feat: integrate Auth & Metrics into Server, add 71 integration tests — bump to v0.29.0

- Auth: server.auth() accessor, automatic enforcement on HTTP POST/GET/DELETE
- Metrics: server.metrics() accessor, auto per-method recording in dispatch,
  /metrics endpoint auto-registered on begin()
- 71 new tests: auth lifecycle, metrics tracking, batch JSON-RPC,
  JSON-RPC edge cases, cross-module integration
- Total: 1017 tests (946 → 1017)

Author: Nicola Spieser

.gitignore

@@ -20,3 +20,4 @@ test/native/test_robustness
 test/native/test_session
 test/native/test_content_transport
 test/native/test_advanced
+test/native/test_integration

CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.29.0] - 2026-02-21
+
+### Features
+- **Integrated Auth into Server** — `server.auth()` accessor, automatic authentication enforcement on all HTTP endpoints (POST/GET/DELETE). Supports Bearer tokens, API keys via header/query, custom callbacks, and multi-key rotation.
+- **Integrated Metrics into Server** — `server.metrics()` accessor, automatic per-method request counting and latency tracking in dispatch. Prometheus `/metrics` endpoint auto-registered on `begin()`. Error counting for unknown methods.
+
+### Tests
+- Added **71 new integration tests** (`test_integration.cpp`):
+  - Auth module: enable/disable, API key management, custom callbacks, re-enable after disable
+  - Metrics module: initial state, request/error counting, dispatch-level recording, notification tracking
+  - Batch JSON-RPC: single/multiple requests, all-notifications, mixed, empty array, metrics in batch
+  - JSON-RPC edge cases: missing/wrong version, parse errors, string/numeric ID preservation, error messages for missing params
+  - Cross-module integration: capabilities advertisement, tool/resource/prompt lifecycle, pagination, subscriptions, dynamic add/remove, rich tool handlers, exception handling, rate limit info in initialize, resource templates
+- **Total: 1017 tests** (946 → 1017)
+
 ## [0.28.0] - 2026-02-21
 
 ### Tests

README.md

@@ -33,7 +33,7 @@
 |---|:---:|:---:|:---:|
 | Runs on the MCU | ✅ | ✅ | ❌ CLI tool |
 | MCP spec compliant | ✅ 2025-03-26 | ❌ custom WS | ❌ |
-| Actually compiles | ✅ 946 tests | ❌ self-described | N/A |
+| Actually compiles | ✅ 1017 tests | ❌ self-described | N/A |
 | Streamable HTTP + SSE | ✅ | ❌ | ❌ |
 | WebSocket transport | ✅ | ✅ | ❌ |
 | Claude Desktop bridge | ✅ | ❌ | ❌ |

src/mcpd.cpp

@@ -182,6 +182,9 @@ void Server::begin() {
         _httpServer->send(204);
     });
 
+    // Register Prometheus metrics endpoint
+    _metrics.begin(*_httpServer);
+
     _httpServer->begin();
 
     // mDNS advertisement
@@ -334,6 +337,12 @@ void Server::stop() {
 void Server::_handleMCPPost() {
     transport::setCORSHeaders(*_httpServer);
 
+    // Authentication check
+    if (_auth.isEnabled() && !_auth.authenticate(*_httpServer)) {
+        Auth::sendUnauthorized(*_httpServer);
+        return;
+    }
+
     // Rate limit check
     if (_rateLimiter.isEnabled() && !_rateLimiter.tryAcquire()) {
         _httpServer->send(429, transport::CONTENT_TYPE_JSON,
@@ -377,6 +386,12 @@ void Server::_handleMCPPost() {
 void Server::_handleMCPGet() {
     transport::setCORSHeaders(*_httpServer);
 
+    // Authentication check
+    if (_auth.isEnabled() && !_auth.authenticate(*_httpServer)) {
+        Auth::sendUnauthorized(*_httpServer);
+        return;
+    }
+
     // Check that the client wants SSE
     // Note: on ESP32 WebServer, we need to take over the client socket
     if (!_initialized || _sessionId.isEmpty()) {
@@ -408,6 +423,12 @@ void Server::_handleMCPGet() {
 void Server::_handleMCPDelete() {
     transport::setCORSHeaders(*_httpServer);
 
+    // Authentication check
+    if (_auth.isEnabled() && !_auth.authenticate(*_httpServer)) {
+        Auth::sendUnauthorized(*_httpServer);
+        return;
+    }
+
     String clientSession = _httpServer->header(transport::HEADER_SESSION_ID);
     if (clientSession == _sessionId) {
         _initialized = false;
@@ -499,25 +520,34 @@ String Server::_dispatch(const char* method, JsonVariant params, JsonVariant id)
 
     String m(method);
 
-    if (m == "initialize")       return _handleInitialize(params, id);
-    if (m == "ping")             return _handlePing(id);
-    if (m == "tools/list")       return _handleToolsList(params, id);
-    if (m == "tools/call")       return _handleToolsCall(params, id);
-    if (m == "resources/list")   return _handleResourcesList(params, id);
-    if (m == "resources/read")   return _handleResourcesRead(params, id);
-    if (m == "resources/templates/list") return _handleResourcesTemplatesList(params, id);
-    if (m == "prompts/list")           return _handlePromptsList(params, id);
-    if (m == "prompts/get")            return _handlePromptsGet(params, id);
-    if (m == "logging/setLevel")       return _handleLoggingSetLevel(params, id);
-    if (m == "completion/complete")     return _handleCompletionComplete(params, id);
-    if (m == "resources/subscribe")     return _handleResourcesSubscribe(params, id);
-    if (m == "resources/unsubscribe")   return _handleResourcesUnsubscribe(params, id);
-    if (m == "roots/list")              return _handleRootsList(params, id);
+    // Record metrics for each dispatched method
+    unsigned long _dispatchStart = millis();
+
+    auto _recordAndReturn = [&](const String& result) -> String {
+        _metrics.recordRequest(m, millis() - _dispatchStart);
+        return result;
+    };
+
+    if (m == "initialize")       return _recordAndReturn(_handleInitialize(params, id));
+    if (m == "ping")             return _recordAndReturn(_handlePing(id));
+    if (m == "tools/list")       return _recordAndReturn(_handleToolsList(params, id));
+    if (m == "tools/call")       return _recordAndReturn(_handleToolsCall(params, id));
+    if (m == "resources/list")   return _recordAndReturn(_handleResourcesList(params, id));
+    if (m == "resources/read")   return _recordAndReturn(_handleResourcesRead(params, id));
+    if (m == "resources/templates/list") return _recordAndReturn(_handleResourcesTemplatesList(params, id));
+    if (m == "prompts/list")           return _recordAndReturn(_handlePromptsList(params, id));
+    if (m == "prompts/get")            return _recordAndReturn(_handlePromptsGet(params, id));
+    if (m == "logging/setLevel")       return _recordAndReturn(_handleLoggingSetLevel(params, id));
+    if (m == "completion/complete")     return _recordAndReturn(_handleCompletionComplete(params, id));
+    if (m == "resources/subscribe")     return _recordAndReturn(_handleResourcesSubscribe(params, id));
+    if (m == "resources/unsubscribe")   return _recordAndReturn(_handleResourcesUnsubscribe(params, id));
+    if (m == "roots/list")              return _recordAndReturn(_handleRootsList(params, id));
 
     // notifications/initialized — no response needed
-    if (m == "notifications/initialized") return "";
+    if (m == "notifications/initialized") { _metrics.recordRequest(m, millis() - _dispatchStart); return ""; }
     // notifications/cancelled — cancel in-flight request
     if (m == "notifications/cancelled") {
+        _metrics.recordRequest(m, millis() - _dispatchStart);
         if (!params.isNull()) {
             const char* rid = params["requestId"].as<const char*>();
             String reqId = rid ? rid : "";
@@ -529,6 +559,7 @@ String Server::_dispatch(const char* method, JsonVariant params, JsonVariant id)
         return "";
     }
 
+    _metrics.recordError();
     return _jsonRpcError(id, -32601, "Method not found");
 }
 

src/mcpd.h

@@ -37,12 +37,14 @@
 #include "MCPRateLimit.h"
 #include "MCPSession.h"
 #include "MCPHeap.h"
+#include "MCPAuth.h"
+#include "MCPMetrics.h"
 
 #ifdef ESP32
 #include "MCPTransportBLE.h"
 #endif
 
-#define MCPD_VERSION "0.28.0"
+#define MCPD_VERSION "0.29.0"
 #define MCPD_MCP_PROTOCOL_VERSION "2025-03-26"
 
 namespace mcpd {
@@ -251,6 +253,16 @@ class Server {
     /** Access heap monitor for memory diagnostics */
     HeapMonitor& heap() { return _heapMonitor; }
 
+    // ── Authentication ─────────────────────────────────────────────────
+
+    /** Access the authentication module */
+    Auth& auth() { return _auth; }
+
+    // ── Metrics ────────────────────────────────────────────────────────
+
+    /** Access the Prometheus metrics module */
+    Metrics& metrics() { return _metrics; }
+
     // ── Lifecycle Hooks ────────────────────────────────────────────────
 
     using LifecycleCallback = std::function<void()>;
@@ -349,6 +361,8 @@ class Server {
     RateLimiter _rateLimiter;
     SessionManager _sessionManager;
     HeapMonitor _heapMonitor;
+    Auth _auth;
+    Metrics _metrics;
 
     // Lifecycle callbacks
     InitCallback _onInitializeCb;

test/native/Makefile

@@ -3,7 +3,7 @@ CXXFLAGS = -std=c++17 -Wall -Wextra -Wno-unused-parameter -DMCPD_TEST -pthread
 INCLUDES = -I../../src -I../mock_includes -I..
 
 # Targets
-TESTS = test_jsonrpc test_tools test_mcp_http test_infrastructure test_modules test_auth_platform test_robustness test_session test_content_transport test_advanced
+TESTS = test_jsonrpc test_tools test_mcp_http test_infrastructure test_modules test_auth_platform test_robustness test_session test_content_transport test_advanced test_integration
 
 .PHONY: all clean test
 
@@ -39,6 +39,9 @@ test_content_transport: ../test_content_transport.cpp ../arduino_mock.h ../test_
 test_advanced: ../test_advanced.cpp ../arduino_mock.h ../test_framework.h ../../src/mcpd.h ../../src/mcpd.cpp
 	$(CXX) $(CXXFLAGS) $(INCLUDES) -o $@ ../test_advanced.cpp
 
+test_integration: ../test_integration.cpp ../arduino_mock.h ../test_framework.h ../../src/mcpd.h ../../src/mcpd.cpp ../../src/MCPAuth.h ../../src/MCPMetrics.h
+	$(CXX) $(CXXFLAGS) $(INCLUDES) -o $@ ../test_integration.cpp
+
 test: $(TESTS)
 	@echo ""
 	@echo "══════════════════════════════════════════"
@@ -55,6 +58,7 @@ test: $(TESTS)
 	@./test_session
 	@./test_content_transport
 	@./test_advanced
+	@./test_integration
 	@echo "All test suites completed."
 
 clean: