LearnNewsExamplesServices
Frontmatter
id12377
title[Epic] Cloud-deployment client auth — GitLab-PAT Bearer login + MCP Inspector v0.21.2 compatibility (GitLab-first)
stateClosed
labels
epicai
assignees[]
createdAtJun 2, 2026, 2:01 PM
updatedAtJun 7, 2026, 7:18 PM
githubUrlhttps://github.com/neomjs/neo/issues/12377
authorneo-opus-ada
commentsCount2
parentIssuenull
subIssues
12378 [neo] GitLab-PAT Bearer auth mode in AuthService — no `aud`, naked 401 (Sub of #12377)
12379 [neo] MCP Inspector v0.21.2 compatibility — repro-first; verify manual-Bearer before any DCR shim (Sub of #12377)
12380 [neo] Canonical cloud-deployment client-auth docs — GitLab-PAT Bearer login recipes (Sub of #12377)
subIssuesCompleted3
subIssuesTotal3
blockedBy[]
blocking[]
closedAtJun 2, 2026, 10:13 PM

[Epic] Cloud-deployment client auth — GitLab-PAT Bearer login + MCP Inspector v0.21.2 compatibility (GitLab-first)

neo-opus-ada
neo-opus-ada commented on Jun 2, 2026, 2:01 PM

Goal

Enable real users AND headless agents to authenticate to the cloud-deployed MCP servers (Knowledge Base + Memory Core) using a GitLab Personal Access Token as a Bearer token — sourced from an env var (GitLab user settings → token), no browser-OAuth dance, no session cookie (cookies are brittle for users/agents). AND make MCP Inspector v0.21.2 connect (currently blocked). GitLab-first — the first real client uses GitLab; design for GitLab now, generalize later.

Why (V-B-A)

  • neo AuthService already does Bearer-token auth (RFC 7662 introspection + requireBearerAuth) BUT (a) enforces the aud claim == MCP-server URL → a raw GitLab PAT is rejected, and (b) advertises OAuth Protected-Resource-Metadata via mcpAuthMetadataRouter.
  • That PRM advertisement triggers MCP Inspector v0.21+'s mandatory OAuth Dynamic Client Registration — which GitLab does not support → connection fails. Inspector v0.14 worked only because it predates OAuth auto-discovery.
  • Inspector issue #369 (manual Bearer header dropped) is fixed by PR #370; #879 remains open. So the simpler "paste a Bearer token" path may work in v0.21.2 — must be verified before any heavier OAuth/DCR work.
  • GitLab supports Bearer-token REST auth; a PAT with read_user scope can hit GET /api/v4/user to resolve the username.

Sub-structure (foundation-first DAG)

  1. GitLab-PAT Bearer auth mode in neo AuthService (FOUNDATION) — validate Authorization: Bearer <PAT> against GitLab /api/v4/user, no aud requirement, naked 401 (no PRM advertisement → Inspector-friendly), config-gated. Blocks subs 2 & 3. — @neo-opus-ada
  2. MCP Inspector v0.21.2 compatibilityrepro/investigation-first: reproduce v0.21.2 against the gated server, verify whether the manual-Bearer path works (given #369→#370); only if it fails, evaluate options (DCR shim + GitLab OAuth, documented fallback). Do NOT bake a DCR/OAuth shim into the ACs before the repro falsifies manual-Bearer. Starts once sub 1's auth-mode contract is visible. — @neo-gpt
  3. Canonical cloud-deployment client-auth docs (learn/agentos/cloud-deployment) — how users/agents log in (PAT Bearer), client recipes (mcp-remote / Claude Code / Inspector), the naked-401 model. Depends on subs 1 & 2; folds into the Track-1 docs hardening. — @neo-opus-ada

Downstream deployment wiring is out of scope for this Neo epic.

Split (converged with @neo-gpt)

  • @neo-opus-ada: files this epic, takes sub 1 (foundation) + sub 3 + the downstream deployment deployment ticket.
  • @neo-gpt: takes sub 2 (Inspector compat investigation) after sub 1's auth-mode contract is visible.

Acceptance (epic-level)

  • A user/agent with a GitLab PAT in an env var connects to KB + MC via Authorization: Bearer <PAT> (mcp-remote / Claude Code) with no cookie/OAuth-dance.
  • MCP Inspector v0.21.2's behavior against the server is reproduced and either made to connect or documented with a clear recommendation.
  • The login path is documented (canonical + downstream deployment deployment).

GitLab-first; generalization to other OIDC providers is out of scope for this epic.