Skip to content

fix: stabilize LocalToken so client configs never go stale (401)#898

Merged
IvanMurzak merged 1 commit into
mainfrom
worktree-ce7c387a48d2
Jul 16, 2026
Merged

fix: stabilize LocalToken so client configs never go stale (401)#898
IvanMurzak merged 1 commit into
mainfrom
worktree-ce7c387a48d2

Conversation

@IvanMurzak

Copy link
Copy Markdown
Owner

Summary

  • BUG-B (mcp-authorize i2, mcp-authorize i2: stabilize LocalToken and rewrite client configs on token change (fix 401) #897): in Custom + token mode the client .mcp.json ended up with a DIFFERENT token than the running local server → Claude Code 401.
  • Root cause / regen trigger identified: UnityConnectionConfig.SetDefault() assigns the freshly-generated local server token through the mode-routed Token setter after setting ConnectionMode = Cloud. So Token = GenerateToken() routed the local secret into CloudToken and left LocalToken unseeded. LocalToken initialization then fell entirely to the generate-if-empty fallback in GetOrCreateConfig, which let the persisted local token drift / regenerate and orphan the already-written client .mcp.json (stale Bearer → 401).
  • Fix: seed LocalToken directly in SetDefault() (GenerateToken() produces a local server secret; CloudToken is populated by Cloud sign-in, so it now correctly stays null). A persisted LocalToken is stable across construction, mode re-apply, and a serialize/deserialize (domain reload / save-load) round-trip, so the server launch token (McpServerManagerUnityMcpPluginEditor.Token) and the client-config Bearer (AgentConfiguratorSettingsFactoryUnityMcpPluginEditor.Token) stay in lockstep.
  • Token change (New button) → reconfigure: left unchanged. That path already restarts the server and calls InvalidateAndReloadAgentUI() → re-evaluates _configurator.GetStatus(...) == ReconfigureNeeded and shows the "Reconfiguration Required" alert (driven by sibling task i1's token-aware validator). No new plumbing needed here.
  • No version bump / no McpPlugin re-pin (client-side-only fix; coordinated bump + release is task i6).

Test plan

  • New LocalTokenStabilityTests (EditMode) — 5 tests, all pass: SetDefault seeds LocalToken not CloudToken; LocalToken stable across mode re-apply; survives save/load round-trip; round-trip leaves it non-empty (generate-if-empty stays a no-op); serializes under the token JSON field.
  • Full Unity EditMode suite (2022.3.62f3) — 0 failures across all runnable fixtures (chunked). One fixture, TestsRunDirtySceneTests, cannot run through the MCP tests-run tool (it mutates Tool_Tests' active-run bookkeeping, self-interfering with the tool's completion detection) and is validated by CI's direct Unity Test Runner instead — unrelated to this diff.
  • Unity PlayMode suite — 0 failures.

Closes #897

SetDefault() seeded the generated local server token into CloudToken instead of
LocalToken: it assigns via the mode-routed `Token` setter AFTER setting
ConnectionMode=Cloud, so `Token = GenerateToken()` routed the local secret into
CloudToken and left LocalToken unseeded. LocalToken initialization then fell to
the generate-if-empty fallback in GetOrCreateConfig, letting the persisted local
token drift/regenerate and orphan the already-written client `.mcp.json` (stale
Bearer -> Claude Code 401; mcp-authorize BUG-B).

Seed LocalToken directly in SetDefault() (GenerateToken() produces a local
server secret; CloudToken is populated by Cloud sign-in, so it stays null). A
persisted LocalToken is now stable across construction, mode re-apply, and a
serialize/deserialize (domain reload / save-load) round-trip, so the server
launch token and the client-config Bearer stay in lockstep.

Add LocalTokenStabilityTests (EditMode) locking the seeding invariant and the
three stability properties. The intentional-token-change path (New button) is
unchanged and already re-evaluates the reconfigure alert via
InvalidateAndReloadAgentUI -> GetStatus (sibling task i1's token-aware validator).

Closes #897
@IvanMurzak
IvanMurzak merged commit 9872d8f into main Jul 16, 2026
16 checks passed
@IvanMurzak
IvanMurzak deleted the worktree-ce7c387a48d2 branch July 16, 2026 23:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

mcp-authorize i2: stabilize LocalToken and rewrite client configs on token change (fix 401)

1 participant