test(http): cover session TTL, trust proxy, and k8s routing regressions#571
Draft
cursor[bot] wants to merge 2 commits into
Draft
test(http): cover session TTL, trust proxy, and k8s routing regressions#571cursor[bot] wants to merge 2 commits into
cursor[bot] wants to merge 2 commits into
Conversation
Remote clients (e.g. the claude.ai connector) were being prompted to
re-authenticate very frequently. The connection was not actually expiring
— the server was losing the session and returning "Session not found",
which the client surfaces as a re-auth prompt. Two independent causes:
1. Multi-replica with a per-pod in-memory session store and no session
affinity. Sessions live in a process-local Map, so a request
load-balanced to a different replica than the one that initialized the
session 404s. With 2 replicas this hit a large fraction of requests
("every prompt"). Set replicas to 1 and add Service sessionAffinity
ClientIP; document that scaling out requires an externalized session
store (SDK eventStore) plus sticky ingress.
2. Aggressive 5-minute idle session TTL reaped sessions during normal
think-time (the connector holds no persistent SSE stream between
prompts). Raise the default MCP_SESSION_TTL_MS to 30 minutes.
Also add HARNESS_MCP_TRUST_PROXY so per-IP rate limiting keys on the real
client behind a load balancer instead of bucketing all users together.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
AI-Session-Id: b8e26a07-057c-406c-bfde-245eb0c917ae
AI-Tool: claude-code
AI-Model: unknown
Add integration tests for the PR #570 HTTP session re-auth fix: - Thirty-minute default TTL keeps interactive idle sessions alive - Trust proxy enables per-client rate limiting behind load balancers - K8s deployment/service guardrails for in-memory session affinity Align packaged manifest MCP_SESSION_TTL_MS default with runtime config. Co-authored-by: Rohan Gupta <thisrohangupta@users.noreply.github.com>
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds regression tests for the HTTP session re-authentication fix merged in #570 (
fix/http-session-reauth-churn). No production logic changes except aligning packaged manifest defaults with the runtimeMCP_SESSION_TTL_MSdefault (30 minutes).Risky behavior now covered
HARNESS_MCP_TRUST_PROXY > 0,req.ipmust resolve fromX-Forwarded-Forso rate limits are not shared across all clients behind a proxy.ConfigSchemadefault so operators do not get a 5-minute packaged default while the server runs 30 minutes.Test files added/updated
tests/integration/http-transport.test.ts— 30-minute TTL regression, trust-proxyreq.ipresolution, per-client rate-limit bucketstests/k8s/http-session-routing.test.ts— new — deployment replica count and service session affinity guardrailstests/release-metadata.test.ts— manifestMCP_SESSION_TTL_MSdefault assertion updated to1800000manifest.json,mcp-directory/manifest.json— default aligned to1800000Why these tests reduce regression risk
These paths directly caused user-visible "Session not found" / re-authenticate loops in production. The tests lock in the TTL default change, proxy-aware rate limiting, and K8s routing constraints that together prevent session churn without requiring a live Harness environment or multi-pod cluster.
Type of Change
Checklist
pnpm testpasses (targeted: http-transport, http-sessions, config, release-metadata, k8s)pnpm typecheckpassespnpm buildpassespnpm standards:checkpassespnpm docs:checkpasses