[MCP reslice 1/2] @churnkey/mcp transport + OAuth client #24
Merged
This was referenced Jun 16, 2026
robert-moore
approved these changes
Jun 25, 2026
jordancardwell
approved these changes
Jun 25, 2026
Carve the transport/OAuth/client layer of the MCP overhaul off origin/main:
- OAuth login/token/storage (src/auth/*) + auth commands
- HTTP transport (http.ts), client.ts, config.ts, server.ts, bin.ts, index.ts
- package metadata (package.json, CHANGELOG, README), scripts, root manifests
- auth/client/config/http test suites
- dsr.ts (description hardening) carried here since it only depends on pre-existing framework files
- src/tools/index.ts reduced to register zero tools so the framework builds without the tool catalog (restored in reslice 2/2)

…+ exhaustive tests

resolvePublicUrl built the RFC 9728 resource identifier from config.port, so an ephemeral bind (port 0) with no CHURNKEY_MCP_PUBLIC_URL advertised an unusable "http://host:0". Refresh publicUrl/resourceMetadataUrl from server.address() after listen() so the real bound port is used. Harmless in prod (real port or explicit public URL); fixes the ephemeral case.

Also lands the exhaustive @churnkey/mcp coverage suite (auth/client/config/http adversarial, bin, commands, login, server tool-wrapper) — 178 tests, taking the transport+OAuth-client base to ~100% on client/config/server/oauth/storage and high coverage on http/tokens/login.

server.test.ts hardened to reset its captured client each test (hermetic under any runner pooling).
The OAuth login already authenticates the user; referencing the legacy Data API key in the success message is noise. The authStatus fallback warning (key-in-env overrides OAuth) is kept since that's a real gotcha.
…05 probe)

Hardening the Streamable HTTP transport so pasting our URL into the major MCP clients connects with no manual fiddling. Grounded in the MCP auth spec (2025-11-25) + RFC 9728/8414/7591.
- Path-aware protected-resource metadata: also serve it at `/.well-known/oauth-protected-resource/mcp` (the path-inserted form clients derive from the MCP endpoint URL), not just the root well-known. Some clients probe the path-aware variant.
- GET/DELETE with no session now returns 405 + `Allow: POST` instead of 400 — some clients' transport detection expects 405 on a bare GET to the endpoint.
- CORS expose-headers now includes `mcp-protocol-version` and `www-authenticate` so browser-based clients can read them. (CORS itself stays gated on CHURNKEY_MCP_CORS_ORIGIN, unchanged.)

179 mcp tests pass (added a path-aware-variant test); typecheck + biome clean.
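The port-0 resource identifier and the path-aware metadata URL from the two commit messages above, as an added example that is not code from this PR: it derives the RFC 9728 well-known URLs for an endpoint, resolves the advertised base URL from the bound port, and checks a metadata document the way a client would. The function names, the sample host, port 49152 and `auth.example.test` are assumptions for illustration.

```javascript
// Added example, not code from the PR. All function names are hypothetical.
const WELL_KNOWN = "/.well-known/oauth-protected-resource";

// RFC 9728 section 3.1: the well-known segment goes between the host and the
// resource path. Path-aware form first, root form as the fallback.
function metadataCandidates(endpointUrl) {
  const u = new URL(endpointUrl);
  const root = `${u.origin}${WELL_KNOWN}`;
  return u.pathname === "/" ? [root] : [`${root}${u.pathname}`, root];
}

// An explicit public URL wins. Otherwise use the port the socket actually
// bound to: the configured port is 0 for an ephemeral bind.
function publicBaseUrl({ publicUrl, host, port }, boundPort) {
  if (publicUrl) return publicUrl.replace(/\/+$/, "");
  const effective = port === 0 ? boundPort : port;
  if (!Number.isInteger(effective) || effective < 1 || effective > 65535) {
    throw new Error("no usable port: resolve after listen() or set a public URL");
  }
  return `http://${host}:${effective}`;
}

// Client-side check of a fetched metadata document (RFC 9728 section 3.3):
// the advertised resource must be the URL the client is connecting to.
function metadataProblems(endpointUrl, metadata) {
  let resource;
  try {
    resource = new URL(metadata.resource);
  } catch {
    return ["resource is missing or not an absolute URL"];
  }
  const problems = [];
  if (resource.port === "0") problems.push("resource advertises port 0");
  if (resource.href !== new URL(endpointUrl).href) problems.push("resource does not match the endpoint URL");
  // The MCP authorization spec requires at least one authorization server.
  const servers = metadata.authorization_servers;
  if (!Array.isArray(servers) || servers.length === 0) problems.push("no authorization_servers listed");
  return problems;
}

// Constructed sample: ephemeral bind on loopback, the OS picked port 49152.
const base = publicBaseUrl({ host: "127.0.0.1", port: 0 }, 49152);
console.log(metadataCandidates(`${base}/mcp`));
console.log(metadataProblems(`${base}/mcp`, {
  resource: "http://127.0.0.1:0/mcp", // the unusable pre-fix value
  authorization_servers: ["https://auth.example.test"],
}));
```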
f7bae95 to cc9d339
This was referenced Jun 30, 2026
Part of the MCP reslice — the @churnkey/mcp overhaul (#23) carved into reviewable slices. 1 of 2.
This PR — transport + OAuth + client infra: the Streamable HTTP transport (http.ts, bin.ts --http), OAuth login/token/storage (src/auth/*), client.ts (incl. capturing the acting-org headers), config.ts, server.ts (surfaces acting-org per tool result), and the auth/client/config/http test suites. Tools land in 2/2 (the tools/index.ts registry is empty here).

Stack: base main; followed by [MCP reslice 2/2] tools.

Supersedes: the transport/OAuth portion of #23 (and the stale #10/#15).
Verified: typecheck + build clean; 28/28 tests.
🤖 Generated with Claude Code
Ships XDEV-2334 — MCP Authentication via OAuth + role-based scopes: https://linear.app/churnkey/issue/XDEV-2334