Wire HeaderForward into vMCP session HTTP client

lorr1 · lorr1 · commit 5ead2ff5dadf · 2026-05-18T09:02:30.000-07:00
PR #5239 added HeaderForward support to the startup capability-discovery client at pkg/vmcp/client/client.go, but the per-session MCP HTTP client in pkg/vmcp/session/internal/backend builds a parallel transport chain (DefaultTransport -> auth -> identity) that never reads target.HeaderForward. Every post-initialize MCP call (tools/list, tools/call, ...) therefore reaches the upstream without user-configured headers, leaving features like GitHub Copilot's X-MCP-Toolsets filter silently broken in v0.27.2. Construct a single secrets.EnvironmentProvider at connector build time, plumb it into createMCPClient, and wrap the shared chain with BuildHeaderForwardTripper as the outermost stage so vMCP auth/identity headers still win on overlapping names. Export the existing helper from pkg/vmcp/client so the session backend can reuse it without duplication. Fixes #5289
diff --git a/pkg/vmcp/headerforward/transport.go b/pkg/vmcp/headerforward/transport.go
@@ -64,6 +64,11 @@ func (h *headerForwardRoundTripper) RoundTrip(req *http.Request) (*http.Response
 // backend's pre-resolved HeaderForwardConfig. Returns base unchanged when no
 // header injection is configured or the effective header set is empty.
 //
+// Used by both the vMCP backend client (startup capability discovery) and the
+// per-session backend connector (long-lived MCP traffic). Exported so the
+// session backend in pkg/vmcp/session/internal/backend can share the same
+// transport-chain wiring.
+//
 // Fails loudly (constructor validation, per go-style.md) when a secret identifier
 // cannot be resolved through the provider, so a misconfigured backend surfaces
 // at pod startup — not as a silent missing-header on every request.
diff --git a/pkg/vmcp/session/internal/backend/mcp_session.go b/pkg/vmcp/session/internal/backend/mcp_session.go
@@ -17,11 +17,13 @@ import (
 	"github.com/mark3labs/mcp-go/mcp"
 
 	"github.com/stacklok/toolhive/pkg/auth"
+	"github.com/stacklok/toolhive/pkg/secrets"
 	"github.com/stacklok/toolhive/pkg/versions"
 	"github.com/stacklok/toolhive/pkg/vmcp"
 	vmcpauth "github.com/stacklok/toolhive/pkg/vmcp/auth"
 	authtypes "github.com/stacklok/toolhive/pkg/vmcp/auth/types"
 	"github.com/stacklok/toolhive/pkg/vmcp/conversion"
+	"github.com/stacklok/toolhive/pkg/vmcp/headerforward"
 )
 
 const (
@@ -196,19 +198,25 @@ func (c *mcpSession) GetPrompt(
 //
 // registry provides the authentication strategy for outgoing backend requests.
 // Pass a registry configured with the "unauthenticated" strategy to disable auth.
+//
+// A single secrets.EnvironmentProvider is constructed once per connector and
+// shared across every session it creates; its lifetime matches the connector's.
+// It is consumed by BuildHeaderForwardTripper to resolve secret-backed entries
+// in target.HeaderForward.
 func NewHTTPConnector(registry vmcpauth.OutgoingAuthRegistry) func(
 	ctx context.Context,
 	target *vmcp.BackendTarget,
 	identity *auth.Identity,
 	sessionHint string,
 ) (Session, *vmcp.CapabilityList, error) {
+	provider := secrets.NewEnvironmentProvider()
 	return func(
 		ctx context.Context,
 		target *vmcp.BackendTarget,
 		identity *auth.Identity,
 		sessionHint string,
 	) (Session, *vmcp.CapabilityList, error) {
-		c, err := createMCPClient(target, identity, registry, sessionHint)
+		c, err := createMCPClient(ctx, target, identity, registry, sessionHint, provider)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to create MCP client for backend %s: %w", target.WorkloadID, err)
 		}
@@ -238,11 +246,17 @@ func NewHTTPConnector(registry vmcpauth.OutgoingAuthRegistry) func(
 // to client.Close(), not to any caller-supplied init context.
 // sessionHint, when non-empty, is passed as the initial Mcp-Session-Id for
 // streamable-HTTP transports so the backend can resume an existing session.
+//
+// ctx is used only to resolve secret-backed entries in target.HeaderForward at
+// client-creation time; the transport itself is started with context.Background()
+// as described above. provider supplies values for those secret-backed headers.
 func createMCPClient(
+	ctx context.Context,
 	target *vmcp.BackendTarget,
 	identity *auth.Identity,
 	registry vmcpauth.OutgoingAuthRegistry,
 	sessionHint string,
+	provider secrets.Provider,
 ) (*mcpclient.Client, error) {
 	// Resolve and validate the auth strategy once at client creation time.
 	strategyName := authtypes.StrategyTypeUnauthenticated
@@ -259,7 +273,10 @@ func createMCPClient(
 
 	slog.Debug("Applied authentication strategy", "strategy", strategy.Name(), "backendID", target.WorkloadID)
 
-	// Build shared transport chain: auth → identity propagation.
+	// Build shared transport chain: auth → identity propagation → header forward.
+	// HeaderForward is the outermost stage so inner stages (auth, identity) win
+	// on any overlapping header name — matching the ordering in
+	// headerForwardRoundTripper.RoundTrip, which skips names already set.
 	// The per-transport sections below may add a size-limiting wrapper on top.
 	base := http.RoundTripper(http.DefaultTransport)
 	base = &authRoundTripper{
@@ -269,6 +286,10 @@ func createMCPClient(
 		target:       target,
 	}
 	base = &identityRoundTripper{base: base, identity: identity}
+	base, err = headerforward.BuildHeaderForwardTripper(ctx, base, target.HeaderForward, provider, target.WorkloadID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build header-forward transport for backend %s: %w", target.WorkloadID, err)
+	}
 
 	var c *mcpclient.Client
 	switch target.TransportType {
diff --git a/pkg/vmcp/session/internal/backend/mcp_session_header_forward_test.go b/pkg/vmcp/session/internal/backend/mcp_session_header_forward_test.go
@@ -0,0 +1,190 @@
+// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package backend
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/stacklok/toolhive/pkg/vmcp"
+)
+
+// headerCapturingBackend is a minimal streamable-HTTP MCP fake that records
+// inbound request headers keyed by JSON-RPC method. The test asserts that a
+// user-configured HeaderForward header reaches the backend on POST-INITIALIZE
+// traffic — see issue #5289. The startup capability-discovery path was fixed
+// in PR #5239; per-session HTTP traffic is still missing the wrap.
+type headerCapturingBackend struct {
+	t *testing.T
+
+	mu              sync.Mutex
+	headersByMethod map[string]http.Header
+}
+
+func newHeaderCapturingBackend(t *testing.T) (*headerCapturingBackend, string) {
+	t.Helper()
+	fb := &headerCapturingBackend{
+		t:               t,
+		headersByMethod: make(map[string]http.Header),
+	}
+	mux := http.NewServeMux()
+	mux.HandleFunc("/mcp", fb.handle)
+	ts := httptest.NewServer(mux)
+	t.Cleanup(ts.Close)
+	return fb, ts.URL + "/mcp"
+}
+
+func (f *headerCapturingBackend) headersFor(method string) http.Header {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	return f.headersByMethod[method]
+}
+
+func (f *headerCapturingBackend) handle(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		// Streamable-HTTP transports may open a GET for server-pushed
+		// notifications; rejecting it cleanly is fine for this test.
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		f.t.Errorf("headerCapturingBackend: read body: %v", err)
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+	defer func() { _ = r.Body.Close() }()
+
+	var msg struct {
+		JSONRPC string          `json:"jsonrpc"`
+		ID      json.RawMessage `json:"id"`
+		Method  string          `json:"method"`
+	}
+	if err := json.Unmarshal(body, &msg); err != nil {
+		f.t.Errorf("headerCapturingBackend: decode: %v body=%s", err, string(body))
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	f.mu.Lock()
+	f.headersByMethod[msg.Method] = r.Header.Clone()
+	f.mu.Unlock()
+
+	// Notifications (no id, e.g. notifications/initialized) get an empty 202.
+	if len(msg.ID) == 0 || string(msg.ID) == "null" {
+		w.WriteHeader(http.StatusAccepted)
+		return
+	}
+
+	switch msg.Method {
+	case string(mcp.MethodInitialize):
+		w.Header().Set("Mcp-Session-Id", "header-forward-test-session")
+		f.writeResult(w, msg.ID, map[string]any{
+			"protocolVersion": mcp.LATEST_PROTOCOL_VERSION,
+			"capabilities": map[string]any{
+				"tools": map[string]any{},
+			},
+			"serverInfo": map[string]any{"name": "header-forward-fake", "version": "0.0.0"},
+		})
+	case string(mcp.MethodToolsList):
+		f.writeResult(w, msg.ID, map[string]any{
+			"tools": []mcp.Tool{{Name: "echo", Description: "echo tool"}},
+		})
+	case string(mcp.MethodToolsCall):
+		f.writeResult(w, msg.ID, map[string]any{
+			"content": []map[string]any{
+				{"type": "text", "text": "ok"},
+			},
+			"isError": false,
+		})
+	default:
+		f.writeResult(w, msg.ID, map[string]any{})
+	}
+}
+
+func (f *headerCapturingBackend) writeResult(w http.ResponseWriter, id json.RawMessage, result any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if err := json.NewEncoder(w).Encode(map[string]any{
+		"jsonrpc": "2.0",
+		"id":      json.RawMessage(id),
+		"result":  result,
+	}); err != nil {
+		f.t.Errorf("headerCapturingBackend: encode result: %v", err)
+	}
+}
+
+// TestHTTPSession_AppliesHeaderForwardToPostInitializeRequests is the red-phase
+// regression test for issue #5289. PR #5239 fixed HeaderForward for the vMCP
+// backend client (used for startup capability discovery) but did not extend the
+// fix to the session-side connector at pkg/vmcp/session/internal/backend.
+// As a result, user-configured headers (e.g. X-MCP-Toolsets for GitHub MCP)
+// never reach the backend on per-session requests like tools/call.
+//
+// The test asserts that, after the connector completes Initialize, a
+// subsequent CallTool carries the configured plaintext header on the wire.
+// On main today it fails because the connector's transport chain does not
+// include a header-forward round-tripper — see createMCPClient in
+// mcp_session.go (the chain is http.DefaultTransport → authRoundTripper →
+// identityRoundTripper, with no HeaderForward stage).
+func TestHTTPSession_AppliesHeaderForwardToPostInitializeRequests(t *testing.T) {
+	t.Parallel()
+
+	const (
+		headerName  = "X-MCP-Toolsets"
+		headerValue = "projects,issues,pull_requests,users,repos"
+	)
+
+	fb, url := newHeaderCapturingBackend(t)
+
+	target := &vmcp.BackendTarget{
+		WorkloadID:    "header-forward-backend",
+		WorkloadName:  "header-forward-backend",
+		BaseURL:       url,
+		TransportType: "streamable-http",
+		HeaderForward: &vmcp.HeaderForwardConfig{
+			AddPlaintextHeaders: map[string]string{
+				headerName: headerValue,
+			},
+		},
+	}
+
+	registry := newTestRegistry(t)
+	connector := NewHTTPConnector(registry)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	sess, caps, err := connector(ctx, target, nil, "")
+	require.NoError(t, err, "connector must initialise the backend successfully")
+	require.NotNil(t, sess, "connector returned nil session")
+	require.NotNil(t, caps, "connector returned nil capability list")
+	t.Cleanup(func() { _ = sess.Close() })
+
+	// Make a single MCP call AFTER initialize completes. tools/call exercises
+	// the same transport chain as initialize but is unambiguously a
+	// post-handshake request — which is exactly where the regression lives.
+	_, err = sess.CallTool(ctx, "echo", map[string]any{}, nil)
+	require.NoError(t, err, "post-initialize CallTool must succeed")
+
+	// The recorded inbound headers for the tools/call request must include the
+	// user-configured forward header. This is the single assertion target:
+	// the test fails for exactly one reason — header missing on the recorded
+	// post-initialize request.
+	gotHeaders := fb.headersFor(string(mcp.MethodToolsCall))
+	require.NotNil(t, gotHeaders, "backend never received a tools/call request")
+	assert.Equal(t, headerValue, gotHeaders.Get(headerName),
+		"HeaderForward.AddPlaintextHeaders must reach the backend on post-initialize requests")
+}
diff --git a/pkg/vmcp/session/internal/backend/mcp_session_test.go b/pkg/vmcp/session/internal/backend/mcp_session_test.go
@@ -4,11 +4,13 @@
 package backend
 
 import (
+	"context"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/stacklok/toolhive/pkg/secrets"
 	"github.com/stacklok/toolhive/pkg/vmcp"
 	vmcpauth "github.com/stacklok/toolhive/pkg/vmcp/auth"
 	"github.com/stacklok/toolhive/pkg/vmcp/auth/strategies"
@@ -40,7 +42,7 @@ func TestCreateMCPClient_UnsupportedTransport(t *testing.T) {
 				TransportType: transport,
 			}
 
-			_, err := createMCPClient(target, nil, newTestRegistry(t), "")
+			_, err := createMCPClient(context.Background(), target, nil, newTestRegistry(t), "", secrets.NewEnvironmentProvider())
 			require.Error(t, err)
 			assert.ErrorIs(t, err, vmcp.ErrUnsupportedTransport,
 				"transport %q should return ErrUnsupportedTransport", transport)
