Skip to content

fix(auth): issue durable local MCP sessions#223

Merged
Artexis10 merged 15 commits into
mainfrom
fix/local-auth-sessions
Jul 13, 2026
Merged

fix(auth): issue durable local MCP sessions#223
Artexis10 merged 15 commits into
mainfrom
fix/local-auth-sessions

Conversation

@Artexis10

Copy link
Copy Markdown
Owner

Summary

  • replace GitHub-backed reference JWTs with durable Exomem-owned opaque sessions
  • use GitHub once for login plus immutable user-ID proof, then discard the upstream token
  • make HA session validation remote-authoritative with explicit revocation and 503 outage semantics
  • add operator commands, setup/doctor validation, coordinated rollout docs, and a Codex reuse harness

Root cause

GitHub retains at most ten OAuth tokens per user/application/scope combination. Production had accumulated 44 upstream-token records, so each new authorization could revoke another active MCP client's token and create the reauthentication loop.

Verification

  • focused auth/HA/setup gate: 201 passed, 1 skipped (NTFS does not expose POSIX chmod bits under WSL)
  • Ruff: clean
  • strict OpenSpec validation: clean
  • live hosted-client smoke and coordinated two-replica rollout remain the deployment gate

@Artexis10 Artexis10 merged commit 230a1c5 into main Jul 13, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant