Use JSON-RPC ping for OAuth auth-discovery probe

The probe POST previously sent a JSON-RPC `initialize`, which a strict
MCP mock (and potentially some real servers) counted as a real handshake
alongside the actual ECA initialize. The integration test
`mcp-remote-server-connects` asserts `(= 1 (count init-reqs))` and broke
with `(not (= 1 2))`.

Switch the probe to a JSON-RPC `ping`:
- Still a valid JSON-RPC envelope, so OAuth-protected servers (Figma,
  Glean, etc.) still hit their auth middleware and emit the expected
  401 + www-authenticate.
- Never confused with the real MCP handshake by servers that maintain
  per-connection state or by test mocks that bucket requests by method.

🤖 Generated with [eca](https://eca.dev)

Co-Authored-By: eca-agent <git@eca.dev>

Author: ericdallo

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Use a JSON-RPC `ping` (instead of `initialize`) for the OAuth auth-discovery probe, so the probe POST is never counted as a real handshake by servers or tests that track requests by method name.
+
 ## 0.134.1
 
 - Support optional `clientName` config field for MCP servers to override the OAuth Dynamic Client Registration `client_name` (useful for servers that allowlist clients by name, e.g. Figma).

src/eca/oauth.clj

@@ -150,26 +150,26 @@
   (and (= 401 (:status response))
        (some? (get (:headers response) "www-authenticate"))))
 
-(def ^:private probe-initialize-body
-  "JSON-RPC initialize body used to probe for OAuth challenges. Some servers
-   (e.g. Figma) only return 401 + www-authenticate when the request body is a
-   recognizable MCP initialize message; a bare '{}' is treated as malformed and
-   yields a generic JSON-RPC error instead of an auth challenge."
+(def ^:private probe-ping-body
+  "JSON-RPC ping body used to probe for OAuth challenges. Some servers
+   (e.g. Figma) only return 401 + www-authenticate when the request body is
+   a recognizable MCP message; a bare '{}' is treated as malformed and yields
+   a generic JSON-RPC error instead of an auth challenge.
+   `ping` is used (rather than `initialize`) so the probe is never confused
+   with the real MCP handshake by servers that maintain per-connection state
+   or by test mocks that count requests by method name."
   (json/generate-string
    {:jsonrpc "2.0"
     :id 0
-    :method "initialize"
-    :params {:protocolVersion "2024-11-05"
-             :capabilities {}
-             :clientInfo {:name "eca" :version "probe"}}}))
+    :method "ping"}))
 
 (defn ^:private probe-auth
   "Probe the MCP server for a 401 auth challenge with www-authenticate header.
-   Tries HEAD first; falls back to POST with a JSON-RPC initialize body if HEAD
+   Tries HEAD first; falls back to POST with a JSON-RPC ping body if HEAD
    doesn't return a valid challenge (some servers like Glean don't support HEAD,
    some proxies like istio-envoy return 401 on HEAD without actually requiring
    auth, and some servers like Figma only emit the auth challenge in response to
-   a valid MCP initialize request)."
+   a recognizable MCP request)."
   [^String url]
   (let [head-response (http/head url {:timeout 10000
                                       :throw-exceptions? false})]
@@ -179,7 +179,7 @@
                                           :throw-exceptions? false
                                           :headers {"Content-Type" "application/json"
                                                     "Accept" "application/json, text/event-stream"}
-                                          :body probe-initialize-body})]
+                                          :body probe-ping-body})]
         (when (valid-auth-challenge? post-response)
           post-response)))))