v2.1.5 — fix /mcp redirect stripping auth + Cowork sandbox blind spot #9

Merged
mrdulasolutions merged 1 commit into main from feat/v2-monorepo
Apr 21, 2026
Conversation

@mrdulasolutions
Owner

Summary

  • Router redirect fix. POST /mcp → 307 redirect to /mcp/ was dropping the POST body AND downgrading HTTPS→HTTP, which stripped the Authorization header. Fixed with --proxy-headers on uvicorn plus ASGI middleware that rewrites the path in-place (no redirect issued).
  • Client defaults use /mcp/ (trailing slash) so installs work even before the router redeploys.
  • /connect Cowork fix — detect mcp__Control_your_Mac__osascript and use it to write credentials to the real Mac, not the Cowork sandbox.
  • Bumps plugin to v2.1.5.

Test plan

  • curl -s -o /dev/null -w '%{http_code}' -X POST https://mcp-router-production-460a.up.railway.app/mcp ... returns 200 (not 307) after deploy
  • Fresh install through /signup → paste key → /connect lands creds on real Mac when run in Cowork
  • /reva-turbo:revmyengine shows crm_*/mem_*/reva_* tools on next restart

🤖 Generated with Claude Code

Two bugs turned every non-technical install into a 40-minute debugging
session:

1. **Starlette auto-redirect.** `app.mount("/mcp", ...)` makes Starlette
   307-redirect any POST to /mcp → /mcp/. mcp-remote drops the POST
   body when following a 307, so the router reported "Missing session
   ID" on every initialize.

2. **HTTPS → HTTP protocol downgrade.** Behind Railway's TLS-terminating
   proxy, uvicorn wasn't trusting X-Forwarded-Proto, so the 307's
   Location header came back http:// instead of https://. Clients that
   did follow the redirect correctly stripped the Authorization header
   on protocol downgrade — silent 401s everywhere.

Fixes:

- **`services/mcp-router/Dockerfile`**: add `--proxy-headers
  --forwarded-allow-ips='*'` to uvicorn. Starlette now sees the real
  scheme and any redirect stays HTTPS.
- **`services/mcp-router/router/main.py`**: add ASGI middleware that
  rewrites `/mcp` → `/mcp/` IN-PLACE. No redirect issued at all —
  clients can POST to either URL and both work.
- **Client defaults updated to `/mcp/` (trailing slash)** so even on
  older router versions the redirect is bypassed:
  - `plugin/bin/reva-mcp-launch.sh` default URL
  - `plugin/scripts/desktop-install.sh` `DEFAULT_MCP_URL`
  - `plugin/skills/revmyengine/SKILL.md` /connect default

Also in this commit — fix the `/connect` Cowork sandbox blind spot:

When the engine runs inside Claude Cowork, the `Bash` tool writes to
an ephemeral sandbox filesystem, NOT the user's real Mac. Credentials
written via Bash in Cowork never reach Claude Desktop's launcher, so
the plugin stays disconnected while the PM watches us "succeed."

Fix: `/connect` now runs the same capability-detection dance as
`/heal`. If `mcp__Control_your_Mac__osascript` is present, prefer it
over `Bash` — osascript punches through the sandbox and lands the
creds on the real Mac's `~/.reva-turbo/state/mcp-credentials.env`.

Bumps plugin to v2.1.5 (VERSION, plugin.json, SKILL.md frontmatter,
signup footer).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@mrdulasolutions mrdulasolutions merged commit b67958f into main Apr 21, 2026
3 checks passed
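
An added example, not code from this PR or its repository: a dependency-free sketch of the in-place `/mcp` → `/mcp/` rewrite the commit message describes, shown next to the redirect behaviour it replaces. `SlashRewriteMiddleware`, `stub_router`, `post`, the sample bearer value and `router.example` are constructed for illustration; the project's own middleware in `router/main.py` is not shown on this page.

```python
import asyncio

class SlashRewriteMiddleware:
    """Pure ASGI middleware: serve `prefix` as `prefix/` without a redirect."""
    def __init__(self, app, prefix="/mcp"):
        self.app, self.prefix = app, prefix

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope["path"] == self.prefix:
            scope = dict(scope)  # copy so the server's scope object is not mutated
            scope["path"] = self.prefix + "/"
            scope["raw_path"] = scope["path"].encode()
        await self.app(scope, receive, send)

async def stub_router(scope, receive, send):
    """Constructed stand-in for the mounted app: redirects /mcp, serves /mcp/."""
    if scope["path"] == "/mcp":
        # Mimics the downgraded redirect: the client must re-send body and auth.
        status, headers, out = 307, [(b"location", b"http://router.example/mcp/")], b""
    else:
        body = (await receive()).get("body", b"")
        auth = dict(scope["headers"]).get(b"authorization", b"")
        status, headers, out = 200, [], auth + b"|" + body
    await send({"type": "http.response.start", "status": status, "headers": headers})
    await send({"type": "http.response.body", "body": out})

def post(app, path):
    """Drive one constructed POST through `app`; return (status, response body)."""
    scope = {"type": "http", "method": "POST", "path": path, "raw_path": path.encode(),
             "query_string": b"", "headers": [(b"authorization", b"Bearer SAMPLE-KEY")]}
    sent = []
    async def receive():
        return {"type": "http.request", "body": b'{"method":"initialize"}', "more_body": False}
    async def send(message):
        sent.append(message)
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"], sent[1]["body"]

if __name__ == "__main__":
    print(post(stub_router, "/mcp"))                          # redirect issued
    print(post(SlashRewriteMiddleware(stub_router), "/mcp"))  # handled in place
```

Because the rewritten request never produces a `Location` header, the body and `Authorization` header reach the handler on the first hop regardless of how the scheme is detected. uvicorn's `--forwarded-allow-ips='*'` accepts forwarded headers from any connecting address, so that flag is appropriate only when the container is reachable solely through the TLS-terminating proxy.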