Harden hosted MCP auth and add safe read-only surface #144

Open

Rumblingb wants to merge 1 commit into main from codex/hosted-mcp-safe-surface-clean

Harden hosted MCP auth and add safe read-only surface#144
Rumblingb wants to merge 1 commit into
mainfrom
codex/hosted-mcp-safe-surface-clean

Conversation

@Rumblingb (Owner)

Summary

  • harden hosted MCP execution in the Worker runtime and route internal AgentPay API calls through loopback fetch instead of recursive public-domain fetches
  • fix hosted MCP OAuth/email-link flow reliability, including duplicate confirm handling and a host-callback bridge page for Claude/ChatGPT popup flows
  • add a recommendation-friendly read-only MCP surface at /api/mcp/read-only and mark safe tools with readOnlyHint
  • clean up MCP tool schemas so OpenAI imports the tool catalog successfully

Why

AgentPay now works as a real hosted remote MCP surface, but the host-native path still had practical blockers:

  • Worker-hosted tool execution could fail on production runtime invocation patterns
  • email-link OAuth confirmation could die on duplicate host/browser submits
  • host popups could stall after auth instead of returning to the MCP host cleanly
  • OpenAI rejected MCP tool schemas during import
  • the single mixed tool surface made AgentPay look destructive even for safe demos

This PR closes those gaps and gives hosts a safer default entry point.

Main changes

Hosted MCP runtime

  • bind/wrap runtime fetch safely for Worker execution
  • add internalAppFetch loopback dispatch so /api/mcp can execute AgentPay API calls in-process when targeting the same Worker

Host-native OAuth

  • make email-link confirmation idempotent for duplicate submit cases by replaying the same PKCE-bound authorization redirect when safe
  • replace bare success redirects with an explicit host-continue bridge page that auto-launches the callback and exposes a manual continue button

Read-only recommendation surface

  • introduce SAFE_TOOLS and READ_ONLY_TOOL_NAMES
  • mark read-only tools with annotations.readOnlyHint = true
  • add /api/mcp/read-only as a real hosted remote MCP surface
  • expose the safe endpoint in public MCP discovery/setup/info payloads as the recommended starting point

MCP schema compatibility

  • normalize importer-hostile tool schemas (explicit object/array shapes, remove ambiguous oneOf recipient form) so OpenAI can import the tool catalog successfully

Validation

Validated on the original working tree before isolating this branch:

  • npx tsc -p packages/mcp-server/tsconfig.json --noEmit
  • npx tsc -p apps/api-edge/tsconfig.json --noEmit
  • npx jest --runInBand tests/routes/mcpOAuth.test.ts
  • npx jest --runInBand tests/unit/mcp-server.test.ts tests/routes/mcpRemote.test.ts

Production notes

  • deployed and verified live during development
  • public read-only MCP discovery now resolves at https://api.agentpay.so/api/mcp/read-only
  • /api/mcp/info now advertises the read-only endpoint and read-only tool count

Follow-up

  • refresh or recreate host app drafts against the read-only endpoint for safe demos and recommendations
  • keep the full /api/mcp surface for governed write-capable actions only
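The read-only surface described above, as an added illustration that is not AgentPay's own code: the tool names, handlers and catalog shapes are constructed placeholders, and the point shown is that the allowlist (`READ_ONLY_TOOL_NAMES`) is enforced server-side on every tools/call, while `annotations.readOnlyHint` is only the host-facing signal derived from it.

```typescript
// Added example, not the project's code. Tool names and handlers are constructed.
type ToolDef = {
  name: string;
  description: string;
  inputSchema: { type: "object"; properties: Record<string, unknown>; required?: string[] };
  annotations?: { readOnlyHint?: boolean };
};

// Full (mixed) catalog: safe lookups next to a write-capable action.
const ALL_TOOLS: ToolDef[] = [
  { name: "get_balance", description: "Read wallet balance", inputSchema: { type: "object", properties: {} } },
  { name: "list_transactions", description: "List recent transactions",
    inputSchema: { type: "object", properties: { limit: { type: "integer" } } } },
  { name: "send_payment", description: "Send funds to a recipient",
    inputSchema: { type: "object", properties: { to: { type: "string" }, amount: { type: "number" } }, required: ["to", "amount"] } },
];

// Constructed stand-ins for the real API calls behind each tool.
const HANDLERS: Record<string, (args: Record<string, unknown>) => unknown> = {
  get_balance: () => ({ balance: 1250 }),
  list_transactions: (a) => ({ items: [], limit: a.limit ?? 10 }),
  send_payment: (a) => ({ sent: a.amount, to: a.to }),
};

// Explicit allowlist: a tool is read-only only because it is named here.
export const READ_ONLY_TOOL_NAMES: ReadonlySet<string> = new Set(["get_balance", "list_transactions"]);

// Catalog served by the read-only endpoint: allowlisted tools only, each carrying
// readOnlyHint so hosts can treat the surface as safe for recommendations/demos.
export function buildReadOnlyCatalog(tools: ToolDef[]): ToolDef[] {
  return tools
    .filter((t) => READ_ONLY_TOOL_NAMES.has(t.name))
    .map((t) => ({ ...t, annotations: { ...(t.annotations ?? {}), readOnlyHint: true } }));
}

// tools/call handler for the read-only surface. The allowlist check runs on the
// server regardless of what the host did with the hint, so a write-capable tool
// cannot be reached through this endpoint even if a host asks for it by name.
export function callOnReadOnlySurface(
  name: string,
  args: Record<string, unknown>,
): { ok: true; result: unknown } | { ok: false; error: string } {
  if (!READ_ONLY_TOOL_NAMES.has(name)) {
    return { ok: false, error: `tool '${name}' is not available on the read-only surface` };
  }
  const handler = HANDLERS[name];
  if (!handler) return { ok: false, error: `unknown tool '${name}'` };
  return { ok: true, result: handler(args) };
}
```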

@vercel

vercel Bot commented Apr 17, 2026

The latest updates on your projects.

Project | Deployment | Actions | Updated (UTC)
agentpay-dashboard | Error | | Apr 17, 2026 5:36pm
agentpay-docs | Ready | Preview, Comment | Apr 17, 2026 5:36pm
