feat(mcp-gateway): scaffold runtime worker#3697
Conversation
![kilo-code-bot[bot]](https://avatars.githubusercontent.com/in/2193792?s=60&v=4){kind=small}
| import { notImplementedResponse } from '../lib/responses'; | ||
|
|
||
| export function handleUserConnect(c: Context<MCPGatewayEnv>, params: UserConnectRouteParams) { | ||
| UserConnectRouteParamsSchema.parse(params); |
There was a problem hiding this comment.
WARNING: Zod parse result is discarded — use the validated value
The result of UserConnectRouteParamsSchema.parse(params) is thrown away and the original params argument (which TypeScript accepts as UserConnectRouteParams but has not actually been validated at the call site — the caller passes c.req.param() which is Record<string, string>) is used implicitly by the stub response. This is currently harmless because the handler only calls notImplementedResponse, but as soon as real logic is added the handler will operate on the raw Hono path params rather than the Zod-validated and potentially-transformed object. It is also inconsistent with the IO-boundary convention documented in AGENTS.md.
Suggest:
const validatedParams = UserConnectRouteParamsSchema.parse(params);
// use validatedParams going forwardSame pattern applies to handleOrgConnect on line 17.
| c: Context<MCPGatewayEnv>, | ||
| params: UserConnectRouteParams | ||
| ) { | ||
| UserConnectRouteParamsSchema.parse(params); |
There was a problem hiding this comment.
WARNING: Zod parse result is discarded — use the validated value
Same issue as connect.handler.ts:12: UserConnectRouteParamsSchema.parse(params) validates but the returned object is ignored. Use the return value when real logic is added so Zod transforms/coercions are not silently bypassed. Same applies to OrgConnectRouteParamsSchema.parse(params) on line 27.
Code Review SummaryStatus: 2 Issues Found | Recommendation: Address before merge Executive SummaryDiscarded Zod parse return values in all four route handlers will silently bypass Zod transforms once real business logic is added, violating the IO-boundary contract in Overview
Issue Details (click to expand)WARNING
Other Observations (not in diff)Wildcard route params include a
Files Reviewed (11 files)
Fix these issues in Kilo Cloud Reviewed by claude-sonnet-4.6 · 888,341 tokens Review guidance: REVIEW.md from base branch |
1 participant
Summary
services/mcp-gatewayWorker scaffold for the app-owned control plane / Worker-owned runtime architecture, including top-level production Wrangler config,env.dev, Hyperdrive, per-instance DO binding, Analytics Engine binding, generated Worker types, and local service docs./health, scoped/mcp-connect/...runtime routes, and generic/scoped protected-resource metadata routes; all gateway runtime routes remain501stubs so the service is safe to merge before OAuth/runtime implementation.Verification
pnpm --filter cloudflare-mcp-gateway devand confirmed the local Worker booted onhttp://0.0.0.0:8806.GET /healthlocally and confirmed200with{"status":"ok","service":"mcp-gateway"}.GET /mcp-connect/user/user-123/config-123/route-123locally and confirmed501with{"status":"not_implemented"}.Visual Changes
N/A
Reviewer Notes
mcp.kilo.aior implement OAuth, gateway tables/migrations, provider discovery, proxying, or DO domain behavior.env.dev; the compatibility date is pinned to2026-05-15because that was the newest date supported by the local Wrangler runtime used during validation.