Bug: maybeAddMcpScope not executed in production when route caching is enabled #92
Description
Laravel Package Version
0.3.0
Laravel Version
12.34
PHP Version
8.3
Database Driver & Version
MySQL
Description
When MCP registers its OAuth routes via Registrar::oauthRoutes(), it calls maybeAddMcpScope() internally to ensure the mcp:use Passport scope exists.
However, when route caching is enabled (php artisan route:cache), the mcp:use scope isn’t registered in production, and /oauth/authorize requests that include scope=mcp:use fail — typically returning a 302 redirect without creating an auth code or token.
This works fine in local environments without route caching, which makes it a subtle, production-only bug.
Expected Behavior
The mcp:use scope should be registered consistently, even when routes are cached.
Root Cause
maybeAddMcpScope() runs as part of route registration. When routes are cached, that logic no longer executes, so Passport::tokensCan() never runs in production.
Potential Fix
The straightforward fix would be to move Passport::tokensCan(['mcp:use' => 'Use MCP server']) into a provider’s boot() method so it executes at application boot time instead of during route registration.
Hesitation / Design Consideration
However, doing this inside a provider introduces behavioral changes:
• This could override or merge incorrectly with user-defined scopes and may cause unexpected scope pollution in non-MCP OAuth setups.
• Therefore, it could be considered a breaking change for applications using Passport with their own scope definitions.
Steps To Reproduce
Steps to Reproduce
1. Install MCP in a Laravel app with Passport.
2. Run php artisan route:cache.
3. Attempt an /oauth/authorize request with scope=mcp:use.
4. Observe a 302 redirect or invalid_scope behavior.
5. Clear the route cache (php artisan route:clear) — it starts working again.