Skip to content

Commit a6bd387

Browse files
docs: add implementation tasks for RFC 8707 resource auto-detection
Related smart-mcp-proxy#165 Add structured task list with 39 tasks organized by user story: - Phase 1: Setup (1 task) - Phase 2: Foundational - discovery layer (5 tasks) - Phase 3: US1 - Zero-config auto-detection (15 tasks) - MVP - Phase 4: US2 - Manual override (6 tasks) - Phase 5: US3 - Token injection (4 tasks) - Phase 6: US4 - Diagnostic visibility (3 tasks) - Phase 7: Polish (5 tasks) Tasks follow TDD approach per constitution requirements.
1 parent eef13b6 commit a6bd387

1 file changed

Lines changed: 231 additions & 0 deletions

File tree

Lines changed: 231 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,231 @@
1+
# Tasks: Auto-Detect RFC 8707 Resource Parameter
2+
3+
**Input**: Design documents from `/specs/011-resource-auto-detect/`
4+
**Prerequisites**: plan.md, spec.md, research.md, data-model.md, quickstart.md
5+
6+
**Tests**: Included per constitution requirement (V. Test-Driven Development)
7+
8+
**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
9+
10+
## Format: `[ID] [P?] [Story] Description`
11+
12+
- **[P]**: Can run in parallel (different files, no dependencies)
13+
- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3, US4)
14+
- Include exact file paths in descriptions
15+
16+
## Path Conventions
17+
18+
- **Go project**: `internal/` for packages, `tests/` for test infrastructure
19+
- Paths follow existing MCPProxy structure per plan.md
20+
21+
---
22+
23+
## Phase 1: Setup
24+
25+
**Purpose**: No new project setup needed - working within existing codebase
26+
27+
- [ ] T001 Verify branch `011-resource-auto-detect` is up to date with main
28+
29+
**Checkpoint**: Ready to begin foundational changes
30+
31+
---
32+
33+
## Phase 2: Foundational (Discovery Layer)
34+
35+
**Purpose**: Add `DiscoverProtectedResourceMetadata()` that returns full RFC 9728 metadata struct. This is required by ALL user stories.
36+
37+
**⚠️ CRITICAL**: No user story work can begin until this phase is complete
38+
39+
### Tests for Discovery Layer
40+
41+
- [ ] T002 [P] Add unit test `TestDiscoverProtectedResourceMetadata_ReturnsFullStruct` in internal/oauth/discovery_test.go
42+
- [ ] T003 [P] Add unit test `TestDiscoverProtectedResourceMetadata_HandlesError` in internal/oauth/discovery_test.go
43+
44+
### Implementation for Discovery Layer
45+
46+
- [ ] T004 Add `DiscoverProtectedResourceMetadata()` function in internal/oauth/discovery.go
47+
- [ ] T005 Refactor `DiscoverScopesFromProtectedResource()` to delegate to new function in internal/oauth/discovery.go
48+
- [ ] T006 Run tests: `go test ./internal/oauth/... -v -run TestDiscoverProtectedResourceMetadata`
49+
50+
**Checkpoint**: Discovery layer ready - `DiscoverProtectedResourceMetadata()` returns full metadata struct including `resource` field
51+
52+
---
53+
54+
## Phase 3: User Story 1 - Zero-Config Runlayer OAuth (Priority: P1) 🎯 MVP
55+
56+
**Goal**: Auto-detect `resource` parameter from Protected Resource Metadata and inject into authorization URL
57+
58+
**Independent Test**: Configure a server with only `name` and `url`, initiate OAuth, verify authorization URL contains `?resource=<detected-value>`
59+
60+
### Tests for User Story 1
61+
62+
- [ ] T007 [P] [US1] Add unit test `TestCreateOAuthConfig_AutoDetectsResource` in internal/oauth/config_test.go
63+
- [ ] T008 [P] [US1] Add unit test `TestCreateOAuthConfig_FallsBackToServerURL` in internal/oauth/config_test.go
64+
- [ ] T009 [P] [US1] Add unit test `TestHandleOAuthAuthorization_InjectsExtraParams` in internal/upstream/core/connection_test.go
65+
66+
### Implementation for User Story 1
67+
68+
- [ ] T010 [US1] Change `CreateOAuthConfig()` signature to return `(*client.OAuthConfig, map[string]string)` in internal/oauth/config.go
69+
- [ ] T011 [US1] Add resource auto-detection logic in `CreateOAuthConfig()` in internal/oauth/config.go
70+
- [ ] T012 [US1] Add fallback to server URL when metadata lacks resource field in internal/oauth/config.go
71+
- [ ] T013 [US1] Build `extraParams` map with auto-detected resource in internal/oauth/config.go
72+
- [ ] T014 [US1] Update `handleOAuthAuthorization()` signature to accept `extraParams` in internal/upstream/core/connection.go
73+
- [ ] T015 [US1] Add URL injection logic after `GetAuthorizationURL()` in internal/upstream/core/connection.go
74+
- [ ] T016 [US1] Update call site in `tryOAuthAuth()` (~line 1108) in internal/upstream/core/connection.go
75+
- [ ] T017 [US1] Update call site in `trySSEOAuthAuth()` (~line 1557) in internal/upstream/core/connection.go
76+
- [ ] T018 [US1] Update call site in `forceHTTPOAuthFlow()` (~line 2436) in internal/upstream/core/connection.go
77+
- [ ] T019 [US1] Update call site in `forceSSEOAuthFlow()` (~line 2495) in internal/upstream/core/connection.go
78+
- [ ] T020 [US1] Add INFO logging for detected resource parameter in internal/oauth/config.go
79+
- [ ] T021 [US1] Run unit tests: `go test ./internal/oauth/... ./internal/upstream/core/... -v`
80+
81+
**Checkpoint**: User Story 1 complete - OAuth flows auto-detect and inject resource parameter into authorization URL
82+
83+
---
84+
85+
## Phase 4: User Story 2 - Manual Override of Auto-Detected Resource (Priority: P2)
86+
87+
**Goal**: Allow `extra_params.resource` in config to override auto-detected value
88+
89+
**Independent Test**: Configure server with both auto-detectable metadata AND manual `extra_params.resource`, verify manual value is used
90+
91+
### Tests for User Story 2
92+
93+
- [ ] T022 [P] [US2] Add unit test `TestCreateOAuthConfig_ManualOverride` in internal/oauth/config_test.go
94+
- [ ] T023 [P] [US2] Add unit test `TestCreateOAuthConfig_MergesExtraParams` in internal/oauth/config_test.go
95+
96+
### Implementation for User Story 2
97+
98+
- [ ] T024 [US2] Add merge logic for manual `extra_params` in `CreateOAuthConfig()` in internal/oauth/config.go
99+
- [ ] T025 [US2] Ensure manual values override auto-detected values in internal/oauth/config.go
100+
- [ ] T026 [US2] Add INFO logging when manual override is applied in internal/oauth/config.go
101+
- [ ] T027 [US2] Run unit tests: `go test ./internal/oauth/... -v -run TestCreateOAuthConfig`
102+
103+
**Checkpoint**: User Story 2 complete - Manual `extra_params` override auto-detected values
104+
105+
---
106+
107+
## Phase 5: User Story 3 - Token Request Resource Injection (Priority: P2)
108+
109+
**Goal**: Include `resource` parameter in token exchange and refresh requests
110+
111+
**Independent Test**: Complete OAuth flow, verify token exchange request body contains `resource` parameter
112+
113+
### Tests for User Story 3
114+
115+
- [ ] T028 [P] [US3] Add E2E test for token exchange with resource parameter in tests/oauthserver/
116+
117+
### Implementation for User Story 3
118+
119+
- [ ] T029 [US3] Verify `OAuthTransportWrapper` injects `resource` into token requests in internal/oauth/transport_wrapper.go
120+
- [ ] T030 [US3] Ensure `extraParams` are passed to transport wrapper in internal/oauth/config.go
121+
- [ ] T031 [US3] Run E2E test: `go test ./tests/oauthserver/... -v`
122+
123+
**Checkpoint**: User Story 3 complete - Resource parameter included in token exchange/refresh
124+
125+
---
126+
127+
## Phase 6: User Story 4 - Diagnostic Visibility (Priority: P3)
128+
129+
**Goal**: Show auto-detected `resource` parameter in diagnostic commands
130+
131+
**Independent Test**: Run `mcpproxy auth status --server=<name>` and verify resource parameter is displayed
132+
133+
### Implementation for User Story 4
134+
135+
- [ ] T032 [US4] Add `resource` field to auth status output in cmd/mcpproxy/auth_cmd.go
136+
- [ ] T033 [US4] Add resource parameter to doctor diagnostics in cmd/mcpproxy/doctor_cmd.go
137+
- [ ] T034 [US4] Test manually: `go build && ./mcpproxy auth status --server=test`
138+
139+
**Checkpoint**: User Story 4 complete - Diagnostic commands show detected resource parameter
140+
141+
---
142+
143+
## Phase 7: Polish & Cross-Cutting Concerns
144+
145+
**Purpose**: Final validation and documentation
146+
147+
- [ ] T035 [P] Run full test suite: `./scripts/run-all-tests.sh`
148+
- [ ] T036 [P] Run linter: `./scripts/run-linter.sh`
149+
- [ ] T037 Update CLAUDE.md OAuth section if needed
150+
- [ ] T038 Run quickstart.md validation steps manually
151+
- [ ] T039 [P] Add E2E test with mock OAuth server requiring resource in internal/server/e2e_oauth_test.go
152+
153+
---
154+
155+
## Dependencies & Execution Order
156+
157+
### Phase Dependencies
158+
159+
- **Setup (Phase 1)**: No dependencies - can start immediately
160+
- **Foundational (Phase 2)**: Depends on Setup - BLOCKS all user stories
161+
- **User Stories (Phase 3-6)**: All depend on Foundational phase completion
162+
- US1 (P1): Can start after Phase 2
163+
- US2 (P2): Can start after Phase 2 (independent of US1)
164+
- US3 (P2): Can start after Phase 2 (independent of US1/US2)
165+
- US4 (P3): Can start after Phase 2 (independent of others)
166+
- **Polish (Phase 7)**: Depends on all user stories being complete
167+
168+
### User Story Dependencies
169+
170+
- **User Story 1 (P1)**: Depends only on Foundational (Phase 2)
171+
- **User Story 2 (P2)**: Depends only on Foundational (Phase 2) - builds on US1 implementation but independently testable
172+
- **User Story 3 (P2)**: Depends only on Foundational (Phase 2) - uses existing transport wrapper
173+
- **User Story 4 (P3)**: Depends only on Foundational (Phase 2) - CLI changes independent of OAuth flow
174+
175+
### Within Each User Story
176+
177+
- Tests MUST be written and FAIL before implementation
178+
- Core logic before integration
179+
- Story complete before moving to next priority
180+
181+
### Parallel Opportunities
182+
183+
- T002, T003 can run in parallel (different test functions)
184+
- T007, T008, T009 can run in parallel (different test files)
185+
- T022, T023 can run in parallel (same file but different tests)
186+
- T028 can run in parallel with other US3 work
187+
- T035, T036, T039 can run in parallel (different scripts/files)
188+
189+
---
190+
191+
## Parallel Example: User Story 1
192+
193+
```bash
194+
# Launch all tests for User Story 1 together:
195+
Task: "Add unit test TestCreateOAuthConfig_AutoDetectsResource in internal/oauth/config_test.go"
196+
Task: "Add unit test TestCreateOAuthConfig_FallsBackToServerURL in internal/oauth/config_test.go"
197+
Task: "Add unit test TestHandleOAuthAuthorization_InjectsExtraParams in internal/upstream/core/connection_test.go"
198+
```
199+
200+
---
201+
202+
## Implementation Strategy
203+
204+
### MVP First (User Story 1 Only)
205+
206+
1. Complete Phase 1: Setup (trivial)
207+
2. Complete Phase 2: Foundational (discovery layer)
208+
3. Complete Phase 3: User Story 1 (core auto-detection)
209+
4. **STOP and VALIDATE**: Test with real Runlayer server
210+
5. Deploy/demo if ready
211+
212+
### Incremental Delivery
213+
214+
1. Complete Setup + Foundational → Discovery layer ready
215+
2. Add User Story 1 → Test auto-detection → Deploy (MVP!)
216+
3. Add User Story 2 → Test manual override → Deploy
217+
4. Add User Story 3 → Test token injection → Deploy
218+
5. Add User Story 4 → Test diagnostics → Deploy
219+
6. Each story adds value without breaking previous stories
220+
221+
---
222+
223+
## Notes
224+
225+
- [P] tasks = different files, no dependencies
226+
- [Story] label maps task to specific user story for traceability
227+
- Each user story should be independently completable and testable
228+
- Verify tests fail before implementing
229+
- Commit after each task or logical group
230+
- Stop at any checkpoint to validate story independently
231+
- Related PR: #188, Related issue: #165

0 commit comments

Comments
 (0)