itx: McpClient — first-party MCP client capability (loopback ref)

[jonastemplestein]

Stacks on the merged CapTarget kernel (#1436). Part of the codemode rip-out sequence (itx-next.md §4).

What

The first-party half of the §1 litmus test: MCP is a client implementation, not a transport — so it's an ordinary loopback-dialable RPC target, parameterized per server:

await itx.caps.define({
  invoke: "path-call",
  name: "docs",
  target: {
    type: "rpc",
    worker: { type: "loopback" },
    entrypoint: "McpClient",
    props: {
      serverUrl: "https://docs.example.com/mcp",
      headers: { authorization: 'Bearer getSecret({ key: "DOCS_TOKEN" })' },
    },
  },
});

await itx.docs.listTools();
await itx.docs.someToolName({ ... });

• All transport HTTP rides project egress via the cap's own itx handle (the MCP SDK's custom-fetch option), so header values may carry getSecret() placeholders — substitution happens in the Project DO, the credential never exists in the isolate (Law 5).
• Stateless by design: connect → call → close per invocation. When handshake latency matters, the same class becomes a durable-object ref without changing callers (the connection-caching pattern of the old OutboundMcpFromOurClientCapability DO).
• listTools() is an ordinary call, not a special discovery protocol — same convention the codemode provider used.
• Added to DIALABLE_LOOPBACKS; result shaping reuses the existing outbound-mcp-from-our-client-capability-core helpers.

In the upcoming codemode-drop PR this replaces connectToMcpServer and createOutboundMcpFromOurClientToolProviderRegistration.

Testing

typecheck / lint / format / unit green. New e2e test (itx.e2e.test.ts) defines an McpClient cap, lists tools, and calls the first one — gated on OS_E2E_MCP_SERVER_URL or MOCK_PROVIDER_BASE_URL (skips when no MCP server is reachable).

🤖 Generated with Claude Code

---

Note

Medium Risk
Expands dialable loopback surface and routes all MCP HTTP through project egress; behavior is gated by existing allowlists and attribution checks but affects outbound networking for defined caps.

Overview
Adds a first-party McpClient loopback RPC capability so projects can define remote MCP servers as ordinary path-call caps (listTools() plus dotted tool calls). Each invocation is connect → call → close; transport HTTP is forced through itx.fetch (project egress) so header secrets resolve in the Project DO, and tool listing/execution reuse the existing outbound MCP core helpers.

McpClient is allowlisted in DIALABLE_LOOPBACKS and exported from the main worker. Several itx entrypoints switch from Reflect.get(this, "ctx") to this.ctx.props. E2E gains a skipped-when-no-server test that defines an McpClient cap and exercises list/call, plus createdProjectIds cleanup for the AI bindings test project.

^{Reviewed by Cursor Bugbot for commit 236953d. Bugbot is set up for automated code reviews on this repo. Configure here.}

Environment Config Lease

No active environment config lease.

OS

Status: released
Commit: 236953d
Preview: https://os.iterate-preview-5.com
Summary: Preview app released.
Workflow run
Updated: 2026-06-10T13:56:08.912Z

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 6ac16d9. Configure here.}

[jonastemplestein]

Bugbot findings addressed in 24c632b: the transport's custom fetch now builds a real Request before handing off to itx.fetch (URL inputs were bypassing stringification and a separate init could drop headers before secret substitution), and client.connect moved inside the try so a partial handshake still hits close().