Merge branch 'http-stack-2' into mcp-ui-apps-3-http-stack

Author: mattdholloway

cmd/github-mcp-server/main.go

@@ -109,6 +109,7 @@ var (
 				ContentWindowSize:    viper.GetInt("content-window-size"),
 				LockdownMode:         viper.GetBool("lockdown-mode"),
 				RepoAccessCacheTTL:   &ttl,
+				ScopeChallenge:       viper.GetBool("scope-challenge"),
 			}
 
 			return ghhttp.RunHTTPServer(httpConfig)
@@ -141,6 +142,7 @@ func init() {
 	httpCmd.Flags().Int("port", 8082, "HTTP server port")
 	httpCmd.Flags().String("base-url", "", "Base URL where this server is publicly accessible (for OAuth resource metadata)")
 	httpCmd.Flags().String("base-path", "", "Externally visible base path for the HTTP server (for OAuth resource metadata)")
+	httpCmd.Flags().Bool("scope-challenge", false, "Enable OAuth scope challenge responses and tool filtering based on token scopes")
 
 	// Bind flag to viper
 	_ = viper.BindPFlag("toolsets", rootCmd.PersistentFlags().Lookup("toolsets"))
@@ -159,7 +161,7 @@ func init() {
 	_ = viper.BindPFlag("port", httpCmd.Flags().Lookup("port"))
 	_ = viper.BindPFlag("base-url", httpCmd.Flags().Lookup("base-url"))
 	_ = viper.BindPFlag("base-path", httpCmd.Flags().Lookup("base-path"))
-
+	_ = viper.BindPFlag("scope-challenge", httpCmd.Flags().Lookup("scope-challenge"))
 	// Add subcommands
 	rootCmd.AddCommand(stdioCmd)
 	rootCmd.AddCommand(httpCmd)

internal/ghmcp/server.go

@@ -374,14 +374,7 @@ func fetchTokenScopesForHost(ctx context.Context, token, host string) ([]string,
 		return nil, fmt.Errorf("failed to parse API host: %w", err)
 	}
 
-	baseRestURL, err := apiHost.BaseRESTURL(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get base REST URL: %w", err)
-	}
-
-	fetcher := scopes.NewFetcher(scopes.FetcherOptions{
-		APIHost: baseRestURL.String(),
-	})
+	fetcher := scopes.NewFetcher(apiHost, scopes.FetcherOptions{})
 
 	return fetcher.FetchTokenScopes(ctx, token)
 }

pkg/context/mcp_info.go

@@ -0,0 +1,39 @@
+package context
+
+import "context"
+
+type mcpMethodInfoCtx string
+
+var mcpMethodInfoCtxKey mcpMethodInfoCtx = "mcpmethodinfo"
+
+// MCPMethodInfo contains pre-parsed MCP method information extracted from the JSON-RPC request.
+// This is populated early in the request lifecycle to enable:
+//   - Inventory filtering via ForMCPRequest (only register needed tools/resources/prompts)
+//   - Avoiding duplicate JSON parsing in middlewares (secret-scanning, scope-challenge)
+//   - Performance optimization for per-request server creation
+type MCPMethodInfo struct {
+	// Method is the MCP method being called (e.g., "tools/call", "tools/list", "initialize")
+	Method string
+	// ItemName is the name of the specific item being accessed (tool name, resource URI, prompt name)
+	// Only populated for call/get methods (tools/call, prompts/get, resources/read)
+	ItemName string
+	// Owner is the repository owner from tool call arguments, if present
+	Owner string
+	// Repo is the repository name from tool call arguments, if present
+	Repo string
+	// Arguments contains the raw tool arguments for tools/call requests
+	Arguments map[string]any
+}
+
+// WithMCPMethodInfo stores the MCPMethodInfo in the context.
+func WithMCPMethodInfo(ctx context.Context, info *MCPMethodInfo) context.Context {
+	return context.WithValue(ctx, mcpMethodInfoCtxKey, info)
+}
+
+// MCPMethod retrieves the MCPMethodInfo from the context.
+func MCPMethod(ctx context.Context) (*MCPMethodInfo, bool) {
+	if info, ok := ctx.Value(mcpMethodInfoCtxKey).(*MCPMethodInfo); ok {
+		return info, true
+	}
+	return nil, false
+}

pkg/context/token.go

@@ -1,19 +1,32 @@
 package context
 
-import "context"
+import (
+	"context"
+
+	"github.com/github/github-mcp-server/pkg/utils"
+)
 
 // tokenCtxKey is a context key for authentication token information
-type tokenCtxKey struct{}
+type tokenCtx string
+
+var tokenCtxKey tokenCtx = "tokenctx"
+
+type TokenInfo struct {
+	Token         string
+	TokenType     utils.TokenType
+	ScopesFetched bool
+	Scopes        []string
+}
 
 // WithTokenInfo adds TokenInfo to the context
-func WithTokenInfo(ctx context.Context, token string) context.Context {
-	return context.WithValue(ctx, tokenCtxKey{}, token)
+func WithTokenInfo(ctx context.Context, tokenInfo *TokenInfo) context.Context {
+	return context.WithValue(ctx, tokenCtxKey, tokenInfo)
 }
 
 // GetTokenInfo retrieves the authentication token from the context
-func GetTokenInfo(ctx context.Context) (string, bool) {
-	if token, ok := ctx.Value(tokenCtxKey{}).(string); ok {
-		return token, true
+func GetTokenInfo(ctx context.Context) (*TokenInfo, bool) {
+	if tokenInfo, ok := ctx.Value(tokenCtxKey).(*TokenInfo); ok {
+		return tokenInfo, true
 	}
-	return "", false
+	return nil, false
 }

pkg/github/dependencies.go

@@ -237,11 +237,6 @@ func NewToolFromHandler(
 }
 
 type RequestDeps struct {
-	Client          *gogithub.Client
-	GQLClient       *githubv4.Client
-	RawClient       *raw.Client
-	RepoAccessCache *lockdown.RepoAccessCache
-
 	// Static dependencies
 	apiHosts          utils.APIHostResolver
 	version           string
@@ -277,12 +272,12 @@ func NewRequestDeps(
 
 // GetClient implements ToolDependencies.
 func (d *RequestDeps) GetClient(ctx context.Context) (*gogithub.Client, error) {
-	if d.Client != nil {
-		return d.Client, nil
-	}
-
 	// extract the token from the context
-	token, _ := ghcontext.GetTokenInfo(ctx)
+	tokenInfo, ok := ghcontext.GetTokenInfo(ctx)
+	if !ok {
+		return nil, fmt.Errorf("no token info in context")
+	}
+	token := tokenInfo.Token
 
 	baseRestURL, err := d.apiHosts.BaseRESTURL(ctx)
 	if err != nil {
@@ -303,12 +298,12 @@ func (d *RequestDeps) GetClient(ctx context.Context) (*gogithub.Client, error) {
 
 // GetGQLClient implements ToolDependencies.
 func (d *RequestDeps) GetGQLClient(ctx context.Context) (*githubv4.Client, error) {
-	if d.GQLClient != nil {
-		return d.GQLClient, nil
-	}
-
 	// extract the token from the context
-	token, _ := ghcontext.GetTokenInfo(ctx)
+	tokenInfo, ok := ghcontext.GetTokenInfo(ctx)
+	if !ok {
+		return nil, fmt.Errorf("no token info in context")
+	}
+	token := tokenInfo.Token
 
 	// Construct GraphQL client
 	// We use NewEnterpriseClient unconditionally since we already parsed the API host
@@ -329,16 +324,11 @@ func (d *RequestDeps) GetGQLClient(ctx context.Context) (*githubv4.Client, error
 	}
 
 	gqlClient := githubv4.NewEnterpriseClient(graphqlURL.String(), gqlHTTPClient)
-	d.GQLClient = gqlClient
 	return gqlClient, nil
 }
 
 // GetRawClient implements ToolDependencies.
 func (d *RequestDeps) GetRawClient(ctx context.Context) (*raw.Client, error) {
-	if d.RawClient != nil {
-		return d.RawClient, nil
-	}
-
 	client, err := d.GetClient(ctx)
 	if err != nil {
 		return nil, err
@@ -350,7 +340,6 @@ func (d *RequestDeps) GetRawClient(ctx context.Context) (*raw.Client, error) {
 	}
 
 	rawClient := raw.NewClient(client, rawURL)
-	d.RawClient = rawClient
 
 	return rawClient, nil
 }
@@ -361,18 +350,13 @@ func (d *RequestDeps) GetRepoAccessCache(ctx context.Context) (*lockdown.RepoAcc
 		return nil, nil
 	}
 
-	if d.RepoAccessCache != nil {
-		return d.RepoAccessCache, nil
-	}
-
 	gqlClient, err := d.GetGQLClient(ctx)
 	if err != nil {
 		return nil, err
 	}
 
 	// Create repo access cache
 	instance := lockdown.GetInstance(gqlClient, d.RepoAccessOpts...)
-	d.RepoAccessCache = instance
 	return instance, nil
 }
 

pkg/github/pullrequests.go

@@ -944,7 +944,7 @@ func UpdatePullRequest(t translations.TranslationHelperFunc) inventory.ServerToo
 		})
 }
 
-// AddReplyToPullRequestComment creates a tool to add a reply to an existing PR comment.
+// AddReplyToPullRequestComment creates a tool to add a reply to an existing pull request comment.
 func AddReplyToPullRequestComment(t translations.TranslationHelperFunc) inventory.ServerTool {
 	schema := &jsonschema.Schema{
 		Type: "object",

pkg/github/server.go

@@ -73,10 +73,10 @@ type MCPServerConfig struct {
 
 type MCPServerOption func(*mcp.ServerOptions)
 
-func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependencies, inventory *inventory.Inventory) (*mcp.Server, error) {
+func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependencies, inv *inventory.Inventory) (*mcp.Server, error) {
 	// Create the MCP server
 	serverOpts := &mcp.ServerOptions{
-		Instructions:      inventory.Instructions(),
+		Instructions:      inv.Instructions(),
 		Logger:            cfg.Logger,
 		CompletionHandler: CompletionsHandler(deps.GetClient),
 	}
@@ -102,20 +102,20 @@ func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependenci
 	ghServer.AddReceivingMiddleware(addGitHubAPIErrorToContext)
 	ghServer.AddReceivingMiddleware(InjectDepsMiddleware(deps))
 
-	if unrecognized := inventory.UnrecognizedToolsets(); len(unrecognized) > 0 {
+	if unrecognized := inv.UnrecognizedToolsets(); len(unrecognized) > 0 {
 		cfg.Logger.Warn("Warning: unrecognized toolsets ignored", "toolsets", strings.Join(unrecognized, ", "))
 	}
 
 	// Register GitHub tools/resources/prompts from the inventory.
 	// In dynamic mode with no explicit toolsets, this is a no-op since enabledToolsets
 	// is empty - users enable toolsets at runtime via the dynamic tools below (but can
 	// enable toolsets or tools explicitly that do need registration).
-	inventory.RegisterAll(ctx, ghServer, deps)
+	inv.RegisterAll(ctx, ghServer, deps)
 
 	// Register dynamic toolset management tools (enable/disable) - these are separate
 	// meta-tools that control the inventory, not part of the inventory itself
 	if cfg.DynamicToolsets {
-		registerDynamicTools(ghServer, inventory, deps, cfg.Translator)
+		registerDynamicTools(ghServer, inv, deps, cfg.Translator)
 	}
 
 	return ghServer, nil

pkg/github/server_test.go

@@ -135,7 +135,7 @@ func TestNewMCPServer_CreatesSuccessfully(t *testing.T) {
 	require.NoError(t, err, "expected inventory build to succeed")
 
 	// Create the server
-	server, err := NewMCPServer(t.Context(), &cfg, deps, inv)
+	server, err := NewMCPServer(context.Background(), &cfg, deps, inv)
 	require.NoError(t, err, "expected server creation to succeed")
 	require.NotNil(t, server, "expected server to be non-nil")