|
| 1 | +# Tasks: Auto-Detect RFC 8707 Resource Parameter |
| 2 | + |
| 3 | +**Input**: Design documents from `/specs/011-resource-auto-detect/` |
| 4 | +**Prerequisites**: plan.md, spec.md, research.md, data-model.md, quickstart.md |
| 5 | + |
| 6 | +**Tests**: Included per constitution requirement (V. Test-Driven Development) |
| 7 | + |
| 8 | +**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story. |
| 9 | + |
| 10 | +## Format: `[ID] [P?] [Story] Description` |
| 11 | + |
| 12 | +- **[P]**: Can run in parallel (different files, no dependencies) |
| 13 | +- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3, US4) |
| 14 | +- Include exact file paths in descriptions |
| 15 | + |
| 16 | +## Path Conventions |
| 17 | + |
| 18 | +- **Go project**: `internal/` for packages, `tests/` for test infrastructure |
| 19 | +- Paths follow existing MCPProxy structure per plan.md |
| 20 | + |
| 21 | +--- |
| 22 | + |
| 23 | +## Phase 1: Setup |
| 24 | + |
| 25 | +**Purpose**: No new project setup needed - working within existing codebase |
| 26 | + |
| 27 | +- [ ] T001 Verify branch `011-resource-auto-detect` is up to date with main |
| 28 | + |
| 29 | +**Checkpoint**: Ready to begin foundational changes |
| 30 | + |
| 31 | +--- |
| 32 | + |
| 33 | +## Phase 2: Foundational (Discovery Layer) |
| 34 | + |
| 35 | +**Purpose**: Add `DiscoverProtectedResourceMetadata()` that returns full RFC 9728 metadata struct. This is required by ALL user stories. |
| 36 | + |
| 37 | +**⚠️ CRITICAL**: No user story work can begin until this phase is complete |
| 38 | + |
| 39 | +### Tests for Discovery Layer |
| 40 | + |
| 41 | +- [ ] T002 [P] Add unit test `TestDiscoverProtectedResourceMetadata_ReturnsFullStruct` in internal/oauth/discovery_test.go |
| 42 | +- [ ] T003 [P] Add unit test `TestDiscoverProtectedResourceMetadata_HandlesError` in internal/oauth/discovery_test.go |
| 43 | + |
| 44 | +### Implementation for Discovery Layer |
| 45 | + |
| 46 | +- [ ] T004 Add `DiscoverProtectedResourceMetadata()` function in internal/oauth/discovery.go |
| 47 | +- [ ] T005 Refactor `DiscoverScopesFromProtectedResource()` to delegate to new function in internal/oauth/discovery.go |
| 48 | +- [ ] T006 Run tests: `go test ./internal/oauth/... -v -run TestDiscoverProtectedResourceMetadata` |
| 49 | + |
| 50 | +**Checkpoint**: Discovery layer ready - `DiscoverProtectedResourceMetadata()` returns full metadata struct including `resource` field |
| 51 | + |
| 52 | +--- |
| 53 | + |
| 54 | +## Phase 3: User Story 1 - Zero-Config Runlayer OAuth (Priority: P1) 🎯 MVP |
| 55 | + |
| 56 | +**Goal**: Auto-detect `resource` parameter from Protected Resource Metadata and inject into authorization URL |
| 57 | + |
| 58 | +**Independent Test**: Configure a server with only `name` and `url`, initiate OAuth, verify authorization URL contains `?resource=<detected-value>` |
| 59 | + |
| 60 | +### Tests for User Story 1 |
| 61 | + |
| 62 | +- [ ] T007 [P] [US1] Add unit test `TestCreateOAuthConfig_AutoDetectsResource` in internal/oauth/config_test.go |
| 63 | +- [ ] T008 [P] [US1] Add unit test `TestCreateOAuthConfig_FallsBackToServerURL` in internal/oauth/config_test.go |
| 64 | +- [ ] T009 [P] [US1] Add unit test `TestHandleOAuthAuthorization_InjectsExtraParams` in internal/upstream/core/connection_test.go |
| 65 | + |
| 66 | +### Implementation for User Story 1 |
| 67 | + |
| 68 | +- [ ] T010 [US1] Change `CreateOAuthConfig()` signature to return `(*client.OAuthConfig, map[string]string)` in internal/oauth/config.go |
| 69 | +- [ ] T011 [US1] Add resource auto-detection logic in `CreateOAuthConfig()` in internal/oauth/config.go |
| 70 | +- [ ] T012 [US1] Add fallback to server URL when metadata lacks resource field in internal/oauth/config.go |
| 71 | +- [ ] T013 [US1] Build `extraParams` map with auto-detected resource in internal/oauth/config.go |
| 72 | +- [ ] T014 [US1] Update `handleOAuthAuthorization()` signature to accept `extraParams` in internal/upstream/core/connection.go |
| 73 | +- [ ] T015 [US1] Add URL injection logic after `GetAuthorizationURL()` in internal/upstream/core/connection.go |
| 74 | +- [ ] T016 [US1] Update call site in `tryOAuthAuth()` (~line 1108) in internal/upstream/core/connection.go |
| 75 | +- [ ] T017 [US1] Update call site in `trySSEOAuthAuth()` (~line 1557) in internal/upstream/core/connection.go |
| 76 | +- [ ] T018 [US1] Update call site in `forceHTTPOAuthFlow()` (~line 2436) in internal/upstream/core/connection.go |
| 77 | +- [ ] T019 [US1] Update call site in `forceSSEOAuthFlow()` (~line 2495) in internal/upstream/core/connection.go |
| 78 | +- [ ] T020 [US1] Add INFO logging for detected resource parameter in internal/oauth/config.go |
| 79 | +- [ ] T021 [US1] Run unit tests: `go test ./internal/oauth/... ./internal/upstream/core/... -v` |
| 80 | + |
| 81 | +**Checkpoint**: User Story 1 complete - OAuth flows auto-detect and inject resource parameter into authorization URL |
| 82 | + |
| 83 | +--- |
| 84 | + |
| 85 | +## Phase 4: User Story 2 - Manual Override of Auto-Detected Resource (Priority: P2) |
| 86 | + |
| 87 | +**Goal**: Allow `extra_params.resource` in config to override auto-detected value |
| 88 | + |
| 89 | +**Independent Test**: Configure server with both auto-detectable metadata AND manual `extra_params.resource`, verify manual value is used |
| 90 | + |
| 91 | +### Tests for User Story 2 |
| 92 | + |
| 93 | +- [ ] T022 [P] [US2] Add unit test `TestCreateOAuthConfig_ManualOverride` in internal/oauth/config_test.go |
| 94 | +- [ ] T023 [P] [US2] Add unit test `TestCreateOAuthConfig_MergesExtraParams` in internal/oauth/config_test.go |
| 95 | + |
| 96 | +### Implementation for User Story 2 |
| 97 | + |
| 98 | +- [ ] T024 [US2] Add merge logic for manual `extra_params` in `CreateOAuthConfig()` in internal/oauth/config.go |
| 99 | +- [ ] T025 [US2] Ensure manual values override auto-detected values in internal/oauth/config.go |
| 100 | +- [ ] T026 [US2] Add INFO logging when manual override is applied in internal/oauth/config.go |
| 101 | +- [ ] T027 [US2] Run unit tests: `go test ./internal/oauth/... -v -run TestCreateOAuthConfig` |
| 102 | + |
| 103 | +**Checkpoint**: User Story 2 complete - Manual `extra_params` override auto-detected values |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +## Phase 5: User Story 3 - Token Request Resource Injection (Priority: P2) |
| 108 | + |
| 109 | +**Goal**: Include `resource` parameter in token exchange and refresh requests |
| 110 | + |
| 111 | +**Independent Test**: Complete OAuth flow, verify token exchange request body contains `resource` parameter |
| 112 | + |
| 113 | +### Tests for User Story 3 |
| 114 | + |
| 115 | +- [ ] T028 [P] [US3] Add E2E test for token exchange with resource parameter in tests/oauthserver/ |
| 116 | + |
| 117 | +### Implementation for User Story 3 |
| 118 | + |
| 119 | +- [ ] T029 [US3] Verify `OAuthTransportWrapper` injects `resource` into token requests in internal/oauth/transport_wrapper.go |
| 120 | +- [ ] T030 [US3] Ensure `extraParams` are passed to transport wrapper in internal/oauth/config.go |
| 121 | +- [ ] T031 [US3] Run E2E test: `go test ./tests/oauthserver/... -v` |
| 122 | + |
| 123 | +**Checkpoint**: User Story 3 complete - Resource parameter included in token exchange/refresh |
| 124 | + |
| 125 | +--- |
| 126 | + |
| 127 | +## Phase 6: User Story 4 - Diagnostic Visibility (Priority: P3) |
| 128 | + |
| 129 | +**Goal**: Show auto-detected `resource` parameter in diagnostic commands |
| 130 | + |
| 131 | +**Independent Test**: Run `mcpproxy auth status --server=<name>` and verify resource parameter is displayed |
| 132 | + |
| 133 | +### Implementation for User Story 4 |
| 134 | + |
| 135 | +- [ ] T032 [US4] Add `resource` field to auth status output in cmd/mcpproxy/auth_cmd.go |
| 136 | +- [ ] T033 [US4] Add resource parameter to doctor diagnostics in cmd/mcpproxy/doctor_cmd.go |
| 137 | +- [ ] T034 [US4] Test manually: `go build && ./mcpproxy auth status --server=test` |
| 138 | + |
| 139 | +**Checkpoint**: User Story 4 complete - Diagnostic commands show detected resource parameter |
| 140 | + |
| 141 | +--- |
| 142 | + |
| 143 | +## Phase 7: Polish & Cross-Cutting Concerns |
| 144 | + |
| 145 | +**Purpose**: Final validation and documentation |
| 146 | + |
| 147 | +- [ ] T035 [P] Run full test suite: `./scripts/run-all-tests.sh` |
| 148 | +- [ ] T036 [P] Run linter: `./scripts/run-linter.sh` |
| 149 | +- [ ] T037 Update CLAUDE.md OAuth section if needed |
| 150 | +- [ ] T038 Run quickstart.md validation steps manually |
| 151 | +- [ ] T039 [P] Add E2E test with mock OAuth server requiring resource in internal/server/e2e_oauth_test.go |
| 152 | + |
| 153 | +--- |
| 154 | + |
| 155 | +## Dependencies & Execution Order |
| 156 | + |
| 157 | +### Phase Dependencies |
| 158 | + |
| 159 | +- **Setup (Phase 1)**: No dependencies - can start immediately |
| 160 | +- **Foundational (Phase 2)**: Depends on Setup - BLOCKS all user stories |
| 161 | +- **User Stories (Phase 3-6)**: All depend on Foundational phase completion |
| 162 | + - US1 (P1): Can start after Phase 2 |
| 163 | + - US2 (P2): Can start after Phase 2 (independent of US1) |
| 164 | + - US3 (P2): Can start after Phase 2 (independent of US1/US2) |
| 165 | + - US4 (P3): Can start after Phase 2 (independent of others) |
| 166 | +- **Polish (Phase 7)**: Depends on all user stories being complete |
| 167 | + |
| 168 | +### User Story Dependencies |
| 169 | + |
| 170 | +- **User Story 1 (P1)**: Depends only on Foundational (Phase 2) |
| 171 | +- **User Story 2 (P2)**: Depends only on Foundational (Phase 2) - builds on US1 implementation but independently testable |
| 172 | +- **User Story 3 (P2)**: Depends only on Foundational (Phase 2) - uses existing transport wrapper |
| 173 | +- **User Story 4 (P3)**: Depends only on Foundational (Phase 2) - CLI changes independent of OAuth flow |
| 174 | + |
| 175 | +### Within Each User Story |
| 176 | + |
| 177 | +- Tests MUST be written and FAIL before implementation |
| 178 | +- Core logic before integration |
| 179 | +- Story complete before moving to next priority |
| 180 | + |
| 181 | +### Parallel Opportunities |
| 182 | + |
| 183 | +- T002, T003 can run in parallel (different test functions) |
| 184 | +- T007, T008, T009 can run in parallel (different test files) |
| 185 | +- T022, T023 can run in parallel (same file but different tests) |
| 186 | +- T028 can run in parallel with other US3 work |
| 187 | +- T035, T036, T039 can run in parallel (different scripts/files) |
| 188 | + |
| 189 | +--- |
| 190 | + |
| 191 | +## Parallel Example: User Story 1 |
| 192 | + |
| 193 | +```bash |
| 194 | +# Launch all tests for User Story 1 together: |
| 195 | +Task: "Add unit test TestCreateOAuthConfig_AutoDetectsResource in internal/oauth/config_test.go" |
| 196 | +Task: "Add unit test TestCreateOAuthConfig_FallsBackToServerURL in internal/oauth/config_test.go" |
| 197 | +Task: "Add unit test TestHandleOAuthAuthorization_InjectsExtraParams in internal/upstream/core/connection_test.go" |
| 198 | +``` |
| 199 | + |
| 200 | +--- |
| 201 | + |
| 202 | +## Implementation Strategy |
| 203 | + |
| 204 | +### MVP First (User Story 1 Only) |
| 205 | + |
| 206 | +1. Complete Phase 1: Setup (trivial) |
| 207 | +2. Complete Phase 2: Foundational (discovery layer) |
| 208 | +3. Complete Phase 3: User Story 1 (core auto-detection) |
| 209 | +4. **STOP and VALIDATE**: Test with real Runlayer server |
| 210 | +5. Deploy/demo if ready |
| 211 | + |
| 212 | +### Incremental Delivery |
| 213 | + |
| 214 | +1. Complete Setup + Foundational → Discovery layer ready |
| 215 | +2. Add User Story 1 → Test auto-detection → Deploy (MVP!) |
| 216 | +3. Add User Story 2 → Test manual override → Deploy |
| 217 | +4. Add User Story 3 → Test token injection → Deploy |
| 218 | +5. Add User Story 4 → Test diagnostics → Deploy |
| 219 | +6. Each story adds value without breaking previous stories |
| 220 | + |
| 221 | +--- |
| 222 | + |
| 223 | +## Notes |
| 224 | + |
| 225 | +- [P] tasks = different files, no dependencies |
| 226 | +- [Story] label maps task to specific user story for traceability |
| 227 | +- Each user story should be independently completable and testable |
| 228 | +- Verify tests fail before implementing |
| 229 | +- Commit after each task or logical group |
| 230 | +- Stop at any checkpoint to validate story independently |
| 231 | +- Related PR: #188, Related issue: #165 |
0 commit comments