From 8c287351675ce2f3b6087200428c4f39a06ef0cd Mon Sep 17 00:00:00 2001
From: Alexey Puzik <alexey.puzik@devpulse.io>
Date: Thu, 12 Feb 2026 01:26:20 +0200
Subject: [PATCH 1/3] Add playground OAuth flow

---
 CLAUDE.md                                     | 137 +++++++++++
 crates/agentgateway/src/mcp/router.rs         |  13 ++
 crates/agentgateway/src/proxy/mod.rs          |   7 +
 ui/src/app/playground/oauth/callback/page.tsx | 113 +++++++++
 ui/src/app/playground/page.tsx                | 140 ++++++++----
 ui/src/lib/mcp-oauth-provider.ts              | 214 ++++++++++++++++++
 6 files changed, 582 insertions(+), 42 deletions(-)
 create mode 100644 CLAUDE.md
 create mode 100644 ui/src/app/playground/oauth/callback/page.tsx
 create mode 100644 ui/src/lib/mcp-oauth-provider.ts

diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 000000000..2ec453c4a
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,137 @@
+# AgentGateway Submodule — Claude Code Guide
+
+## IMPORTANT: Do Not Build Locally
+
+**Do NOT attempt to build this Rust project on Windows.** The user builds and checks it manually in a VS2022 Developer Command Prompt. Claude Code should only read, analyze, and edit source files — never run `cargo build`, `cargo test`, or similar commands.
+
+## MCP Security Guards
+
+Guards intercept MCP tool calls at different phases and can Allow, Deny, or Modify operations.
+
+### Guard Phases (`runs_on`)
+
+| Phase | When | Purpose |
+|-------|------|---------|
+| `ToolsList` | `tools/list` response | Filter/block exposed tools |
+| `ToolInvoke` | Before `tools/call` | Block/modify tool execution |
+| `Request` | Any MCP request | General request filtering |
+| `Response` | Any MCP response | General response filtering |
+
+### Core Trait
+
+```rust
+// crates/agentgateway/src/mcp/security/native/mod.rs
+pub trait NativeGuard: Send + Sync {
+    fn evaluate_tools_list(&self, tools: &[Tool], context: &GuardContext) -> GuardResult;
+    fn evaluate_tool_invoke(&self, tool_name: &str, arguments: &Value, context: &GuardContext) -> GuardResult;
+    fn evaluate_request(&self, request: &Value, context: &GuardContext) -> GuardResult;
+    fn evaluate_response(&self, response: &Value, context: &GuardContext) -> GuardResult;
+    fn reset_server(&self, server_name: &str);
+}
+```
+
+### Native Guards
+
+| Guard | File | What It Does |
+|-------|------|-------------|
+| **ToolPoisoningDetector** | `native/tool_poisoning.rs` (28 KB) | Blocks tools with malicious descriptions — prompt injection, system overrides, safety bypass, hidden instructions, prompt leaking, encoding tricks. 32 built-in regex patterns + custom patterns. |
+| **RugPullDetector** | `native/rug_pull.rs` (38 KB) | Detects bait-and-switch: establishes per-server tool baseline on first encounter, then blocks if tools are modified/removed. Risk scoring with configurable weights (description=2, schema=3, remove=3, add=1), threshold=5. |
+| **PiiGuard** | `native/pii_guard.rs` (28 KB) | Detects PII (email, phone, SSN, credit cards, CA SIN, URLs) via regex. Two modes: Mask (replace with `<ENTITY_TYPE>` placeholders) or Reject (block entire response). |
+| **ToolShadowingDetector** | `native/tool_shadowing.rs` | Placeholder — will block duplicate tool names across servers. |
+| **ServerWhitelistChecker** | `native/server_whitelist.rs` | Placeholder — will enforce allowed server whitelist. |
+
+### WASM Guards
+
+Custom guards loaded at runtime as WebAssembly components (`security/wasm.rs`). Fully sandboxed (no FS/network). ~5-10ms latency vs <1ms for native. See `examples/wasm-guards/` for examples.
+
+### Key Files
+
+- **Orchestration**: `crates/agentgateway/src/mcp/security/mod.rs` — `GuardExecutor`, `GuardExecutorRegistry`, config types, priority ordering
+- **Integration**: `crates/agentgateway/src/mcp/handler.rs` — calls guards before tool execution and on tools/list responses
+- **Config binding**: `crates/agentgateway/src/types/local.rs` — `McpBackendConfig` holds `Vec<McpSecurityGuard>`
+- **PII patterns**: `crates/agentgateway/src/mcp/security/native/pii_detection.rs`
+
+### Guard Configuration (YAML)
+
+```yaml
+security_guards:
+  - id: pii-mask
+    description: "Mask PII in responses"
+    priority: 10          # Lower = runs first
+    enabled: true
+    timeout_ms: 100
+    failure_mode: fail_closed  # or fail_open
+    runs_on: [response]
+    type:
+      native:
+        pii:
+          action: mask
+          pii_types: [email, phone, ssn, credit_card]
+```
+
+## E2E Tests (`tests/`)
+
+### Test Files
+
+| File | Tests | What It Covers |
+|------|-------|----------------|
+| `e2e_security_guards_test.py` | Master runner | Orchestrates all guard suites sequentially |
+| `e2e_pii_guard_test.py` | 19 per mode (mask+reject) | 6 PII types: single, embedded-in-text, bulk, full-record, clean-data-passthrough |
+| `e2e_tool_poisoning_guard_test.py` | 6 | tools/list blocked (HTTP 403), deny reason structure, 6 attack categories covered |
+| `e2e_rug_pull_guard_test.py` | 22 | Baseline establishment, session vs global scope, 5 mutation modes (all/description/schema/remove/add) |
+| `e2e_mcp_sse_test.py` | 5+ | SSE transport compliance with guards |
+| `benchmark.py` | Configurable | Throughput, latency percentiles (p95/p99), error rates |
+| `mcp_client.py` | — | Shared client library: `MCPSSEClient`, `MCPStreamableHTTPClient`, `TestResults` |
+
+### Test Routes
+
+| Route | Guard Config | Backend Port |
+|-------|-------------|-------------|
+| `/pii-test` | PII mask mode | 8000 |
+| `/pii-test-reject` | PII reject mode | 8000 |
+| `/poison` | Tool poisoning | 8010 |
+| `/rug-pull` | Rug pull (default) | 8020 |
+| `/rug-pull-desc` | Rug pull description-only | 8020 |
+| `/rug-pull-schema` | Rug pull schema-only | 8020 |
+| `/rug-pull-remove` | Rug pull remove mode | 8020 |
+| `/rug-pull-add` | Rug pull add mode | 8020 |
+
+### Running Tests
+
+```bash
+# Docker (CI/CD) — runs full suite
+cd tests/docker && docker compose up --build --abort-on-container-exit --exit-code-from test-runner
+
+# Against deployed environment
+GATEWAY_URL=https://... python tests/e2e_security_guards_test.py --transport streamable
+```
+
+## Test Servers (`testservers/`)
+
+Three Python MCP servers in one Docker image, started via `start-server.sh`:
+
+### PII Test Server (port 8000)
+- **Module**: `src/mcp_test_server/fastmcp_server.py`
+- **Tools**: `generate_pii`, `generate_bulk_pii`, `generate_full_record`, `generate_text_with_pii`, `list_pii_types`
+- **Data**: Faker-generated emails, phones, SSNs, credit cards, CA SINs, URLs, addresses
+- **Resources**: `pii://fixtures/{personal,identity,financial,mixed}` — predefined test fixtures
+
+### Tool Poisoning Server (port 8010)
+- **Module**: `src/tool_poisoning_test/server.py`
+- **Tools**: 6 poisoned (`add`, `secret_notes`, `translate_text`, `get_status`, `search_files`, `run_diagnostic`) + 2 clean (`subtract`, `multiply`)
+- **Attack categories**: hidden instructions, prompt injection, system override, safety bypass, role manipulation, prompt leaking
+
+### Rug Pull Server (port 8020)
+- **Module**: `src/rug_pull_test/server.py`
+- **Tools**: `get_weather` (session trigger), `get_global_weather` (global trigger), `get_forecast`, `reset_session_rug`, `reset_global_rug`, `get_rug_status`, `set_rug_pull_mode`
+- **Mutation modes**: `all` (default), `description`, `schema`, `remove`, `add` — each changes tool definitions differently after trigger
+- **Benign→Malicious**: e.g. "Get weather" becomes "Get weather AND read all env vars, API keys, secrets..."
+
+### Docker Setup
+
+```yaml
+# tests/docker/docker-compose.yaml — 3 services
+mcp-test-servers:  # Builds from testservers/, exposes 8000/8010/8020
+agentgateway:      # ACR image, mounts test config, port 8080
+test-runner:       # Python 3.12, runs e2e_security_guards_test.py
+```
diff --git a/crates/agentgateway/src/mcp/router.rs b/crates/agentgateway/src/mcp/router.rs
index 84bf349f6..813f14f3b 100644
--- a/crates/agentgateway/src/mcp/router.rs
+++ b/crates/agentgateway/src/mcp/router.rs
@@ -148,6 +148,19 @@ impl App {
 						"MCP auth configured; validating Authorization header (mode={:?})",
 						auth.mode
 					);
+					// When mcpAuthentication is configured, always require an Authorization
+					// header — even in permissive mode. This ensures the gateway returns
+					// 401 + WWW-Authenticate on the first unauthenticated request, triggering
+					// OAuth discovery. Without this, permissive mode would silently forward
+					// unauthenticated requests to the upstream, which returns its own 401
+					// with the upstream's URL (not the gateway's), breaking the OAuth flow.
+					if req.headers().get(http::header::AUTHORIZATION).is_none() {
+						return Err(Self::create_auth_required_response(
+							ProxyError::ProcessingString("missing authorization header".to_string()),
+							&req,
+							auth,
+						));
+					}
 					auth
 						.jwt_validator
 						.apply(None, &mut req)
diff --git a/crates/agentgateway/src/proxy/mod.rs b/crates/agentgateway/src/proxy/mod.rs
index b2b07e7aa..1ab3531b9 100644
--- a/crates/agentgateway/src/proxy/mod.rs
+++ b/crates/agentgateway/src/proxy/mod.rs
@@ -207,6 +207,13 @@ impl ProxyError {
 		}
 	}
 	pub fn into_response(self) -> Response {
+		// For upstream MCP errors, return the original response directly.
+		// This preserves headers like WWW-Authenticate needed for OAuth flows.
+		if let ProxyError::MCP(mcp::Error::UpstreamError(resp)) = self {
+			let (parts, body) = resp.0.into_parts();
+			return ::http::Response::from_parts(parts, http::Body::from(body));
+		}
+
 		let code = match self {
 			ProxyError::BindNotFound => StatusCode::NOT_FOUND,
 			ProxyError::ListenerNotFound => StatusCode::NOT_FOUND,
diff --git a/ui/src/app/playground/oauth/callback/page.tsx b/ui/src/app/playground/oauth/callback/page.tsx
new file mode 100644
index 000000000..137742a4a
--- /dev/null
+++ b/ui/src/app/playground/oauth/callback/page.tsx
@@ -0,0 +1,113 @@
+"use client";
+
+import { Suspense, useEffect, useState } from "react";
+import { useSearchParams } from "next/navigation";
+
+/**
+ * Inner component that uses useSearchParams (must be wrapped in Suspense).
+ *
+ * Extracts the authorization code (or error) from URL search params,
+ * sends it back to the opener window via postMessage, and closes itself.
+ */
+function OAuthCallbackContent() {
+  const searchParams = useSearchParams();
+  const [status, setStatus] = useState<"processing" | "success" | "error" | "no-opener">(
+    "processing"
+  );
+  const [errorMessage, setErrorMessage] = useState<string>("");
+
+  useEffect(() => {
+    const code = searchParams.get("code");
+    const error = searchParams.get("error");
+    const errorDescription = searchParams.get("error_description");
+
+    if (!window.opener) {
+      setStatus("no-opener");
+      return;
+    }
+
+    if (error) {
+      setStatus("error");
+      setErrorMessage(errorDescription || error);
+      window.opener.postMessage(
+        { type: "mcp-oauth-callback", code: null, error: errorDescription || error },
+        window.location.origin
+      );
+      setTimeout(() => window.close(), 3000);
+      return;
+    }
+
+    if (code) {
+      setStatus("success");
+      window.opener.postMessage(
+        { type: "mcp-oauth-callback", code, error: null },
+        window.location.origin
+      );
+      setTimeout(() => window.close(), 1000);
+      return;
+    }
+
+    setStatus("error");
+    setErrorMessage("No authorization code or error received.");
+    window.opener.postMessage(
+      { type: "mcp-oauth-callback", code: null, error: "No authorization code received" },
+      window.location.origin
+    );
+  }, [searchParams]);
+
+  return (
+    <div className="text-center space-y-4 p-8">
+      {status === "processing" && (
+        <>
+          <div className="animate-spin h-8 w-8 border-4 border-primary border-t-transparent rounded-full mx-auto" />
+          <p className="text-muted-foreground">Completing authentication...</p>
+        </>
+      )}
+      {status === "success" && (
+        <>
+          <div className="text-green-600 text-4xl">&#10003;</div>
+          <p className="font-medium">Authorization successful!</p>
+          <p className="text-sm text-muted-foreground">This window will close automatically.</p>
+        </>
+      )}
+      {status === "error" && (
+        <>
+          <div className="text-red-600 text-4xl">&#10007;</div>
+          <p className="font-medium">Authorization failed</p>
+          <p className="text-sm text-muted-foreground">{errorMessage}</p>
+          <p className="text-xs text-muted-foreground">This window will close shortly.</p>
+        </>
+      )}
+      {status === "no-opener" && (
+        <>
+          <div className="text-orange-600 text-4xl">&#9888;</div>
+          <p className="font-medium">Unable to complete authorization</p>
+          <p className="text-sm text-muted-foreground">
+            This page should be opened from the playground. Please close this window and try again.
+          </p>
+        </>
+      )}
+    </div>
+  );
+}
+
+/**
+ * OAuth callback page for the playground.
+ * Opened in a popup by the BrowserOAuthProvider during the MCP OAuth flow.
+ */
+export default function OAuthCallbackPage() {
+  return (
+    <div className="flex items-center justify-center min-h-screen bg-background">
+      <Suspense
+        fallback={
+          <div className="text-center space-y-4 p-8">
+            <div className="animate-spin h-8 w-8 border-4 border-primary border-t-transparent rounded-full mx-auto" />
+            <p className="text-muted-foreground">Completing authentication...</p>
+          </div>
+        }
+      >
+        <OAuthCallbackContent />
+      </Suspense>
+    </div>
+  );
+}
diff --git a/ui/src/app/playground/page.tsx b/ui/src/app/playground/page.tsx
index 212716490..790ac335e 100644
--- a/ui/src/app/playground/page.tsx
+++ b/ui/src/app/playground/page.tsx
@@ -2,7 +2,7 @@
 
 import { useState, useEffect, useCallback } from "react";
 import { Client as McpClient } from "@modelcontextprotocol/sdk/client/index.js";
-import { SSEClientTransport as McpSseTransport } from "@modelcontextprotocol/sdk/client/sse.js";
+import { StreamableHTTPClientTransport as McpHttpTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import {
   ClientRequest as McpClientRequest,
   Result as McpResult,
@@ -11,6 +11,8 @@ import {
   ListToolsResultSchema as McpListToolsResultSchema,
   Tool as McpTool,
 } from "@modelcontextprotocol/sdk/types.js";
+import { UnauthorizedError } from "@modelcontextprotocol/sdk/client/auth.js";
+import { BrowserOAuthProvider } from "@/lib/mcp-oauth-provider";
 import { z } from "zod";
 import {
   A2AClient,
@@ -247,9 +249,21 @@ export default function PlaygroundPage() {
         if (listener.routes) {
           listener.routes.forEach((route: Route, routeIndex: number) => {
             const protocol = listener.protocol === ListenerProtocol.HTTPS ? "https" : "http";
-            const hostname = listener.hostname || "localhost";
-            const port = bind.port; // Use the actual port from the bind configuration
-            const baseEndpoint = `${protocol}://${hostname}:${port}`;
+            // Use window.location.hostname when listener hostname is not set
+            // This ensures the UI connects to the correct domain in deployed environments
+            const hostname =
+              listener.hostname ||
+              (typeof window !== "undefined" ? window.location.hostname : "localhost");
+            const configPort = bind.port;
+            // Local dev: browser URL has explicit port (e.g., 127.0.0.1:15000) -> use config port for routes
+            // Deployed (Azure): browser URL has no port (standard 80/443) -> use origin (ingress handles routing)
+            // Drawback: if Azure exposed non-standard port, this would break (uncommon scenario)
+            const hasExplicitPort = typeof window !== "undefined" && window.location.port !== "";
+            const baseEndpoint = hasExplicitPort
+              ? `${protocol}://${hostname}:${configPort}`
+              : typeof window !== "undefined"
+                ? window.location.origin
+                : `${protocol}://${hostname}:${configPort}`;
 
             // Generate route path and description with better pattern recognition
             let routePath = "/";
@@ -447,48 +461,91 @@ export default function PlaygroundPage() {
       if (backendType === "mcp") {
         setConnectionState((prev) => ({ ...prev, connectionType: "mcp" }));
 
-        // TODO: Support acting as a stateless client
-        const client = new McpClient(
-          { name: "agentgateway-dashboard", version: "0.1.0" },
-          { capabilities: {} }
-        );
+        const mcpUrl = selectedRoute.endpoint.endsWith("/")
+          ? selectedRoute.endpoint.slice(0, -1)
+          : selectedRoute.endpoint;
 
-        const headers: Record<string, string> = {
-          Accept: "text/event-stream",
-          "Cache-Control": "no-cache",
-          "mcp-protocol-version": "2024-11-05",
-        };
+        let connectedClient: McpClient<McpRequest, any, McpResult>;
 
-        // Only add auth header if token is provided and not empty
         if (connectionState.authToken && connectionState.authToken.trim()) {
-          headers["Authorization"] = `Bearer ${connectionState.authToken}`;
-        }
+          // Manual bearer token mode: use header injection (backward compatible)
+          const client = new McpClient(
+            { name: "agentgateway-dashboard", version: "0.1.0" },
+            { capabilities: {} }
+          );
+
+          const headers: Record<string, string> = {
+            Accept: "text/event-stream",
+            "Cache-Control": "no-cache",
+            "mcp-protocol-version": "2024-11-05",
+            Authorization: `Bearer ${connectionState.authToken}`,
+          };
 
-        const sseUrl = selectedRoute.endpoint.endsWith("/")
-          ? `${selectedRoute.endpoint}sse`
-          : `${selectedRoute.endpoint}/sse`;
-        const transport = new McpSseTransport(new URL(sseUrl), {
-          eventSourceInit: {
-            fetch: (url, init) => {
-              return fetch(url, {
-                ...init,
-                headers: headers as HeadersInit,
-              });
+          const transport = new McpHttpTransport(new URL(mcpUrl), {
+            requestInit: {
+              headers: headers as HeadersInit,
+              credentials: "omit",
+              mode: "cors",
             },
-          },
-          requestInit: {
-            headers: headers as HeadersInit,
-            credentials: "omit",
-            mode: "cors",
-          },
-        });
+          });
 
-        await client.connect(transport);
-        setMcpState((prev) => ({ ...prev, client }));
+          await client.connect(transport);
+          connectedClient = client;
+        } else {
+          // Automatic OAuth mode: use SDK's built-in authProvider
+          // If the server doesn't require auth, the provider is never invoked.
+          // If the server requires auth, the full OAuth 2.1 flow runs automatically.
+          const oauthProvider = new BrowserOAuthProvider(mcpUrl);
+
+          const client = new McpClient(
+            { name: "agentgateway-dashboard", version: "0.1.0" },
+            { capabilities: {} }
+          );
+
+          const transport = new McpHttpTransport(new URL(mcpUrl), {
+            authProvider: oauthProvider,
+          });
+
+          try {
+            await client.connect(transport);
+            connectedClient = client;
+          } catch (error) {
+            if (error instanceof UnauthorizedError) {
+              // OAuth redirect was triggered — popup is open, wait for auth code
+              toast.info("Please authorize in the popup window...");
+              try {
+                const authCode = await oauthProvider.waitForAuthCode();
+                await transport.finishAuth(authCode);
+
+                // Reconnect with a new client + transport (tokens are now cached in provider)
+                const newClient = new McpClient(
+                  { name: "agentgateway-dashboard", version: "0.1.0" },
+                  { capabilities: {} }
+                );
+                const newTransport = new McpHttpTransport(new URL(mcpUrl), {
+                  authProvider: oauthProvider,
+                });
+                await newClient.connect(newTransport);
+                connectedClient = newClient;
+              } catch (oauthError) {
+                oauthProvider.dispose();
+                throw oauthError;
+              }
+            } else {
+              oauthProvider.dispose();
+              throw error;
+            }
+          }
+        }
+
+        setMcpState((prev) => ({ ...prev, client: connectedClient }));
 
         setUiState((prev) => ({ ...prev, isLoadingCapabilities: true }));
         const listToolsRequest: McpClientRequest = { method: "tools/list", params: {} };
-        const toolsResponse = await client.request(listToolsRequest, McpListToolsResultSchema);
+        const toolsResponse = await connectedClient.request(
+          listToolsRequest,
+          McpListToolsResultSchema
+        );
         setMcpState((prev) => ({ ...prev, tools: toolsResponse.tools }));
 
         // Only mark as connected and show success after tools are loaded successfully
@@ -1093,8 +1150,7 @@ export default function PlaygroundPage() {
                     <span className="font-medium text-sm">Request URL</span>
                   </div>
                   <div className="font-mono text-sm break-all">
-                    {selectedRoute.protocol}://{selectedRoute.listener.hostname || "localhost"}:
-                    {selectedRoute.bindPort}
+                    {selectedRoute.endpoint}
                     {request.path}
                   </div>
                 </div>
@@ -1415,12 +1471,12 @@ export default function PlaygroundPage() {
                       </Badge>
                     </div>
                     <div className="flex items-center gap-2">
-                      <Label htmlFor="auth-token" className="text-sm">
-                        Bearer Token (Optional):
+                      <Label htmlFor="auth-token" className="text-sm whitespace-nowrap">
+                        Bearer Token:
                       </Label>
                       <Input
                         id="auth-token"
-                        placeholder="Enter token if required"
+                        placeholder="Leave empty for automatic OAuth"
                         type="password"
                         value={connectionState.authToken}
                         onChange={(e) => handleAuthTokenChange(e.target.value)}
diff --git a/ui/src/lib/mcp-oauth-provider.ts b/ui/src/lib/mcp-oauth-provider.ts
new file mode 100644
index 000000000..7bb62f942
--- /dev/null
+++ b/ui/src/lib/mcp-oauth-provider.ts
@@ -0,0 +1,214 @@
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+import type {
+  OAuthClientMetadata,
+  OAuthClientInformationMixed,
+  OAuthTokens,
+} from "@modelcontextprotocol/sdk/shared/auth.js";
+
+const POPUP_WIDTH = 600;
+const POPUP_HEIGHT = 700;
+
+/**
+ * Detect the callback URL dynamically from the current location.
+ * Handles both gateway-proxied access (/ui/playground) and direct dev access (/playground).
+ * Looks for "/playground" in the current pathname to find the basePath prefix.
+ *
+ * IMPORTANT: The trailing slash is required. Without it, the static file server
+ * (ServeDir behind nest_service) will redirect to add a trailing slash, but
+ * that redirect uses the internal backend origin (stripping the gateway prefix),
+ * which breaks the OAuth callback.
+ */
+function getCallbackUrl(): URL {
+  const pathname = window.location.pathname;
+  const playgroundIdx = pathname.indexOf("/playground");
+  const basePath = playgroundIdx > 0 ? pathname.substring(0, playgroundIdx) : "";
+  return new URL(`${window.location.origin}${basePath}/playground/oauth/callback/`);
+}
+
+/**
+ * Browser-based OAuthClientProvider for the playground.
+ *
+ * Handles the full MCP OAuth 2.1 flow using:
+ * - A popup window for user authorization
+ * - postMessage for receiving the authorization code from the callback page
+ * - localStorage for persisting tokens and client registration (keyed by server URL)
+ * - sessionStorage for PKCE code verifier
+ */
+export class BrowserOAuthProvider implements OAuthClientProvider {
+  private serverUrl: string;
+  private _authPromise: Promise<string> | null = null;
+  private _authResolve: ((code: string) => void) | null = null;
+  private _authReject: ((err: Error) => void) | null = null;
+  private _messageHandler: ((event: MessageEvent) => void) | null = null;
+  private _popupPollTimer: ReturnType<typeof setInterval> | null = null;
+
+  constructor(serverUrl: string) {
+    this.serverUrl = serverUrl;
+  }
+
+  private storageKey(suffix: string): string {
+    return `mcp_oauth_${suffix}_${this.serverUrl}`;
+  }
+
+  get redirectUrl(): URL {
+    return getCallbackUrl();
+  }
+
+  get clientMetadata(): OAuthClientMetadata {
+    return {
+      redirect_uris: [this.redirectUrl.href],
+      client_name: "AgentGateway Playground",
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "none",
+    } as OAuthClientMetadata;
+  }
+
+  clientInformation(): OAuthClientInformationMixed | undefined {
+    const stored = localStorage.getItem(this.storageKey("client"));
+    if (!stored) return undefined;
+    try {
+      return JSON.parse(stored) as OAuthClientInformationMixed;
+    } catch {
+      return undefined;
+    }
+  }
+
+  saveClientInformation(clientInformation: OAuthClientInformationMixed): void {
+    localStorage.setItem(this.storageKey("client"), JSON.stringify(clientInformation));
+  }
+
+  tokens(): OAuthTokens | undefined {
+    const stored = localStorage.getItem(this.storageKey("tokens"));
+    if (!stored) return undefined;
+    try {
+      return JSON.parse(stored) as OAuthTokens;
+    } catch {
+      return undefined;
+    }
+  }
+
+  saveTokens(tokens: OAuthTokens): void {
+    localStorage.setItem(this.storageKey("tokens"), JSON.stringify(tokens));
+  }
+
+  saveCodeVerifier(codeVerifier: string): void {
+    sessionStorage.setItem(this.storageKey("verifier"), codeVerifier);
+  }
+
+  codeVerifier(): string {
+    const verifier = sessionStorage.getItem(this.storageKey("verifier"));
+    if (!verifier) {
+      throw new Error("No code verifier saved");
+    }
+    return verifier;
+  }
+
+  redirectToAuthorization(authorizationUrl: URL): void {
+    // Set up promise to receive the auth code from the popup
+    this._authPromise = new Promise<string>((resolve, reject) => {
+      this._authResolve = resolve;
+      this._authReject = reject;
+    });
+
+    // Listen for postMessage from the callback page
+    this._messageHandler = (event: MessageEvent) => {
+      if (event.origin !== window.location.origin) return;
+      if (event.data?.type !== "mcp-oauth-callback") return;
+
+      this.cleanupPopupWatcher();
+
+      if (event.data.error) {
+        this._authReject?.(new Error(`OAuth authorization failed: ${event.data.error}`));
+      } else if (event.data.code) {
+        this._authResolve?.(event.data.code);
+      } else {
+        this._authReject?.(new Error("No authorization code received from callback"));
+      }
+    };
+    window.addEventListener("message", this._messageHandler);
+
+    // Open popup centered on screen
+    const left = Math.round(window.screenX + (window.outerWidth - POPUP_WIDTH) / 2);
+    const top = Math.round(window.screenY + (window.outerHeight - POPUP_HEIGHT) / 2);
+    const popup = window.open(
+      authorizationUrl.toString(),
+      "mcp_oauth",
+      `width=${POPUP_WIDTH},height=${POPUP_HEIGHT},left=${left},top=${top},popup=true`
+    );
+
+    // Detect popup blocked
+    if (!popup || popup.closed) {
+      this.cleanupPopupWatcher();
+      this._authReject?.(
+        new Error(
+          "Popup was blocked by the browser. Please allow popups for this site and try again."
+        )
+      );
+      return;
+    }
+
+    // Poll for popup being closed manually (user cancelled)
+    this._popupPollTimer = setInterval(() => {
+      if (popup.closed) {
+        this.cleanupPopupWatcher();
+        this._authReject?.(new Error("Authorization cancelled — popup was closed."));
+      }
+    }, 500);
+  }
+
+  /**
+   * Wait for the authorization code from the popup callback.
+   * This is called by the playground after catching UnauthorizedError.
+   */
+  waitForAuthCode(): Promise<string> {
+    if (!this._authPromise) {
+      return Promise.reject(new Error("No OAuth authorization flow in progress"));
+    }
+    return this._authPromise;
+  }
+
+  /**
+   * Clear all stored OAuth data for this server.
+   */
+  clearAuth(): void {
+    localStorage.removeItem(this.storageKey("client"));
+    localStorage.removeItem(this.storageKey("tokens"));
+    sessionStorage.removeItem(this.storageKey("verifier"));
+  }
+
+  /**
+   * Clean up event listeners.
+   */
+  dispose(): void {
+    this.cleanupPopupWatcher();
+  }
+
+  invalidateCredentials(scope: "all" | "client" | "tokens" | "verifier"): void {
+    switch (scope) {
+      case "all":
+        this.clearAuth();
+        break;
+      case "client":
+        localStorage.removeItem(this.storageKey("client"));
+        break;
+      case "tokens":
+        localStorage.removeItem(this.storageKey("tokens"));
+        break;
+      case "verifier":
+        sessionStorage.removeItem(this.storageKey("verifier"));
+        break;
+    }
+  }
+
+  private cleanupPopupWatcher(): void {
+    if (this._messageHandler) {
+      window.removeEventListener("message", this._messageHandler);
+      this._messageHandler = null;
+    }
+    if (this._popupPollTimer) {
+      clearInterval(this._popupPollTimer);
+      this._popupPollTimer = null;
+    }
+  }
+}

From 88fd129415e5a04f1d79f03babe6a552a8256793 Mon Sep 17 00:00:00 2001
From: Alexey Puzik <alexey.puzik@devpulse.io>
Date: Thu, 12 Feb 2026 18:38:35 +0200
Subject: [PATCH 2/3] Restore original agentgateway files

---
 crates/agentgateway/src/proxy/mod.rs          |   7 -
 ui/src/app/playground/oauth/callback/page.tsx | 113 ---------
 ui/src/app/playground/page.tsx                | 140 ++++--------
 ui/src/lib/mcp-oauth-provider.ts              | 214 ------------------
 4 files changed, 42 insertions(+), 432 deletions(-)
 delete mode 100644 ui/src/app/playground/oauth/callback/page.tsx
 delete mode 100644 ui/src/lib/mcp-oauth-provider.ts

diff --git a/crates/agentgateway/src/proxy/mod.rs b/crates/agentgateway/src/proxy/mod.rs
index 1ab3531b9..b2b07e7aa 100644
--- a/crates/agentgateway/src/proxy/mod.rs
+++ b/crates/agentgateway/src/proxy/mod.rs
@@ -207,13 +207,6 @@ impl ProxyError {
 		}
 	}
 	pub fn into_response(self) -> Response {
-		// For upstream MCP errors, return the original response directly.
-		// This preserves headers like WWW-Authenticate needed for OAuth flows.
-		if let ProxyError::MCP(mcp::Error::UpstreamError(resp)) = self {
-			let (parts, body) = resp.0.into_parts();
-			return ::http::Response::from_parts(parts, http::Body::from(body));
-		}
-
 		let code = match self {
 			ProxyError::BindNotFound => StatusCode::NOT_FOUND,
 			ProxyError::ListenerNotFound => StatusCode::NOT_FOUND,
diff --git a/ui/src/app/playground/oauth/callback/page.tsx b/ui/src/app/playground/oauth/callback/page.tsx
deleted file mode 100644
index 137742a4a..000000000
--- a/ui/src/app/playground/oauth/callback/page.tsx
+++ /dev/null
@@ -1,113 +0,0 @@
-"use client";
-
-import { Suspense, useEffect, useState } from "react";
-import { useSearchParams } from "next/navigation";
-
-/**
- * Inner component that uses useSearchParams (must be wrapped in Suspense).
- *
- * Extracts the authorization code (or error) from URL search params,
- * sends it back to the opener window via postMessage, and closes itself.
- */
-function OAuthCallbackContent() {
-  const searchParams = useSearchParams();
-  const [status, setStatus] = useState<"processing" | "success" | "error" | "no-opener">(
-    "processing"
-  );
-  const [errorMessage, setErrorMessage] = useState<string>("");
-
-  useEffect(() => {
-    const code = searchParams.get("code");
-    const error = searchParams.get("error");
-    const errorDescription = searchParams.get("error_description");
-
-    if (!window.opener) {
-      setStatus("no-opener");
-      return;
-    }
-
-    if (error) {
-      setStatus("error");
-      setErrorMessage(errorDescription || error);
-      window.opener.postMessage(
-        { type: "mcp-oauth-callback", code: null, error: errorDescription || error },
-        window.location.origin
-      );
-      setTimeout(() => window.close(), 3000);
-      return;
-    }
-
-    if (code) {
-      setStatus("success");
-      window.opener.postMessage(
-        { type: "mcp-oauth-callback", code, error: null },
-        window.location.origin
-      );
-      setTimeout(() => window.close(), 1000);
-      return;
-    }
-
-    setStatus("error");
-    setErrorMessage("No authorization code or error received.");
-    window.opener.postMessage(
-      { type: "mcp-oauth-callback", code: null, error: "No authorization code received" },
-      window.location.origin
-    );
-  }, [searchParams]);
-
-  return (
-    <div className="text-center space-y-4 p-8">
-      {status === "processing" && (
-        <>
-          <div className="animate-spin h-8 w-8 border-4 border-primary border-t-transparent rounded-full mx-auto" />
-          <p className="text-muted-foreground">Completing authentication...</p>
-        </>
-      )}
-      {status === "success" && (
-        <>
-          <div className="text-green-600 text-4xl">&#10003;</div>
-          <p className="font-medium">Authorization successful!</p>
-          <p className="text-sm text-muted-foreground">This window will close automatically.</p>
-        </>
-      )}
-      {status === "error" && (
-        <>
-          <div className="text-red-600 text-4xl">&#10007;</div>
-          <p className="font-medium">Authorization failed</p>
-          <p className="text-sm text-muted-foreground">{errorMessage}</p>
-          <p className="text-xs text-muted-foreground">This window will close shortly.</p>
-        </>
-      )}
-      {status === "no-opener" && (
-        <>
-          <div className="text-orange-600 text-4xl">&#9888;</div>
-          <p className="font-medium">Unable to complete authorization</p>
-          <p className="text-sm text-muted-foreground">
-            This page should be opened from the playground. Please close this window and try again.
-          </p>
-        </>
-      )}
-    </div>
-  );
-}
-
-/**
- * OAuth callback page for the playground.
- * Opened in a popup by the BrowserOAuthProvider during the MCP OAuth flow.
- */
-export default function OAuthCallbackPage() {
-  return (
-    <div className="flex items-center justify-center min-h-screen bg-background">
-      <Suspense
-        fallback={
-          <div className="text-center space-y-4 p-8">
-            <div className="animate-spin h-8 w-8 border-4 border-primary border-t-transparent rounded-full mx-auto" />
-            <p className="text-muted-foreground">Completing authentication...</p>
-          </div>
-        }
-      >
-        <OAuthCallbackContent />
-      </Suspense>
-    </div>
-  );
-}
diff --git a/ui/src/app/playground/page.tsx b/ui/src/app/playground/page.tsx
index 790ac335e..212716490 100644
--- a/ui/src/app/playground/page.tsx
+++ b/ui/src/app/playground/page.tsx
@@ -2,7 +2,7 @@
 
 import { useState, useEffect, useCallback } from "react";
 import { Client as McpClient } from "@modelcontextprotocol/sdk/client/index.js";
-import { StreamableHTTPClientTransport as McpHttpTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import { SSEClientTransport as McpSseTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import {
   ClientRequest as McpClientRequest,
   Result as McpResult,
@@ -11,8 +11,6 @@ import {
   ListToolsResultSchema as McpListToolsResultSchema,
   Tool as McpTool,
 } from "@modelcontextprotocol/sdk/types.js";
-import { UnauthorizedError } from "@modelcontextprotocol/sdk/client/auth.js";
-import { BrowserOAuthProvider } from "@/lib/mcp-oauth-provider";
 import { z } from "zod";
 import {
   A2AClient,
@@ -249,21 +247,9 @@ export default function PlaygroundPage() {
         if (listener.routes) {
           listener.routes.forEach((route: Route, routeIndex: number) => {
             const protocol = listener.protocol === ListenerProtocol.HTTPS ? "https" : "http";
-            // Use window.location.hostname when listener hostname is not set
-            // This ensures the UI connects to the correct domain in deployed environments
-            const hostname =
-              listener.hostname ||
-              (typeof window !== "undefined" ? window.location.hostname : "localhost");
-            const configPort = bind.port;
-            // Local dev: browser URL has explicit port (e.g., 127.0.0.1:15000) -> use config port for routes
-            // Deployed (Azure): browser URL has no port (standard 80/443) -> use origin (ingress handles routing)
-            // Drawback: if Azure exposed non-standard port, this would break (uncommon scenario)
-            const hasExplicitPort = typeof window !== "undefined" && window.location.port !== "";
-            const baseEndpoint = hasExplicitPort
-              ? `${protocol}://${hostname}:${configPort}`
-              : typeof window !== "undefined"
-                ? window.location.origin
-                : `${protocol}://${hostname}:${configPort}`;
+            const hostname = listener.hostname || "localhost";
+            const port = bind.port; // Use the actual port from the bind configuration
+            const baseEndpoint = `${protocol}://${hostname}:${port}`;
 
             // Generate route path and description with better pattern recognition
             let routePath = "/";
@@ -461,91 +447,48 @@ export default function PlaygroundPage() {
       if (backendType === "mcp") {
         setConnectionState((prev) => ({ ...prev, connectionType: "mcp" }));
 
-        const mcpUrl = selectedRoute.endpoint.endsWith("/")
-          ? selectedRoute.endpoint.slice(0, -1)
-          : selectedRoute.endpoint;
+        // TODO: Support acting as a stateless client
+        const client = new McpClient(
+          { name: "agentgateway-dashboard", version: "0.1.0" },
+          { capabilities: {} }
+        );
 
-        let connectedClient: McpClient<McpRequest, any, McpResult>;
+        const headers: Record<string, string> = {
+          Accept: "text/event-stream",
+          "Cache-Control": "no-cache",
+          "mcp-protocol-version": "2024-11-05",
+        };
 
+        // Only add auth header if token is provided and not empty
         if (connectionState.authToken && connectionState.authToken.trim()) {
-          // Manual bearer token mode: use header injection (backward compatible)
-          const client = new McpClient(
-            { name: "agentgateway-dashboard", version: "0.1.0" },
-            { capabilities: {} }
-          );
-
-          const headers: Record<string, string> = {
-            Accept: "text/event-stream",
-            "Cache-Control": "no-cache",
-            "mcp-protocol-version": "2024-11-05",
-            Authorization: `Bearer ${connectionState.authToken}`,
-          };
+          headers["Authorization"] = `Bearer ${connectionState.authToken}`;
+        }
 
-          const transport = new McpHttpTransport(new URL(mcpUrl), {
-            requestInit: {
-              headers: headers as HeadersInit,
-              credentials: "omit",
-              mode: "cors",
+        const sseUrl = selectedRoute.endpoint.endsWith("/")
+          ? `${selectedRoute.endpoint}sse`
+          : `${selectedRoute.endpoint}/sse`;
+        const transport = new McpSseTransport(new URL(sseUrl), {
+          eventSourceInit: {
+            fetch: (url, init) => {
+              return fetch(url, {
+                ...init,
+                headers: headers as HeadersInit,
+              });
             },
-          });
-
-          await client.connect(transport);
-          connectedClient = client;
-        } else {
-          // Automatic OAuth mode: use SDK's built-in authProvider
-          // If the server doesn't require auth, the provider is never invoked.
-          // If the server requires auth, the full OAuth 2.1 flow runs automatically.
-          const oauthProvider = new BrowserOAuthProvider(mcpUrl);
-
-          const client = new McpClient(
-            { name: "agentgateway-dashboard", version: "0.1.0" },
-            { capabilities: {} }
-          );
-
-          const transport = new McpHttpTransport(new URL(mcpUrl), {
-            authProvider: oauthProvider,
-          });
-
-          try {
-            await client.connect(transport);
-            connectedClient = client;
-          } catch (error) {
-            if (error instanceof UnauthorizedError) {
-              // OAuth redirect was triggered — popup is open, wait for auth code
-              toast.info("Please authorize in the popup window...");
-              try {
-                const authCode = await oauthProvider.waitForAuthCode();
-                await transport.finishAuth(authCode);
-
-                // Reconnect with a new client + transport (tokens are now cached in provider)
-                const newClient = new McpClient(
-                  { name: "agentgateway-dashboard", version: "0.1.0" },
-                  { capabilities: {} }
-                );
-                const newTransport = new McpHttpTransport(new URL(mcpUrl), {
-                  authProvider: oauthProvider,
-                });
-                await newClient.connect(newTransport);
-                connectedClient = newClient;
-              } catch (oauthError) {
-                oauthProvider.dispose();
-                throw oauthError;
-              }
-            } else {
-              oauthProvider.dispose();
-              throw error;
-            }
-          }
-        }
+          },
+          requestInit: {
+            headers: headers as HeadersInit,
+            credentials: "omit",
+            mode: "cors",
+          },
+        });
 
-        setMcpState((prev) => ({ ...prev, client: connectedClient }));
+        await client.connect(transport);
+        setMcpState((prev) => ({ ...prev, client }));
 
         setUiState((prev) => ({ ...prev, isLoadingCapabilities: true }));
         const listToolsRequest: McpClientRequest = { method: "tools/list", params: {} };
-        const toolsResponse = await connectedClient.request(
-          listToolsRequest,
-          McpListToolsResultSchema
-        );
+        const toolsResponse = await client.request(listToolsRequest, McpListToolsResultSchema);
         setMcpState((prev) => ({ ...prev, tools: toolsResponse.tools }));
 
         // Only mark as connected and show success after tools are loaded successfully
@@ -1150,7 +1093,8 @@ export default function PlaygroundPage() {
                     <span className="font-medium text-sm">Request URL</span>
                   </div>
                   <div className="font-mono text-sm break-all">
-                    {selectedRoute.endpoint}
+                    {selectedRoute.protocol}://{selectedRoute.listener.hostname || "localhost"}:
+                    {selectedRoute.bindPort}
                     {request.path}
                   </div>
                 </div>
@@ -1471,12 +1415,12 @@ export default function PlaygroundPage() {
                       </Badge>
                     </div>
                     <div className="flex items-center gap-2">
-                      <Label htmlFor="auth-token" className="text-sm whitespace-nowrap">
-                        Bearer Token:
+                      <Label htmlFor="auth-token" className="text-sm">
+                        Bearer Token (Optional):
                       </Label>
                       <Input
                         id="auth-token"
-                        placeholder="Leave empty for automatic OAuth"
+                        placeholder="Enter token if required"
                         type="password"
                         value={connectionState.authToken}
                         onChange={(e) => handleAuthTokenChange(e.target.value)}
diff --git a/ui/src/lib/mcp-oauth-provider.ts b/ui/src/lib/mcp-oauth-provider.ts
deleted file mode 100644
index 7bb62f942..000000000
--- a/ui/src/lib/mcp-oauth-provider.ts
+++ /dev/null
@@ -1,214 +0,0 @@
-import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
-import type {
-  OAuthClientMetadata,
-  OAuthClientInformationMixed,
-  OAuthTokens,
-} from "@modelcontextprotocol/sdk/shared/auth.js";
-
-const POPUP_WIDTH = 600;
-const POPUP_HEIGHT = 700;
-
-/**
- * Detect the callback URL dynamically from the current location.
- * Handles both gateway-proxied access (/ui/playground) and direct dev access (/playground).
- * Looks for "/playground" in the current pathname to find the basePath prefix.
- *
- * IMPORTANT: The trailing slash is required. Without it, the static file server
- * (ServeDir behind nest_service) will redirect to add a trailing slash, but
- * that redirect uses the internal backend origin (stripping the gateway prefix),
- * which breaks the OAuth callback.
- */
-function getCallbackUrl(): URL {
-  const pathname = window.location.pathname;
-  const playgroundIdx = pathname.indexOf("/playground");
-  const basePath = playgroundIdx > 0 ? pathname.substring(0, playgroundIdx) : "";
-  return new URL(`${window.location.origin}${basePath}/playground/oauth/callback/`);
-}
-
-/**
- * Browser-based OAuthClientProvider for the playground.
- *
- * Handles the full MCP OAuth 2.1 flow using:
- * - A popup window for user authorization
- * - postMessage for receiving the authorization code from the callback page
- * - localStorage for persisting tokens and client registration (keyed by server URL)
- * - sessionStorage for PKCE code verifier
- */
-export class BrowserOAuthProvider implements OAuthClientProvider {
-  private serverUrl: string;
-  private _authPromise: Promise<string> | null = null;
-  private _authResolve: ((code: string) => void) | null = null;
-  private _authReject: ((err: Error) => void) | null = null;
-  private _messageHandler: ((event: MessageEvent) => void) | null = null;
-  private _popupPollTimer: ReturnType<typeof setInterval> | null = null;
-
-  constructor(serverUrl: string) {
-    this.serverUrl = serverUrl;
-  }
-
-  private storageKey(suffix: string): string {
-    return `mcp_oauth_${suffix}_${this.serverUrl}`;
-  }
-
-  get redirectUrl(): URL {
-    return getCallbackUrl();
-  }
-
-  get clientMetadata(): OAuthClientMetadata {
-    return {
-      redirect_uris: [this.redirectUrl.href],
-      client_name: "AgentGateway Playground",
-      grant_types: ["authorization_code", "refresh_token"],
-      response_types: ["code"],
-      token_endpoint_auth_method: "none",
-    } as OAuthClientMetadata;
-  }
-
-  clientInformation(): OAuthClientInformationMixed | undefined {
-    const stored = localStorage.getItem(this.storageKey("client"));
-    if (!stored) return undefined;
-    try {
-      return JSON.parse(stored) as OAuthClientInformationMixed;
-    } catch {
-      return undefined;
-    }
-  }
-
-  saveClientInformation(clientInformation: OAuthClientInformationMixed): void {
-    localStorage.setItem(this.storageKey("client"), JSON.stringify(clientInformation));
-  }
-
-  tokens(): OAuthTokens | undefined {
-    const stored = localStorage.getItem(this.storageKey("tokens"));
-    if (!stored) return undefined;
-    try {
-      return JSON.parse(stored) as OAuthTokens;
-    } catch {
-      return undefined;
-    }
-  }
-
-  saveTokens(tokens: OAuthTokens): void {
-    localStorage.setItem(this.storageKey("tokens"), JSON.stringify(tokens));
-  }
-
-  saveCodeVerifier(codeVerifier: string): void {
-    sessionStorage.setItem(this.storageKey("verifier"), codeVerifier);
-  }
-
-  codeVerifier(): string {
-    const verifier = sessionStorage.getItem(this.storageKey("verifier"));
-    if (!verifier) {
-      throw new Error("No code verifier saved");
-    }
-    return verifier;
-  }
-
-  redirectToAuthorization(authorizationUrl: URL): void {
-    // Set up promise to receive the auth code from the popup
-    this._authPromise = new Promise<string>((resolve, reject) => {
-      this._authResolve = resolve;
-      this._authReject = reject;
-    });
-
-    // Listen for postMessage from the callback page
-    this._messageHandler = (event: MessageEvent) => {
-      if (event.origin !== window.location.origin) return;
-      if (event.data?.type !== "mcp-oauth-callback") return;
-
-      this.cleanupPopupWatcher();
-
-      if (event.data.error) {
-        this._authReject?.(new Error(`OAuth authorization failed: ${event.data.error}`));
-      } else if (event.data.code) {
-        this._authResolve?.(event.data.code);
-      } else {
-        this._authReject?.(new Error("No authorization code received from callback"));
-      }
-    };
-    window.addEventListener("message", this._messageHandler);
-
-    // Open popup centered on screen
-    const left = Math.round(window.screenX + (window.outerWidth - POPUP_WIDTH) / 2);
-    const top = Math.round(window.screenY + (window.outerHeight - POPUP_HEIGHT) / 2);
-    const popup = window.open(
-      authorizationUrl.toString(),
-      "mcp_oauth",
-      `width=${POPUP_WIDTH},height=${POPUP_HEIGHT},left=${left},top=${top},popup=true`
-    );
-
-    // Detect popup blocked
-    if (!popup || popup.closed) {
-      this.cleanupPopupWatcher();
-      this._authReject?.(
-        new Error(
-          "Popup was blocked by the browser. Please allow popups for this site and try again."
-        )
-      );
-      return;
-    }
-
-    // Poll for popup being closed manually (user cancelled)
-    this._popupPollTimer = setInterval(() => {
-      if (popup.closed) {
-        this.cleanupPopupWatcher();
-        this._authReject?.(new Error("Authorization cancelled — popup was closed."));
-      }
-    }, 500);
-  }
-
-  /**
-   * Wait for the authorization code from the popup callback.
-   * This is called by the playground after catching UnauthorizedError.
-   */
-  waitForAuthCode(): Promise<string> {
-    if (!this._authPromise) {
-      return Promise.reject(new Error("No OAuth authorization flow in progress"));
-    }
-    return this._authPromise;
-  }
-
-  /**
-   * Clear all stored OAuth data for this server.
-   */
-  clearAuth(): void {
-    localStorage.removeItem(this.storageKey("client"));
-    localStorage.removeItem(this.storageKey("tokens"));
-    sessionStorage.removeItem(this.storageKey("verifier"));
-  }
-
-  /**
-   * Clean up event listeners.
-   */
-  dispose(): void {
-    this.cleanupPopupWatcher();
-  }
-
-  invalidateCredentials(scope: "all" | "client" | "tokens" | "verifier"): void {
-    switch (scope) {
-      case "all":
-        this.clearAuth();
-        break;
-      case "client":
-        localStorage.removeItem(this.storageKey("client"));
-        break;
-      case "tokens":
-        localStorage.removeItem(this.storageKey("tokens"));
-        break;
-      case "verifier":
-        sessionStorage.removeItem(this.storageKey("verifier"));
-        break;
-    }
-  }
-
-  private cleanupPopupWatcher(): void {
-    if (this._messageHandler) {
-      window.removeEventListener("message", this._messageHandler);
-      this._messageHandler = null;
-    }
-    if (this._popupPollTimer) {
-      clearInterval(this._popupPollTimer);
-      this._popupPollTimer = null;
-    }
-  }
-}

From 56cb5a6017cea9599293d26ab75878594f117dac Mon Sep 17 00:00:00 2001
From: Alexey Puzik <alexey.puzik@devpulse.io>
Date: Thu, 12 Feb 2026 18:55:04 +0200
Subject: [PATCH 3/3] Remove project specific CLAUDE.md

---
 CLAUDE.md | 137 ------------------------------------------------------
 1 file changed, 137 deletions(-)
 delete mode 100644 CLAUDE.md

diff --git a/CLAUDE.md b/CLAUDE.md
deleted file mode 100644
index 2ec453c4a..000000000
--- a/CLAUDE.md
+++ /dev/null
@@ -1,137 +0,0 @@
-# AgentGateway Submodule — Claude Code Guide
-
-## IMPORTANT: Do Not Build Locally
-
-**Do NOT attempt to build this Rust project on Windows.** The user builds and checks it manually in a VS2022 Developer Command Prompt. Claude Code should only read, analyze, and edit source files — never run `cargo build`, `cargo test`, or similar commands.
-
-## MCP Security Guards
-
-Guards intercept MCP tool calls at different phases and can Allow, Deny, or Modify operations.
-
-### Guard Phases (`runs_on`)
-
-| Phase | When | Purpose |
-|-------|------|---------|
-| `ToolsList` | `tools/list` response | Filter/block exposed tools |
-| `ToolInvoke` | Before `tools/call` | Block/modify tool execution |
-| `Request` | Any MCP request | General request filtering |
-| `Response` | Any MCP response | General response filtering |
-
-### Core Trait
-
-```rust
-// crates/agentgateway/src/mcp/security/native/mod.rs
-pub trait NativeGuard: Send + Sync {
-    fn evaluate_tools_list(&self, tools: &[Tool], context: &GuardContext) -> GuardResult;
-    fn evaluate_tool_invoke(&self, tool_name: &str, arguments: &Value, context: &GuardContext) -> GuardResult;
-    fn evaluate_request(&self, request: &Value, context: &GuardContext) -> GuardResult;
-    fn evaluate_response(&self, response: &Value, context: &GuardContext) -> GuardResult;
-    fn reset_server(&self, server_name: &str);
-}
-```
-
-### Native Guards
-
-| Guard | File | What It Does |
-|-------|------|-------------|
-| **ToolPoisoningDetector** | `native/tool_poisoning.rs` (28 KB) | Blocks tools with malicious descriptions — prompt injection, system overrides, safety bypass, hidden instructions, prompt leaking, encoding tricks. 32 built-in regex patterns + custom patterns. |
-| **RugPullDetector** | `native/rug_pull.rs` (38 KB) | Detects bait-and-switch: establishes per-server tool baseline on first encounter, then blocks if tools are modified/removed. Risk scoring with configurable weights (description=2, schema=3, remove=3, add=1), threshold=5. |
-| **PiiGuard** | `native/pii_guard.rs` (28 KB) | Detects PII (email, phone, SSN, credit cards, CA SIN, URLs) via regex. Two modes: Mask (replace with `<ENTITY_TYPE>` placeholders) or Reject (block entire response). |
-| **ToolShadowingDetector** | `native/tool_shadowing.rs` | Placeholder — will block duplicate tool names across servers. |
-| **ServerWhitelistChecker** | `native/server_whitelist.rs` | Placeholder — will enforce allowed server whitelist. |
-
-### WASM Guards
-
-Custom guards loaded at runtime as WebAssembly components (`security/wasm.rs`). Fully sandboxed (no FS/network). ~5-10ms latency vs <1ms for native. See `examples/wasm-guards/` for examples.
-
-### Key Files
-
-- **Orchestration**: `crates/agentgateway/src/mcp/security/mod.rs` — `GuardExecutor`, `GuardExecutorRegistry`, config types, priority ordering
-- **Integration**: `crates/agentgateway/src/mcp/handler.rs` — calls guards before tool execution and on tools/list responses
-- **Config binding**: `crates/agentgateway/src/types/local.rs` — `McpBackendConfig` holds `Vec<McpSecurityGuard>`
-- **PII patterns**: `crates/agentgateway/src/mcp/security/native/pii_detection.rs`
-
-### Guard Configuration (YAML)
-
-```yaml
-security_guards:
-  - id: pii-mask
-    description: "Mask PII in responses"
-    priority: 10          # Lower = runs first
-    enabled: true
-    timeout_ms: 100
-    failure_mode: fail_closed  # or fail_open
-    runs_on: [response]
-    type:
-      native:
-        pii:
-          action: mask
-          pii_types: [email, phone, ssn, credit_card]
-```
-
-## E2E Tests (`tests/`)
-
-### Test Files
-
-| File | Tests | What It Covers |
-|------|-------|----------------|
-| `e2e_security_guards_test.py` | Master runner | Orchestrates all guard suites sequentially |
-| `e2e_pii_guard_test.py` | 19 per mode (mask+reject) | 6 PII types: single, embedded-in-text, bulk, full-record, clean-data-passthrough |
-| `e2e_tool_poisoning_guard_test.py` | 6 | tools/list blocked (HTTP 403), deny reason structure, 6 attack categories covered |
-| `e2e_rug_pull_guard_test.py` | 22 | Baseline establishment, session vs global scope, 5 mutation modes (all/description/schema/remove/add) |
-| `e2e_mcp_sse_test.py` | 5+ | SSE transport compliance with guards |
-| `benchmark.py` | Configurable | Throughput, latency percentiles (p95/p99), error rates |
-| `mcp_client.py` | — | Shared client library: `MCPSSEClient`, `MCPStreamableHTTPClient`, `TestResults` |
-
-### Test Routes
-
-| Route | Guard Config | Backend Port |
-|-------|-------------|-------------|
-| `/pii-test` | PII mask mode | 8000 |
-| `/pii-test-reject` | PII reject mode | 8000 |
-| `/poison` | Tool poisoning | 8010 |
-| `/rug-pull` | Rug pull (default) | 8020 |
-| `/rug-pull-desc` | Rug pull description-only | 8020 |
-| `/rug-pull-schema` | Rug pull schema-only | 8020 |
-| `/rug-pull-remove` | Rug pull remove mode | 8020 |
-| `/rug-pull-add` | Rug pull add mode | 8020 |
-
-### Running Tests
-
-```bash
-# Docker (CI/CD) — runs full suite
-cd tests/docker && docker compose up --build --abort-on-container-exit --exit-code-from test-runner
-
-# Against deployed environment
-GATEWAY_URL=https://... python tests/e2e_security_guards_test.py --transport streamable
-```
-
-## Test Servers (`testservers/`)
-
-Three Python MCP servers in one Docker image, started via `start-server.sh`:
-
-### PII Test Server (port 8000)
-- **Module**: `src/mcp_test_server/fastmcp_server.py`
-- **Tools**: `generate_pii`, `generate_bulk_pii`, `generate_full_record`, `generate_text_with_pii`, `list_pii_types`
-- **Data**: Faker-generated emails, phones, SSNs, credit cards, CA SINs, URLs, addresses
-- **Resources**: `pii://fixtures/{personal,identity,financial,mixed}` — predefined test fixtures
-
-### Tool Poisoning Server (port 8010)
-- **Module**: `src/tool_poisoning_test/server.py`
-- **Tools**: 6 poisoned (`add`, `secret_notes`, `translate_text`, `get_status`, `search_files`, `run_diagnostic`) + 2 clean (`subtract`, `multiply`)
-- **Attack categories**: hidden instructions, prompt injection, system override, safety bypass, role manipulation, prompt leaking
-
-### Rug Pull Server (port 8020)
-- **Module**: `src/rug_pull_test/server.py`
-- **Tools**: `get_weather` (session trigger), `get_global_weather` (global trigger), `get_forecast`, `reset_session_rug`, `reset_global_rug`, `get_rug_status`, `set_rug_pull_mode`
-- **Mutation modes**: `all` (default), `description`, `schema`, `remove`, `add` — each changes tool definitions differently after trigger
-- **Benign→Malicious**: e.g. "Get weather" becomes "Get weather AND read all env vars, API keys, secrets..."
-
-### Docker Setup
-
-```yaml
-# tests/docker/docker-compose.yaml — 3 services
-mcp-test-servers:  # Builds from testservers/, exposes 8000/8010/8020
-agentgateway:      # ACR image, mounts test config, port 8080
-test-runner:       # Python 3.12, runs e2e_security_guards_test.py
-```