Add regression guard for auth context propagation through Close() #4781
Pull request overview
Adds an integration regression test to ensure auth/health-check context is still propagated through the full ListCapabilities → deferred Close() path for streamable HTTP backends, preventing a recurrence of the context.Background() teardown regression fixed in #4613.
Changes:
- Add a new integration test that spins up a real mcp-go Streamable HTTP server and calls ListCapabilities.
- Assert server-side receipt of the DELETE emitted by Close() to detect auth-context loss that would cause the request to be dropped pre-flight.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #4781 +/- ##
==========================================
+ Coverage 68.97% 69.01% +0.03%
==========================================
Files 517 517
Lines 54798 54829 +31
==========================================
+ Hits 37799 37842 +43
+ Misses 14087 14066 -21
- Partials 2912 2921 +9
LGTM — well-documented regression guard with a clear atomic flag assertion.
Extended reasoning...
Overview
This PR adds a single new integration test file () that guards against a regression in auth context propagation through . No production code is modified.
Security risks
None. This is a test-only change. The test itself exercises auth context propagation, which is a security-relevant path, but only adds coverage rather than altering behavior.
Level of scrutiny
Low. Single new test file, no production code changes, well-commented with references to the original bug (#4613) and the issue being fixed (#4725). The test logic is straightforward: spin up a real streamable-HTTP server, make a ListCapabilities call with a health-check context, and assert the DELETE from Close() reaches the server (proving auth context was propagated correctly).
Other factors
No bugs found by the automated system. The test uses standard patterns (atomic flag, httptest.NewServer, context with timeout). The approach of using a server-side flag to detect whether the DELETE reached the server is a solid regression guard strategy.
Summary
Adds an integration test for the ListCapabilities → Close() path that would fail if the context.Background() regression from #4613 were reintroduced. Uses a proper streamable-HTTP server (NewStreamableHTTPServer) so mcp-go issues a session ID and actually sends a DELETE on Close().
The assertion is a server-side atomic flag: if auth fails for the DELETE, authRoundTripper drops the request before it reaches the server, the flag stays false, and the test fails.
Fixes #4725
Test plan
- task test
- task test-e2e
- task lint-fix
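The guard strategy described in the summary, reduced to the Go standard library as an added example (not the PR's test or the project's code). `authRT`, `identityKey` and `deleteReachedServer` are hypothetical stand-ins; the real authRoundTripper and mcp-go client are assumed to behave as the description states.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

type identityKey struct{} // hypothetical context key carrying the caller identity

// authRT stands in for an auth round tripper: no identity in ctx, nothing goes on the wire.
type authRT struct{ next http.RoundTripper }

func (a authRT) RoundTrip(r *http.Request) (*http.Response, error) {
	id, ok := r.Context().Value(identityKey{}).(string)
	if !ok {
		return nil, errors.New("no identity in context: request dropped pre-flight")
	}
	r = r.Clone(r.Context()) // a RoundTripper must not mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+id)
	return a.next.RoundTrip(r)
}

// deleteReachedServer sends a teardown DELETE with teardownCtx and reports what the server saw.
func deleteReachedServer(teardownCtx context.Context) bool {
	var sawDelete atomic.Bool // server-side flag, the only thing the guard asserts on
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		sawDelete.Store(r.Method == http.MethodDelete && r.Header.Get("Authorization") != "")
	}))
	defer srv.Close()
	client := &http.Client{Transport: authRT{next: http.DefaultTransport}}
	req, _ := http.NewRequestWithContext(teardownCtx, http.MethodDelete, srv.URL, nil)
	if resp, err := client.Do(req); err == nil {
		resp.Body.Close()
	}
	return sawDelete.Load()
}

func main() {
	caller := context.WithValue(context.Background(), identityKey{}, "constructed-token")
	fmt.Println("teardown with caller context:", deleteReachedServer(caller))
	fmt.Println("teardown with context.Background():", deleteReachedServer(context.Background()))
}
```

The client-side error from the dropped request is deliberately ignored: a teardown path that swallows errors is exactly why the assertion has to live on the server side.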