feat(mcp): authenticated remote MCP server support (bearer token + custom headers) #39
Merged
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…cp_servers Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
- mcp/auth_test.go: assert combined BearerToken + custom Headers both land on the same request at the http.Client level.
- manage/mcpconfig_test.go: cover the headers-only -> Authenticated=true branch (the len(Headers) > 0 side of the OR).
- cmd/mcpmanage_test.go: assert --header X-Foo=a=b parses value "a=b" (strings.Cut splits on first = only).
- manage/mcpconfig.go: document that Authenticated marks ANY custom header, not just real auth tokens (deliberate simplification).

Test-only + one doc comment; no production behavior change.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Summary
wiz already supports remote MCP servers over HTTP (Streamable) and SSE transports, but had no way to authenticate to them. This adds bearer-token and custom-header auth support, per docs/superpowers/specs/2026-07-01-mcp-remote-auth-design.md (local-only spec, not part of this diff since docs/superpowers/ is gitignored).

- types.MCPServer gains BearerToken and Headers fields (types/config.go), validated in Configurator.AddMCPServer: only valid for remote (url-based) servers, and rejected if BearerToken and a Headers["Authorization"] entry are both set (case-insensitive).
- mcp/auth.go builds a *http.Client that injects the token/headers into every outgoing request via a header-injecting http.RoundTripper, built once and statically from config (no per-request resolution, no token refresh). Returns nil when no auth is configured, preserving today's behavior for unauthenticated remote servers.
- TransportForServer (mcp/clienttransport.go) via the HTTPClient field already exposed by both SSEClientTransport and StreamableClientTransport in go-sdk v1.0.0.
- nib mcp add <name> --url <url> --token <token> / --header K=V (repeatable), mirroring the existing --env flag pattern.
- add_mcp_server gains token/headers args (same KEY=VALUE shape as the existing env arg).
- nib mcp list and the list_mcp_servers agent tool show (authenticated) for configured servers and never print the token/header values — enforced structurally via a computed MCPServerInfo.Authenticated bool that carries no secret fields.
- Env field — no keychain, no env-var interpolation (deliberate, matches the rest of the config).

Implemented via TDD across 7 sequential tasks (docs/superpowers/plans/2026-07-01-mcp-remote-auth.md, also local-only), each independently reviewed, plus a final whole-branch review (verdict: ready to merge) and one fix pass closing the review's Minor coverage findings.

Test plan

- go build ./... and go test ./... pass across all packages
- httptest servers (mcp/auth_test.go), validation rules incl. the case-insensitive Authorization conflict (manage/mcpconfig_test.go), transport wiring (mcp/clienttransport_test.go), CLI flag parsing incl. =-containing header values (cmd/mcpmanage_test.go), self-config tool + redaction leak-check (chat/selfconfig_test.go)
- nib mcp add --token / nib mcp list / nib mcp remove against a built binary

🤖 Generated with Claude Code
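A minimal sketch of the header-injecting http.RoundTripper and the case-insensitive Authorization conflict check described in the summary above. It is an added example, not code from this PR: remoteAuth, rtFunc and newClient are hypothetical names, and passing the base transport as a parameter is an assumption made so the injection can be exercised without a network.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// remoteAuth is a hypothetical stand-in for the PR's BearerToken/Headers fields.
type remoteAuth struct {
	BearerToken string
	Headers     map[string]string
}

// rtFunc adapts a plain function to http.RoundTripper.
type rtFunc func(*http.Request) (*http.Response, error)

func (f rtFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// newClient validates a and wraps base; it returns (nil, nil) when no auth is set.
func newClient(a remoteAuth, base http.RoundTripper) (*http.Client, error) {
	h := http.Header{} // built once from config, reused for every request
	for k, v := range a.Headers {
		if a.BearerToken != "" && strings.EqualFold(k, "Authorization") { // any letter case
			return nil, fmt.Errorf("bearer token conflicts with header %q", k)
		}
		h.Set(k, v)
	}
	if a.BearerToken != "" {
		h.Set("Authorization", "Bearer "+a.BearerToken)
	}
	if len(h) == 0 {
		return nil, nil
	}
	return &http.Client{Transport: rtFunc(func(r *http.Request) (*http.Response, error) {
		out := r.Clone(r.Context()) // a RoundTripper must not mutate the caller's request
		for k, v := range h {
			out.Header[k] = v
		}
		return base.RoundTrip(out)
	})}, nil
}

func main() {
	// Constructed sample config: mixed-case Authorization header plus a token.
	bad := remoteAuth{BearerToken: "t", Headers: map[string]string{"authorization": "x"}}
	_, err := newClient(bad, http.DefaultTransport)
	fmt.Println("validation:", err)
}
```

Because the headers are added at the transport layer, this sketch sends them on every hop of a redirect chain, including hops to a different host; net/http's stripping of Authorization on cross-domain redirects applies only to headers set on the original request.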