Fail-fast OIDC env var validation at config load time (#3367)

When an HTTP server uses `auth.type: "github-oidc"`, missing
`ACTIONS_ID_TOKEN_REQUEST_URL` was only surfaced on first request. The
gateway would start, report healthy, then fail when a client actually
hit the OIDC server.

### Changes

- **`internal/config/validation.go`** — Check
`ACTIONS_ID_TOKEN_REQUEST_URL` in `validateAuthConfig()` after
confirming `auth.type == "github-oidc"`, returning a fail-fast
validation error at config load time
- **`internal/launcher/launcher.go`** — Pre-populate `serverErrors`
during `New()` for OIDC-misconfigured servers so `/health` immediately
reflects error state (defensive fallback for configs that bypass
validation, e.g. tests)
- **Tests** — Added cases for missing env var validation and early error
recording; set env var in existing tests that construct valid OIDC
configs

```go
// validateAuthConfig now fails fast for missing OIDC env vars
if auth.Type == "github-oidc" {
    if os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") == "" {
        return rules.MissingRequired(
            "ACTIONS_ID_TOKEN_REQUEST_URL", "environment", authPath,
            "Server requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set. "+
                "OIDC auth requires running in GitHub Actions with `permissions: { id-token: write }`")
    }
}
```

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build1150468762/b514/launcher.test
/tmp/go-build1150468762/b514/launcher.test
-test.testlogfile=/tmp/go-build1150468762/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s insp�� uf@v1.36.11/type-errorsas
om/tetratelabs/w-ifaceassert x_amd64/vet g_.a ce
64/pkg/tool/linu--format x_amd64/vet /usr�� g_.a
64/pkg/tool/linux_amd64/vet x_amd64/vet -I /known/anypb
64/pkg/tool/linux_amd64/vet x_amd64/vet` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3631266208/b001/config.test
/tmp/go-build3631266208/b001/config.test
-test.testlogfile=/tmp/go-build3631266208/b001/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
ache/go/1.25.8/x64/src/runtime/c--gdwarf-5 YVt4/qIWeKIr-djJe-CXpYVt4
x_amd64/compile -I /tmp/go-build102-unsafeptr=false -I x_amd64/compile
7443�� ache/go/1.25.8/x64/src/runtime/c/tmp/go-build1027443045/b148/
ache/go/1.25.8/x64/src/crypto/in-imultiarch .13/x64/bin/as --gdwarf-5
--64 -o 9964951/b135/_x012.o` (dns block)
> - Triggering command: `/tmp/go-build2092181885/b001/config.test
/tmp/go-build2092181885/b001/config.test
-test.testlogfile=/tmp/go-build2092181885/b001/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 64/src/net -trimpath
x_amd64/vet -I /tmp/go-build102-qE /x64=/_/GOROOT x_amd64/vet ut-2��
7443045/b147/_pkg_.a -I x_amd64/vet ctor --64 E=3 x_amd64/vet` (dns
block)
> - Triggering command: `/tmp/go-build1129750467/b001/config.test
/tmp/go-build1129750467/b001/config.test
-test.testlogfile=/tmp/go-build1129750467/b001/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a
Wn3v/y-pYGV7LMnpJY6ujWn3v 64/pkg/tool/linux_amd64/vet . on --64
64/pkg/tool/linux_amd64/vet 9964�� 5vRKptRn1 .cfg
64/pkg/tool/linux_amd64/compile . 9964951/b187/ --64
64/pkg/tool/linux_amd64/compile` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build1150468762/b514/launcher.test
/tmp/go-build1150468762/b514/launcher.test
-test.testlogfile=/tmp/go-build1150468762/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s insp�� uf@v1.36.11/type-errorsas
om/tetratelabs/w-ifaceassert x_amd64/vet g_.a ce
64/pkg/tool/linu--format x_amd64/vet /usr�� g_.a
64/pkg/tool/linux_amd64/vet x_amd64/vet -I /known/anypb
64/pkg/tool/linux_amd64/vet x_amd64/vet` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build1150468762/b514/launcher.test
/tmp/go-build1150468762/b514/launcher.test
-test.testlogfile=/tmp/go-build1150468762/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s insp�� uf@v1.36.11/type-errorsas
om/tetratelabs/w-ifaceassert x_amd64/vet g_.a ce
64/pkg/tool/linu--format x_amd64/vet /usr�� g_.a
64/pkg/tool/linux_amd64/vet x_amd64/vet -I /known/anypb
64/pkg/tool/linux_amd64/vet x_amd64/vet` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1150468762/b523/mcp.test
/tmp/go-build1150468762/b523/mcp.test
-test.testlogfile=/tmp/go-build1150468762/b523/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -goversion go1.25.8 -c=4
-nolocalimports -importcfg /tmp/go-build1150468762/b517/importcfg -pack
/tmp/go-build1150468762/b517/_testmain.go /usr�� fg
olang.org/protobuf@v1.36.11/inte-ifaceassert x_amd64/vet
ache/go/1.25.8/x/usr/libexec/docker/docker-init .cfg de/node/bin/bash
x_amd64/vet` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

internal/config/config_stdin_test.go

@@ -1027,6 +1027,9 @@ func TestConvertStdinConfig_TrustedBots(t *testing.T) {
 
 // TestConvertStdinServerConfig_HTTPWithAuth tests that auth config is properly converted.
 func TestConvertStdinServerConfig_HTTPWithAuth(t *testing.T) {
+	// OIDC validation now checks that ACTIONS_ID_TOKEN_REQUEST_URL is set
+	t.Setenv("ACTIONS_ID_TOKEN_REQUEST_URL", "https://token.actions.example.com")
+
 	t.Run("auth with explicit audience", func(t *testing.T) {
 		server := &StdinServerConfig{
 			Type: "http",

internal/config/validation.go

@@ -258,6 +258,17 @@ func validateAuthConfig(auth *AuthConfig, serverName, jsonPath string) error {
 		return rules.UnsupportedType("type", auth.Type, authPath, fmt.Sprintf("Unsupported auth type %q. Currently only \"github-oidc\" is supported", auth.Type))
 	}
 
+	// Fail-fast: check that required OIDC environment variables are present.
+	// This catches misconfigurations at config-load time rather than deferring
+	// the error to the first request against this server.
+	if os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") == "" {
+		logValidateServerFailed(serverName, "ACTIONS_ID_TOKEN_REQUEST_URL is not set")
+		return rules.MissingRequired(
+			"ACTIONS_ID_TOKEN_REQUEST_URL", "github-oidc", authPath,
+			"Server requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set. "+
+				"OIDC auth requires running in GitHub Actions with `permissions: { id-token: write }`")
+	}
+
 	logValidation.Printf("Auth config validated: server=%s, type=%s", serverName, auth.Type)
 	return nil
 }

internal/config/validation_test.go

@@ -956,6 +956,7 @@ func TestValidateAuthConfig(t *testing.T) {
 		server    *StdinServerConfig
 		shouldErr bool
 		errMsg    string
+		clearEnv  bool // when true, ensure ACTIONS_ID_TOKEN_REQUEST_URL is unset
 	}{
 		{
 			name: "valid github-oidc auth on http server",
@@ -1016,10 +1017,30 @@ func TestValidateAuthConfig(t *testing.T) {
 			shouldErr: true,
 			errMsg:    "type",
 		},
+		{
+			name: "github-oidc rejected when ACTIONS_ID_TOKEN_REQUEST_URL is not set",
+			server: &StdinServerConfig{
+				Type: "http",
+				URL:  "https://example.com/mcp",
+				Auth: &AuthConfig{
+					Type:     "github-oidc",
+					Audience: "https://example.com",
+				},
+			},
+			shouldErr: true,
+			errMsg:    "ACTIONS_ID_TOKEN_REQUEST_URL",
+			clearEnv:  true,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			if tt.clearEnv {
+				t.Setenv("ACTIONS_ID_TOKEN_REQUEST_URL", "")
+			} else {
+				// Ensure OIDC env var is set for tests that expect valid config
+				t.Setenv("ACTIONS_ID_TOKEN_REQUEST_URL", "https://token.actions.example.com")
+			}
 			err := validateStandardServerConfig("test-server", tt.server, "mcpServers.test-server")
 			if tt.shouldErr {
 				require.Error(t, err)

internal/launcher/launcher.go

@@ -72,13 +72,19 @@ func New(ctx context.Context, cfg *config.Config) *Launcher {
 		logger.LogInfo("startup", "GitHub Actions OIDC provider initialized")
 	}
 
-	// Validate that all servers requiring OIDC have the provider available
+	// Defensive fallback: pre-populate serverErrors for OIDC-misconfigured servers
+	// so /health reports them as "error" immediately at startup. Normal config
+	// validation (validateAuthConfig) catches this earlier; this handles cases
+	// where validation was bypassed (e.g., tests constructing configs manually).
+	serverErrors := make(map[string]string)
 	for serverID, serverCfg := range cfg.Servers {
 		if serverCfg.Auth != nil && serverCfg.Auth.Type == "github-oidc" && oidcProvider == nil {
-			logger.LogError("startup",
+			errMsg := fmt.Sprintf(
 				"Server %q requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set. "+
 					"OIDC auth is only available when running in GitHub Actions with `permissions: { id-token: write }`.",
 				serverID)
+			logger.LogError("startup", "%s", errMsg)
+			serverErrors[serverID] = errMsg
 		}
 	}
 
@@ -91,7 +97,7 @@ func New(ctx context.Context, cfg *config.Config) *Launcher {
 		startupTimeout:     startupTimeout,
 		oidcProvider:       oidcProvider,
 		serverStartTimes:   make(map[string]time.Time),
-		serverErrors:       make(map[string]string),
+		serverErrors:       serverErrors,
 	}
 }
 

internal/launcher/launcher_test.go

@@ -776,6 +776,32 @@ func TestLauncher_MixedAuthTypes(t *testing.T) {
 	assert.Nil(t, l.oidcProvider, "OIDC provider should be nil without env vars")
 }
 
+func TestLauncher_OIDCMissingEnvRecordsErrorAtStartup(t *testing.T) {
+	ctx := context.Background()
+	t.Setenv("ACTIONS_ID_TOKEN_REQUEST_URL", "")
+
+	cfg := &config.Config{
+		Servers: map[string]*config.ServerConfig{
+			"oidc-http": {
+				Type: "http",
+				URL:  "https://secure.example.com/mcp",
+				Auth: &config.AuthConfig{
+					Type:     "github-oidc",
+					Audience: "https://secure.example.com",
+				},
+			},
+		},
+	}
+
+	l := New(ctx, cfg)
+	defer l.Close()
+
+	// The launcher should record an error for the OIDC server at startup
+	state := l.GetServerState("oidc-http")
+	assert.Equal(t, "error", state.Status, "OIDC server with missing env should be in error state at startup")
+	assert.Contains(t, state.LastError, "ACTIONS_ID_TOKEN_REQUEST_URL")
+}
+
 func TestGetServerState_StoppedByDefault(t *testing.T) {
 	cfg := newTestConfig(map[string]*config.ServerConfig{
 		"test-server": {Type: "stdio", Command: "echo"},