Add ContextIQ partner plugin — governed enterprise knowledge access

partner-built/contextiq/.claude-plugin/plugin.json

@@ -0,0 +1,16 @@
+{
+  "name": "contextiq",
+  "version": "1.0.0",
+  "display_name": "ContextIQ",
+  "description": "Governed enterprise knowledge access with citations, entitlement scoping, and audit-ready answer paths. Query your organization's knowledge sources through AI assistants with evidence-backed responses.",
+  "author": {
+    "name": "TechMatrix AI Systems",
+    "url": "https://contextiq.us"
+  },
+  "homepage": "https://contextiq.us",
+  "repository": "https://github.com/TMX-AgenticAI/contextiq-cowork-plugin",
+  "license": "MIT",
+  "keywords": ["contextiq", "enterprise-knowledge", "governed-access", "citations", "mcp", "rag", "compliance", "audit"],
+  "documentation": "https://contextiq-releases.s3.us-west-2.amazonaws.com/essentials/latest/templates/README.md",
+  "setup_instructions": "End users: run ./contextiq-setup with the setup URL or config file provided by your admin. Admins: deploy ContextIQ Essentials (see quickstart guide), then run ./contextiq-setup --export-config --publish --email-to <users> to onboard your team."
+}

partner-built/contextiq/.mcp.json

@@ -0,0 +1,12 @@
+{
+  "mcpServers": {
+    "contextiq": {
+      "command": "python3",
+      "args": ["contextiq-mcp-proxy"],
+      "cwd": "${PLUGIN_DIR}",
+      "env": {
+        "CONTEXTIQ_GATEWAY_URL": "${CONTEXTIQ_GATEWAY_URL}"
+      }
+    }
+  }
+}

partner-built/contextiq/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 TechMatrix AI Systems
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

partner-built/contextiq/README.md

@@ -0,0 +1,123 @@
+# ContextIQ Plugin for Cowork and Claude Code
+
+Governed enterprise knowledge access — cited answers, entitlement-scoped retrieval, and audit-ready answer paths — powered by [ContextIQ](https://contextiq.us).
+
+---
+
+## What This Plugin Does
+
+ContextIQ connects Cowork and Claude Desktop to your organization's knowledge sources through Model Context Protocol (MCP). It controls which sources each user can query, returns cited answers with source evidence, and keeps retrieval scoped to authorized entitlements.
+
+| Skill | Description |
+|---|---|
+| **Governed Query** | Ask questions answered from authorized enterprise sources with cited evidence |
+| **Source Discovery** | List available knowledge sources scoped to your entitlements |
+
+---
+
+## Requirements
+
+- Python 3.10+
+- Cognito username and password (provided by your admin)
+- Setup link or config file (provided by your admin)
+- No AWS CLI, AWS account, or backend access required — everything runs through the admin's deployment
+
+**Admins** — ContextIQ must be deployed before users can connect. See the [Quickstart Guide](https://contextiq-releases.s3.us-west-2.amazonaws.com/essentials/latest/templates/README.md) for deployment, user creation, and distribution options.
+
+---
+
+## Setup
+
+End users do not need AWS CLI, direct backend access, or any infrastructure setup. Your admin deploys ContextIQ and manages the knowledge bases — you just need a setup link or config file from your admin to connect.
+
+### From a setup link (recommended)
+
+Your admin will share a setup link via email, Slack, or your internal wiki.
+
+```bash
+./contextiq-setup --url "https://your-setup-link..."
+```
+
+Enter your username and password when prompted. Done.
+
+### From a config file
+
+If your admin sent a `contextiq-connection.json` file:
+
+1. Save it to your Downloads folder
+2. Run `./contextiq-setup`
+
+The script auto-detects the config from these locations (checked in order):
+- `~/.contextiq/contextiq-connection.json`
+- `~/Downloads/contextiq-connection.json`
+- Current directory
+- Plugin directory
+
+You can also point to the file explicitly:
+
+```bash
+./contextiq-setup --config /path/to/contextiq-connection.json
+```
+
+### Admin self-setup (fallback)
+
+If you are the admin who deployed ContextIQ and have AWS CLI configured with access to the deployment account, you can skip the config file and connect directly via CloudFormation discovery:
+
+```bash
+./contextiq-setup --username your-email@company.com
+```
+
+The script discovers the deployment automatically from CloudFormation stack outputs. See the [Quickstart Guide](https://contextiq-releases.s3.us-west-2.amazonaws.com/essentials/latest/templates/README.md) for full admin setup and team distribution options.
+
+### After setup
+
+Restart Cowork or Claude Desktop. Start asking questions about your enterprise knowledge — the plugin activates automatically when relevant.
+
+### Re-authentication
+
+Access tokens refresh automatically for 30 days. When you see a "session expired" error, re-run the same setup command you used initially.
+
+---
+
+## Admin Guide
+
+Admins deploy the ContextIQ backend, create user accounts, and distribute connection configs. All of this is covered in the Quickstart Guide:
+
+**[Quickstart Guide — Deployment, User Management & Distribution](https://contextiq-releases.s3.us-west-2.amazonaws.com/essentials/latest/templates/README.md)**
+
+The quickstart covers:
+- CloudFormation deployment (~20-30 minutes)
+- Cognito user creation (standalone user pools; contact hello@contextiq.us for Active Directory, SAML, or SSO integration via ContextIQ Enterprise)
+- Team distribution via automated email (S3 + SES), shareable link, or config file attachment
+- Admin command reference for `contextiq-setup`
+
+Supported regions: us-east-1 or us-west-2. Requires Bedrock model access (Anthropic Claude + Amazon Titan Embed Text V2).
+
+---
+
+## Troubleshooting
+
+| Error | Fix |
+|-------|-----|
+| "No gateway URL configured" | Run `contextiq-setup` first |
+| "Session expired" | Re-run `contextiq-setup` to refresh tokens |
+| "No connection config found" | Save `contextiq-connection.json` to `~/Downloads/` or use `--config` / `--url` flag |
+| "Authentication failed" | Check username and password; if first login, use the temporary password from your welcome email |
+| Tools not appearing in Claude | Restart Cowork/Claude Desktop; verify `contextiq-mcp-proxy` is executable (`chmod +x`) |
+
+For admin-side issues (CloudFormation, S3 publishing, SES), see the [Quickstart Guide troubleshooting section](https://contextiq-releases.s3.us-west-2.amazonaws.com/essentials/latest/templates/README.md).
+
+---
+
+## Resources
+
+- **Quickstart guide:** [Deployment & setup instructions](https://contextiq-releases.s3.us-west-2.amazonaws.com/essentials/latest/templates/README.md)
+- **Website:** [contextiq.us](https://contextiq.us)
+- **Support:** hello@contextiq.us
+- **Enterprise:** Contact us for broader source coverage, custom guardrails, domain-specific validation, and guided rollout
+
+---
+
+## License
+
+MIT — see [LICENSE](LICENSE) for details.

partner-built/contextiq/contextiq-mcp-proxy

@@ -0,0 +1,197 @@
+#!/usr/bin/env python3
+"""Stdio-to-HTTP MCP proxy for ContextIQ.
+
+Claude Desktop / Cowork launches this as a local stdio MCP server. It proxies
+JSON-RPC messages to the remote ContextIQ gateway over HTTP, obtaining and
+refreshing Cognito tokens automatically.
+
+Token lifecycle (zero external dependencies — stdlib only):
+  1. Use cached access_token if still valid
+  2. If expired, use cached refresh_token (valid 30 days) via Cognito API
+  3. If refresh_token also expired, prompt user to re-run contextiq-setup
+
+First-time setup: run `contextiq-setup` to authenticate and cache tokens.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import sys
+import time
+import urllib.request
+import urllib.error
+from pathlib import Path
+
+AUTH_CACHE_PATH = Path.home() / ".contextiq" / "auth.json"
+TOKEN_SKEW_S = 120
+
+
+def _resolve_gateway_url() -> str:
+    env = os.environ.get("CONTEXTIQ_GATEWAY_URL")
+    if env:
+        return env
+    try:
+        url = json.loads(AUTH_CACHE_PATH.read_text()).get("gateway_url")
+        if url:
+            return url
+    except Exception:
+        pass
+    raise RuntimeError(
+        "ContextIQ: no gateway URL configured. "
+        "Run 'contextiq-setup' or set CONTEXTIQ_GATEWAY_URL."
+    )
+
+
+def _decode_jwt_field(token: str, field: str):
+    try:
+        payload = token.split(".")[1]
+        payload += "=" * (-len(payload) % 4)
+        claims = json.loads(base64.urlsafe_b64decode(payload))
+        return claims.get(field)
+    except Exception:
+        return None
+
+
+def _token_valid(token: str | None) -> bool:
+    if not token:
+        return False
+    exp = _decode_jwt_field(token, "exp")
+    return isinstance(exp, (int, float)) and exp > time.time() + TOKEN_SKEW_S
+
+
+def _load_cache() -> dict:
+    try:
+        return json.loads(AUTH_CACHE_PATH.read_text())
+    except Exception:
+        return {}
+
+
+def _save_cache(data: dict) -> None:
+    AUTH_CACHE_PATH.parent.mkdir(parents=True, exist_ok=True)
+    AUTH_CACHE_PATH.write_text(json.dumps(data, indent=2))
+
+
+def _cognito_initiate_auth(region: str, client_id: str, auth_flow: str, auth_params: dict) -> dict:
+    endpoint = f"https://cognito-idp.{region}.amazonaws.com/"
+    body = json.dumps({
+        "AuthFlow": auth_flow,
+        "ClientId": client_id,
+        "AuthParameters": auth_params,
+    }).encode("utf-8")
+    req = urllib.request.Request(
+        endpoint,
+        data=body,
+        headers={
+            "Content-Type": "application/x-amz-json-1.1",
+            "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
+        },
+        method="POST",
+    )
+    with urllib.request.urlopen(req, timeout=30) as resp:
+        return json.loads(resp.read().decode("utf-8"))
+
+
+def _refresh_access_token(cached: dict) -> str | None:
+    refresh_token = cached.get("refresh_token")
+    client_id = cached.get("client_id")
+    region = cached.get("region")
+    if not all([refresh_token, client_id, region]):
+        return None
+    try:
+        result = _cognito_initiate_auth(
+            region, client_id,
+            "REFRESH_TOKEN_AUTH",
+            {"REFRESH_TOKEN": refresh_token},
+        )
+        token = result["AuthenticationResult"]["AccessToken"]
+        cached["access_token"] = token
+        cached["access_exp"] = _decode_jwt_field(token, "exp")
+        cached["updated_at"] = int(time.time())
+        _save_cache(cached)
+        return token
+    except Exception:
+        return None
+
+
+def _get_token() -> str:
+    cached = _load_cache()
+    token = cached.get("access_token")
+    if _token_valid(token):
+        return token
+
+    refreshed = _refresh_access_token(cached)
+    if refreshed:
+        return refreshed
+
+    raise RuntimeError(
+        "ContextIQ: session expired. Run 'contextiq-setup' to re-authenticate."
+    )
+
+
+def _parse_sse_response(raw: str) -> dict:
+    for line in raw.splitlines():
+        if line.startswith("data: "):
+            return json.loads(line[6:])
+    return json.loads(raw)
+
+
+def _forward_to_gateway(rpc_message: dict) -> dict:
+    token = _get_token()
+    gateway_url = _resolve_gateway_url()
+    body = json.dumps(rpc_message).encode("utf-8")
+    req = urllib.request.Request(
+        gateway_url,
+        data=body,
+        headers={
+            "Authorization": f"Bearer {token}",
+            "Content-Type": "application/json",
+            "Accept": "application/json, text/event-stream",
+        },
+        method="POST",
+    )
+    with urllib.request.urlopen(req, timeout=120) as resp:
+        content_type = resp.headers.get("Content-Type", "")
+        raw = resp.read().decode("utf-8")
+        if "text/event-stream" in content_type:
+            return _parse_sse_response(raw)
+        return json.loads(raw)
+
+
+def main() -> None:
+    for line in sys.stdin:
+        line = line.strip()
+        if not line:
+            continue
+
+        try:
+            rpc_message = json.loads(line)
+        except json.JSONDecodeError:
+            continue
+
+        is_notification = "id" not in rpc_message
+
+        try:
+            response = _forward_to_gateway(rpc_message)
+        except Exception as e:
+            if is_notification:
+                continue
+            response = {
+                "jsonrpc": "2.0",
+                "id": rpc_message.get("id"),
+                "error": {
+                    "code": -32000,
+                    "message": str(e),
+                },
+            }
+
+        if is_notification:
+            continue
+
+        sys.stdout.write(json.dumps(response) + "\n")
+        sys.stdout.flush()
+
+
+if __name__ == "__main__":
+    main()