Sovereign-audit traced "Authorization with the MCP server failed" past discovery, DCR, /authorize → redirect → code, and into POST /oauth/token, which Fastify rejected with 415 before our handler ever ran. RFC 6749 §3.2 makes form-urlencoded the mandatory wire format for the token endpoint, and every DCR-emitting client (Claude Desktop, Cursor, OpenAI Codex, …) posts it that way. Fastify ships no built-in parser for that media type so the route 415'd from the framework's content-type layer — invisible to a code review of the route handler. Adds a small URLSearchParams-based parser next to the existing JSON one, parses the form body into a plain object so the route's zod schema picks it up unchanged. No new dependency.
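The kind of parser the commit message describes, as an added example in plain JavaScript; it is not the project's code. `parseFormBody`, `registerFormParser` and the sample body are hypothetical, and the empty-value and duplicate-parameter handling follows RFC 6749 §3.2 rather than anything the commit states.

```javascript
// Added example: hypothetical names, not the project's own code.

// Parse an application/x-www-form-urlencoded body into a flat object of strings.
function parseFormBody(raw) {
  const out = Object.create(null); // null prototype: "__proto__" is an ordinary key
  for (const [key, value] of new URLSearchParams(raw)) {
    if (value === '') continue; // RFC 6749 §3.2: a parameter without a value counts as omitted
    if (key in out) {
      // RFC 6749 §3.2: parameters MUST NOT be included more than once
      const err = new Error(`duplicate form parameter: ${key}`);
      err.statusCode = 400; // Fastify replies with err.statusCode when it is set
      throw err;
    }
    out[key] = value;
  }
  return out;
}

// Register the parser on a Fastify instance (anything exposing addContentTypeParser).
function registerFormParser(app) {
  app.addContentTypeParser(
    'application/x-www-form-urlencoded',
    { parseAs: 'string' }, // hand the parser the whole body as one string
    (request, body, done) => {
      let parsed;
      try {
        parsed = parseFormBody(body);
      } catch (err) {
        return done(err);
      }
      done(null, parsed);
    }
  );
}

// Constructed token request body (sample values, not captured traffic).
const SAMPLE_BODY =
  'grant_type=authorization_code&code=EXAMPLE-CODE' +
  '&redirect_uri=https%3A%2F%2Fclient.example%2Fcallback&scope=read+write';

// Run the registered parser against a body without starting a server.
function parseSampleThroughParser(body = SAMPLE_BODY) {
  let handler;
  registerFormParser({ addContentTypeParser: (type, opts, fn) => { handler = fn; } });
  let result;
  handler({}, body, (err, parsed) => { result = err ? { error: err } : { body: parsed }; });
  return result;
}
```

With a real server, `registerFormParser(app)` is called once before the routes are declared; the stub object in `parseSampleThroughParser` only stands in for the Fastify instance.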