What is the 'Neural Link'?

The Neural Link is a bi-directional bridge that connects AI agents (like Gemini or Claude) directly to the Neo.mjs runtime. It allows agents to 'see' the application's Scene Graph, inspect component state, verify event listeners, and even mutate the running application in real-time. This turns the application into a 'glass box' for AI, enabling autonomous debugging and feature development.

Why is Neo.mjs called an 'Application Engine' instead of a framework?

Traditional frameworks are general-purpose libraries (like a Toyota) that help you organize code, but they compile away into ephemeral DOM nodes. Neo.mjs is a precision-engineered runtime (like an F1 car), similar to Unreal Engine for games. It maintains a persistent 'Scene Graph' of objects in a separate worker thread. These objects retain their identity, state, and relationships, allowing for advanced capabilities like multi-window orchestration, runtime permutation, and deep AI introspection that are impossible with 'melted plastic' DOM-based frameworks.

What is 'Context Engineering'?

Context Engineering is the practice of curating the environment and information flow for AI agents to maximize their autonomy. In Neo.mjs, this is implemented via three Model Context Protocol (MCP) servers: a Knowledge Base for semantic code understanding, a Memory Core for learning from past sessions, and a GitHub Workflow server for project management. This ecosystem allows agents to work as fully integrated members of the development team.

What is 'Object Permanence' in the context of Neo.mjs?

In Neo.mjs, UI components are persistent JavaScript objects living in the App Worker, not just transient rendering results. This 'Object Permanence' means a component (like a Dashboard) maintains its state (scroll position, user input, internal logic) even if it is detached from the DOM or moved to a different browser window. This is the 'Lego Technic' approach versus the 'Duplo' approach of traditional frameworks.

What is an 'Agent Operating System'?

Neo.mjs v11 introduced the concept of an Agent OS, where the platform itself provides the tools and interfaces for AI agents to operate. It combines a standalone, type-safe AI SDK for autonomous 'Code Execution' with the Neural Link for runtime control. This enables agents to monitor, debug, and heal the application autonomously, effectively acting as an operating system for synthetic intelligence.

How does Neo.mjs handle multi-window applications?

Neo.mjs uses shared web workers to run a single application instance across multiple browser windows. All windows share the same application state and data in real-time. Components can even move between windows while retaining their JavaScript instances. This enables desktop-class experiences like multi-window IDEs, browser-based email clients, and multi-screen control rooms.

What makes Neo.mjs different from React, Angular, or Vue?

Neo.mjs is fundamentally different in its architecture: (1) It uses True Multithreading via web workers to prevent UI jank, (2) It is an AI-Native Application Engine with built-in bridges for AI collaboration, and (3) It treats components as persistent objects in a Scene Graph, enabling native multi-window support and runtime permutation.

Frontmatter

id	9558
title	Implement OIDC/OAuth Authorization for KB and Memory MCP Servers
state	Closed
labels	enhancementdeveloper-experienceaiarchitecture
assignees	tobiu
createdAt	Mar 26, 2026, 2:39 PM
updatedAt	Mar 26, 2026, 3:07 PM
githubUrl	https://github.com/neomjs/neo/issues/9558
author	tobiu
commentsCount	2
parentIssue	null
subIssues	[]
subIssuesCompleted	0
subIssuesTotal	0
blockedBy	[]
blocking	[]
closedAt	Mar 26, 2026, 2:51 PM

Implement OIDC/OAuth Authorization for KB and Memory MCP Servers

Name: Neo.mjs Application Engine
Author: Neo.mjs

Closed v12.1.0 enhancementdeveloper-experienceaiarchitecture

tobiu commented on Mar 26, 2026, 2:39 PM

Implement out-of-the-box OAuth 2.1 / OIDC authorization for the Knowledge Base and Memory Core MCP servers. This enables IaC-driven deployments using standard identity providers like Keycloak.

Requirements:

Map AUTH_HOST, AUTH_PORT, AUTH_REALM, OAUTH_CLIENT_ID, and OAUTH_CLIENT_SECRET in aiConfig.mjs.
In Server.mjs (for both knowledge-base and memory-core):
- Automatically setup the mcpAuthMetadataRouter for discovery.
- Implement a tokenVerifier using standard token introspection.
- Apply the requireBearerAuth middleware to the SSE transport.
Ensure the existing authMiddleware escape hatch remains functional.

tobiu added the enhancement label on Mar 26, 2026, 2:39 PM

tobiu added the developer-experience label on Mar 26, 2026, 2:39 PM

tobiu added the ai label on Mar 26, 2026, 2:39 PM

tobiu added the architecture label on Mar 26, 2026, 2:39 PM

tobiu referenced in commit db1cc18 - "Implement OIDC/OAuth 2.1 authorization for KB and Memory Core MCP servers (#9558)" on Mar 26, 2026, 2:50 PM

tobiu closed this issue on Mar 26, 2026, 2:51 PM

tobiu Mar 26, 2026, 2:55 PM

Input from Gemini 3.1 Pro:

✦ I have completed the implementation of OIDC/OAuth 2.1 authorization for the Knowledge Base and Memory Core MCP servers.

Key Enhancements:

Added auth configuration block to aiConfig.mjs to support AUTH_HOST, AUTH_PORT, AUTH_REALM, OAUTH_CLIENT_ID, and OAUTH_CLIENT_SECRET.

Updated Server.mjs to automatically wire up mcpAuthMetadataRouter, requireBearerAuth, and a standard tokenVerifier when AUTH_HOST is present.

Protocol Awareness: Implemented a getFullUrl helper that intelligently defaults to HTTPS for remote hosts while allowing HTTP for local development (localhost/127.0.0.1).

Consistency: Added import 'dotenv/config' to all MCP server entry points (KB, Memory, GitHub, Neural Link) to ensure environment variables are consistently loaded.

The servers are now ready for IaC-driven deployments using standard identity providers like Keycloak.

tobiu referenced in commit 8a66876 - "Implement CORS support for MCP servers (#9558)" on Mar 26, 2026, 2:57 PM

tobiu Mar 26, 2026, 2:57 PM

Added CORS support to Knowledge Base and Memory Core MCP servers for better cross-origin client compatibility.

tobiu referenced in commit 6cb5ba4 - "Implement OIDC/OAuth 2.1, CORS, and env mapping for MCP servers (#9558, #9560)" on Mar 26, 2026, 3:06 PM

tobiu assigned to @tobiu on Mar 26, 2026, 3:07 PM