Three silent MCP server bugs found while listing on five directories
u/crazedbunny shipped Auralogs, a hosted read-only MCP server for production logs, to five directories in one day and uncovered three server-side bugs that would have silently broken real clients.
Score breakdown
These three bugs — broken `$ref` resolution in Cline, auth header stripping in Smithery, and scanner stalls from blanket 401s — can silently break real client connections on any hosted MCP server, and the fixes are non-obvious without going through the multi-directory listing process that surfaced them.
u/crazedbunny built Auralogs, a hosted read-only MCP server for production logs available at `mcp.auralogs.ai/mcp` using Streamable HTTP and bearer key authentication. After listing it across five directories — the official MCP registry, Smithery, mcp.so, cursor.directory, and Cline's marketplace — in a single session, three server-side bugs surfaced that would have silently broken real client connections.
The first bug involves JSON Schema `$ref` pointers: `zod-to-json-schema` deduplicates repeated Zod instances into relative `{"$ref": "#/properties/..."}` pointers, which Cline's schema validator cannot resolve, causing every call to the affected tool to be rejected before execution. The fix is to serialize with `$refStrategy: "none"` so all schemas are fully inlined.
The second bug is that Smithery's gateway strips the `Bearer` prefix when forwarding a user's key as the raw `Authorization` value; any middleware requiring the `"Bearer "` prefix exactly will 401 every Smithery connection. The fix is to accept both the raw token and the prefixed form.
The third bug concerns anonymous discovery: registry crawlers connect without credentials to enumerate a server's tool catalog, and if the server returns a blanket 401, Smithery's scanner interprets this as an OAuth server and stalls while trying to fetch OAuth resource metadata that doesn't exist. The fix is to serve `initialize` and `tools/list` anonymously with static metadata only, while keeping `tools/call` key-gated.
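The second and third fixes can live in one per-method gate. The sketch below is an added example, not Auralogs' code: `gate`, `extractKey`, `safeEqual`, `API_KEYS` and the sample key are hypothetical names and constructed values. It allowlists only the two discovery methods, so any other JSON-RPC method is denied without a valid key.

```javascript
// Added example (not from the original post). All names here are hypothetical.
// Only these JSON-RPC methods are served without credentials; their handlers
// must return static metadata only.
const ANONYMOUS_METHODS = new Set(["initialize", "tools/list"]);
const API_KEYS = ["test-key-constructed-123"]; // constructed sample key

// Constant-time comparison so a key check does not leak where the mismatch is.
// `presented` is never empty here because extractKey() rejects empty values.
function safeEqual(stored, presented) {
  let diff = stored.length ^ presented.length;
  for (let i = 0; i < stored.length; i++) {
    diff |= stored.charCodeAt(i) ^ presented.charCodeAt(i % presented.length);
  }
  return diff === 0;
}

// Accept "Bearer <key>" (scheme matched case-insensitively) and the bare key
// that a gateway may forward as the raw Authorization value.
function extractKey(authorization) {
  if (typeof authorization !== "string") return null;
  const value = authorization.trim();
  const prefixed = /^Bearer\s+(\S+)$/i.exec(value);
  if (prefixed) return prefixed[1];
  // Bare form: refuse anything containing whitespace, so another scheme such
  // as "Basic abc" is never mistaken for a key.
  return value !== "" && !/\s/.test(value) ? value : null;
}

// Per-method decision: discovery is anonymous, everything else is key-gated.
function gate(rpcMethod, authorization) {
  if (ANONYMOUS_METHODS.has(rpcMethod)) return { status: 200, anonymous: true };
  const key = extractKey(authorization);
  let ok = false;
  if (key !== null) {
    // Check every stored key without short-circuiting on the first match.
    for (const stored of API_KEYS) ok = safeEqual(stored, key) || ok;
  }
  return { status: ok ? 200 : 401, anonymous: false };
}
```

The `anonymous` flag tells the downstream handler that no tenant is bound to the request, so it can refuse to return anything beyond the static tool catalog.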
The post notes that the five directory submission processes are all different, and that only the official registry is well documented. u/crazedbunny disclosed that Auralogs is their own product, described as read-only by design with a free tier.
Key facts
- Auralogs is a hosted read-only MCP server for production logs using Streamable HTTP and bearer key auth, listed on five directories in one day.
- `zod-to-json-schema` generates `$ref` pointers that Cline's validator cannot resolve, rejecting all calls to affected tools; fix is `$refStrategy: "none"` to inline schemas.
- Smithery's gateway strips the `Bearer` prefix from auth headers, causing 401s for any middleware that requires the exact `"Bearer "` prefix.
- Registry crawlers connect anonymously to enumerate tool catalogs; a blanket 401 causes Smithery's scanner to stall fetching non-existent OAuth resource metadata.
- Fix for the scanner issue: serve `initialize` and `tools/list` anonymously (static metadata only) and keep `tools/call` key-gated.
- The five directory submission processes are all different; only the official MCP registry is described as well documented.
Summary and scoring are generated automatically from the original article. Last processed Jun 11, 2026 · 08:34 UTC.