Skip to content

Harden hosted MCP runner web-auth flows#74

Merged
sdb001 merged 1 commit into
jl/archive-legacy-strategies-keep-cfi-hedgefrom
jl/mcp-runner-web-auth-hardening-20260703
Jul 3, 2026
Merged

Harden hosted MCP runner web-auth flows#74
sdb001 merged 1 commit into
jl/archive-legacy-strategies-keep-cfi-hedgefrom
jl/mcp-runner-web-auth-hardening-20260703

Conversation

@JaeLeex

@JaeLeex JaeLeex commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Derive view-only runner context from trusted web-auth/account headers for hosted MCP reads.
  • Let hedge proposal and dry-run execution use view-only account state while keeping real execution behind signing context.
  • Add built-in CFI projection fallback for hedge backtests and structured MCP tool errors.
  • Add repeatable MCP workload experiment harness with cleanup support.

Test plan

  • python3 -m pytest tests/test_mcp_gateway_context.py tests/test_entrypoint.py
  • python3 -m py_compile cli/mcp_server.py cli/commands/hedge.py scripts/entrypoint.py scripts/mcp_workload_experiment.py
  • Production smoke confirmed setup/account/backtest health and structured runner errors.

Made with Cursor

@sdb001

sdb001 commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Local review on this PR: the focused checks pass and I did not find a direct blocker in the agent-cli changes.

Checks run:

  • python3 -m py_compile cli/mcp_server.py cli/commands/hedge.py scripts/entrypoint.py scripts/mcp_workload_experiment.py
  • .venv312-review/bin/python -m pytest tests/test_mcp_gateway_context.py tests/test_entrypoint.py = 29 passed

I would hold merge until Nunchi-trade/web-auth#67 narrows the INTERNAL_MCP_EXPERIMENT_TOKEN auth scope. This runner flow depends on the web-auth trusted context boundary, and #67 currently accepts that internal token through shared user-scoped auth middleware.

@sdb001 sdb001 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rechecked after the web-auth auth-scope fix in Nunchi-trade/web-auth#67. I’m comfortable approving this runner PR now.

The focused checks had already passed locally:

  • python3 -m py_compile cli/mcp_server.py cli/commands/hedge.py scripts/entrypoint.py scripts/mcp_workload_experiment.py
  • .venv312-review/bin/python -m pytest tests/test_mcp_gateway_context.py tests/test_entrypoint.py = 29 passed

Merge order note: this should still land after the fixed web-auth#67 layer, since it depends on that trusted context boundary.

@sdb001 sdb001 changed the base branch from jl/archive-apex-seda-second-pass to jl/archive-legacy-strategies-keep-cfi-hedge July 3, 2026 17:27
Co-authored-by: Cursor <cursoragent@cursor.com>
@sdb001 sdb001 force-pushed the jl/mcp-runner-web-auth-hardening-20260703 branch from 2f63db6 to 72c004d Compare July 3, 2026 17:32
@sdb001 sdb001 merged commit 2ab6541 into jl/archive-legacy-strategies-keep-cfi-hedge Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants