21924576857
44%

Ran 11 Feb 2026 10:06PM UTC

Jobs 1

Files 669

Run time 1min

Badge

Embed ▾

Committed 11 Feb 2026 09:55PM UTC coverage: 44.252% (+0.2%) from 44.075%

Build # 21924576857

Build Type

push

github

Committed by

web-flow

Commit Message

mcp: add ext_proc integration for response interception (#6091)

## Summary

Add Envoy ext_proc (External Processor) support for MCP routes to enable
future response interception (401/403 handling for upstream OAuth
flows).

Key changes:
- New `extproc` package with gRPC server implementation
- Route context metadata passing from ext_authz to ext_proc via Envoy
dynamic metadata
- Per-route ext_proc enablement (disabled by default, enabled for MCP
server routes)
- Fail-closed behavior for MCP routes requiring ext_proc

Currently a no-op that passes through all requests/responses while
logging MCP route details. Future implementation will intercept 401/403
responses to trigger upstream OAuth authorization flows.

## Related issues

- https://linear.app/pomerium/issue/ENG-3528

## User Explanation

No user-facing changes. This is infrastructure for future MCP proxy
authorization features.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review

Run Details

271 of 323 new or added lines in 10 files covered. (83.9%)

17 existing lines in 3 files now uncovered.

32289 of 72966 relevant lines covered (44.25%)

117.45 hits per line

New Missed Lines in Diff

Lines	Coverage	∆	File
1	50.53	0.0%	authorize/grpc.go
2	89.86	-0.31%	config/envoyconfig/routes.go
3	87.43	-0.64%	authorize/check_response.go
4	59.14	0.7%	internal/controlplane/server.go
6	0.0	0.0%	pkg/cmd/pomerium/pomerium.go
16	50.0	-16.0%	config/envoyconfig/per_filter_config.go
20	90.83		internal/mcp/extproc/server.go

Uncovered Existing Lines

Lines	Coverage	∆	File
3	95.83	-3.13%	pkg/identity/manager/schedulers.go
4	48.82	-0.72%	internal/databroker/server_clustered_follower.go
10	85.78	-4.9%	config/config_source.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	21924576857.1	11 Feb 2026 10:06PM UTC	669	44.25	GitHub Action Run

pomerium / pomerium / 21924576857
44%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 21924576857

pomerium / pomerium / 21924576857 44%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 21924576857

pomerium / pomerium / 21924576857
44%

README BADGES
x