MCP Bridge (ctxce) + Optional Auth: single MCP server (HTTP/stdio) for Indexer & Memory, VS Code auto‑wiring, backend auth endpoints

.env

@@ -128,13 +128,15 @@ REFRAG_RUNTIME=llamacpp
 REFRAG_ENCODER_MODEL=BAAI/bge-base-en-v1.5
 REFRAG_PHI_PATH=/work/models/refrag_phi_768_to_dmodel.bin
 REFRAG_SENSE=heuristic
+REFRAG_PSEUDO_DESCRIBE=1
 GLM_API_KEY=
 # Llama.cpp sidecar (optional)
 # Use docker network hostname from containers; localhost remains ok for host-side runs if LLAMACPP_URL not exported
 LLAMACPP_URL=http://host.docker.internal:8081
 LLAMACPP_TIMEOUT_SEC=300
 DECODER_MAX_TOKENS=4000
 REFRAG_DECODER_MODE=prompt  # prompt|soft
+REFRAG_COMMIT_DESCRIBE=1
 
 REFRAG_SOFT_SCALE=1.0
 LLAMACPP_USE_GPU=1
@@ -149,6 +151,8 @@ MAX_MICRO_CHUNKS_PER_FILE=500
 QDRANT_TIMEOUT=20
 MEMORY_AUTODETECT=1
 MEMORY_COLLECTION_TTL_SECS=300
+SMART_SYMBOL_REINDEXING=1
+MAX_CHANGED_SYMBOLS_RATIO=0.6
 
 
 # Watcher-safe defaults (recommended)
@@ -196,4 +200,9 @@ INFO_REQUEST_LIMIT=10
 INFO_REQUEST_CONTEXT_LINES=5
 # INFO_REQUEST_EXPLAIN_DEFAULT=0
 # INFO_REQUEST_RELATIONSHIPS=0
+GLM_API_BASE=https://api.z.ai/api/coding/paas/v4/
+GLM_MODEL=glm-4.6
 COMMIT_VECTOR_SEARCH=0
+STRICT_MEMORY_RESTORE=1
+CTXCE_AUTH_ENABLED=0
+CTXCE_AUTH_ADMIN_TOKEN=change-me-admin-token

.env.example

@@ -152,7 +152,7 @@ REFRAG_PHI_PATH=/work/models/refrag_phi_768_to_dmodel.json
 REFRAG_SENSE=heuristic
 
 # Enable index-time pseudo descriptions for micro-chunks (requires REFRAG_DECODER)
-# REFRAG_PSEUDO_DESCRIBE=1
+REFRAG_PSEUDO_DESCRIBE=1
 
 # Llama.cpp sidecar (optional)
 # Docker CPU-only (stable): http://llamacpp:8080
@@ -189,7 +189,8 @@ MEMORY_AUTODETECT=1
 MEMORY_COLLECTION_TTL_SECS=300
 
 # Smarter re-indexing for symbol cache, reuse embeddings and reduce decoder/pseudo tags to re-index
-SMART_SYMBOL_REINDEXING=0
+SMART_SYMBOL_REINDEXING=1
+MAX_CHANGED_SYMBOLS_RATIO=0.6
 
 # Watcher-safe defaults (recommended)
 # Applied to watcher via compose; uncomment to apply globally.
@@ -226,7 +227,7 @@ SMART_SYMBOL_REINDEXING=0
 REFRAG_COMMIT_DESCRIBE=1
 COMMIT_VECTOR_SEARCH=0
 
-STRICT_MEMORY_RESTORE=0
+STRICT_MEMORY_RESTORE=1
 
 # info_request() tool settings (simplified codebase retrieval)
 # Default result limit for info_request queries
@@ -237,3 +238,60 @@ INFO_REQUEST_CONTEXT_LINES=5
 # INFO_REQUEST_EXPLAIN_DEFAULT=0
 # Enable relationship mapping by default (imports_from, calls, related_paths)
 # INFO_REQUEST_RELATIONSHIPS=0
+
+
+# ---------------------------------------------------------------------------
+# Optional Auth & Bridge Configuration (OFF by default)
+# ---------------------------------------------------------------------------
+
+# Global auth toggle for backend services (upload_service, MCP indexer/memory).
+# When set to 1, services will require a valid session for protected operations.
+# When unset or 0, auth is disabled and behavior matches previous versions.
+# CTXCE_AUTH_ENABLED=0
+
+# Shared token used by /auth/login for the bridge and other service clients.
+# When CTXCE_AUTH_ENABLED=1 and this is set, /auth/login will only issue
+# sessions when the provided token matches this value.
+# CTXCE_AUTH_SHARED_TOKEN=change-me-dev-token
+
+# Create "open-dev" tokens when a shared token is unset, basically allows requesting a session with no real auth
+# CTXCE_AUTH_ALLOW_OPEN_TOKEN_LOGIN=0
+
+# Optional admin token for creating additional users via /auth/users once the
+# first user has been bootstrapped. If unset, only the initial user can be
+# created (no additional users).
+# CTXCE_AUTH_ADMIN_TOKEN=change-me-admin-token
+
+# Auth database location (default: sqlite file under WORK_DIR/.codebase).
+# Use a SQLite URL for local/dev, or point to a different path.
+# CTXCE_AUTH_DB_URL=sqlite:////work/.codebase/ctxce_auth.sqlite
+
+# Session TTL (seconds) for issued auth sessions.
+# 0 or negative values disable expiry (sessions do not expire). When >0,
+# active sessions are extended with a sliding window whenever they are used.
+# CTXCE_AUTH_SESSION_TTL_SECONDS=0
+
+# Collection registry & ACL (only used when CTXCE_AUTH_ENABLED=1).
+# When enabled, infrastructure/health checks may populate an internal SQLite
+# registry of known Qdrant collections, and ACL rules can be applied by services.
+
+# ACL bypass (dev/early deployments): allow all users to access all collections.
+# CTXCE_ACL_ALLOW_ALL=0
+
+# MCP boundary enforcement (OFF by default).
+# When enabled, MCP servers will enforce collection ACLs using the auth DB.
+# Requires CTXCE_AUTH_ENABLED=1. If CTXCE_ACL_ALLOW_ALL=1, enforcement is bypassed.
+# This is intended for gradually rolling out collection-level permissions without
+# changing existing client auth/session mechanisms.
+# CTXCE_MCP_ACL_ENFORCE=0
+
+# Bridge-side configuration (ctx-mcp-bridge):
+# The bridge will POST to this URL for auth login and store the returned
+# session id, then inject it into all MCP tool calls as the `session` field.
+# CTXCE_AUTH_BACKEND_URL=http://localhost:8004
+
+# Optional defaults for bridge CLI (env) auth:
+# CTXCE_AUTH_TOKEN=dev-shared-token
+# CTXCE_AUTH_USERNAME=you@example.com
+# CTXCE_AUTH_PASSWORD=your-password
+

.github/workflows/publish-cli.yml

@@ -0,0 +1,34 @@
+name: Publish ctxce CLI to npm
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to publish (ensure package.json is updated)"
+        required: false
+  push:
+    tags:
+      - "ctxce-cli-v*"
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Install dependencies
+        working-directory: ctx-mcp-bridge
+        run: npm install
+
+      - name: Publish to npm
+        working-directory: ctx-mcp-bridge
+        run: npm publish --access public --provenance

.gitignore

@@ -3,6 +3,9 @@
 # Model artifacts
 models/
 
+# Node
+node_modules/
+
 # Qdrant snapshots
 qdrant/snapshots/
 

ctx-mcp-bridge/.gitignore

@@ -0,0 +1 @@
+*.tgz

ctx-mcp-bridge/README.md

@@ -0,0 +1,212 @@
+# Context Engine MCP Bridge
+
+`@context-engine-bridge/context-engine-mcp-bridge` provides the `ctxce` CLI, a
+Model Context Protocol (MCP) bridge that speaks to the Context Engine indexer
+and memory servers and exposes them as a single MCP server.
+
+It is primarily used by the VS Code **Context Engine Uploader** extension,
+available on the Marketplace:
+
+- <https://marketplace.visualstudio.com/items?itemName=context-engine.context-engine-uploader>
+
+The bridge can also be run standalone (e.g. from a terminal, or wired into
+other MCP clients) as long as the Context Engine stack is running.
+
+## Prerequisites
+
+- Node.js **>= 18** (see `engines` in `package.json`).
+- A running Context Engine stack (e.g. via `docker-compose.dev-remote.yml`) with:
+  - MCP indexer HTTP endpoint (default: `http://localhost:8003/mcp`).
+  - MCP memory HTTP endpoint (optional, default: `http://localhost:8002/mcp`).
+- For optional auth:
+  - The upload/auth services must be configured with `CTXCE_AUTH_ENABLED=1` and
+    a reachable auth backend URL (e.g. `http://localhost:8004`).
+
+## Installation
+
+You can install the package globally, or run it via `npx`.
+
+### Global install
+
+```bash
+npm install -g @context-engine-bridge/context-engine-mcp-bridge
+```
+
+This installs the `ctxce` (and `ctxce-bridge`) CLI in your PATH.
+
+### Using npx (no global install)
+
+```bash
+npx @context-engine-bridge/context-engine-mcp-bridge ctxce --help
+```
+
+The examples below assume `ctxce` is available on your PATH; if you use `npx`,
+just prefix commands with `npx @context-engine-bridge/context-engine-mcp-bridge`.
+
+## CLI overview
+
+The main entrypoint is:
+
+```bash
+ctxce <command> [...args]
+```
+
+Supported commands (from `src/cli.js`):
+
+- `ctxce mcp-serve`        – stdio MCP bridge (for stdio-based MCP clients).
+- `ctxce mcp-http-serve`   – HTTP MCP bridge (for HTTP-based MCP clients).
+- `ctxce auth <subcmd>`    – auth helper commands (`login`, `status`, `logout`).
+
+### Environment variables
+
+These environment variables are respected by the bridge:
+
+- `CTXCE_INDEXER_URL` – MCP indexer URL (default: `http://localhost:8003/mcp`).
+- `CTXCE_MEMORY_URL`  – MCP memory URL, or empty/omitted to disable memory
+  (default: `http://localhost:8002/mcp`).
+- `CTXCE_HTTP_PORT`   – port for `mcp-http-serve` (default: `30810`).
+
+For auth (optional, shared with the upload/auth backend):
+
+- `CTXCE_AUTH_ENABLED`       – whether auth is enabled in the backend.
+- `CTXCE_AUTH_BACKEND_URL`   – auth backend URL (e.g. `http://localhost:8004`).
+- `CTXCE_AUTH_TOKEN`         – dev/shared token for `ctxce auth login`.
+- `CTXCE_AUTH_SESSION_TTL_SECONDS` – session TTL / sliding expiry (seconds).
+
+The CLI also stores auth sessions in `~/.ctxce/auth.json`, keyed by backend URL.
+
+## Running the MCP bridge (stdio)
+
+The stdio bridge is suitable for MCP clients that speak stdio directly (for
+example, certain editors or tools that expect an MCP server on stdin/stdout).
+
+```bash
+ctxce mcp-serve \
+  --workspace /path/to/your/workspace \
+  --indexer-url http://localhost:8003/mcp \
+  --memory-url http://localhost:8002/mcp
+```
+
+Flags:
+
+- `--workspace` / `--path` – workspace root (default: current working directory).
+- `--indexer-url`          – override indexer URL (default: `CTXCE_INDEXER_URL` or
+  `http://localhost:8003/mcp`).
+- `--memory-url`           – override memory URL (default: `CTXCE_MEMORY_URL` or
+  disabled when empty).
+
+## Running the MCP bridge (HTTP)
+
+The HTTP bridge exposes the MCP server via an HTTP endpoint (default
+`http://127.0.0.1:30810/mcp`) and is what the VS Code extension uses in its
+`http` transport mode.
+
+```bash
+ctxce mcp-http-serve \
+  --workspace /path/to/your/workspace \
+  --indexer-url http://localhost:8003/mcp \
+  --memory-url http://localhost:8002/mcp \
+  --port 30810
+```
+
+Flags:
+
+- `--workspace` / `--path` – workspace root (default: current working directory).
+- `--indexer-url`          – MCP indexer URL.
+- `--memory-url`           – MCP memory URL (or omit/empty to disable memory).
+- `--port`                 – HTTP port for the bridge (default: `CTXCE_HTTP_PORT`
+  or `30810`).
+
+Once running, you can point an MCP client at:
+
+```text
+http://127.0.0.1:<port>/mcp
+```
+
+## Auth helper commands (`ctxce auth ...`)
+
+These commands are used both by the VS Code extension and standalone flows to
+log in and manage auth sessions for the backend.
+
+### Login (token)
+
+```bash
+ctxce auth login \
+  --backend-url http://localhost:8004 \
+  --token $CTXCE_AUTH_SHARED_TOKEN
+```
+
+This hits the backend `/auth/login` endpoint and stores a session entry in
+`~/.ctxce/auth.json` under the given backend URL.
+
+### Login (username/password)
+
+```bash
+ctxce auth login \
+  --backend-url http://localhost:8004 \
+  --username your-user \
+  --password your-password
+```
+
+This calls `/auth/login/password` and persists the returned session the same
+way as the token flow.
+
+### Status
+
+Human-readable status:
+
+```bash
+ctxce auth status --backend-url http://localhost:8004
+```
+
+Machine-readable status (used by the VS Code extension):
+
+```bash
+ctxce auth status --backend-url http://localhost:8004 --json
+```
+
+The `--json` variant prints a single JSON object to stdout, for example:
+
+```json
+{
+  "backendUrl": "http://localhost:8004",
+  "state": "ok",           // "ok" | "missing" | "expired" | "missing_backend"
+  "sessionId": "...",
+  "userId": "user-123",
+  "expiresAt": 0           // 0 or a Unix timestamp
+}
+```
+
+Exit codes:
+
+- `0` – `state: "ok"` (valid session present).
+- `1` – `state: "missing"` or `"missing_backend"`.
+- `2` – `state: "expired"`.
+
+### Logout
+
+```bash
+ctxce auth logout --backend-url http://localhost:8004
+```
+
+Removes the stored auth entry for the given backend URL from
+`~/.ctxce/auth.json`.
+
+## Relationship to the VS Code extension
+
+The VS Code **Context Engine Uploader** extension is the recommended way to use
+this bridge for day-to-day development. It:
+
+- Launches the standalone upload client to push code into the remote stack.
+- Starts/stops the MCP HTTP bridge (`ctxce mcp-http-serve`) for the active
+  workspace when `autoStartMcpBridge` is enabled.
+- Uses `ctxce auth status --json` and `ctxce auth login` under the hood to
+  manage user sessions via UI prompts.
+
+This package README is aimed at advanced users who want to:
+
+- Run the MCP bridge outside of VS Code.
+- Integrate the Context Engine MCP servers with other MCP-compatible clients.
+
+You can safely mix both approaches: the extension and the standalone bridge
+share the same auth/session storage in `~/.ctxce/auth.json`.

ctx-mcp-bridge/bin/ctxce.js

@@ -0,0 +1,7 @@
+#!/usr/bin/env node
+import { runCli } from "../src/cli.js";
+
+runCli().catch((err) => {
+  console.error("[ctxce] Fatal error:", err && err.stack ? err.stack : err);
+  process.exit(1);
+});