Block HS* algorithms when JWTVerifier is configured with JWKS#3419

Merged
jlowin merged 3 commits into main from codex/fix-supabase-hs256-authentication-bypass-vulnerability on Mar 7, 2026

Conversation

@jlowin jlowin commented Mar 6, 2026

Motivation

  • Prevent a dangerous misconfiguration where an HMAC algorithm (HS256/HS384/HS512) is selected while verification is wired to a JWKS endpoint, which is semantically invalid and can create ambiguous/security-risk surface.

Description

  • Add a runtime guard in JWTVerifier to raise ValueError when jwks_uri is provided together with an HMAC algorithm (checks algorithm.startswith("HS")).
  • Update Supabase provider tests to remove HS256 from the allowed parametrized algorithms and add an explicit test that HS256 is rejected when the provider is configured to use JWKS.
  • Add a unit test for JWTVerifier that asserts HMAC algorithms are rejected when jwks_uri is supplied, preserving symmetric-key support via public_key only.

Testing

  • Ran uv sync successfully to ensure dependencies were resolved.
  • Ran targeted tests uv run pytest tests/server/auth/providers/test_supabase.py tests/server/auth/test_jwt_provider.py which passed (35 passed).
  • Ran the full test suite with uv run pytest -n auto; the run exposed unrelated timeouts/flaky failures in this environment (several tests failed/errored) that are not caused by the auth change.
  • Ran uv run prek run --all-files which failed to initialize hooks due to network restrictions fetching an external hook repo (CI/network environment issue).

Codex Task

🤖 Generated with GPT-5.2-Codex
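As an added example that is not part of this PR or the project's code, a hypothetical `VerifierConfig` class models the constructor guard described above (reject `HS*` whenever `jwks_uri` is set, keep symmetric keys available through `public_key`), and `alg_pinned` extends the same rule to the `alg` header of incoming tokens as defence in depth. The class, function names and sample tokens are constructed for illustration.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

@dataclass
class VerifierConfig:
    """Hypothetical stand-in for a JWTVerifier's constructor arguments."""
    algorithm: str = "RS256"
    jwks_uri: Optional[str] = None
    public_key: Optional[str] = None  # PEM public key, or the shared secret for HS*

    def __post_init__(self) -> None:
        if bool(self.jwks_uri) == bool(self.public_key):
            raise ValueError("Provide exactly one of jwks_uri or public_key")
        # The guard from the PR: a JWKS endpoint publishes asymmetric public
        # keys, so an HMAC algorithm has no legitimate key source there.
        if self.jwks_uri and self.algorithm.startswith("HS"):
            raise ValueError(
                "HMAC algorithms (HS*) cannot be used with jwks_uri; "
                "pass the shared secret via public_key instead"
            )

def accepts(algorithm: str, jwks_uri: Optional[str] = None,
            public_key: Optional[str] = None) -> bool:
    """True if the configuration passes the constructor guard."""
    try:
        VerifierConfig(algorithm=algorithm, jwks_uri=jwks_uri, public_key=public_key)
    except ValueError:
        return False
    return True

def token_header_alg(token: str) -> str:
    """Read the unverified 'alg' header of a compact JWT (inspection only)."""
    header = token.split(".", 1)[0]
    header += "=" * (-len(header) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header))["alg"]

def alg_pinned(token: str, config: VerifierConfig) -> bool:
    """Defence in depth: the token's header alg must equal the configured algorithm."""
    return token_header_alg(token) == config.algorithm

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample tokens: header.payload.<placeholder signature>
RS_TOKEN = f"{_b64url({'alg': 'RS256'})}.{_b64url({'sub': 'u1'})}.sig"
HS_TOKEN = f"{_b64url({'alg': 'HS256'})}.{_b64url({'sub': 'u1'})}.sig"
```

A JWKS-backed verifier built this way fails at startup on an `HS*` misconfiguration and, at request time, never hands an `HS*`-labelled token to its key lookup.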
marvin-context-protocol bot added the labels enhancement (Improvement to existing functionality. For issues and smaller PR improvements.) and auth (Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server.) on Mar 6, 2026

jlowin commented Mar 6, 2026

/marvin fix static analysis

marvin-context-protocol bot (Contributor) commented:

Test Failure Analysis

Summary: The static analysis (ruff format) failed because tests/server/auth/providers/test_supabase.py has a spurious extra blank line that doesn't match the formatter's expectations.

Root Cause: ruff format auto-reformatted one file — it removed a double blank line between two test methods in the TestSupabaseProvider class. The PR was submitted without running the formatter locally first.

Suggested Solution: Run ruff format tests/server/auth/providers/test_supabase.py (or prek run --all-files) locally, then commit the result.

Detailed Analysis

The prek log shows:

ruff format..............................................................[Failed]
- hook id: ruff-format
- files were modified by this hook

  1 file reformatted, 667 files left unchanged

The exact diff applied by ruff:

--- a/tests/server/auth/providers/test_supabase.py
+++ b/tests/server/auth/providers/test_supabase.py
@@ -106,7 +106,6 @@
     assert isinstance(provider.token_verifier, JWTVerifier)
     assert provider.token_verifier.algorithm == algorithm
 
-
     def test_algorithm_hs256_rejected(self):
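Review bot: the hunk header `@@ -106,7 +106,6 @@` announces seven old lines, but only four unchanged context lines and the single removed blank line are quoted, so the diff as pasted here is truncated at both ends; the change itself collapses a double blank line between two methods inside TestSupabaseProvider to a single one, which is the formatter's class-body spacing rule and has no effect on what the tests exercise.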

Just one extra blank line (line ~109) between two methods needs to be removed.

Related Files
  • tests/server/auth/providers/test_supabase.py — the only file that needs reformatting


marvin-context-protocol bot commented Mar 6, 2026

Claude finished @jlowin's task in 59s

Fixing Static Analysis

  • Run static analysis to identify issues
  • Fix any issues found
  • Verify fixes pass

Fixed a ruff format issue — an extra blank line in tests/server/auth/providers/test_supabase.py. All static checks now pass (commit 02d4466f).


Marvin Context Protocol and others added 2 commits March 6, 2026 22:33

jlowin commented Mar 7, 2026

Auto-reviewed and merging on behalf of @jlowin — CI is green (Windows OAuth proxy timeouts are pre-existing flaky tests).

@jlowin jlowin merged commit 901d8cd into main Mar 7, 2026
7 checks passed
@jlowin jlowin deleted the codex/fix-supabase-hs256-authentication-bypass-vulnerability branch March 7, 2026 16:41