Skip to content

test(http): cover session TTL, trust proxy, and k8s routing regressions#571

Draft
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/missing-test-coverage-db7d
Draft

test(http): cover session TTL, trust proxy, and k8s routing regressions#571
cursor[bot] wants to merge 2 commits into
mainfrom
cursor/missing-test-coverage-db7d

Conversation

@cursor

@cursor cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

Adds regression tests for the HTTP session re-authentication fix merged in #570 (fix/http-session-reauth-churn). No production logic changes except aligning packaged manifest defaults with the runtime MCP_SESSION_TTL_MS default (30 minutes).

Risky behavior now covered

  1. Interactive client session eviction — Sessions idle for ~6 minutes (e.g. claude.ai connector between prompts) must not expire under the new 30-minute default TTL; the old 5-minute default would have forced re-authentication.
  2. Per-client rate limiting behind load balancers — When HARNESS_MCP_TRUST_PROXY > 0, req.ip must resolve from X-Forwarded-For so rate limits are not shared across all clients behind a proxy.
  3. Multi-replica session routing — K8s deployment must stay at 1 replica with ClientIP session affinity until sessions are externalized, preventing cross-pod "Session not found" churn.
  4. Packaged vs runtime TTL drift — Manifest default must match ConfigSchema default so operators do not get a 5-minute packaged default while the server runs 30 minutes.

Test files added/updated

  • tests/integration/http-transport.test.ts — 30-minute TTL regression, trust-proxy req.ip resolution, per-client rate-limit buckets
  • tests/k8s/http-session-routing.test.tsnew — deployment replica count and service session affinity guardrails
  • tests/release-metadata.test.ts — manifest MCP_SESSION_TTL_MS default assertion updated to 1800000
  • manifest.json, mcp-directory/manifest.json — default aligned to 1800000

Why these tests reduce regression risk

These paths directly caused user-visible "Session not found" / re-authenticate loops in production. The tests lock in the TTL default change, proxy-aware rate limiting, and K8s routing constraints that together prevent session churn without requiring a live Harness environment or multi-pod cluster.

Type of Change

  • Bug fix
  • New feature
  • Refactor
  • Documentation
  • Other (test coverage)

Checklist

  • pnpm test passes (targeted: http-transport, http-sessions, config, release-metadata, k8s)
  • pnpm typecheck passes
  • pnpm build passes
  • pnpm standards:check passes
  • pnpm docs:check passes
Open in Web View Automation 

thisrohangupta and others added 2 commits July 7, 2026 11:07
Remote clients (e.g. the claude.ai connector) were being prompted to
re-authenticate very frequently. The connection was not actually expiring
— the server was losing the session and returning "Session not found",
which the client surfaces as a re-auth prompt. Two independent causes:

1. Multi-replica with a per-pod in-memory session store and no session
   affinity. Sessions live in a process-local Map, so a request
   load-balanced to a different replica than the one that initialized the
   session 404s. With 2 replicas this hit a large fraction of requests
   ("every prompt"). Set replicas to 1 and add Service sessionAffinity
   ClientIP; document that scaling out requires an externalized session
   store (SDK eventStore) plus sticky ingress.

2. Aggressive 5-minute idle session TTL reaped sessions during normal
   think-time (the connector holds no persistent SSE stream between
   prompts). Raise the default MCP_SESSION_TTL_MS to 30 minutes.

Also add HARNESS_MCP_TRUST_PROXY so per-IP rate limiting keys on the real
client behind a load balancer instead of bucketing all users together.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

AI-Session-Id: b8e26a07-057c-406c-bfde-245eb0c917ae
AI-Tool: claude-code
AI-Model: unknown
Add integration tests for the PR #570 HTTP session re-auth fix:
- Thirty-minute default TTL keeps interactive idle sessions alive
- Trust proxy enables per-client rate limiting behind load balancers
- K8s deployment/service guardrails for in-memory session affinity

Align packaged manifest MCP_SESSION_TTL_MS default with runtime config.

Co-authored-by: Rohan Gupta <thisrohangupta@users.noreply.github.com>
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ thisrohangupta
❌ cursoragent
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants