Skip to content

RFC-0070: thv llm subcommand for LLM gateway authentication#70

Merged
jerm-dro merged 4 commits intomainfrom
jerm-dro/thv-0058-llm-subcommand
Apr 23, 2026
Merged

RFC-0070: thv llm subcommand for LLM gateway authentication#70
jerm-dro merged 4 commits intomainfrom
jerm-dro/thv-0058-llm-subcommand

Conversation

@jerm-dro
Copy link
Copy Markdown
Contributor

@jerm-dro jerm-dro commented Apr 17, 2026

Summary

Proposes a thv llm command group that bridges AI coding tools to OIDC-protected LLM gateways. Two authentication modes cover the full spectrum of tools:

  • Proxy mode — localhost reverse proxy for static-key-only tools (Cursor) that injects fresh OIDC tokens
  • Token helper modethv llm token prints a fresh JWT for OIDC-capable tools (Claude Code)

A single thv llm setup command detects installed tools, configures them, starts the proxy, and handles OIDC login — extending ToolHive's existing MCP auto-wiring to LLM gateway access.

Key design decisions

  • Builds on ToolHive's existing config persistence (UpdateConfig()), secrets provider (ScopeLLM), client config editing (pkg/client/config_editor.go), and OIDC infrastructure
  • Config types live in pkg/llm/config.go; implementation details in pkg/llm/internal/
  • Client configs modified in place without backups, matching MCP auto-wiring convention
  • Claude Code and Cursor illustrate the two modes; additional tools evaluated case-by-case

jerm-dro and others added 2 commits April 17, 2026 14:34
@jerm-dro @claude
RFC-0058: thv llm subcommand for LLM gateway authentication
98af64c 
Adds RFC proposing a `thv llm` command group that bridges AI coding tools
to OIDC-protected LLM gateways via a localhost reverse proxy and token
helper, with auto-wiring of client applications.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jerm-dro @claude
Rename RFC to THV-0070 to match PR number
9e0e200 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jerm-dro jerm-dro requested a review from JAORMX April 17, 2026 21:58
@jerm-dro @claude
Address review feedback on RFC-0070
c1c2f59 
- Fix inconsistent teardown language (remove backup/restore references)
- Remove mermaid diagram
- Add Audit and Logging security subsection
- Remove all ScopeLLM references (implementation detail)
- Clarify token helper is preferred over background proxy
- Clarify config set vs setup relationship
- Add Documentation section (CLI help text only)
- Fix nitpick on Revert description

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jerm-dro jerm-dro changed the title RFC-0058: thv llm subcommand for LLM gateway authentication RFC-0070: thv llm subcommand for LLM gateway authentication Apr 17, 2026
JAORMX
JAORMX reviewed Apr 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@JAORMX JAORMX left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would this be settable/usable via the HTTP API? That is, could the UI set this up?

@jerm-dro
Copy link
Copy Markdown
Contributor Author

jerm-dro commented Apr 21, 2026

This will need to be updated to explain how a single command can be used to login once to provide access to automatically wire MCP servers and LLM gateways, where both require the same oidc auth.

@jerm-dro jerm-dro mentioned this pull request Apr 22, 2026
Open
21 tasks
@jerm-dro
Copy link
Copy Markdown
Contributor Author

jerm-dro commented Apr 22, 2026

Out of scope for this RFC. The OIDC flow for MCP tool authentication is fundamentally different from LLM gateway auth — unifying them into a single sign-on would add significant complexity. Two separate logins is acceptable for now; a unified login can be explored in a future RFC if there's demand.

Added a non-goal entry to the RFC to make this explicit.

@jerm-dro
Copy link
Copy Markdown
Contributor Author

jerm-dro commented Apr 22, 2026

@JAORMX Good question. This RFC is scoped to the CLI only — thv llm setup runs locally, patches local tool config files, and manages a local proxy process. The HTTP API isn't in scope here.

That said, the config model and core logic are designed to be reusable, so exposing LLM gateway configuration via the HTTP API (e.g., for UI-driven setup) is a natural follow-up. Added a non-goal entry to make this explicit.

@jerm-dro @claude
Add non-goals for unified SSO and HTTP API exposure
8916b59 
Address review feedback from @JAORMX and self-review:
- Unified MCP/LLM single sign-on is out of scope due to flow differences
- HTTP API exposure is future work; core logic designed to be reusable

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This was referenced Apr 23, 2026
Closed
Closed
Open
Open
Open
Merged
@jerm-dro jerm-dro merged commit eb7fbb8 into main Apr 23, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JAORMX JAORMX JAORMX approved these changes

@yrobla yrobla Awaiting requested review from yrobla

@aponcedeleonch aponcedeleonch Awaiting requested review from aponcedeleonch

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jerm-dro @JAORMX