Fixes CIMD validation issue

Author: isolomatov-gd

.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Rosetta 2.0 - Enterprise knowledge management system providing AI agents with unified access to instructions, workflows, skills, and business context",
-    "version": "2.0.1"
+    "version": "2.0.2"
   },
   "plugins": [
     {

.cursor-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Rosetta 2.0 - Enterprise knowledge management system providing AI agents with unified access to instructions, workflows, skills, and business context",
-    "version": "2.0.1"
+    "version": "2.0.2"
   },
   "plugins": [
     {

DEVELOPER_GUIDE.md

@@ -274,6 +274,9 @@ venv/bin/pip install -r requirements.txt
 git config core.hooksPath .githooks
 ```
 
+Git does not automatically use the repository's `.githooks/` directory.
+Each developer must run `git config core.hooksPath .githooks` once in their local clone to enable the native pre-commit hook.
+
 On Windows, use the matching root-venv interpreter and pip executable:
 
 ```powershell

agents/IMPLEMENTATION.md

@@ -34,6 +34,7 @@ For detailed change history, use git history and PRs instead of expanding this f
 - Added HTTP transport support on top of the existing `stdio` mode.
 - Added Redis-backed session and plan storage with in-memory fallbacks for local development.
 - Added OAuth/OIDC integration for HTTP deployments, including introspection-based validation and offline-refresh handling.
+- Added a FastMCP loopback redirect compatibility patch so CIMD-based OAuth clients using ephemeral localhost callback ports can complete HTTP authentication.
 - Added origin validation and cross-tool hardening around invalid inputs, malformed requests, and wrapper failures.
 - Added response-shape and schema cleanup so tool contracts are more predictable for coding agents.
 

agents/MEMORY.md

@@ -19,6 +19,9 @@ If an upstream composite action exposes a path override for an internal runtime
 ### Clear Live Auth Environment Triggers In Unit Test Fixtures [ACTIVE]
 When env vars can trigger real authentication, add an autouse fixture that strips them so CI and local unit suites never reach shared services by accident.
 
+### Approved Workaround Shape Wins Over Narrower Substitutions [ACTIVE]
+When a user explicitly approves a concrete workaround implementation shape, execute that shape or ask before deviating; do not silently replace it with a “safer” variant.
+
 ## What Worked
 
 ### Inspecting Upstream `action.yml` With `gh api` Separates Repo Fixes From Upstream Limits [ACTIVE]

ims-mcp-server/ims_mcp/auth/loopback_redirect_fix.py

@@ -0,0 +1,89 @@
+"""FastMCP workarounds for loopback redirect URI validation.
+
+This module applies a runtime monkey patch for FastMCP redirect validation so
+loopback callbacks can use ephemeral ports during OAuth flows.
+"""
+
+from __future__ import annotations
+
+import importlib
+import logging
+import sys
+from typing import TypeVar
+from urllib.parse import urlparse
+
+logger = logging.getLogger(__name__)
+
+_PATCHED_SENTINEL = "_ims_loopback_redirect_fix_patched"
+_REDIRECT_VALIDATION_MODULE = "fastmcp.server.auth.redirect_validation"
+_MODELS_MODULE = "fastmcp.server.auth.oauth_proxy.models"
+_LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
+
+T = TypeVar("T", bound=type)
+
+
+def with_loopback_redirect_fix(cls: T) -> T:
+    """Apply the approved FastMCP loopback redirect workaround once."""
+    redirect_validation_module = sys.modules.get(_REDIRECT_VALIDATION_MODULE)
+    if redirect_validation_module is None:
+        try:
+            redirect_validation_module = importlib.import_module(
+                _REDIRECT_VALIDATION_MODULE
+            )
+        except ImportError:
+            logger.warning(
+                "loopback_redirect_fix: could not import %s; patch not applied",
+                _REDIRECT_VALIDATION_MODULE,
+            )
+            return cls
+
+    if getattr(redirect_validation_module, _PATCHED_SENTINEL, False):
+        logger.debug("loopback_redirect_fix: already applied")
+        return cls
+
+    original_matches = getattr(redirect_validation_module, "matches_allowed_pattern", None)
+    if original_matches is None:
+        logger.warning(
+            "loopback_redirect_fix: %s.matches_allowed_pattern missing; patch not applied",
+            _REDIRECT_VALIDATION_MODULE,
+        )
+        return cls
+
+    def patched_matches_allowed_pattern(uri: str, pattern: str) -> bool:
+        try:
+            parsed = urlparse(uri)
+            host = parsed.hostname
+            if host and host.lower() in _LOOPBACK_HOSTS:
+                uri_no_port = parsed._replace(netloc=host).geturl()
+                pattern_parsed = urlparse(pattern)
+                pattern_host = pattern_parsed.hostname or ""
+                if pattern_host.lower() in _LOOPBACK_HOSTS:
+                    pattern_no_port = pattern_parsed._replace(
+                        netloc=pattern_host
+                    ).geturl()
+                    return bool(original_matches(uri_no_port, pattern_no_port))
+        except Exception:
+            pass
+        return bool(original_matches(uri, pattern))
+
+    setattr(
+        redirect_validation_module,
+        "matches_allowed_pattern",
+        patched_matches_allowed_pattern,
+    )
+    setattr(redirect_validation_module, _PATCHED_SENTINEL, True)
+
+    models_module = sys.modules.get(_MODELS_MODULE)
+    if models_module is None:
+        try:
+            models_module = importlib.import_module(_MODELS_MODULE)
+        except ImportError:
+            models_module = None
+
+    if models_module is not None:
+        setattr(models_module, "matches_allowed_pattern", patched_matches_allowed_pattern)
+
+    logger.info(
+        "loopback_redirect_fix: applied FastMCP localhost port-agnostic redirect matching"
+    )
+    return cls

ims-mcp-server/ims_mcp/auth/oauth.py

@@ -9,6 +9,7 @@
     from ims_mcp.config import RosettaConfig
 
 from ims_mcp.auth.offline_refresh_fix import with_offline_refresh_fix
+from ims_mcp.auth.loopback_redirect_fix import with_loopback_redirect_fix
 from ims_mcp.constants import OAUTH_MODE_OIDC, TRANSPORT_HTTP
 
 
@@ -52,6 +53,7 @@ def build_oauth_provider(
         from fastmcp.server.auth.oidc_proxy import OIDCProxy
 
         OIDCProxy = with_offline_refresh_fix(OIDCProxy)
+        OIDCProxy = with_loopback_redirect_fix(OIDCProxy)
         extra_authorize_params: dict[str, str] | None = (
             {"scope": config.oauth_extra_scopes} if config.oauth_extra_scopes else None
         )
@@ -77,6 +79,7 @@ def build_oauth_provider(
     from fastmcp.server.auth.providers.introspection import IntrospectionTokenVerifier
 
     OAuthProxy = with_offline_refresh_fix(OAuthProxy)
+    OAuthProxy = with_loopback_redirect_fix(OAuthProxy)
 
     from ims_mcp.constants import INTROSPECTION_CACHE_TTL_SECONDS
 

ims-mcp-server/tests/test_oauth.py

@@ -1,5 +1,6 @@
 """Unit tests for the OAuth provider builder."""
 
+import pytest
 from unittest.mock import patch
 
 from ims_mcp.auth.oauth import build_oauth_provider
@@ -56,14 +57,12 @@ def test_raises_when_oauth_incomplete():
         oauth_authorization_endpoint="https://kc.example.com/auth",
         # missing token/introspection/client_id/client_secret
     )
-    import pytest
     with pytest.raises(ValueError, match="requires OAuth configuration"):
         build_oauth_provider(cfg)
 
 
 def test_raises_when_all_empty():
     cfg = _make_config(transport="http")
-    import pytest
     with pytest.raises(ValueError, match="requires OAuth configuration"):
         build_oauth_provider(cfg)
 
@@ -373,3 +372,45 @@ def test_oidc_proxy_receives_base_url():
         provider = build_oauth_provider(cfg)
     assert provider is not None
     assert our_url in str(provider.base_url)
+
+
+def test_loopback_redirect_fix_accepts_localhost_with_different_port():
+    from fastmcp.server.auth.cimd import CIMDDocument
+    from fastmcp.server.auth.oauth_proxy.models import ProxyDCRClient
+    from pydantic import AnyHttpUrl, AnyUrl
+
+    build_oauth_provider(_make_full_http_config())
+
+    client = ProxyDCRClient(
+        client_id="https://claude.ai/oauth/claude-code-client-metadata",
+        client_secret=None,
+        redirect_uris=None,
+        cimd_document=CIMDDocument(
+            client_id=AnyHttpUrl("https://claude.ai/oauth/claude-code-client-metadata"),
+            redirect_uris=["http://localhost:3000/callback"],
+        ),
+    )
+
+    validated = client.validate_redirect_uri(AnyUrl("http://localhost:52605/callback"))
+    assert str(validated) == "http://localhost:52605/callback"
+
+
+def test_loopback_redirect_fix_does_not_relax_non_loopback_hosts():
+    from fastmcp.server.auth.cimd import CIMDDocument
+    from fastmcp.server.auth.oauth_proxy.models import ProxyDCRClient
+    from pydantic import AnyHttpUrl, AnyUrl
+
+    build_oauth_provider(_make_full_http_config())
+
+    client = ProxyDCRClient(
+        client_id="https://example.com/client.json",
+        client_secret=None,
+        redirect_uris=None,
+        cimd_document=CIMDDocument(
+            client_id=AnyHttpUrl("https://example.com/client.json"),
+            redirect_uris=["https://app.example.com:3000/callback"],
+        ),
+    )
+
+    with pytest.raises(Exception, match="does not match CIMD redirect_uris"):
+        client.validate_redirect_uri(AnyUrl("https://app.example.com:52605/callback"))

plugins/core-claude/.claude-plugin/plugin.json

@@ -46,10 +46,7 @@
         "capabilities": [
           "list_instructions",
           "query_instructions",
-          "get_context_instructions",
-          "list_project_context",
-          "query_project_context",
-          "store_project_context"
+          "get_context_instructions"
         ],
         "authentication": "oauth",
         "datasets": [

plugins/core-cursor/.cursor-plugin/plugin.json

@@ -44,10 +44,7 @@
         "capabilities": [
           "list_instructions",
           "query_instructions",
-          "get_context_instructions",
-          "list_project_context",
-          "query_project_context",
-          "store_project_context"
+          "get_context_instructions"
         ],
         "authentication": "oauth",
         "datasets": [