You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SDK OAuth errors may include raw provider response bodies, and non-auth MCP HTTP errors include response text in StreamableHTTPError. Junior captures these exceptions and may attach their messages to logs or spans.
OAuth callback HTML also lacks explicit Cache-Control: no-store, a restrictive referrer policy, and CSP.
Acceptance criteria
OAuth/MCP transport errors are translated into phase-specific safe error types before logging.
Raw response bodies, authorization URLs, codes, tokens, client secrets, and provider-controlled HTML/text never enter telemetry.
Diagnostic metadata records safe phase, provider, status, resource host, and correlation IDs.
Error response reads are size-bounded.
OAuth callback responses use Cache-Control: no-store, restrictive referrer policy, CSP, and content-type protections.
Tests inject secret-bearing/malicious provider errors and assert logs, spans, and HTML remain safe.
Confirmed by the provider-agnostic OAuth implementation audit tracked in #843.
Problem
SDK OAuth errors may include raw provider response bodies, and non-auth MCP HTTP errors include response text in
StreamableHTTPError. Junior captures these exceptions and may attach their messages to logs or spans.OAuth callback HTML also lacks explicit
Cache-Control: no-store, a restrictive referrer policy, and CSP.Acceptance criteria
Cache-Control: no-store, restrictive referrer policy, CSP, and content-type protections.Confirmed by the provider-agnostic OAuth implementation audit tracked in #843.