feat: Add HTTP Transport Support (MVP)

[petems]

Summary

Adds minimal HTTP transport support for remote MCP access. This is a clean MVP implementation without any complex authentication, OAuth, or rate limiting - just the basics to enable HTTP access.

What's Included

Core Implementation

• --http CLI flag: Start server in HTTP mode (default: 127.0.0.1:8000)
• run_http() method: Uses StreamableHTTPServerTransport with JSON responses
• Server-side auth: Uses GITHUB_TOKEN from server environment (transparent to clients)

Tests (28 tests added, 360 total passing)

• HTTP flag parsing (default and custom host:port)
• HTTP mode validation (invalid port, missing port)
• Integration with existing CLI infrastructure
• Full test coverage maintained

Documentation

• HTTP_TRANSPORT.md: Quick start guide with client configuration
• Updated CLAUDE.md: HTTP transport overview

Usage

Start HTTP server:

# Default
uv run mcp-github-pr-review --http

# Custom host/port
uv run mcp-github-pr-review --http 0.0.0.0:3000

Client Configuration (Claude Code):

{
  "mcpServers": {
    "github-pr-review": {
      "url": "http://127.0.0.1:8000",
      "transport": "http"
    }
  }
}

Client Configuration (OpenAI Codex):

[mcp_servers.github-pr-review]
url = "http://127.0.0.1:8000"

Technical Details

• Protocol: MCP JSON-RPC over HTTP POST
• Transport: StreamableHTTPServerTransport (MCP Python SDK)
• Response Format: JSON only (no SSE)
• Server: Starlette + uvicorn
• Authentication: Server-side GitHub token (clients don't need credentials)

Future Enhancements (Not in This PR)

This is intentionally a minimal MVP. Future enhancements could include:

• Per-user GitHub token support (OAuth)
• MCP server authentication (TokenVerifier)
• Rate limiting per client
• Observability/metrics
• HTTPS/TLS support
• CORS configuration

See MULTI_TENANT_TOKEN_ARCHITECTURE.md on the old branch for detailed architecture options.

Testing

# All tests pass
uv run pytest -q
# 360 passed in 4.93s

# Quality checks pass
uv run ruff format --check .
uv run ruff check .
uv run mypy .
make compile-check

Breaking Changes

None - HTTP mode is opt-in via --http flag. Default stdio mode unchanged.

---

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added an HTTP transport mode for running the server via a new CLI option with host:port defaults, validation, and optional token-based access control.

• Documentation

  • Added an HTTP transport guide with quick start, client setup, authentication, and access-control details.

• Tests

  • Expanded tests to cover HTTP flows, auth/error paths, coverage gaps, version fallbacks, deprecation warnings, and rate-limit/PR resolution edge cases.

• Chores

  • Added a coverage make target and updated local testing/config prompts.

[gemini-code-assist]

Summary of Changes

Hello @petems, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the MCP server's accessibility by introducing an HTTP transport layer. This allows the server to be accessed remotely, moving beyond the default stdio mode. The implementation focuses on a minimal viable product, providing core HTTP functionality with server-side token authentication, and lays the groundwork for future, more complex features.

Highlights

• HTTP Transport Support: Introduced a new --http CLI flag to enable HTTP transport for the MCP server, allowing remote access for clients like Claude Code and OpenAI Codex.
• Server-Side Authentication: Implemented server-side authentication using the GITHUB_TOKEN environment variable, making client-side GitHub credentials unnecessary when using HTTP transport.
• New run_http() Method: Added an asynchronous run_http() method to PRReviewServer which leverages StreamableHTTPServerTransport, Starlette, and uvicorn to serve MCP JSON-RPC over HTTP POST.
• Updated Documentation: Created a new HTTP_TRANSPORT.md guide and updated CLAUDE.md to include instructions and details on configuring and using the new HTTP transport mode.
• CLI Argument Validation: Added robust parsing and validation for the --http flag, ensuring correct host:port format and handling invalid port inputs.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds HTTP transport support and a new CLI --http option with HOST:PORT parsing and validation; implements PRReviewServer.run_http() and _is_loopback_host() with loopback-based access control and optional token auth; adds optional HTTP deps, docs, Makefile coverage target, and expanded tests for HTTP and edge cases.

Changes

Cohort / File(s)	Summary
Core HTTP Implementation src/mcp_github_pr_review/cli.py, src/mcp_github_pr_review/server.py	Added --http CLI flag with HOST:PORT parsing/validation; added _is_loopback_host(host) and PRReviewServer.run_http(host, port) to configure ASGI/uvicorn streaming transport, enforce loopback/auth rules, and run HTTP server alongside the MCP server.
Optional HTTP Dependencies pyproject.toml	Added [project.optional-dependencies].http group with anyio, uvicorn, and starlette.
CLI Tests tests/test_cli.py	Expanded tests to cover --http parsing (default and explicit HOST:PORT), invalid values, and main() paths invoking server.run_http.
HTTP / Edge Case & Coverage Tests tests/test_coverage_gaps.py, tests/test_systematic_coverage.py, tests/test_final_push.py, tests/test_mcp_server_deprecated.py	Added tests for PR URL resolution errors, version-fallback behaviors, deprecation warnings, _is_loopback_host cases, rate-limit handling, and HTTP dependency/auth error paths.
Docs & Guidance docs/guides/http-transport.md, CLAUDE.md, prompts/RALPH_TEST_PROMPT.md	New HTTP transport guide; updated CLAUDE.md with HTTP/stdio notes and env auth vars; added testing-guideline prompt file.
Build & Misc Makefile, .claude/settings.local.json	Added coverage make target and updated .PHONY; extended local CLAUDE permissions.
Test adjustments / Exports tests/test_rate_limit_handling.py, src/mcp_github_pr_review/server.py	Removed exported symbol SecondaryRateLimitError and deleted a test exercising a secondary-limit exhaustion path.

Sequence Diagram(s)

sequenceDiagram
    actor Client
    participant Uvicorn as Uvicorn (HTTP Server)
    participant ASGI as StreamableHTTPServerTransport (ASGI)
    participant MCP as MCP Server
    participant TG as Async Task Group

    rect rgba(100,200,100,0.5)
    Note over Client,Uvicorn: HTTP Mode (--http HOST:PORT)
    Client->>Uvicorn: HTTP Request
    Uvicorn->>ASGI: Forward to ASGI app
    ASGI->>MCP: JSON-RPC request
    MCP-->>ASGI: JSON-RPC response
    ASGI-->>Uvicorn: HTTP response
    Uvicorn-->>Client: HTTP response
    end

    rect rgba(100,150,200,0.5)
    Note over TG,MCP: Concurrent Execution
    TG->>MCP: run MCP server
    TG->>Uvicorn: run uvicorn server
    end

Loading

sequenceDiagram
    participant CLI as CLI Parser
    participant Server as PRReviewServer
    participant Auth as Loopback/Auth Check
    participant Env as Env Config

    rect rgba(200,150,100,0.5)
    CLI->>CLI: parse --http HOST:PORT
    CLI->>Server: call run_http(host, port)
    Server->>Auth: _is_loopback_host(host)
    alt host is loopback
        Auth-->>Server: allow binding
    else non-loopback
        Server->>Env: read MCP_HTTP_AUTH_TOKEN / MCP_HTTP_ALLOW_PUBLIC
        Env-->>Server: require token or deny
    end
    Server->>Server: configure ASGI transport and auth middleware (if token)
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat: Enhanced GitHub API rate limit handling with structured logging #50: Touches server.py and rate-limit/export surface; overlaps with removal/handling of SecondaryRateLimitError.
• refactor: rename package and remove legacy 'spec-maker' branding #43: Earlier CLI/server refactor that this PR extends with HTTP transport, --http flag, and run_http logic.

Poem

🐇 I hopped in with a flag, --http to play,

Stdio or web, now both have a way,
Tokens and loopbacks keep access polite,
Tests multiplied under the moonlight,
Coverage blooms — hop, compile, delight!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 55.88% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: Add HTTP Transport Support (MVP)' directly and specifically summarizes the main change: adding HTTP transport capability to the MCP server as a minimal viable product.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/http-transport-mvp

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 95.45455% with 2 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/mcp_github_pr_review/cli.py	88.23%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

[gemini-code-assist]

Code Review

This pull request introduces HTTP transport support, which is a great addition for remote access. The implementation is a solid MVP. I've provided a few suggestions to enhance the robustness of the CLI argument parsing, improve dependency handling for the new HTTP feature, and correct a small omission in the documentation.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@src/mcp_github_pr_review/cli.py`:
- Around line 106-120: The HTTP startup path needs explicit validation: after
parsing args.http in the CLI, ensure the extracted host is non-empty (reject
strings like ":8000") and validate port is an integer within 1–65535; if
validation fails print a clear error to stderr and return 1 rather than calling
server.run_http; update the block around args.http parsing (the code that
computes host, port_str and calls server.run_http / asyncio.run) to perform
these checks (and strip whitespace) before invoking server.run_http(host=host,
port=port).

In `@src/mcp_github_pr_review/server.py`:
- Around line 1478-1535: The run_http method currently exposes the server over
HTTP without any auth; add an opt-in/shared-secret guard to prevent
unauthenticated use. Implement a check that is enabled by an environment
variable (e.g., REQUIRE_HTTP_AUTH=true) and reads a secret (e.g.,
HTTP_SHARED_SECRET) and reject requests that do not provide the secret in a
header (e.g., X-Shared-Secret) or query param; integrate this into the
mcp_endpoint (or wrap StreamableHTTPServerTransport.handle_request) so requests
are validated before calling transport.handle_request, and surface a clear
401/403 response when missing/invalid; document the new env vars and ensure
run_http logs a warning and refuses to bind to non-loopback unless auth is
enabled or an explicit opt-in flag is passed.

🧹 Nitpick comments (1)

tests/test_cli.py (1)

300-327: Avoid calling the mock during assertions.

mock_server.run_http(...) is invoked inside the assertion, which adds an extra call and doesn’t verify the args cleanly. Prefer asserting run_http arguments directly and using its return_value for asyncio.run.

✅ Proposed test tightening

-        mock_asyncio_run.assert_called_once_with(
-            mock_server.run_http(host="127.0.0.1", port=8000)
-        )
+        mock_server.run_http.assert_called_once_with(host="127.0.0.1", port=8000)
+        mock_asyncio_run.assert_called_once_with(mock_server.run_http.return_value)
...
-        mock_asyncio_run.assert_called_once_with(
-            mock_server.run_http(host="0.0.0.0", port=3000)  # noqa: S104
-        )
+        mock_server.run_http.assert_called_once_with(host="0.0.0.0", port=3000)  # noqa: S104
+        mock_asyncio_run.assert_called_once_with(mock_server.run_http.return_value)

[petems]

@gemini-code-assist review

[gemini-code-assist]

Code Review

This pull request introduces HTTP transport support as a minimal viable product, which is a great addition. The implementation is clean and includes a new --http CLI flag, the run_http method using StreamableHTTPServerTransport, and server-side authentication via GITHUB_TOKEN. The changes are well-documented in HTTP_TRANSPORT.md and CLAUDE.md, and are accompanied by a comprehensive set of new tests.

My review focuses on improving the security and robustness of the new HTTP server implementation. I've identified two high-severity issues in src/mcp_github_pr_review/server.py:

1. The authentication token comparison is not constant-time, which could be vulnerable to timing attacks.
2. The loopback address check does not correctly handle IPv6 addresses in brackets, which could lead to incorrect security enforcement.

I've provided detailed comments and code suggestions for both issues. Addressing these will make the new HTTP transport more secure and reliable. Overall, this is a solid contribution.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@tests/test_systematic_coverage.py`:
- Around line 146-151: Replace the problematic subscript access on __builtins__
by using the builtins module: import builtins and capture original_import =
builtins.__import__, then keep mock_import as written (raising ImportError for
"anyio", "uvicorn", "starlette") and ensure you restore builtins.__import__
after the test; update any references to original_import and mock_import
accordingly (search for original_import and mock_import in the file to locate
the change points).

🧹 Nitpick comments (1)

tests/test_systematic_coverage.py (1)

34-40: Prefer mocking filesystem access in this test.
Using a real temp directory introduces filesystem coupling; consider mocking the filesystem interaction instead.

Based on learnings: Mock external dependencies (GitHub API, filesystem) in tests.