feat(mcp): 支持动态鉴权连接管理并优化运行态稳定性

.env.template

@@ -29,6 +29,7 @@ YUXI_INSTANCE_ID=
 # # Servies
 # YUXI_SUPER_ADMIN_NAME=
 # YUXI_SUPER_ADMIN_PASSWORD=
+# MCP_CREDENTIALS_MASTER_KEY=
 
 # # URL Whitelist (comma-separated domains/IPs, empty to disable URL parsing)
 # YUXI_URL_WHITELIST=github.com,docs.example.com,gitlab.example.com,127.0.0.1
@@ -73,4 +74,4 @@ YUXI_INSTANCE_ID=
 # SANDBOX_NODE_HOST=host.docker.internal
 # KUBECONFIG_PATH=/root/.kube/config
 # THREAD_PVC=yuxi-thread
-# SKILLS_PVC=yuxi-skills  # 当前代码会读取，但 Pod 挂载实际仍只使用 THREAD_PVC
+# SKILLS_PVC=yuxi-skills  # 当前代码会读取，但 Pod 挂载实际仍只使用 THREAD_PVC

.gitignore

@@ -79,4 +79,7 @@ docs/vibe
 
 /models
 
-.taskr/
+.taskr/
+
+.workbuddy
+.worktrees/

backend/package/pyproject.toml

@@ -16,6 +16,7 @@ dependencies = [
     "aiosqlite>=0.20.0",
     "argon2-cffi>=25.1.0",
     "asyncpg>=0.30.0",
+    "cachetools>=5.3.0",
     "chardet>=5.0.0",
     "colorlog>=6.9.0",
     "dashscope>=1.23.2",

backend/package/yuxi/agents/__init__.py

@@ -12,7 +12,7 @@
 from yuxi.agents.toolkits.utils import get_tool_info
 
 # MCP - Agent 层统一入口（自动过滤 disabled_tools）
-from yuxi.services.mcp_service import get_enabled_mcp_tools
+from yuxi.services.mcp.tool_registry_service import get_enabled_mcp_tools
 
 __all__ = [
     # Base classes

backend/package/yuxi/agents/buildin/chatbot/graph.py

@@ -12,16 +12,19 @@
     save_attachments_to_fs,
 )
 from yuxi.agents.middlewares.knowledge_base_middleware import KnowledgeBaseMiddleware
-from yuxi.agents.middlewares.skills_middleware import SkillsMiddleware
-from yuxi.services.mcp_service import get_tools_from_all_servers
+from yuxi.agents.middlewares.skills_middleware import SkillsMiddleware, collect_context_mcp_names_for_preload
+from yuxi.services.mcp.tool_registry_service import get_tools_from_all_servers
 from yuxi.services.subagent_service import get_subagents_from_names
+from yuxi.utils.logging_config import logger
 
 from .prompt import TODO_MID_PROMPT, build_prompt_with_context
 
 
 async def _build_middlewares(context):
     """构建中间件列表"""
-    all_mcp_tools = await get_tools_from_all_servers()  # 因为异步加载，无法放在 RuntimeConfigMiddleware 的 __init__ 中
+    preload_mcp_names = await collect_context_mcp_names_for_preload(context)
+    logger.info(f"ChatbotAgent MCP preload candidates: {preload_mcp_names}")
+    all_mcp_tools = await get_tools_from_all_servers(preload_mcp_names)
 
     # summary middleware
     # 主 Agent 上下文优化：90k tokens 触发压缩（128k context window 的 70%）

backend/package/yuxi/agents/buildin/deep_agent/graph.py

@@ -15,9 +15,9 @@
     save_attachments_to_fs,
 )
 from yuxi.agents.middlewares.knowledge_base_middleware import KnowledgeBaseMiddleware
-from yuxi.agents.middlewares.skills_middleware import SkillsMiddleware
+from yuxi.agents.middlewares.skills_middleware import SkillsMiddleware, collect_context_mcp_names_for_preload
 from yuxi.agents.toolkits.buildin.tools import _create_tavily_search
-from yuxi.services.mcp_service import get_tools_from_all_servers
+from yuxi.services.mcp.tool_registry_service import get_tools_from_all_servers
 from yuxi.services.subagent_service import get_subagents_from_names
 from yuxi.utils import logger
 
@@ -57,7 +57,9 @@ async def get_graph(self, context=None, **kwargs):
         model = load_chat_model(context.model)
         sub_model = load_chat_model(context.subagents_model)
         search_tools = await self.get_tools()
-        all_mcp_tools = await get_tools_from_all_servers()
+        preload_mcp_names = await collect_context_mcp_names_for_preload(context)
+        logger.info(f"DeepAgent MCP preload candidates: {preload_mcp_names}")
+        all_mcp_tools = await get_tools_from_all_servers(preload_mcp_names)
         # 合并搜索工具和 MCP 工具
 
         # 从数据库加载 subagent specs（工具名称已解析）

backend/package/yuxi/agents/context.py

@@ -33,6 +33,20 @@ def update(self, data: dict):
         metadata={"name": "用户ID", "configurable": False, "description": "用来唯一标识一个用户"},
     )
 
+    work_id: str | None = field(
+        default=None,
+        metadata={
+            "name": "工号",
+            "configurable": False,
+            "description": "用来匹配个人 MCP 连接绑定范围的工号",
+        },
+    )
+
+    department_id: str | None = field(
+        default=None,
+        metadata={"name": "部门ID", "configurable": False, "description": "用来标识当前用户所属部门"},
+    )
+
     system_prompt: Annotated[str, {"__template_metadata__": {"kind": "prompt"}}] = field(
         default="You are a helpful assistant.",
         metadata={"name": "系统提示词", "description": "用来描述智能体的角色和行为"},

backend/package/yuxi/agents/middlewares/dynamic_tool_middleware.py

@@ -3,7 +3,7 @@
 
 from langchain.agents.middleware import AgentMiddleware, ModelRequest, ModelResponse
 
-from yuxi.services.mcp_service import get_mcp_tools
+from yuxi.services.mcp.tool_registry_service import get_mcp_tools
 from yuxi.utils import logger
 
 

backend/package/yuxi/agents/middlewares/runtime_config_middleware.py

@@ -4,14 +4,18 @@
 from typing import Any
 
 from langchain.agents.middleware import AgentMiddleware, ModelRequest, ModelResponse
+from langchain.tools.tool_node import ToolCallRequest
 from langchain_core.messages import SystemMessage
 
 from yuxi.agents import load_chat_model
 from yuxi.agents.toolkits import get_all_tool_instances
-from yuxi.services.mcp_service import get_enabled_mcp_tools
+from yuxi.services.mcp.tool_registry_service import get_enabled_mcp_tools
+from yuxi.services.mcp_auth.orchestrator import AuthContext
 from yuxi.utils.datetime_utils import shanghai_now
 from yuxi.utils.logging_config import logger
 
+_RUNTIME_DYNAMIC_TOOLS_ATTR = "_runtime_config_dynamic_tools_by_name"
+
 
 class RuntimeConfigMiddleware(AgentMiddleware):
     """运行时配置中间件 - 应用模型/工具/MCP/提示词配置
@@ -89,14 +93,19 @@ async def awrap_model_call(
             # 获取上下文配置的工具
             enabled_tools = await self.get_tools_from_context(runtime_context)
             existing_tools = list(request.tools or [])
-            enabled_tool_names = {t.name for t in enabled_tools}
             managed_tool_names = {t.name for t in self.tools}
             merged_tools = []
             for t_bind in existing_tools:
-                # (1) 已启用的工具保留
-                # (2) 非本中间件管理的工具保留
-                if t_bind.name in enabled_tool_names or t_bind.name not in managed_tool_names:
+                # 非本中间件管理的工具保留；本中间件管理的工具统一用本轮实时加载结果覆盖。
+                if t_bind.name not in managed_tool_names:
                     merged_tools.append(t_bind)
+            merged_tool_names = {t.name for t in merged_tools}
+            for tool in enabled_tools:
+                if tool.name in merged_tool_names:
+                    continue
+                merged_tools.append(tool)
+                merged_tool_names.add(tool.name)
+            setattr(runtime_context, _RUNTIME_DYNAMIC_TOOLS_ATTR, {tool.name: tool for tool in enabled_tools})
             overrides["tools"] = merged_tools
             logger.debug(f"RuntimeConfigMiddleware selected tools: {[t.name for t in merged_tools]}")
 
@@ -116,6 +125,33 @@ async def awrap_model_call(
 
         return await handler(request)
 
+    async def awrap_tool_call(self, request: ToolCallRequest, handler: Callable[[ToolCallRequest], Any]):
+        """Allow ToolNode to execute runtime-auth MCP tools loaded during the last model call."""
+        if request.tool is None:
+            runtime_context = getattr(request.runtime, "context", None)
+            dynamic_tools = getattr(runtime_context, _RUNTIME_DYNAMIC_TOOLS_ATTR, {}) or {}
+            tool = dynamic_tools.get(request.tool_call.get("name")) if isinstance(dynamic_tools, dict) else None
+            if tool is not None:
+                request = request.override(tool=tool)
+
+        # NOTE: 注入当前的 AuthContext 以便于长连接拦截器 DynamicMCPTokenAuth 随时刷新 token
+        runtime_context = getattr(request.runtime, "context", None)
+        if runtime_context is not None:
+            user_id = getattr(runtime_context, "user_id", None)
+            work_id = getattr(runtime_context, "work_id", None)
+            dept_id = getattr(runtime_context, "department_id", None)
+            auth_context = AuthContext(user_id=user_id, department_id=dept_id, work_id=work_id)
+
+            from yuxi.services.mcp_auth.orchestrator import mcp_auth_context_var
+
+            token = mcp_auth_context_var.set(auth_context)
+            try:
+                return await handler(request)
+            finally:
+                mcp_auth_context_var.reset(token)
+
+        return await handler(request)
+
     async def get_tools_from_context(self, context) -> list:
         """从上下文配置中获取工具列表"""
         selected_tools = []
@@ -146,16 +182,41 @@ async def get_tools_from_context(self, context) -> list:
                 all_mcp_names.append(server_name)
 
         selected_mcp_servers: set[str] = set()
+        selected_mcp_names: list[str] = []
+        loaded_mcp_tools: dict[str, int] = {}
+        unavailable_mcp_servers: list[str] = []
+        failed_mcp_servers: list[str] = []
         for server_name in all_mcp_names:
             if server_name in selected_mcp_servers:
                 continue
             selected_mcp_servers.add(server_name)
+            selected_mcp_names.append(server_name)
             try:
-                mcp_tools = await get_enabled_mcp_tools(server_name)
+                user_id = getattr(context, "user_id", None)
+                work_id = getattr(context, "work_id", None)
+                mcp_tools = await get_enabled_mcp_tools(
+                    server_name,
+                    auth_context=AuthContext(
+                        user_id=user_id,
+                        department_id=getattr(context, "department_id", None),
+                        work_id=work_id,
+                    ),
+                )
                 if not mcp_tools:
-                    logger.warning(f"RuntimeConfigMiddleware: mcp dependency unavailable, skip: {server_name}")
+                    unavailable_mcp_servers.append(server_name)
+                    logger.debug(f"RuntimeConfigMiddleware: mcp dependency unavailable, skip: {server_name}")
+                else:
+                    loaded_mcp_tools[server_name] = len(mcp_tools)
                 selected_tools.extend(mcp_tools)
             except Exception as e:
+                failed_mcp_servers.append(server_name)
                 logger.warning(f"RuntimeConfigMiddleware: failed to load mcp dependency '{server_name}': {e}")
 
+        if selected_mcp_names:
+            logger.info(
+                "RuntimeConfigMiddleware MCP runtime selection: "
+                f"selected={selected_mcp_names}, loaded={loaded_mcp_tools}, "
+                f"unavailable={unavailable_mcp_servers}, failed={failed_mcp_servers}"
+            )
+
         return selected_tools

backend/package/yuxi/agents/middlewares/skills_middleware.py

@@ -15,7 +15,8 @@
 
 from yuxi.agents.toolkits import get_all_tool_instances
 from yuxi.repositories.skill_repository import SkillRepository
-from yuxi.services.mcp_service import get_enabled_mcp_tools
+from yuxi.services.mcp.tool_registry_service import get_enabled_mcp_tools
+from yuxi.services.mcp_auth.orchestrator import AuthContext
 from yuxi.services.skill_service import _normalize_string_list, is_valid_skill_slug
 from yuxi.storage.postgres.manager import pg_manager
 from yuxi.utils.logging_config import logger
@@ -79,6 +80,21 @@ async def get_dependency_map(db: AsyncSession | None = None) -> dict[str, SkillD
     return result
 
 
+async def collect_context_mcp_names_for_preload(context, *, skills_context_name: str = "skills") -> list[str]:
+    """收集图构建阶段需要预注册的 MCP 名称。"""
+    names: list[str] = []
+    names.extend(normalize_selected_skills(getattr(context, "mcps", None) or []))
+
+    dependency_map = await get_dependency_map()
+    configured_skills = normalize_selected_skills(getattr(context, skills_context_name, None) or [])
+    for slug in expand_skill_closure(configured_skills, dependency_map):
+        node = dependency_map.get(slug)
+        if node:
+            names.extend(node.get("mcps", []))
+
+    return normalize_selected_skills(names)
+
+
 def normalize_selected_skills(selected_skills: list[str] | None) -> list[str]:
     """规范化 skills 列表，去重并过滤无效值"""
     return _normalize_string_list(selected_skills)
@@ -338,20 +354,42 @@ async def _get_mcp_tools_from_context(
 
         # 去重
         unique_mcp_names = list(dict.fromkeys(all_mcp_names))
+        loaded_mcp_tools: dict[str, int] = {}
+        unavailable_mcp_servers: list[str] = []
+        failed_mcp_servers: list[str] = []
 
         async def load_mcp_tools(server_name: str) -> list:
             """加载单个 MCP 服务器的工具"""
             try:
-                mcp_tools = await get_enabled_mcp_tools(server_name)
+                user_id = getattr(context, "user_id", None)
+                work_id = getattr(context, "work_id", None)
+                mcp_tools = await get_enabled_mcp_tools(
+                    server_name,
+                    auth_context=AuthContext(
+                        user_id=user_id,
+                        department_id=getattr(context, "department_id", None),
+                        work_id=work_id,
+                    ),
+                )
                 if not mcp_tools:
-                    logger.warning(f"SkillsMiddleware: mcp dependency unavailable, skip: {server_name}")
+                    unavailable_mcp_servers.append(server_name)
+                    logger.debug(f"SkillsMiddleware: mcp dependency unavailable, skip: {server_name}")
+                else:
+                    loaded_mcp_tools[server_name] = len(mcp_tools)
                 return mcp_tools
             except Exception as e:
+                failed_mcp_servers.append(server_name)
                 logger.warning(f"SkillsMiddleware: failed to load mcp dependency '{server_name}': {e}")
                 return []
 
         # 并行加载所有 MCP 工具
         results = await asyncio.gather(*[load_mcp_tools(name) for name in unique_mcp_names])
+        if unique_mcp_names:
+            logger.info(
+                "SkillsMiddleware MCP dependency selection: "
+                f"selected={unique_mcp_names}, loaded={loaded_mcp_tools}, "
+                f"unavailable={unavailable_mcp_servers}, failed={failed_mcp_servers}"
+            )
         selected_tools = []
         for tools in results:
             selected_tools.extend(tools)