chore: migrate proof primitives and enforce fail-closed gate exits #43
davidahmann merged 1 commit into main from
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 745825ed92
| func validateMCPBoundaryOAuthEvidence(call mcp.ToolCall, profile gateEvalProfile) error { | ||
| mode := strings.ToLower(strings.TrimSpace(call.Context.AuthMode)) | ||
| if mode == "" { | ||
| if raw, ok := call.Context.AuthContext["oauth_mode"]; ok { |
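Review bot: The fallback lookup on the last line uses the bare string literal "oauth_mode" as the AuthContext key, so nothing in this function ties it to the key name used by whatever code populates AuthContext. Define the key once as a shared constant and reference it here, and add a test that leaves AuthMode empty, sets the mode only in AuthContext, and checks the result when OAuth evidence is absent.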
Read `auth_mode` from `auth_context` for OAuth fail-closed checks
In `validateMCPBoundaryOAuthEvidence`, the fallback reads `call.Context.AuthContext["oauth_mode"]`, but the rest of this change propagates mode as `auth_mode` (see `core/mcp/proxy.go`), so requests that carry OAuth mode only in `context.auth_context.auth_mode` are treated as if no mode was provided. In `oss-prod`, that path hits the early `return nil` branch when `OAuthEvidence` is not set on the top-level context, which lets boundary calls bypass the new required OAuth evidence enforcement instead of failing closed.
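A simplified model of the key mismatch described in the review comment above, as an added example that is not code from the pull request. The names `callContext`, `resolveMode`, `validate`, `errMissingEvidence` and the mode value `"oauth"` are assumptions for illustration; only the keys `auth_mode` and `oauth_mode` and the early `return nil` branch come from the comment.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical stand-in for the call context; not the project's type.
type callContext struct {
	AuthMode      string
	AuthContext   map[string]any
	OAuthEvidence map[string]any
}

var errMissingEvidence = errors.New("oauth evidence required")

// resolveMode checks the top-level field, then each auth_context key in order.
func resolveMode(c callContext, keys ...string) string {
	if m := strings.ToLower(strings.TrimSpace(c.AuthMode)); m != "" {
		return m
	}
	for _, k := range keys {
		if s, ok := c.AuthContext[k].(string); ok && strings.TrimSpace(s) != "" {
			return strings.ToLower(strings.TrimSpace(s))
		}
	}
	return ""
}

// validate models the check: no mode and no evidence takes the early
// "return nil" branch; mode "oauth" (assumed value) requires evidence.
func validate(c callContext, keys ...string) error {
	mode := resolveMode(c, keys...)
	if mode == "" && c.OAuthEvidence == nil {
		return nil
	}
	if mode == "oauth" && c.OAuthEvidence == nil {
		return errMissingEvidence
	}
	return nil
}

func main() {
	// Constructed request: the mode is carried only as auth_context.auth_mode.
	c := callContext{AuthContext: map[string]any{"auth_mode": " OAuth "}}
	fmt.Println("fallback oauth_mode only:", validate(c, "oauth_mode"))
	fmt.Println("fallback auth_mode too: ", validate(c, "auth_mode", "oauth_mode"))
}
```

With only `oauth_mode` as the fallback key the constructed request is accepted without evidence; once `auth_mode` is also consulted the same request is rejected.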
Summary
- github.com/Clyra-AI/proof
- compatibility packages

Validation
- make prepush-full
- ./gait doctor --json