Bind patched Penpot MCP into designer + design-reviewer containers #64

Closed
opened 2026-04-18 20:19:17 +00:00 by claude-desktop · 0 comments
Collaborator

User story

As the designer agent, I want the patched Penpot MCP server registered in my container with the right env vars, so that my design-implement skill can actually create pages/frames/shapes on Penpot files instead of aborting with "no mcp__penpot__* namespace".

Context

First live dispatch on #62 failed cleanly — the designer read the spec, listed its MCP surface, found only claude.ai Excalidraw, Context7, Gmail, Google Calendar, Google Drive, Hugging Face, and forgejo — no mcp__penpot__* — and per the design-implement skill rule ("container env is wrong — surface it, don't silently retry") posted a diagnostic comment and aborted:

  • Failure report: #62 comment https://forge.jacquin.app/charles/claude-hooks/issues/62#issuecomment-5371
  • The agent itself behaved correctly; this is infrastructure work that #56's "MCP bindings — container image" AC bullet hasn't covered yet.

The MCP patches already live under ~/Workspace/penpot-mcp-server/ on the claude-hooks host. They include AUTHELIA_BASIC_AUTH (forward-auth), PENPOT_AUTH_TOKEN_COOKIE (pre-seeded OIDC session — this Penpot instance has login-with-password disabled and tokens off), and a DB→RPC fallback on get_file_info. Host secrets are at ~/.config/claude-hooks/{penpot-creds,authelia-creds,penpot-cookie}.

Acceptance criteria

Image

  • claude-hooks:dev (or a new tagged variant for design agents, e.g. claude-hooks:designer) includes the patched penpot-mcp-server binary. Bake-in pattern mirrors the forgejo-mcp patch approach (see commit 109fb12 feat(infra): bake patched forgejo-mcp into the image).
  • Build is reproducible from Dockerfile + /home/charles/Workspace/penpot-mcp-server/ pinned to a known commit (vendor via submodule or copy-on-build).

MCP registration

  • Container's MCP config (the analogue of what registers forgejo-mcp) includes a penpot entry invoking the patched binary with the right env vars.
  • Only designer and design-reviewer containers embed the Penpot MCP. boss/dev/reviewer stay code-only.

Env vars passed from host secrets

  • AUTHELIA_BASIC_AUTH = <user>:<password> from ~/.config/claude-hooks/authelia-creds (format: two lines, user then password).
  • PENPOT_AUTH_TOKEN_COOKIE = contents of ~/.config/claude-hooks/penpot-cookie (single-line JWE).
  • PENPOT_EMAIL, PENPOT_PASSWORD = lines 1+2 of ~/.config/claude-hooks/penpot-creds (even though login-with-password is disabled on our instance, the MCP expects them to be set — empty strings cause an earlier crash per the .env comment).
  • PENPOT_BASE_URL = https://design.jacquin.app, PENPOT_PUBLIC_URL = same.

Smoke

  • New script scripts/smoke-creds.sh (or extend the existing one) also probes Penpot MCP presence inside the designer container — something like docker exec claude-hooks-designer <command> list-tools | grep -c mcp__penpot__ returning > 0.
  • After landing + service restart, re-dispatch on #62 (toggle area:design off/on). The designer task should now drive the MCP, create a Penpot file, and post a handoff comment. The hello-frame with HELLO text is the verification artifact.
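As an added example (not code from the claude-hooks repo), a POSIX shell helper that assembles the env vars listed above from the host secret files, refusing the failure modes the ticket names (wrong file mode, blank credential lines, a multi-line cookie), plus the smoke check run over a tool listing piped in on stdin. The CREDS_DIR override and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the claude-hooks project's own script: build the env file
# for the designer container from the host secret files described in the ticket.
# CREDS_DIR is an assumed override so the functions can run against a fixture.
CREDS_DIR="${CREDS_DIR:-$HOME/.config/claude-hooks}"
PENPOT_URL="https://design.jacquin.app"

# A secret file must exist, be non-empty, and be mode 0600 (as on the host).
check_secret_file() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || { echo "mode $mode on $1, want 0600" >&2; return 1; }
}

# Print line N of a file; a blank line is an error because the MCP crashes on
# empty PENPOT_EMAIL/PENPOT_PASSWORD instead of failing cleanly at login.
secret_line() {
    v=$(sed -n "${2}p" "$1")
    [ -n "$v" ] || { echo "line $2 of $1 is blank" >&2; return 1; }
    printf '%s\n' "$v"
}

# Emit KEY=VALUE lines for `docker run --env-file`; never echo them into a log.
penpot_mcp_env() {
    for f in penpot-creds authelia-creds penpot-cookie; do
        check_secret_file "$CREDS_DIR/$f" || return 1
    done
    [ "$(wc -l < "$CREDS_DIR/penpot-cookie")" -le 1 ] \
        || { echo "penpot-cookie must be a single-line JWE" >&2; return 1; }
    au=$(secret_line "$CREDS_DIR/authelia-creds" 1) || return 1
    ap=$(secret_line "$CREDS_DIR/authelia-creds" 2) || return 1
    pe=$(secret_line "$CREDS_DIR/penpot-creds" 1) || return 1
    pp=$(secret_line "$CREDS_DIR/penpot-creds" 2) || return 1
    cookie=$(secret_line "$CREDS_DIR/penpot-cookie" 1) || return 1
    printf 'AUTHELIA_BASIC_AUTH=%s:%s\n' "$au" "$ap"
    printf 'PENPOT_AUTH_TOKEN_COOKIE=%s\n' "$cookie"
    printf 'PENPOT_EMAIL=%s\nPENPOT_PASSWORD=%s\n' "$pe" "$pp"
    printf 'PENPOT_BASE_URL=%s\nPENPOT_PUBLIC_URL=%s\n' "$PENPOT_URL" "$PENPOT_URL"
}

# Smoke check: read the container's tool listing from stdin and succeed only if
# at least one mcp__penpot__ tool is registered (the ticket's grep -c > 0 test).
penpot_tools_present() {
    n=$(grep -c 'mcp__penpot__' || true)
    [ "${n:-0}" -gt 0 ]
}
```

Feed the output of the container's list-tools command into penpot_tools_present from the smoke script; the env function is meant to be called from the host wrapper that starts the designer and design-reviewer containers only.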

Docs

  • CLAUDE.md "Penpot MCP auth" paragraph already mentions the cookie + Authelia-basic bits. Add a pointer to the smoke script and note which containers carry the MCP (and which don't).

Out of scope

  • Token-write RPC in the MCP itself — already covered by #60 (merged in 376f8f9); this ticket is pure plumbing.
  • Upstreaming the penpot-mcp-server patches to the public repo — separate follow-up.
  • Fixing the re-dispatch churn on label_updated (when a second label is added to an already-area:design issue) — noted in fix/forgejo-label-updated-event / PR #63; separate story if the churn bites.

References

  • Failure comment: https://forge.jacquin.app/charles/claude-hooks/issues/62#issuecomment-5371
  • Parent story: #56
  • Patched MCP on host: /home/charles/Workspace/penpot-mcp-server/ (see src/penpot_mcp/{config.py,services/api.py,services/changes.py} for the three patches)
  • Host-side secret files: ~/.config/claude-hooks/{penpot-creds,authelia-creds,penpot-cookie} (all 0600)
  • Existing analogue: commit 109fb12 feat(infra): bake patched forgejo-mcp into the image (closes #32) — mirror the pattern
  • Memory: mcp_merge_bug.md — documents the forgejo-mcp patch bake-in

Dependencies

  • Blocked by: nothing (everything needed is already on the host + in main).
  • Blocks: the full #56 designer loop.
  • Branch off: main.