[MCP reslice 1/2] @churnkey/mcp transport + OAuth client #24

Merged: hookdump merged 4 commits into main from reslice/mcp-1-transport-oauth, Jun 25, 2026

hookdump commented Jun 16, 2026

Contributor

Part of the MCP reslice — the @churnkey/mcp overhaul (#23) carved into reviewable slices. 1 of 2.

This PR — transport + OAuth + client infra: the Streamable HTTP transport (http.ts, bin.ts --http), OAuth login/token/storage (src/auth/*), client.ts (incl. capturing the acting-org headers), config.ts, server.ts (surfaces acting-org per tool result), and the auth/client/config/http test suites. Tools land in 2/2 (the tools/index.ts registry is empty here).

Stack: base main; followed by [MCP reslice 2/2] tools.
Supersedes: the transport/OAuth portion of #23 (and the stale #10/#15).
Verified: typecheck + build clean; 28/28 tests.

🤖 Generated with Claude Code

Ships XDEV-2334 — MCP Authentication via OAuth + role-based scopes: https://linear.app/churnkey/issue/XDEV-2334

jordancardwell self-requested a review June 25, 2026 18:48
hookdump added 4 commits June 25, 2026 18:19
Carve the transport/OAuth/client layer of the MCP overhaul off origin/main:
- OAuth login/token/storage (src/auth/*) + auth commands
- HTTP transport (http.ts), client.ts, config.ts, server.ts, bin.ts, index.ts
- package metadata (package.json, CHANGELOG, README), scripts, root manifests
- auth/client/config/http test suites
- dsr.ts (description hardening) carried here since it only depends on
  pre-existing framework files
- src/tools/index.ts reduced to register zero tools so the framework builds
  without the tool catalog (restored in reslice 2/2)

…+ exhaustive tests

resolvePublicUrl built the RFC 9728 resource identifier from config.port, so an
ephemeral bind (port 0) with no CHURNKEY_MCP_PUBLIC_URL advertised an unusable
"http://host:0". Refresh publicUrl/resourceMetadataUrl from server.address()
after listen() so the real bound port is used. Harmless in prod (real port or
explicit public URL); fixes the ephemeral case.

Also lands the exhaustive @churnkey/mcp coverage suite (auth/client/config/http
adversarial, bin, commands, login, server tool-wrapper) — 178 tests, taking the
transport+OAuth-client base to ~100% on client/config/server/oauth/storage and
high coverage on http/tokens/login. server.test.ts hardened to reset its
captured client each test (hermetic under any runner pooling).

The OAuth login already authenticates the user; referencing the legacy
Data API key in the success message is noise. The authStatus fallback
warning (key-in-env overrides OAuth) is kept since that's a real gotcha.

…05 probe)

Hardening the Streamable HTTP transport so pasting our URL into the major MCP
clients connects with no manual fiddling. Grounded in the MCP auth spec
(2025-11-25) + RFC 9728/8414/7591.

- Path-aware protected-resource metadata: also serve it at
  `/.well-known/oauth-protected-resource/mcp` (the path-inserted form clients
  derive from the MCP endpoint URL), not just the root well-known. Some clients
  probe the path-aware variant.
- GET/DELETE with no session now returns 405 + `Allow: POST` instead of 400 —
  some clients' transport detection expects 405 on a bare GET to the endpoint.
- CORS expose-headers now includes `mcp-protocol-version` and `www-authenticate`
  so browser-based clients can read them. (CORS itself stays gated on
  CHURNKEY_MCP_CORS_ORIGIN, unchanged.)

179 mcp tests pass (added a path-aware-variant test); typecheck + biome clean.
hookdump force-pushed the reslice/mcp-1-transport-oauth branch from f7bae95 to cc9d339 June 25, 2026 21:19
hookdump merged commit f1eb1ff into main Jun 25, 2026
1 check passed
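
The commit messages above describe two discovery behaviours: advertising the resource URL from the port actually bound, and serving RFC 9728 metadata at both the root and the path-inserted well-known location. The sketch below is an added example, not code from this PR or from @churnkey/mcp; `BindConfig`, `resolvePublicUrl` as written here, `metadataUrls`, and the refusal to advertise port 0 are assumptions made for illustration.

```typescript
// Added example: every name and shape here is an assumption, not @churnkey/mcp code.
interface BindConfig {
  host: string;
  port: number; // 0 asks the OS for an ephemeral port
  publicUrl?: string; // explicit override (the role CHURNKEY_MCP_PUBLIC_URL plays)
}

const WELL_KNOWN = "/.well-known/oauth-protected-resource";

// Base URL to advertise. `boundPort` is the port read back from
// server.address() after listen(); before listen() it is undefined.
function resolvePublicUrl(cfg: BindConfig, boundPort?: number): string {
  if (cfg.publicUrl) return cfg.publicUrl.replace(/\/+$/, "");
  const port = boundPort ?? cfg.port;
  // Design choice of this example: refuse to advertise the unusable ":0".
  if (port === 0) {
    throw new Error("ephemeral bind: resolve the public URL after listen()");
  }
  return `http://${cfg.host}:${port}`;
}

// RFC 9728 metadata locations for an endpoint path such as "/mcp":
// the root well-known URL plus the path-inserted form.
function metadataUrls(publicUrl: string, endpointPath: string): string[] {
  const origin = new URL(publicUrl).origin;
  const path = endpointPath.replace(/\/+$/, "");
  const urls = [origin + WELL_KNOWN];
  if (path !== "") urls.push(origin + WELL_KNOWN + path);
  return urls;
}

// Constructed sample: ephemeral bind on loopback, OS assigned port 54321.
const sampleBase = resolvePublicUrl({ host: "127.0.0.1", port: 0 }, 54321);
console.log(metadataUrls(sampleBase, "/mcp"));
```

A test for the ephemeral case can assert that neither advertised URL contains `:0` once the bound port has been read back.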