fix(mcp): deduplicate scopes in insufficient_scope challenge response

[asoorm]

Summary

• Fixes a bug where sendInsufficientScopeResponse duplicated operation scopes in the WWW-Authenticate header when scopeChallengeIncludeTokenScopes was enabled
• Root cause: challengeScopes := operationScopes aliased the slice, then append added existing scopes onto it, and the subsequent loop re-added operationScopes (already present)
• Fix: build a fresh combined slice — existing token scopes first, then operation scopes deduplicated

Test plan

• TestMCPAuthMiddleware_HTTPMiddleware/insufficient_init_scopes_-_403_with_include_token_scopes_enabled — was failing, now passes
• TestMCPAuthMiddleware_MethodLevelScopes/tools/list_with_insufficient_scopes_-_include_token_scopes — was failing, now passes
• TestMCPAuthMiddleware_MethodLevelScopes/tools/call_with_insufficient_scopes_-_include_token_scopes — was failing, now passes

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d35f4c71-6b09-41e9-a69b-237e188ee0dd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Router-nonroot image scan failed

❌ Security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-a78c462a6ea4bb52bae3773112337926c375e02b-nonroot

Please check the security vulnerabilities found in the PR.

If you believe this is a false positive, please add the vulnerability to the .trivyignore file and re-run the scan.

[codecov]

Codecov Report

❌ Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 23.62%. Comparing base (8e6cd4d) to head (5eb1985).
⚠️ Report is 1 commits behind head on ahmet/eng-8386-implement-oauth-21-authorization-and-protected-resource.

Files with missing lines	Patch %	Lines
router/pkg/mcpserver/auth_middleware.go	0.00%	6 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (8e6cd4d) and HEAD (5eb1985). Click for more details.

HEAD has 2 uploads less than BASE

Flag	BASE (8e6cd4d)	HEAD (5eb1985)
	6	4

Additional details and impacted files

@@                                             Coverage Diff                                             @@
##           ahmet/eng-8386-implement-oauth-21-authorization-and-protected-resource    #2604       +/-   ##
===========================================================================================================
- Coverage                                                                   33.93%   23.62%   -10.32%     
===========================================================================================================
  Files                                                                         227      225        -2     
  Lines                                                                       25396    25152      -244     
===========================================================================================================
- Hits                                                                         8618     5941     -2677     
- Misses                                                                      15706    18381     +2675     
+ Partials                                                                     1072      830      -242     

Files with missing lines	Coverage Δ
router/pkg/mcpserver/auth_middleware.go	0.00% <0.00%> (ø)

... and 93 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.