feat(satellite): add authentication middleware to MCP routes for stats

Author: Lasim

services/satellite/src/core/mcp-server-wrapper.ts

@@ -306,8 +306,21 @@ export class McpServerWrapper {
    * Setup Fastify routes for MCP transport
    */
   setupRoutes(fastify: FastifyInstance): void {
+    // Get authentication middleware from server instance
+    const tokenIntrospectionService = (fastify as any).tokenIntrospectionService;
+    const activityTracker = (fastify as any).activityTracker;
+
     // Handle POST requests for client-to-server communication
-    fastify.post('/mcp', async (request: FastifyRequest, reply: FastifyReply) => {
+    fastify.post('/mcp', {
+      preValidation: async (request: FastifyRequest, reply: FastifyReply) => {
+        // Apply authentication middleware
+        if (tokenIntrospectionService && activityTracker) {
+          const { requireAuthentication } = await import('../middleware/auth-middleware');
+          const authMiddleware = requireAuthentication(tokenIntrospectionService, activityTracker);
+          await authMiddleware(request, reply);
+        }
+      }
+    }, async (request: FastifyRequest, reply: FastifyReply) => {
       const sessionId = request.headers['mcp-session-id'] as string | undefined;
       let transport: StreamableHTTPServerTransport;
       let server: Server;
@@ -374,6 +387,11 @@ export class McpServerWrapper {
         return;
       }
 
+      // Track activity before handling request (redundant now - auth middleware does this)
+      // const requestBody = request.body as any;
+      // const isToolCall = requestBody?.method === 'tools/call';
+      // await this.trackActivity(request, sessionId, isToolCall);
+
       // Handle the request
       await transport.handleRequest(request.raw, reply.raw, request.body);
     });

services/satellite/src/server.ts

@@ -626,8 +626,9 @@ export async function createServer() {
 
       server.log.info({
         operation: 'oauth_services_initialized',
-        satellite_id: satelliteId
-      }, 'OAuth authentication and team-aware MCP services initialized');
+        satellite_id: satelliteId,
+        activity_tracking_enabled: true
+      }, 'OAuth authentication, team-aware MCP services, and activity tracking initialized');
     } else {
       server.log.error({
         operation: 'satellite_registration_failed',
@@ -707,8 +708,9 @@ export async function createServer() {
 
     server.log.info({
       operation: 'oauth_services_initialized',
-      satellite_id: satelliteId
-    }, 'OAuth authentication and team-aware MCP services initialized');
+      satellite_id: satelliteId,
+      activity_tracking_enabled: true
+    }, 'OAuth authentication, team-aware MCP services, and activity tracking initialized');
   }
 
   // Initialize heartbeat service