headers->set('Authorization', 'Bearer '.$apiKey->plainTextKey);

    // The key is presented as a Bearer token in the Authorization header.
    // The next handler copies the 'mcp_workspace_context' attribute off the request it
    // receives, so the assertions can inspect what downstream code would see.
    $capturedContext = null;
    $response = $middleware->handle($request, function (Request $authenticatedRequest) use (&$capturedContext) {
        $capturedContext = $authenticatedRequest->attributes->get('mcp_workspace_context');

        return response()->json([
            'workspace_id' => $authenticatedRequest->attributes->get('workspace_id'),
        ]);
    });
    $data = json_decode((string) $response->getContent(), true);

    // Workspace binding is checked in three places: the captured context array, the
    // 'workspace_id' request attribute echoed back by the handler, and the
    // X-MCP-Workspace-ID response header. All must equal $workspace->id.
    // NOTE(review): $workspace is presumably the workspace the key was issued for; confirm in the setup above.
    expect($response->getStatusCode())->toBe(200)
        ->and($capturedContext)->toBeArray()
        ->and($capturedContext['workspace_id'])->toBe($workspace->id)
        ->and($data['workspace_id'])->toBe($workspace->id)
        ->and($response->headers->get('X-MCP-Workspace-ID'))->toBe((string) $workspace->id);
});

// Negative case: the request carries neither an Authorization header nor an
// X-MCP-API-Key header. The middleware must answer 401 with error 'unauthorised'.
// The next handler only ever returns a success payload, so a 401 with that error
// body is not something it produced.
test('McpApiKeyAuth_handle_Bad_rejects_requests_without_an_mcp_api_key', function (): void {
    $middleware = new McpApiKeyAuth(app(AgentApiKeyService::class));
    $request = Request::create('/api/v1/mcp/tools/call', 'POST');

    $response = $middleware->handle($request, fn () => response()->json(['success' => true]));
    $data = json_decode((string) $response->getContent(), true);

    expect($response->getStatusCode())->toBe(401)
        ->and($data['error'])->toBe('unauthorised');
});

// Edge case: a key is presented in the X-MCP-API-Key header, but its workspace was
// created in the factory's inactive() state. Expected result is 403 with error
// 'workspace_inactive' instead of the success payload from the next handler.
// NOTE(review): createApiKey() is defined elsewhere; presumably it issues a usable key
// for the given workspace, so only the workspace state should cause the rejection. Confirm.
test('McpApiKeyAuth_handle_Ugly_blocks_api_keys_for_inactive_workspaces', function (): void {
    $workspace = Workspace::factory()->inactive()->create();
    $apiKey = createApiKey($workspace, 'Inactive Workspace Key');
    $middleware = new McpApiKeyAuth(app(AgentApiKeyService::class));
    $request = Request::create('/api/v1/mcp/tools/call', 'POST');
    $request->headers->set('X-MCP-API-Key', (string) $apiKey->plainTextKey);

    $response = $middleware->handle($request, fn () => response()->json(['success' => true]));
    $data = json_decode((string) $response->getContent(), true);

    expect($response->getStatusCode())->toBe(403)
        ->and($data['error'])->toBe('workspace_inactive');
});