Altinity / altinity-mcp / 25912856463
80%
main: 79%

LAST BUILD BRANCH: feature-multicluster
DEFAULT BRANCH: main
Ran 15 May 2026 10:25AM UTC
Jobs 1
Files 18
Run time 1min
15 May 2026 10:21AM UTC coverage: 75.546% (-5.7%) from 81.263%
25912856463

Pull #116

github

BorisTyshkevich
oauth: CIMD inbound + DCR removal + HA replay (#115)

Replace Dynamic Client Registration with OAuth Client ID Metadata Documents
as the only inbound MCP OAuth client mechanism. Aligns altinity-mcp with the
MCP authorization spec direction (DCR retired 2025-11-25 in favor of CIMD)
and lets the upstream IdP be the cross-replica replay oracle.

CIMD resolver (cmd/altinity-mcp/cimd.go, new):
- HTTPS-only URL validation: no userinfo/fragment/query, port 443 only,
  dot-segment + encoded-slash + IDN normalization rejection.
- SSRF-safe fetcher: custom DialContext explicitly resolves DNS, blocks
  loopback / RFC1918 / link-local / multicast / IPv6 ULA / CGNAT / 0.0.0.0/8
  / 192.0.0.0/24, pins dial to a validated IP, post-dial address re-check,
  no env proxy, no redirects, 3s timeout, 5 KiB body limit, JSON-only.
- Schema validation: client_id must equal request URL, token_endpoint_auth_method
  must equal "none", redirect_uris bounded and deduped + https-only, refresh_token
  tolerated in grant_types (but unused), client_secret/private_key_jwt rejected.
- In-memory LRU cache with Cache-Control: max-age (capped at 1h), no-store
  honored, negative-cache 30s, never overrides a positive entry.

DCR removal (cmd/altinity-mcp/oauth_server.go):
- handleOAuthRegister and its route deleted; /oauth/register now returns 404.
- /.well-known/oauth-authorization-server drops registration_endpoint and
  refresh_token, advertises token_endpoint_auth_methods_supported=["none"]
  and client_id_metadata_document_supported: true.
- handleOAuthTokenRefreshDispatch / handleOAuthTokenRefreshForward /
  mintForwardRefreshToken deleted; refresh_token grant returns
  unsupported_grant_type. CIMD clients re-authorize in v1.
- parseStatelessRegisteredClient + authenticateClientSecret + hex import
  deleted as unused.

HA replay model (#115 § HA replay):
- /oauth/callback no longer POSTs to upstream /token. Instead it wraps the
  upstream auth code + upstream PKCE verifier + redirec... (continued)
Pull Request #116: oauth: CIMD inbound + DCR removal + HA replay (#115)

322 of 482 new or added lines in 3 files covered. (66.8%)

298 existing lines in 2 files now uncovered.

4396 of 5819 relevant lines covered (75.55%)

1.1 hits per line

Uncovered Changes

Lines  Coverage  ∆        File
91     74.22              cmd/altinity-mcp/cimd.go
69     47.66     -30.33%  cmd/altinity-mcp/oauth_server.go

Coverage Regressions

Lines  Coverage  ∆        File
294    47.66     -30.33%  cmd/altinity-mcp/oauth_server.go
4      90.05     -1.0%    pkg/server/server_auth_oauth.go

Jobs

ID  Job ID         Ran                      Files  Coverage
1   25912856463.1  15 May 2026 10:25AM UTC  18     75.55