Scaffolds an MCP protected resource into a Phoenix application
Wires the building blocks an MCP server needs to act as an OAuth 2.0 protected resource into a host Phoenix application:
- The OAuth 2.0 Protected Resource Metadata endpoint (RFC 9728 Section 3),
mounted from the per-resource well-known path (RFC 9728 Section 3.1) with
the same route form emitted by
AttestoMCP.Router.attesto_mcp_protected_resource_metadata/2. - A Phoenix pipeline that enforces bearer-token authentication and the
required OAuth scopes (RFC 6750 Bearer Token Usage, RFC 6749 Section 3.3
scope semantics) via
AttestoMCP.Plug.ProtectResource.
This task is idempotent: re-running it will not duplicate the pipeline or the scopes that a previous run already added. Igniter matches the pipeline by name and the scope by its exact contents, so a second run is a no-op.
Example
mix attesto_mcp.install --resource-path /mcp --scopes mcp:use
Options
--resource-path- the path component of the protected resource being served, for example/mcp(RFC 9728 Section 3.1). The metadata endpoint is mounted at/.well-known/oauth-protected-resource<resource-path>and the protecting pipeline is piped through the matching scope. Defaults to/mcp.--scopes- a comma-separated list of OAuth scope strings the bearer token must carry to access the protected resource (RFC 6749 Section 3.3). Defaults tomcp:use.--router- the Phoenix router module to wire the routes into. Defaults to the application's discovered router.