Serve the Server Card at a single canonical path

SamMorrowDrums · Copilot · SamMorrowDrums · commit 35b34e873451 · 2026-06-26T10:05:52.000+02:00
The card is discovered via a single catalog link, so it must be served at exactly one canonical location. Register only the reserved relative path /server-card and drop the duplicate /mcp/server-card registration: the hosted edge strips the /mcp base path before forwarding, so the backend receives /server-card while the public URL stays https://api.githubcopilot.com/mcp/server-card. Update the tests to assert the single canonical path, guard that /mcp/server-card is no longer registered (404), and verify the static card route is not shadowed by the streamable MCP catch-all mount. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/pkg/http/servercard/handler.go b/pkg/http/servercard/handler.go
@@ -27,16 +27,17 @@ func NewHandler(cfg Config) *Handler {
 	return &Handler{cfg: cfg}
 }
 
-// RegisterRoutes mounts the Server Card handler at the reserved
-// `<streamable-http-url>/server-card` location. Because GitHub's hosted edge
-// strips the `/mcp` base path before forwarding, both `/server-card` and
-// `/mcp/server-card` are registered so the card is reachable either way. The
-// handler is registered for all methods (mirroring oauth.AuthHandler) so it
-// owns the path and answers non-GET requests itself rather than falling through
-// to the auth-gated MCP endpoint.
+// RegisterRoutes mounts the Server Card handler at the single reserved
+// `<streamable-http-url>/server-card` location. The handler is registered for
+// all methods (mirroring oauth.AuthHandler) so it owns the path and answers
+// non-GET requests itself rather than falling through to the auth-gated MCP
+// endpoint.
+//
+// The card is served at exactly one canonical location — the URL the MCP/AI
+// catalog links — so it is deliberately not also exposed under any alternate
+// path.
 func (h *Handler) RegisterRoutes(r chi.Router) {
 	r.Handle(Path, h)
-	r.Handle("/mcp"+Path, h)
 }
 
 // ServeHTTP serves the Server Card as application/mcp-server-card+json.
diff --git a/pkg/http/servercard/handler_test.go b/pkg/http/servercard/handler_test.go
@@ -129,37 +129,101 @@ func TestHandlerRegisterRoutes(t *testing.T) {
 	r := chi.NewRouter()
 	NewHandler(Config{}).RegisterRoutes(r)
 
-	for _, path := range []string{Path, "/mcp" + Path} {
-		t.Run(path, func(t *testing.T) {
-			t.Parallel()
+	t.Run("GET serves the card at the canonical path", func(t *testing.T) {
+		t.Parallel()
 
-			req := httptest.NewRequest(http.MethodGet, path, nil)
-			rec := httptest.NewRecorder()
-			r.ServeHTTP(rec, req)
+		req := httptest.NewRequest(http.MethodGet, Path, nil)
+		rec := httptest.NewRecorder()
+		r.ServeHTTP(rec, req)
 
-			res := rec.Result()
-			defer res.Body.Close()
+		res := rec.Result()
+		defer res.Body.Close()
 
-			assert.Equal(t, http.StatusOK, res.StatusCode)
-			assert.Equal(t, MediaType, res.Header.Get(headers.ContentTypeHeader))
-		})
+		assert.Equal(t, http.StatusOK, res.StatusCode)
+		assert.Equal(t, MediaType, res.Header.Get(headers.ContentTypeHeader))
+	})
 
-		t.Run(path+" POST owned by card handler", func(t *testing.T) {
-			t.Parallel()
+	t.Run("POST owned by card handler", func(t *testing.T) {
+		t.Parallel()
 
-			// The handler is registered for all methods so non-GET requests are
-			// answered here (405) rather than falling through to another route.
-			req := httptest.NewRequest(http.MethodPost, path, nil)
-			rec := httptest.NewRecorder()
-			r.ServeHTTP(rec, req)
+		// The handler is registered for all methods so non-GET requests are
+		// answered here (405) rather than falling through to another route.
+		req := httptest.NewRequest(http.MethodPost, Path, nil)
+		rec := httptest.NewRecorder()
+		r.ServeHTTP(rec, req)
 
-			res := rec.Result()
-			defer res.Body.Close()
+		res := rec.Result()
+		defer res.Body.Close()
 
-			assert.Equal(t, http.StatusMethodNotAllowed, res.StatusCode)
-			assert.Equal(t, "*", res.Header.Get("Access-Control-Allow-Origin"))
-		})
-	}
+		assert.Equal(t, http.StatusMethodNotAllowed, res.StatusCode)
+		assert.Equal(t, "*", res.Header.Get("Access-Control-Allow-Origin"))
+	})
+
+	t.Run("card is served at exactly one path", func(t *testing.T) {
+		t.Parallel()
+
+		// The card must be discoverable at a single canonical location only;
+		// no alternate path (e.g. /mcp/server-card) is registered.
+		req := httptest.NewRequest(http.MethodGet, "/mcp"+Path, nil)
+		rec := httptest.NewRecorder()
+		r.ServeHTTP(rec, req)
+
+		res := rec.Result()
+		defer res.Body.Close()
+
+		assert.Equal(t, http.StatusNotFound, res.StatusCode)
+	})
+}
+
+// TestHandlerRegisterRoutesNotShadowedByCatchAll mirrors the production wiring
+// (pkg/http/server.go), where the streamable MCP endpoint is mounted as a
+// catch-all at "/" (pkg/http/handler.go: r.Mount("/", h)). The card's static
+// route must take precedence over that wildcard mount so the card — and not the
+// auth-gated MCP endpoint — answers GET and non-GET requests at the card path.
+func TestHandlerRegisterRoutesNotShadowedByCatchAll(t *testing.T) {
+	t.Parallel()
+
+	const mcpStatus = http.StatusUnauthorized // sentinel for the auth-gated MCP endpoint
+
+	r := chi.NewRouter()
+	r.Group(func(r chi.Router) {
+		r.Mount("/", http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(mcpStatus)
+		}))
+	})
+	r.Group(func(r chi.Router) {
+		NewHandler(Config{}).RegisterRoutes(r)
+	})
+
+	t.Run("GET is owned by the card handler", func(t *testing.T) {
+		t.Parallel()
+
+		req := httptest.NewRequest(http.MethodGet, Path, nil)
+		rec := httptest.NewRecorder()
+		r.ServeHTTP(rec, req)
+
+		res := rec.Result()
+		defer res.Body.Close()
+
+		assert.Equal(t, http.StatusOK, res.StatusCode)
+		assert.Equal(t, MediaType, res.Header.Get(headers.ContentTypeHeader))
+	})
+
+	t.Run("non-GET is owned by the card handler, not the catch-all", func(t *testing.T) {
+		t.Parallel()
+
+		// A POST must get the card handler's 405, not the MCP catch-all's
+		// sentinel status — proving the static route is not shadowed.
+		req := httptest.NewRequest(http.MethodPost, Path, nil)
+		rec := httptest.NewRecorder()
+		r.ServeHTTP(rec, req)
+
+		res := rec.Result()
+		defer res.Body.Close()
+
+		assert.Equal(t, http.StatusMethodNotAllowed, res.StatusCode)
+		assert.NotEqual(t, mcpStatus, res.StatusCode)
+	})
 }
 
 func TestHandlerETagConditionalRequests(t *testing.T) {
