fix(mcp): keep country brief context out of signed URL#4508
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Pro/OAuth
get_country_briefno longer signs its grounding context in the URL, so large country brief requests avoid proxy/CDN request-line truncation that could invalidate the downstream HMAC. The tool now signs a short/api/intelligence/v1/get-country-intel-briefURL and sends the bounded grounding context in the existing JSON POST body, which the gateway already promotes after internal-MCP verification. If this endpoint still returns a non-2xx response, the thrown error now includes the gateway error code so Sentry can distinguishinvalid_internal_mcp_signaturefrom entitlement failures.Fixes #4503.
Validation
git diff --checknode --check tests/mcp.test.mjsnode --check tests/mcp-news-auth-docs-contract.test.mjsnode --test tests/mcp-news-auth-docs-contract.test.mjs; blocked before assertions because plain Node cannot resolve this repo's extensionless TypeScript imports.npm ci --ignore-scripts --cache /tmp/worldmonitor-npm-cacheandnpm ci --ignore-scripts --omit=optional --no-audit --cache /tmp/worldmonitor-npm-cache; both failed withENOSPC: no space left on device, so thetsx --testsuites could not be run locally in this worktree.