application/json: + schema: + type: string + description: Not Found + "500": + content: + application/json: + schema: + type: string + description: Internal Server Error summary: Get skill details tags: - skills @@ -3132,36 +3344,6 @@ paths: summary: Build a skill tags: - skills - /api/v1beta/skills/install: - post: - description: Install a skill from a remote source - requestBody: - content: - application/json: - schema: - oneOf: - - type: object - - $ref: '#/components/schemas/v1.installSkillRequest' - description: Install request - summary: request - description: Install request - required: true - responses: - "201": - content: - application/json: - schema: - $ref: '#/components/schemas/v1.installSkillResponse' - description: Created - "501": - content: - application/json: - schema: - type: string - description: Not Implemented - summary: Install a skill - tags: - - skills /api/v1beta/skills/push: post: description: Push a built skill artifact to a remote registry 
@@ -3192,36 +3374,6 @@ paths: summary: Push a skill tags: - skills - /api/v1beta/skills/uninstall: - post: - description: Remove an installed skill - requestBody: - content: - application/json: - schema: - oneOf: - - type: object - - $ref: '#/components/schemas/v1.uninstallSkillRequest' - description: Uninstall request - summary: request - description: Uninstall request - required: true - responses: - "204": - content: - application/json: - schema: - type: string - description: No Content - "501": - content: - application/json: - schema: - type: string - description: Not Implemented - summary: Uninstall a skill - tags: - - skills /api/v1beta/skills/validate: post: description: Validate a skill definition