addressed review comments

Author: blublinsky

README.md

@@ -302,20 +302,20 @@ MCP (Model Context Protocol) servers provide tools and capabilities to the AI ag
 
 **Basic Configuration Structure:**
 
-Each MCP server requires three fields:
+Each MCP server requires two fields:
 - `name`: Unique identifier for the MCP server
-- `provider_id`: MCP provider identification (typically `"model-context-protocol"`)
 - `url`: The endpoint where the MCP server is running
 
+And one optional field:
+- `provider_id`: MCP provider identification (defaults to `"model-context-protocol"`)
+
 **Minimal Example:**
 
 ```yaml
 mcp_servers:
   - name: "filesystem-tools"
-    provider_id: "model-context-protocol"
     url: "http://localhost:3000"
   - name: "git-tools"
-    provider_id: "model-context-protocol"
     url: "http://localhost:3001"
 ```
 
@@ -332,7 +332,6 @@ Store authentication tokens in secret files and reference them in your configura
 ```yaml
 mcp_servers:
   - name: "api-service"
-    provider_id: "model-context-protocol"
     url: "http://api-service:8080"
     authorization_headers:
       Authorization: "/var/secrets/api-token"      # Path to file containing token
@@ -356,7 +355,6 @@ Use the special `"kubernetes"` keyword to automatically use the authenticated us
 ```yaml
 mcp_servers:
   - name: "k8s-internal-service"
-    provider_id: "model-context-protocol"
     url: "http://internal-mcp.default.svc.cluster.local:8080"
     authorization_headers:
       Authorization: "kubernetes"    # Uses user's k8s token from request auth
@@ -371,7 +369,6 @@ Use the special `"client"` keyword to allow clients to provide custom tokens per
 ```yaml
 mcp_servers:
   - name: "user-specific-service"
-    provider_id: "model-context-protocol"
     url: "http://user-service:8080"
     authorization_headers:
       Authorization: "client"         # Token provided via MCP-HEADERS
@@ -387,7 +384,9 @@ curl -X POST "http://localhost:8080/v1/query" \
   -d '{"query": "Get my data"}'
 ```
 
-**Note**: The `MCP-HEADERS` dictionary is keyed by **server name** (not URL), matching the `name` field in your MCP server configuration.
+**Note**: `MCP-HEADERS` is an **HTTP request header** containing a JSON-encoded dictionary. The dictionary is keyed by **server name** (not URL), matching the `name` field in your MCP server configuration. Each server name maps to another dictionary containing the HTTP headers to forward to that specific MCP server.
+
+**Structure**: `MCP-HEADERS: {"<server-name>": {"<header-name>": "<header-value>", ...}, ...}`
 
 ##### Combining Authentication Methods
 
@@ -397,21 +396,18 @@ You can mix and match authentication methods across different MCP servers, and e
 mcp_servers:
   # Static credentials for public API
   - name: "weather-api"
-    provider_id: "model-context-protocol"
     url: "http://weather-api:8080"
     authorization_headers:
       X-API-Key: "/var/secrets/weather-api-key"
   
   # Kubernetes auth for internal services
   - name: "internal-db"
-    provider_id: "model-context-protocol"
     url: "http://db-mcp.cluster.local:8080"
     authorization_headers:
       Authorization: "kubernetes"
   
   # Mixed: static API key + per-user token
   - name: "multi-tenant-service"
-    provider_id: "model-context-protocol"
     url: "http://multi-tenant:8080"
     authorization_headers:
       X-Service-Key: "/var/secrets/service-key"    # Static service credential

dev-tools/MANUAL_TESTING.md

@@ -91,7 +91,7 @@ The mock server should return unique tool names for each auth type:
 - `mock_tool_client` - from `mock-client-auth`
 
 Check the Lightspeed Core logs, you should see:
-```
+```text
 DEBUG    Configured 3 MCP tools: ['mock-file-auth', 'mock-k8s-auth', 'mock-client-auth']
 ```
 

dev-tools/mcp-mock-server/README.md

@@ -11,6 +11,8 @@ This mock server helps developers:
 - Develop and test MCP-related features
 - Test both HTTP and HTTPS connections
 
+**⚠️ Testing Only:** This server is single-threaded and handles requests sequentially. It is designed purely for development and testing purposes, not for production or high-load scenarios.
+
 ## Features
 
 - ✅ **Pure Python** - No external dependencies (uses stdlib only)

dev-tools/mcp-mock-server/server.py

@@ -23,11 +23,10 @@
 from http.server import HTTPServer, BaseHTTPRequestHandler
 from datetime import datetime
 from pathlib import Path
-from typing import Dict
 
 
 # Global storage for captured headers (last request)
-last_headers: Dict[str, str] = {}
+last_headers: dict[str, str] = {}
 request_log: list = []
 
 
@@ -79,19 +78,22 @@ def do_POST(self) -> None:  # pylint: disable=invalid-name
 
         # Determine tool name based on authorization header to avoid collisions
         auth_header = self.headers.get("Authorization", "")
-        if "test-secret-token" in auth_header:
-            tool_name = "mock_tool_file"
-            tool_desc = "Mock tool with file-based auth"
-        elif "my-k8s-token" in auth_header:
-            tool_name = "mock_tool_k8s"
-            tool_desc = "Mock tool with Kubernetes token"
-        elif "my-client-token" in auth_header:
-            tool_name = "mock_tool_client"
-            tool_desc = "Mock tool with client-provided token"
-        else:
-            # No auth header or unrecognized token
-            tool_name = "mock_tool_no_auth"
-            tool_desc = "Mock tool with no authorization"
+
+        # Match based on token content
+        match auth_header:
+            case _ if "test-secret-token" in auth_header:
+                tool_name = "mock_tool_file"
+                tool_desc = "Mock tool with file-based auth"
+            case _ if "my-k8s-token" in auth_header:
+                tool_name = "mock_tool_k8s"
+                tool_desc = "Mock tool with Kubernetes token"
+            case _ if "my-client-token" in auth_header:
+                tool_name = "mock_tool_client"
+                tool_desc = "Mock tool with client-provided token"
+            case _:
+                # No auth header or unrecognized token
+                tool_name = "mock_tool_no_auth"
+                tool_desc = "Mock tool with no authorization"
 
         # Handle MCP protocol methods
         if method == "initialize":
@@ -150,51 +152,53 @@ def do_POST(self) -> None:  # pylint: disable=invalid-name
 
     def do_GET(self) -> None:  # pylint: disable=invalid-name
         """Handle GET requests (debug endpoints)."""
-        # Debug endpoint to view captured headers
-        if self.path == "/debug/headers":
-            self.send_response(200)
-            self.send_header("Content-Type", "application/json")
-            self.end_headers()
-            response = {
-                "last_headers": last_headers,
-                "request_count": len(request_log),
-            }
-            self.wfile.write(json.dumps(response, indent=2).encode())
-
-        # Debug endpoint to view request log
-        elif self.path == "/debug/requests":
-            self.send_response(200)
-            self.send_header("Content-Type", "application/json")
-            self.end_headers()
-            self.wfile.write(json.dumps(request_log, indent=2).encode())
-
-        # Root endpoint - show help
-        elif self.path == "/":
-            self.send_response(200)
-            self.send_header("Content-Type", "text/html")
-            self.end_headers()
-            help_html = """
-            <html>
-            <head><title>MCP Mock Server</title></head>
-            <body>
-                <h1>MCP Mock Server</h1>
-                <p>This is a development mock server for testing MCP integrations.</p>
-                <h2>Debug Endpoints:</h2>
-                <ul>
-                    <li><a href="/debug/headers">/debug/headers</a> - View last captured headers</li>
-                    <li><a href="/debug/requests">/debug/requests</a> - View recent request log</li>
-                </ul>
-                <h2>MCP Endpoints:</h2>
-                <ul>
-                    <li>POST /mcp/v1/list_tools - Mock MCP tools endpoint</li>
-                </ul>
-            </body>
-            </html>
-            """
-            self.wfile.write(help_html.encode())
-        else:
-            self.send_response(404)
-            self.end_headers()
+        # Handle different GET endpoints
+        match self.path:
+            case "/debug/headers":
+                self._send_json_response(
+                    {"last_headers": last_headers, "request_count": len(request_log)}
+                )
+            case "/debug/requests":
+                self._send_json_response(request_log)
+            case "/":
+                self._send_help_page()
+            case _:
+                self.send_response(404)
+                self.end_headers()
+
+    def _send_json_response(self, data: dict | list) -> None:
+        """Send a JSON response."""
+        self.send_response(200)
+        self.send_header("Content-Type", "application/json")
+        self.end_headers()
+        self.wfile.write(json.dumps(data, indent=2).encode())
+
+    def _send_help_page(self) -> None:
+        """Send HTML help page for root endpoint."""
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html")
+        self.end_headers()
+        help_html = """<!DOCTYPE html>
+        <html>
+        <head><title>MCP Mock Server</title></head>
+        <body>
+            <h1>MCP Mock Server</h1>
+            <p>Development mock server for testing MCP integrations.</p>
+            <h2>Debug Endpoints:</h2>
+            <ul>
+                <li><a href="/debug/headers">/debug/headers</a> - View captured headers</li>
+                <li><a href="/debug/requests">/debug/requests</a> - View request log</li>
+            </ul>
+            <h2>MCP Protocol:</h2>
+            <p>POST requests to <code>/</code> with JSON-RPC format:</p>
+            <ul>
+                <li><code>{"jsonrpc": "2.0", "id": 1, "method": "initialize"}</code></li>
+                <li><code>{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}</code></li>
+            </ul>
+        </body>
+        </html>
+        """
+        self.wfile.write(help_html.encode())
 
 
 def generate_self_signed_cert(cert_dir: Path) -> tuple[Path, Path]:

dev-tools/mcp-mock-server/test_mock_mcp_server.py

@@ -103,34 +103,38 @@ def make_request(
 def test_http_mcp_list_tools(mock_server):
     """Test the MCP list_tools endpoint over HTTP."""
     status, response = make_request(
-        f"{mock_server['http_url']}/mcp/v1/list_tools",
+        f"{mock_server['http_url']}/",
         method="POST",
-        data={"test": "data"},
+        data={"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
         headers={"Authorization": "Bearer test-token-123"},
     )
 
     assert status == 200, f"Expected 200 OK, got {status}"
     assert isinstance(response, dict), f"Expected dict, got {type(response)}"
-    assert "tools" in response, "Response should contain 'tools' key"
-    assert isinstance(response["tools"], list), "Tools should be a list"
-    assert len(response["tools"]) == 1, "Should have 1 mock tool"
-    assert (
-        response["tools"][0]["name"] == "mock_tool"
-    ), "Tool name should be 'mock_tool'"
+    assert "result" in response, "Response should contain 'result' key (JSON-RPC)"
+    assert "tools" in response["result"], "Result should contain 'tools' key"
+    assert isinstance(response["result"]["tools"], list), "Tools should be a list"
+    assert len(response["result"]["tools"]) == 1, "Should have 1 mock tool"
+    # Tool name varies based on auth header
+    assert response["result"]["tools"][0]["name"].startswith(
+        "mock_tool"
+    ), "Tool name should start with 'mock_tool'"
 
 
 def test_https_mcp_list_tools(mock_server):
     """Test the MCP list_tools endpoint over HTTPS."""
     status, response = make_request(
-        f"{mock_server['https_url']}/mcp/v1/list_tools",
+        f"{mock_server['https_url']}/",
         method="POST",
-        data={"test": "data"},
+        data={"jsonrpc": "2.0", "id": 1, "method": "tools/list"},
         headers={"Authorization": "Bearer test-https-token"},
         use_https=True,
     )
 
     assert status == 200, f"Expected 200 OK over HTTPS, got {status}"
     assert isinstance(response, dict), f"Expected dict, got {type(response)}"
+    assert "result" in response, "Response should contain 'result' key (JSON-RPC)"
+    assert "tools" in response["result"], "Result should contain 'tools' key"
 
 
 def test_debug_headers_endpoint(mock_server):

src/utils/mcp_auth_headers.py

@@ -14,8 +14,8 @@ def resolve_authorization_headers(
 
     Parameters:
         authorization_headers: Map of header names to secret locations or special keywords.
-            - If value is "kubernetes": live is unchanged. We substitute it during request.
-            - If value is "client": live it unchanged. . We substitute it during request.
+            - If value is "kubernetes": leave is unchanged. We substitute it during request.
+            - If value is "client": leave it unchanged. . We substitute it during request.
             - Otherwise: Treat as file path and read the secret from that file
 
     Returns:

tests/unit/models/config/test_model_context_protocol_server.py

@@ -2,6 +2,8 @@
 
 # pyright: reportCallIssue=false
 
+from pathlib import Path
+
 import pytest
 
 from pydantic import ValidationError
@@ -137,20 +139,31 @@ def test_configuration_multiple_mcp_servers() -> None:
     assert cfg.mcp_servers[2].name == "server3"
 
 
-def test_model_context_protocol_server_with_authorization_headers() -> None:
+def test_model_context_protocol_server_with_authorization_headers(
+    tmp_path: Path,
+) -> None:
     """Test ModelContextProtocolServer with authorization headers."""
+    auth_file = tmp_path / "auth.txt"
+    auth_file.write_text("my-secret")
+    api_key_file = tmp_path / "api_key.txt"
+    api_key_file.write_text("api-key-secret")
+
     mcp = ModelContextProtocolServer(
         name="auth-server",
         url="http://localhost:8080",
         authorization_headers={
-            "Authorization": "my-secret",
-            "X-API-Key": "api-key-secret",
+            "Authorization": str(auth_file),
+            "X-API-Key": str(api_key_file),
         },
     )
     assert mcp is not None
     assert mcp.name == "auth-server"
     assert mcp.url == "http://localhost:8080"
     assert mcp.authorization_headers == {
+        "Authorization": str(auth_file),
+        "X-API-Key": str(api_key_file),
+    }
+    assert mcp.resolved_authorization_headers == {
         "Authorization": "my-secret",
         "X-API-Key": "api-key-secret",
     }
@@ -178,19 +191,22 @@ def test_model_context_protocol_server_client_special_case() -> None:
     assert mcp.authorization_headers == {"Authorization": "client"}
 
 
-def test_configuration_mcp_servers_with_mixed_auth_headers() -> None:
+def test_configuration_mcp_servers_with_mixed_auth_headers(tmp_path: Path) -> None:
     """
     Test Configuration with MCP servers having mixed authorization headers.
 
     Verifies backward compatibility (servers without auth headers) and
     new functionality (servers with auth headers) work together.
     """
+    secret_file = tmp_path / "secret.txt"
+    secret_file.write_text("my-secret")
+
     mcp_servers = [
         ModelContextProtocolServer(name="server-no-auth", url="http://localhost:8080"),
         ModelContextProtocolServer(
             name="server-with-secret",
             url="http://localhost:8081",
-            authorization_headers={"Authorization": "my-secret"},
+            authorization_headers={"Authorization": str(secret_file)},
         ),
         ModelContextProtocolServer(
             name="server-with-k8s",
@@ -225,7 +241,8 @@ def test_configuration_mcp_servers_with_mixed_auth_headers() -> None:
 
     # Server with secret reference
     assert cfg.mcp_servers[1].name == "server-with-secret"
-    assert cfg.mcp_servers[1].authorization_headers == {"Authorization": "my-secret"}
+    assert cfg.mcp_servers[1].authorization_headers == {"Authorization": str(secret_file)}
+    assert cfg.mcp_servers[1].resolved_authorization_headers == {"Authorization": "my-secret"}
 
     # Server with kubernetes special case
     assert cfg.mcp_servers[2].name == "server-with-k8s"
@@ -279,4 +296,4 @@ def test_model_context_protocol_server_resolved_headers_empty() -> None:
         url="http://localhost:8080",
     )
     assert mcp is not None
-    assert mcp.resolved_authorization_headers == {}
+    assert not mcp.resolved_authorization_headers