pomerium / pomerium / 24733043775

45%

Build Type

push

github

Committed by web-flow

Commit Message

fix(mcp): recover MCP upstream auth after late config delivery (#6281)

## Summary

MCP routes delivered to a running Pomerium through the databroker config
sync path — the path Pomerium Zero uses — silently lost upstream auth.
The upstream saw empty Authorization headers and rejected every request.
Boot-time routes were unaffected. Restart cleared the symptom until the
next late-delivered route.

This change makes the ext_proc filter learn about routes and
allowed-domain updates that arrive after startup, and installs the MCP
handler on the fly when the MCP runtime flag itself is enabled via a
late configuration update.

## Related issues

- ENG-3926 —
https://linear.app/pomerium/issue/ENG-3926/pomerium-loses-mcp-upstream-auth-for-routes-delivered-after-startup

## User Explanation

MCP routes added to a running Pomerium Zero deployment now work without
a restart. Previously any MCP route added through the console after the
deployment was already running would appear reachable but fail upstream
authentication.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (\`enhancement\`, \`bug\`, \`breaking\`,
\`dependencies\`, \`ci\`)
- [ ] ready for review

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Coverage Stats

110 of 132 new or added lines in 5 files covered. (83.33%)

15 existing lines in 5 files now uncovered.

35461 of 77755 relevant lines covered (45.61%)

113.95 hits per line