fix(sep-2243): map custom-header check IDs to their requirements#303
Merged
Conversation
The x-mcp-header / Mcp-Param / Base64 half of SEP-2243 was already tested, but the scenarios emitted one check ID per test case while sep-2243.yaml declares one per normative requirement, so the traceability join (exact ID match) reported 14 of 20 requirements as untested. #287 collapsed the standard-header IDs but left the custom-header ones per-case. This finishes the rename and adds DECLARED_CHECK_IDS backfill (the request-metadata.ts pattern) so every requirement-level ID is emitted on every run — exercised, backfilled as FAILURE, or SKIPPED when the server under test exposes no x-mcp-header tool. SEP-2243 traceability goes from 6/20 to 18/20 tested; the remaining 2 (server-not-expect-null, server-reject-missing-required) have no test case yet. Client scenarios: - param-header-{name} -> client-mirrors-designated-params / client-encode-values / client-base64-unsafe, picked by what the parameter exercises - no-mirror-unannotated -> client-mirrors-designated-params - param-header-tool-call-gate -> client-supports-custom-headers, now also emitted SUCCESS when the annotated tool is called with Mcp-Param headers - the invalid-tool loop emits the specific x-mcp-header constraint each tool violates (not-empty / charset / unique / primitive-only) Server scenarios: - accepts-valid-base64 -> server-decode-base64 - rejects-invalid-base64-{padding,chars} -> server-reject-invalid-param-chars - literal-missing-base64-{prefix,suffix} -> server-validate-param-match - rejects-missing-custom-header -> server-validate-param-match - every custom-header rejection's -32001 check -> server-reject-param-mismatch - standard-header reject cases pass the coarse ID through the catch path too
commit: |
pcarleton
added a commit
that referenced
this pull request
May 22, 2026
Regenerated from a full client+server suite run against typescript-sdk@258f1a04a5d3 on current main: - sep-2468: the two new client checks are emitted (tested) and the two authorization-server rows move to excluded (#304) - sep-2243: 12 rows flip to tested now that the custom-header check IDs match their requirements (#303)
3 tasks
pcarleton
added a commit
that referenced
this pull request
May 22, 2026
…305) * chore: refresh SEP traceability manifest after #303 and #304 Regenerated from a full client+server suite run against typescript-sdk@258f1a04a5d3 on current main: - sep-2468: the two new client checks are emitted (tested) and the two authorization-server rows move to excluded (#304) - sep-2243: 12 rows flip to tested now that the custom-header check IDs match their requirements (#303) * chore: regenerate the manifest on top of SEP-2106 (#295) Re-ran both suites after rebasing onto main so the manifest also picks up the new sep-2106 block (1 tested, 4 excluded, 3 untracked check IDs emitted by the server scenario with no yaml row yet).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
SEP-2243's traceability showed 6 of 20 requirements tested even though the x-mcp-header / Mcp-Param / Base64 half of the SEP has had scenarios since #259. The scenarios emit one check ID per test case while
src/seps/sep-2243.yamldeclares one per normative requirement, and the traceability join is an exact ID match — so the custom-header checks never connected to their requirements. #287 collapsed the standard-header IDs but intentionally left the custom-header ones per-case.This finishes the rename and adds the
DECLARED_CHECK_IDSbackfill pattern (fromrequest-metadata.ts) so every requirement-level ID is emitted on every run — exercised, backfilled as FAILURE, or SKIPPED when the server under test exposes no x-mcp-header tool. The IDs therefore reachchecks.jsoneven when the reference SDK gates the feature off, which is what kept the manifest stuck at 6/20.SEP-2243 traceability: 6/20 → 18/20. The remaining 2 (
server-not-expect-null,server-reject-missing-required) have no test case yet and will be a follow-up.Renames
param-header-{name}(15 params)client-mirrors-designated-params/client-encode-values/client-base64-unsafe, picked by what the parameter exercisesno-mirror-unannotatedclient-mirrors-designated-paramsparam-header-tool-call-gateclient-supports-custom-headers(now also emitted SUCCESS when the annotated tool is called with ≥1Mcp-Param-*header)reject-invalid-toolloop (10 tools)x-mcp-header-not-empty/-charset/-unique/-primitive-only;client-reject-invalid-toolkeeps the "valid tool was not over-rejected" checkserver-accepts-valid-base64server-decode-base64server-rejects-invalid-base64-{padding,chars}server-reject-invalid-param-charsserver-literal-missing-base64-{prefix,suffix}server-validate-param-matchserver-rejects-missing-custom-headerserver-validate-param-match-error-codecheckserver-reject-param-mismatchserver-reject-invalid-headersJudgment calls (so they don't get re-litigated)
server-reject-invalid-param-chars: every character is in the base64 alphabet; the defect is padding. "Invalid characters" is a stretch but it's the closest requirement;server-validate-param-matchwas the alternative.server-validate-param-match: treated as the limiting case of a header/body mismatch. The separateserver-reject-missing-requiredrow (param absent from body and header) remains untested.untracked— they are not SEP requirements.Test plan
npm run typecheck,npm run lint,npx vitest run src/— 599/599 pass.http-custom-headers.test.tspins the declared-ID sets: zero-interaction runs emit exactly the declared IDs, conforming calls map each parameter kind to its requirement ID, and violations land on the violated constraint's ID.typescript-sdk@mainand fed the results throughcollectEmittedIds→computeTraceability: 18 tested / 2 untested / 4 excluded / 3 untracked.src/seps/traceability.jsonis not regenerated here — the next manifest refresh will pick up the new IDs.