fix: complete MCP server integration (#51)

- Extract parseMcpServers() helper with defense-in-depth enabled filtering
- Pass MCP servers (GitHub + user) on resume_session (SDK + fallback)
- Update ResumeSessionMessage type to include mcpServers
- Client sends enabled MCP servers when resuming sessions
- Add unit tests for MCP parser (9 tests) and session config (3 tests)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: devartifex

src/lib/server/copilot/session.test.ts

@@ -400,6 +400,75 @@ describe('createCopilotSession', () => {
     expect(config.customAgents).toEqual(customAgents);
   });
 
+  it('supports SSE-type MCP servers alongside HTTP servers', async () => {
+    const client = createClientMock();
+
+    await createCopilotSession(client as unknown as Parameters<typeof createCopilotSession>[0], 'gh-token', {
+      mcpServers: [
+        {
+          name: 'http-server',
+          url: 'https://api.example.com/mcp',
+          type: 'http',
+          headers: { 'X-Api-Key': 'key1' },
+          tools: ['search'],
+        },
+        {
+          name: 'sse-server',
+          url: 'https://stream.example.com/events',
+          type: 'sse',
+          headers: { Authorization: 'Bearer tok' },
+          tools: [],
+        },
+      ],
+    });
+
+    const mcpServers = getSessionConfig(client).mcpServers as Record<string, Record<string, unknown>>;
+
+    // GitHub server always present
+    expect(mcpServers.github).toBeDefined();
+
+    // HTTP server preserved as-is
+    expect(mcpServers['http-server']).toEqual({
+      type: 'http',
+      url: 'https://api.example.com/mcp',
+      headers: { 'X-Api-Key': 'key1' },
+      tools: ['search'],
+    });
+
+    // SSE server with empty tools defaults to wildcard
+    expect(mcpServers['sse-server']).toEqual({
+      type: 'sse',
+      url: 'https://stream.example.com/events',
+      headers: { Authorization: 'Bearer tok' },
+      tools: ['*'],
+    });
+  });
+
+  it('always includes GitHub MCP server with the provided token', async () => {
+    const client = createClientMock();
+
+    await createCopilotSession(client as unknown as Parameters<typeof createCopilotSession>[0], 'my-gh-token-123');
+
+    const mcpServers = getSessionConfig(client).mcpServers as Record<string, Record<string, unknown>>;
+    expect(mcpServers.github).toEqual({
+      type: 'http',
+      url: 'https://api.githubcopilot.com/mcp/x/all',
+      headers: { Authorization: 'Bearer my-gh-token-123' },
+      tools: ['*'],
+    });
+  });
+
+  it('omits user MCP servers when none are provided', async () => {
+    const client = createClientMock();
+
+    await createCopilotSession(client as unknown as Parameters<typeof createCopilotSession>[0], 'gh-token', {
+      mcpServers: [],
+    });
+
+    const mcpServers = getSessionConfig(client).mcpServers as Record<string, Record<string, unknown>>;
+    expect(Object.keys(mcpServers)).toEqual(['github']);
+  });
+
   it('wires session hooks when onHookEvent callback is provided', async () => {
     const client = createClientMock();
     const onHookEvent = vi.fn();

src/lib/server/ws/handler.ts

@@ -41,6 +41,36 @@ export function isValidAttachmentPath(filePath: string): boolean {
   return resolved.startsWith(UPLOAD_DIR_PREFIX + '/');
 }
 
+/** Parse and validate MCP server entries from a WebSocket message, filtering out disabled servers. */
+export function parseMcpServers(raw: unknown): Array<{ name: string; url: string; type: 'http' | 'sse'; headers: Record<string, string>; tools: string[] }> | undefined {
+  if (!Array.isArray(raw)) return undefined;
+  const servers = raw
+    .filter((s: unknown) => {
+      if (!s || typeof s !== 'object') return false;
+      const obj = s as Record<string, unknown>;
+      if (obj.enabled === false) return false;
+      return (
+        typeof obj.name === 'string' &&
+        typeof obj.url === 'string' &&
+        (obj.type === 'http' || obj.type === 'sse') &&
+        typeof obj.headers === 'object' && obj.headers !== null &&
+        Array.isArray(obj.tools)
+      );
+    })
+    .slice(0, 10)
+    .map((s: unknown) => {
+      const obj = s as Record<string, unknown>;
+      return {
+        name: obj.name as string,
+        url: obj.url as string,
+        type: obj.type as 'http' | 'sse',
+        headers: obj.headers as Record<string, string>,
+        tools: (obj.tools as unknown[]).filter((t): t is string => typeof t === 'string'),
+      };
+    });
+  return servers.length > 0 ? servers : undefined;
+}
+
 /** Normalize SDK quota snapshots: convert remainingPercentage from 0.0–1.0 to 0–100 and add percentageUsed */
 function normalizeQuotaSnapshots(raw: Record<string, any> | undefined): Record<string, any> | undefined {
   if (!raw) return raw;
@@ -1058,6 +1088,29 @@ export function setupWebSocket(
               // Read filesystem plan for injection into resumed session context
               const detail = await getSessionDetail(sessionId);
 
+              // Parse MCP servers from the message so resumed sessions retain MCP access
+              const resumeMcpServers = parseMcpServers(msg.mcpServers);
+
+              // Build the full MCP config (GitHub server + user servers)
+              const mcpServersConfig: Record<string, unknown> = {
+                github: {
+                  type: 'http',
+                  url: 'https://api.githubcopilot.com/mcp/x/all',
+                  headers: { Authorization: `Bearer ${githubToken}` },
+                  tools: ['*'],
+                },
+              };
+              if (resumeMcpServers) {
+                for (const s of resumeMcpServers) {
+                  mcpServersConfig[s.name] = {
+                    type: s.type,
+                    url: s.url,
+                    headers: s.headers,
+                    tools: s.tools.length > 0 ? s.tools : ['*'],
+                  };
+                }
+              }
+
               let resumed = false;
 
               // Try native SDK resume first
@@ -1067,6 +1120,7 @@ export function setupWebSocket(
                   streaming: true,
                   onUserInputRequest: makeUserInputHandler(connectionEntry),
                   configDir: resolvedConfigDir,
+                  mcpServers: mcpServersConfig as any,
                   ...(detail?.plan && {
                     systemMessage: {
                       mode: 'append' as const,
@@ -1092,6 +1146,7 @@ export function setupWebSocket(
                   onUserInputRequest: makeUserInputHandler(connectionEntry),
                   permissionMode: 'approve_all',
                   configDir: resolvedConfigDir,
+                  mcpServers: resumeMcpServers,
                   onHookEvent: (message) => poolSend(connectionEntry, message),
                 });
                 console.log(`[RESUME] Fallback session created for ${sessionId} with context injection`);

src/lib/server/ws/parse-mcp-servers.test.ts

@@ -0,0 +1,92 @@
+// @vitest-environment node
+import { describe, expect, it } from 'vitest';
+import { parseMcpServers } from './handler.js';
+
+describe('parseMcpServers', () => {
+  it('returns undefined for non-array input', () => {
+    expect(parseMcpServers(undefined)).toBeUndefined();
+    expect(parseMcpServers(null)).toBeUndefined();
+    expect(parseMcpServers('string')).toBeUndefined();
+    expect(parseMcpServers(42)).toBeUndefined();
+  });
+
+  it('returns undefined for an empty array', () => {
+    expect(parseMcpServers([])).toBeUndefined();
+  });
+
+  it('parses valid HTTP and SSE servers', () => {
+    const result = parseMcpServers([
+      { name: 'api', url: 'https://api.example.com/mcp', type: 'http', headers: { 'X-Key': 'k1' }, tools: ['search'] },
+      { name: 'stream', url: 'https://stream.example.com/events', type: 'sse', headers: {}, tools: [] },
+    ]);
+
+    expect(result).toEqual([
+      { name: 'api', url: 'https://api.example.com/mcp', type: 'http', headers: { 'X-Key': 'k1' }, tools: ['search'] },
+      { name: 'stream', url: 'https://stream.example.com/events', type: 'sse', headers: {}, tools: [] },
+    ]);
+  });
+
+  it('filters out servers with enabled === false', () => {
+    const result = parseMcpServers([
+      { name: 'active', url: 'https://a.example.com/mcp', type: 'http', headers: {}, tools: [], enabled: true },
+      { name: 'disabled', url: 'https://b.example.com/mcp', type: 'http', headers: {}, tools: [], enabled: false },
+    ]);
+
+    expect(result).toEqual([
+      { name: 'active', url: 'https://a.example.com/mcp', type: 'http', headers: {}, tools: [] },
+    ]);
+  });
+
+  it('returns undefined when all servers are disabled', () => {
+    const result = parseMcpServers([
+      { name: 's1', url: 'https://a.example.com/mcp', type: 'http', headers: {}, tools: [], enabled: false },
+      { name: 's2', url: 'https://b.example.com/mcp', type: 'sse', headers: {}, tools: [], enabled: false },
+    ]);
+
+    expect(result).toBeUndefined();
+  });
+
+  it('includes servers without an enabled field (defaults to enabled)', () => {
+    const result = parseMcpServers([
+      { name: 'no-flag', url: 'https://a.example.com/mcp', type: 'http', headers: {}, tools: [] },
+    ]);
+
+    expect(result).toHaveLength(1);
+    expect(result![0].name).toBe('no-flag');
+  });
+
+  it('rejects entries with missing or invalid fields', () => {
+    const result = parseMcpServers([
+      null,
+      { name: 'missing-url', type: 'http', headers: {}, tools: [] },
+      { name: 'bad-type', url: 'https://a.example.com', type: 'grpc', headers: {}, tools: [] },
+      { name: 'no-headers', url: 'https://a.example.com', type: 'http', tools: [] },
+      { name: 'no-tools', url: 'https://a.example.com', type: 'http', headers: {} },
+      'not-an-object',
+    ]);
+
+    expect(result).toBeUndefined();
+  });
+
+  it('limits to 10 servers', () => {
+    const servers = Array.from({ length: 15 }, (_, i) => ({
+      name: `server-${i}`,
+      url: `https://s${i}.example.com/mcp`,
+      type: 'http' as const,
+      headers: {},
+      tools: [],
+    }));
+
+    const result = parseMcpServers(servers);
+    expect(result).toHaveLength(10);
+    expect(result![9].name).toBe('server-9');
+  });
+
+  it('filters non-string values from tools arrays', () => {
+    const result = parseMcpServers([
+      { name: 'mixed-tools', url: 'https://a.example.com/mcp', type: 'http', headers: {}, tools: ['valid', 42, null, 'also-valid'] },
+    ]);
+
+    expect(result![0].tools).toEqual(['valid', 'also-valid']);
+  });
+});

src/lib/stores/ws.svelte.ts

@@ -6,6 +6,7 @@ import type {
   ServerMessage,
   NewSessionConfig,
   MessageDeliveryMode,
+  McpServerDefinition,
 } from '$lib/types/index.js';
 import { notify } from '$lib/utils/notifications.js';
 
@@ -40,7 +41,7 @@ export interface WsStore {
     mode?: MessageDeliveryMode,
   ): void;
   newSession(config: NewSessionConfig): void;
-  resumeSession(sessionId: string): void;
+  resumeSession(sessionId: string, mcpServers?: McpServerDefinition[]): void;
   setMode(mode: SessionMode): void;
   setModel(model: string): void;
   setReasoning(effort: ReasoningEffort): void;
@@ -248,9 +249,14 @@ export function createWsStore(): WsStore {
     send(msg);
   }
 
-  function resumeSession(sessionId: string): void {
+  function resumeSession(sessionId: string, mcpServers?: McpServerDefinition[]): void {
     sessionReady = false;
-    send({ type: 'resume_session', sessionId });
+    const enabledServers = mcpServers?.filter(s => s.enabled);
+    send({
+      type: 'resume_session',
+      sessionId,
+      ...(enabledServers?.length && { mcpServers: enabledServers }),
+    });
   }
 
   function setMode(mode: SessionMode): void {

src/lib/types/index.ts

@@ -695,6 +695,7 @@ export interface ListSessionsMessage {
 export interface ResumeSessionMessage {
   type: 'resume_session';
   sessionId: string;
+  mcpServers?: McpServerDefinition[];
 }
 
 export interface DeleteSessionMessage {

src/routes/+page.svelte

@@ -207,7 +207,7 @@
 
   function handleResumeSession(sessionId: string): void {
     chatStore.clearMessages();
-    wsStore.resumeSession(sessionId);
+    wsStore.resumeSession(sessionId, settings.mcpServers);
     sessionsOpen = false;
   }