feat(server): export SignalUnauthorized for use by external packages

wolfeidau · wolfeidau · commit d14869c1cb61 · 2026-03-23T13:35:33.000+11:00
Allows consumers such as remote-mcp-server to call SignalUnauthorized
from their own middleware without reimplementing the context key logic.
diff --git a/pkg/server/mcp.go b/pkg/server/mcp.go
@@ -52,7 +52,7 @@ func unauthorizedMiddleware(cb func()) mcp.Middleware {
 			result, err := next(ctx, method, req)
 			if err != nil && errors.Is(err, buildkite.ErrUnauthorized) {
 				log.Ctx(ctx).Warn().Msg("Buildkite API returned 401 unauthorized; token may be invalid or expired")
-				signalUnauthorized(ctx)
+				SignalUnauthorized(ctx)
 				if cb != nil {
 					cb()
 				}
diff --git a/pkg/server/unauthorized.go b/pkg/server/unauthorized.go
@@ -8,9 +8,9 @@ import (
 
 type unauthorizedContextKey struct{}
 
-// signalUnauthorized sets the unauthorized flag in the context, if present.
+// SignalUnauthorized sets the unauthorized flag in the context, if present.
 // It is a no-op when not running in HTTP mode (i.e., when the context key is absent).
-func signalUnauthorized(ctx context.Context) {
+func SignalUnauthorized(ctx context.Context) {
 	if flag, ok := ctx.Value(unauthorizedContextKey{}).(*atomic.Bool); ok {
 		flag.Store(true)
 	}
diff --git a/pkg/server/unauthorized_test.go b/pkg/server/unauthorized_test.go
@@ -30,7 +30,7 @@ func TestNewHTTPUnauthorizedHandler_UnauthorizedSignal(t *testing.T) {
 	// An inner handler that signals unauthorized via the context flag.
 	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Simulate the MCP middleware detecting ErrUnauthorized.
-		signalUnauthorized(r.Context())
+		SignalUnauthorized(r.Context())
 		// The interceptingWriter will discard these writes.
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusOK)
@@ -52,7 +52,7 @@ func TestNewHTTPUnauthorizedHandler_UnauthorizedSignal(t *testing.T) {
 func TestSignalUnauthorized_NoopWithoutContext(t *testing.T) {
 	// Should not panic when the context key is absent.
 	require.NotPanics(t, func() {
-		signalUnauthorized(context.Background())
+		SignalUnauthorized(context.Background())
 	})
 }
 
@@ -61,7 +61,7 @@ func TestSignalUnauthorized_SetsFlag(t *testing.T) {
 	ctx := context.WithValue(context.Background(), unauthorizedContextKey{}, flag)
 
 	require.False(t, flag.Load())
-	signalUnauthorized(ctx)
+	SignalUnauthorized(ctx)
 	require.True(t, flag.Load())
 }
 

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ func unauthorizedMiddleware(cb func()) mcp.Middleware {`
`52`	`52`	`result, err := next(ctx, method, req)`
`53`	`53`	`if err != nil && errors.Is(err, buildkite.ErrUnauthorized) {`
`54`	`54`	`log.Ctx(ctx).Warn().Msg("Buildkite API returned 401 unauthorized; token may be invalid or expired")`
`55`		`- signalUnauthorized(ctx)`
	`55`	`+ SignalUnauthorized(ctx)`
`56`	`56`	`if cb != nil {`
`57`	`57`	`cb()`
`58`	`58`	`}`