Bug Description
A clear and concise description of what the bug is.
Financial Disclaimer Acknowledgment
- I understand this is educational software and not financial advice
- I am not expecting investment recommendations or guaranteed returns
- This bug report is about technical functionality, not financial performance
Reproduction Steps
Steps to reproduce the behavior:
Command: authprobe scan --explain --trace-failure https://gitmcp.io/wshobson/maverick-mcp
Scanning: https://gitmcp.io/wshobson/maverick-mcp
Scan time: Feb 12, 2026 06:16:41 UTC
Github: https://github.com/authprobe/authprobe
Expected Behavior
──────────┤ LLM EXPLANATION ├──────────
The probe results indicate a critical failure during the MCP initialization sequence (Step 2) and related unavailability of the Protected Resource Matrix (PRM) (Step 3). Below is a detailed analysis referencing the relevant specifications and how the observed behavior deviates from MCP and OAuth requirements:
Step 2: MCP initialize + tools/list - Failure Analysis
Observed behavior:
- The client sent the MCP initialize JSON-RPC request but encountered a context deadline exceeded error, often meaning the client timed out waiting for a response or the server aborted the connection without sending a valid response.
MCP requirements:
- MCP 2025-11-25 Section 3.5.3 (JSON-RPC usage):
- MCP servers must accept a properly formatted JSON-RPC 2.0 initialize request and respond with a valid JSON-RPC 2.0 response object.
- JSON-RPC 2.0 (RFC 8259 + JSON-RPC two-point-oh specs):
- The server must not silently drop or close the connection.
- It must respond with one and only one JSON response object per request, conforming to the requested method signature, returning either result or error.
- MCP 2025-11-25 Section 3.6 (Initialize semantics):
- The initialize method is the first call a client makes to the MCP server to establish protocol usage context. The server must not ignore or fail to respond to it.
- Timeout management:
- While client-side timeouts are implementation-specific, the server is expected to respond promptly to prevent a timeout.
- Excessive delays or no response violates the interoperability contract.
Interpretation:
The failure to respond within the timeout window implies either a server-side malfunction (hang, crash, infinite loop) or network issues severing the connection prematurely.
Correct server behavior:
- Accept the JSON-RPC POST request to the MCP endpoint, parse it, and respond with a JSON body structured as:
{
  "jsonrpc": "2.0",
  "id": <matching-request-id>,
  "result": {
    "capabilities": {...},
    "tools": [...]
  }
}
- Respond with HTTP 200 OK including application/json content type.
- Do not delay indefinitely or close the connection without a response.
- Any errors must be returned as a JSON-RPC error response, not by dropping connection or timing out.
Step 3: PRM fetch matrix - Failure Analysis
Observed behavior:
- Both the general PRM endpoint (/.well-known/oauth-protected-resource) and the per-resource PRM (/.well-known/oauth-protected-resource/wshobson/maverick-mcp) respond with HTTP 200 OK but the probe deems the PRM "unreachable or unusable" and therefore the OAuth discovery is "unavailable".
Relevant specifications:
- RFC 9728 (OAuth PRM polling):
- The PRM endpoint must return a valid JSON document describing protected resources, scopes, and associated metadata.
- Responses must be well-formed JSON with required fields per the PRM schema.
- RFC 8414 (OAuth Authorization Server Metadata): applies if server publishes
Screenshots
Funnel
[1] MCP probe (401 + WWW-Authenticate) [-] SKIP
auth not required
[2] MCP initialize + tools/list [X] FAIL
initialize error: context deadline exceeded (Client.Timeout or context
cancellation while reading body)
[3] PRM fetch matrix [X] FAIL
https://gitmcp.io/.well-known/oauth-protected-resource -> 200
https://gitmcp.io/.well-known/oauth-protected-resource/wshobson/maverick-mcp
-> 200
PRM unreachable or unusable; OAuth discovery unavailable
[4] Auth server metadata [-] SKIP
auth not required
[5] Token endpoint readiness (heuristics) [-] SKIP
auth not required
[6] Dynamic client registration (RFC 7591) [-] SKIP
auth not required
Primary Finding (HIGH): MCP_INITIALIZE_FAILED (confidence 1.00)
Evidence:
initialize error: context deadline exceeded (Client.Timeout or context cancellation while
reading body)
MCP servers should accept the initialize JSON-RPC request and return a valid JSON response
per the MCP specification.
──────────┤ RFC RATIONALE ├──────────
Explain (RFC 9728 rationale)
1) MCP probe
- AuthProbe did not receive a 401 response that indicates authentication is required, so RFC 9728 PRM discovery is skipped.
──────────┤ CALL TRACE ├──────────
Call Trace Using: https://github.com/authprobe/authprobe
┌────────────┐                                        ┌────────────┐
│ authprobe  │                                        │ MCP Server │
└─────┬──────┘                                        └─────┬──────┘
      │                                                     │
      │ ════ Step 1: MCP probe ════
      │ GET https://gitmcp.io/wshobson/maverick-mcp
      │   Reason: 401 + WWW-Authenticate discovery
      │   Accept: text/event-stream
      │   Host: gitmcp.io
      ├────────────────────────────────────────────────────►│
      │ 200 OK
      │   Access-Control-Allow-Headers: Content-Type, mcp-session-id
      │   Access-Control-Allow-Methods: GET, POST, OPTIONS
      │   Access-Control-Allow-Origin: *
      │   Access-Control-Expose-Headers: mcp-session-id
      │   Access-Control-Max-Age: 86400
      │   Alt-Svc: h3=":443"; ma=86400
      │   Cache-Control: no-cache
      │   Cf-Ray: 9cc9f4d78e03df26-SJC
      │   Content-Type: text/event-stream
      │   Date: Thu, 12 Feb 2026 06:16:18 GMT
      │   Server: cloudflare
      │   Speculation-Rules: "/cdn-cgi/speculation"
      │   Vary: Accept-Encoding
      │◄────────────────────────────────────────────────────┤
      │                                                     │
      │ ════ Step 2: MCP initialize ════
      │ POST https://gitmcp.io/wshobson/maverick-mcp
      │   Reason: Step 2: MCP initialize + tools/list (pre-init tools/list)
      │   Accept: application/json, text/event-stream
      │   Content-Type: application/json
      │   Host: gitmcp.io
      │   Mcp-Protocol-Version: 2025-11-25
      ├────────────────────────────────────────────────────►│
      │ 400 Bad Request
      │   Alt-Svc: h3=":443"; ma=86400
      │   Cf-Ray: 9cc9f5096ca5df26-SJC
      │   Content-Length: 110
      │   Content-Type: text/plain;charset=UTF-8
      │   Date: Thu, 12 Feb 2026 06:16:25 GMT
      │   Server: cloudflare
      │   Vary: Accept-Encoding
      │◄────────────────────────────────────────────────────┤
      │                                                     │
      │ ════ Step 3: PRM Discovery ════
      │ GET https://gitmcp.io/.well-known/oauth-protected-resource
      │   Reason: Step 3: PRM fetch matrix
      │   Accept: application/json
      │   Host: gitmcp.io
      ├────────────────────────────────────────────────────►│
      │ 200 OK
      │   Alt-Svc: h3=":443"; ma=86400
      │   Cf-Ray: 9cc9f56d9eb8df26-SJC
      │   Content-Type: text/html
      │   Date: Thu, 12 Feb 2026 06:16:41 GMT
      │   Server: cloudflare
      │   Speculation-Rules: "/cdn-cgi/speculation"
      │   Vary: Accept-Encoding
      │◄────────────────────────────────────────────────────┤
      │                                                     │
      │ GET https://gitmcp.io/.well-known/oauth-protected-resource/wshobson/maverick-mcp
      │   Reason: Step 3: PRM fetch matrix
      │   Accept: application/json
      │   Host: gitmcp.io
      ├────────────────────────────────────────────────────►│
      │ 200 OK
      │   Alt-Svc: h3=":443"; ma=86400
      │   Cf-Ray: 9cc9f56dced1df26-SJC
      │   Content-Type: text/html
      │   Date: Thu, 12 Feb 2026 06:16:41 GMT
      │   Server: cloudflare
      │   Speculation-Rules: "/cdn-cgi/speculation"
      │   Vary: Accept-Encoding
      │◄────────────────────────────────────────────────────┤
      ▼                                                     ▼
Environment Information
Desktop/Server:
- OS: [e.g. macOS, Ubuntu, Windows]
- Python Version: [e.g. 3.12.0]
- MaverickMCP Version: [e.g. 0.1.0]
- Installation Method: [e.g. pip, uv, git clone]
Claude Desktop (if applicable):
- Claude Desktop Version: [e.g. 1.0.0]
- mcp-remote Version: [if using Claude Desktop]
Dependencies:
- FastMCP Version: [e.g. 2.7.0]
- FastAPI Version: [e.g. 0.115.0]
- Database: [SQLite, PostgreSQL]
- Redis: [Yes/No, version if yes]
Configuration
Environment Variables (remove sensitive data):
TIINGO_API_KEY=***
DATABASE_URL=***
REDIS_HOST=***
# ... other relevant config
Relevant .env settings:
LOG_LEVEL=DEBUG
CACHE_ENABLED=true
# ... other settings
Error Messages/Logs
Error message:
Paste the full error message here
Server logs (if available):
Paste relevant server logs here (remove API keys)
Console/Terminal output:
Paste terminal output here
Additional Context
- Are you using any specific financial data providers?
- What stock symbols were you analyzing when this occurred?
- Any specific time ranges or parameters involved?
- Any custom configuration or modifications?
Pre-submission Checklist
- [ Y ] I have searched existing issues to avoid duplicates
- [ Y ] I have removed all sensitive data (API keys, personal info)
- [ Y ] I can reproduce this bug consistently
- [ Y ] I have included relevant error messages and logs
- [ Y ] I understand this is educational software with no financial guarantees
Bug Classification
Severity:
- Critical (crashes, data loss)
- High (major feature broken)
- [ Y ] Medium (feature partially working)
- Low (minor issue, workaround available)
Component:
- Data fetching (Tiingo, Yahoo Finance)
- Technical analysis calculations
- Stock screening
- Database operations
- Caching (Redis)
- [ Y ] MCP server/tools
- Claude Desktop integration
- Installation/Setup
Additional Labels:
- documentation (if docs need updating)
- [ Y ] good first issue (if suitable for newcomers)
- help wanted (if community help is needed)