Fix missing PRM endpoint that hinders OAuth functionality

[Copilot]

Adds the /.well-known/oauth-protected-resource (Protected Resource Metadata) endpoint to both HTTP-based transports, resolving the PRM discovery failure reported by OAuth compliance tools such as authprobe.

Changes Made

• src/services/streamable.ts: Added a GET handler at /.well-known/oauth-protected-resource/mcp (path suffix follows RFC 9728) that returns the resource metadata JSON.
• src/services/sse.ts: Added a GET handler at /.well-known/oauth-protected-resource/sse that returns the resource metadata JSON.

The resource URL is dynamically constructed from the incoming request's protocol and host headers, so it works correctly in any deployment environment without hardcoded values.

Example response for a server running at http://localhost:8024/mcp:

{ "resource": "http://localhost:8024/mcp" }

Testing

• ✅ TypeScript compilation passes
• ✅ Biome lint passes with no issues

Original prompt

---

This section details on the original issue you should resolve

<issue_title>missing PRM hinders oauth</issue_title>
<issue_description>```
Command: authprobe scan --llm-max-tokens=1080 --openai-api-key=REDACTED http://localhost:8024/mcp
Scanning: http://localhost:8024/mcp
Scan time: Feb 20, 2026 06:58:55 UTC
Github: https://github.com/authprobe/authprobe

Funnel
[1] MCP probe (401 + WWW-Authenticate) [-] SKIP
probe returned 405; checking PRM for OAuth config

[2] MCP initialize + tools/list [+] PASS
initialize -> 200
notifications/initialized -> 202
tools/list -> 200 (tools: generate_area_chart, generate_bar_chart,
generate_boxplot_chart, generate_column_chart, +23 more)

[3] PRM fetch matrix [X] FAIL
PRM unreachable or unusable; OAuth discovery unavailable

[4] Auth server metadata [-] SKIP
auth not required

[5] Token endpoint readiness (heuristics) [-] SKIP
auth not required

[6] Dynamic client registration (RFC 7591) [-] SKIP
auth not required

┌───────────────────────┤ CALL TRACE ├───────────────────────┐
Call Trace Using: https://github.com/authprobe/authprobe

┌────────────┐ ┌────────────┐
│ authprobe │ │ MCP Server │
└─────┬──────┘ └─────┬──────┘
│ │
│ ╔═══ Step 1: MCP probe ═══════╪═══════════════════╗
│ GET http://localhost:8024/mcp
│ Reason: 401 + WWW-Authenticate discovery
│ Accept: text/event-stream
│ Host: localhost:8024
├─────────────────────────────────────────────────────────────────►│
│ 405 Method Not Allowed
│ Connection: keep-alive
│ Date: Fri, 20 Feb 2026 06:58:51 GMT
│ Keep-Alive: timeout=5
│ X-Powered-By: Express
│◄─────────────────────────────────────────────────────────────────┤
│ │
│ ╔═══ Step 2: MCP initialize ═══════╪═══════════════════╗
│ POST http://localhost:8024/mcp
│ Reason: Step 2: MCP initialize + tools/list (pre-init tools/list)
│ Accept: application/json, text/event-stream
│ Content-Type: application/json
│ Host: localhost:8024
│ Mcp-Protocol-Version: 2025-11-25
├─────────────────────────────────────────────────────────────────►│
│ 200 OK
│ Cache-Control: no-cache
│ Connection: keep-alive
│ Content-Type: text/event-stream
│ Date: Fri, 20 Feb 2026 06:58:51 GMT
│ X-Powered-By: Express
│◄─────────────────────────────────────────────────────────────────┤
│ │
│ POST http://localhost:8024/mcp
│ Reason: Step 2: MCP initialize + tools/list (initialize)
│ Accept: application/json, text/event-stream
│ Content-Type: application/json
│ Host: localhost:8024
│ Mcp-Protocol-Version: 2025-11-25
├─────────────────────────────────────────────────────────────────►│
│ 200 OK
│ Cache-Control: no-cache
│ Connection: keep-alive
│ Content-Type: text/event-stream
│ Date: Fri, 20 Feb 2026 06:58:52 GMT
│ X-Powered-By: Express
│◄─────────────────────────────────────────────────────────────────┤
│ │
│ POST http://localhost:8024/mcp
│ Reason: Step 2: MCP initialize + tools/list (notifications/initialized)
│ Accept: application/json, text/event-stream
│ Content-Type: application/json
│ Host: localhost:8024
│ Mcp-Protocol-Version: 2025-11-25
├─────────────────────────────────────────────────────────────────►│
│ 202 Accepted
│ Connection: keep-alive
│ Content-Type: text/plain; charset=UTF-8
│ Date: Fri, 20 Feb 2026 06:58:52 GMT
│ Keep-Alive: timeout=5
│ X-Pow...

• Fixes missing PRM hinders oauth #269

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[hustcc]

@copilot 继续

[Copilot]

@copilot 继续

已完成修复（commit e84fcc3）。

在 streamable.ts 和 sse.ts 两个 HTTP 服务中分别新增了 /.well-known/oauth-protected-resource 端点（遵循 RFC 9728），以解决 PRM 不可达的问题。

• 对于 streamable 服务（默认端点 /mcp），PRM 路径为 /.well-known/oauth-protected-resource/mcp
• 对于 SSE 服务（默认端点 /sse），PRM 路径为 /.well-known/oauth-protected-resource/sse

返回示例：

{ "resource": "http://localhost:8024/mcp" }

[hustcc]

@clgtm 帮忙看看这个是不是解决了？

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.70%. Comparing base (d5da035) to head (bf74834).

Files with missing lines	Patch %	Lines
src/services/sse.ts	0.00%	5 Missing ⚠️
src/services/streamable.ts	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #270      +/-   ##
==========================================
- Coverage   82.10%   81.70%   -0.41%     
==========================================
  Files          43       43              
  Lines        2040     2050      +10     
  Branches       34       34              
==========================================
  Hits         1675     1675              
- Misses        363      373      +10     
  Partials        2        2              

Files with missing lines	Coverage Δ
src/services/sse.ts	1.92% <0.00%> (-0.21%)	⬇️
src/services/streamable.ts	2.00% <0.00%> (-0.23%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.