Skip to content

test(oauth): Complete headless MCP auth fixture#847

Draft
dcramer wants to merge 4 commits into
mainfrom
codex/oauth-adversarial-mock
Draft

test(oauth): Complete headless MCP auth fixture#847
dcramer wants to merge 4 commits into
mainfrom
codex/oauth-adversarial-mock

Conversation

@dcramer

@dcramer dcramer commented Jul 11, 2026

Copy link
Copy Markdown
Member

Extends the existing MCP OAuth MSW fixture just enough for Junior's product integrations to stop injecting a magic authorization code. The fixture now performs a headless DCR and authorization transition, preserves state, validates the exact callback URI and S256 PKCE verifier, and issues the token consumed by the resumed MCP request.

The existing callback and Slack runtime integrations traverse that fixture directly. There is no separate test suite for the fixture, no production OAuth code, and no refresh or concurrency simulation until a production behavior test requires it.

Refs #838

dcramer and others added 2 commits July 11, 2026 00:43
Exercise registered client identity, browser-issued PKCE grants, rotating refresh families, scope boundaries, and interleaved flows through the shared MSW integration server. Keep captured protocol diagnostics secret-free and require callback tests to traverse the real authorization endpoint.

Refs #838

Co-Authored-By: GPT-5 Codex <noreply@openai.com>
Route generic and MCP callback pages through one response policy that disables caching and referrers and applies restrictive CSP and content-type protections. Preserve the existing success guidance without duplicating callback copy.

Refs #842

Co-Authored-By: GPT-5 Codex <noreply@openai.com>
@vercel

vercel Bot commented Jul 11, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
junior-docs Ready Ready Preview Jul 11, 2026 1:53pm

Request Review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit ca97bb8. Configure here.

Comment thread packages/junior/tests/msw/handlers/eval-mcp-auth.ts Outdated
This reverts commit ca97bb8.

Reason: Keep the OAuth test-foundation PR headless and test-only. Track callback response hardening separately from the mock authorization server.

Co-Authored-By: GPT-5 Codex <noreply@openai.com>
@dcramer dcramer changed the title test(oauth): Add adversarial MCP authorization server test(oauth): Add headless MCP authorization harness Jul 11, 2026
Keep the shared OAuth fixture focused on product integration behavior. Remove the harness-only integration suite and unused concurrency and refresh machinery while retaining headless DCR, state, PKCE, code exchange, and callback coverage.

Refs #838

Co-Authored-By: GPT-5 Codex <noreply@openai.com>
@dcramer dcramer changed the title test(oauth): Add headless MCP authorization harness test(oauth): Complete headless MCP auth fixture Jul 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant