|
| 1 | +// Local-only — REPRO + guard for "I've been running executor as stdio as get |
| 2 | +// errors trying http one in opencode". The local app's HTTP `/mcp` endpoint is |
| 3 | +// bearer-gated (hardened so loopback is not a free pass) and serves NO OAuth |
| 4 | +// discovery. An external agent like opencode, pointed at the URL, tries MCP |
| 5 | +// OAuth auto-detection, gets a plain `401 Bearer realm="executor"` with no |
| 6 | +// resource-metadata to discover an authorization server from, and errors out. |
| 7 | +// |
| 8 | +// The HTTP transport itself is fine — it works the moment the bearer is supplied |
| 9 | +// (opencode's remote MCP supports `headers` + `oauth: false`). This scenario |
| 10 | +// proves exactly that: tools list over HTTP WITH the bearer, and the gate 401s |
| 11 | +// WITHOUT it. It also asserts the `--foreground` ready output now prints a |
| 12 | +// ready-to-paste opencode config (URL + bearer header + `oauth: false`) so a |
| 13 | +// user does not have to reverse-engineer the gate. |
| 14 | +import { expect } from "@effect/vitest"; |
| 15 | +import { Effect } from "effect"; |
| 16 | +import { Client } from "@modelcontextprotocol/sdk/client/index.js"; |
| 17 | +import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js"; |
| 18 | + |
| 19 | +import { scenario } from "../src/scenario"; |
| 20 | +import { Cli, RunDir } from "../src/services"; |
| 21 | +import { withLocalServer } from "./local-server"; |
| 22 | + |
| 23 | +/** Connect an MCP client to the local `/mcp` over HTTP and list tools. Rejects |
| 24 | + * if the bearer gate (or transport) refuses the connection. */ |
| 25 | +const listToolsOverHttp = async ( |
| 26 | + origin: string, |
| 27 | + headers?: Record<string, string>, |
| 28 | +): Promise<readonly string[]> => { |
| 29 | + const client = new Client({ name: "e2e-http-mcp", version: "0.0.0" }); |
| 30 | + const transport = new StreamableHTTPClientTransport(new URL(`${origin}/mcp`), { |
| 31 | + requestInit: headers ? { headers } : undefined, |
| 32 | + }); |
| 33 | + await client.connect(transport); |
| 34 | + try { |
| 35 | + const { tools } = await client.listTools(); |
| 36 | + return tools.map((t) => t.name); |
| 37 | + } finally { |
| 38 | + await client.close().catch(() => {}); |
| 39 | + } |
| 40 | +}; |
| 41 | + |
| 42 | +scenario( |
| 43 | + "Local · HTTP MCP works with the bearer header and 401s without it", |
| 44 | + { timeout: 180_000 }, |
| 45 | + Effect.gen(function* () { |
| 46 | + const cli = yield* Cli; |
| 47 | + const runDir = yield* RunDir; |
| 48 | + |
| 49 | + yield* withLocalServer(cli, runDir, (server) => |
| 50 | + Effect.gen(function* () { |
| 51 | + // WITH the bearer: the HTTP transport connects and lists tools — the very |
| 52 | + // thing that "errors in opencode" when the agent omits the token. |
| 53 | + const tools = yield* Effect.promise(() => |
| 54 | + listToolsOverHttp(server.origin, { authorization: `Bearer ${server.token}` }), |
| 55 | + ); |
| 56 | + expect( |
| 57 | + tools.length, |
| 58 | + "HTTP MCP lists tools once the bearer is supplied", |
| 59 | + ).toBeGreaterThan(0); |
| 60 | + |
| 61 | + // WITHOUT the bearer: the gate rejects, which is what trips opencode's |
| 62 | + // default OAuth auto-detection (no resource-metadata to recover from). |
| 63 | + const unauthorized = yield* Effect.promise(async () => { |
| 64 | + try { |
| 65 | + await listToolsOverHttp(server.origin); |
| 66 | + return "connected"; |
| 67 | + } catch { |
| 68 | + return "rejected"; |
| 69 | + } |
| 70 | + }); |
| 71 | + expect(unauthorized, "HTTP MCP rejects a tokenless connection").toBe("rejected"); |
| 72 | + }), |
| 73 | + ); |
| 74 | + }), |
| 75 | +); |
0 commit comments