From f8536b5474bd18c167ae688d42d5642765ae6bf6 Mon Sep 17 00:00:00 2001
From: Robert Helewka
Date: Mon, 4 May 2026 18:18:44 -0400
Subject: [PATCH] fix(mcp): exempt get_health from bearer token auth requirement

Health probes (Pallas health pollers, agent startup checks) call get_health without a bearer token. Auth should only be required for data-access tools.

Co-Authored-By: Claude Sonnet 4.6
---
 mnemosyne/mcp_server/auth.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/mnemosyne/mcp_server/auth.py b/mnemosyne/mcp_server/auth.py
index 36dc989..7fdcb8e 100644
--- a/mnemosyne/mcp_server/auth.py
+++ b/mnemosyne/mcp_server/auth.py
@@ -200,8 +200,16 @@ class MCPAuthMiddleware(Middleware):
 MCP_REQUIRE_AUTH=False.
 """
+ # Tools that don't touch user data and must be callable without a token
+ # (e.g. Pallas health pollers, agent startup probes).
+ _PUBLIC_TOOLS = {"get_health"}
+
 async def on_call_tool(self, context: MiddlewareContext, call_next):
 require_auth = getattr(settings, "MCP_REQUIRE_AUTH", True)
+
+ if require_auth and self._extract_tool_name(context) in self._PUBLIC_TOOLS:
+ return await call_next(context)
+
 token_string = self._extract_token()
 user = None
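Review bot: `_PUBLIC_TOOLS` is now the whole authentication boundary for `on_call_tool`, yet it is declared as a mutable class-level `set`, so any code that can reach the class can add a name at runtime and widen the exemption; `_PUBLIC_TOOLS = frozenset({"get_health"})` keeps it fixed. The early `return await call_next(context)` also skips everything from `token_string = self._extract_token()` onward, and that code continues outside the hunk, so if it records the caller or sets per-request user state, `get_health` will run without it; worth confirming that is intended. Because `get_health` becomes reachable without a token whenever `MCP_REQUIRE_AUTH` is on, its response should be limited to liveness status rather than versions, hostnames or backend connection details; the handler is not visible here. `_extract_tool_name` is not shown either: for a malformed request it should presumably return a value that cannot match an entry (e.g. `None`) rather than raise before the token check.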