feat(mcp): stage the diagnostics verification release#2674
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
@reachjalil is attempting to deploy a commit to the Different AI Team on Vercel. A member of the Team first needs to authorize it. |
|
Validation disposition: keep this as release-staging documentation, not as the product fix. The repository checks are green, but this PR does not provide the runtime diagnostics implementation by itself. It should follow whichever implementation candidate is ultimately published and should not be merged independently as evidence that the ServiceNow MCP issue is fixed. The implementation validation now covers production builds, clean and upgrade DB migration paths, structured API compatibility, and 16 production fraimz frames. No merge or branch mutation performed. |
MCP diagnostics controlled release
Important
Current status: Level 1 is merged upstream. Jalil personally verified both the real native Microsoft 365 connection and the package-driven OAuth/MCP initialization path against the new mock. Catalog/safe-read and negative-fault evidence remain automated until Jalil selects those manual checkpoints.
Managerial summary
This draft is the decision and verification ledger for the MCP diagnostics program. It keeps implementation PRs independently reviewable while recording what has been merged, what automation proved, what Jalil personally verified, and what still needs a live or manual check.
We set out to deliver three understandable levels:
During the work, a fourth architectural concern became explicit: the reusable outbound enterprise client should be package-first, with Den supplying infrastructure through adapters. That is tracked separately in #2694.
Microsoft 365 and current package boundary
@openwork/enterprise-mcp-client.DEN_ENABLE_ENTERPRISE_MCP_CLIENT=trueswitches these external MCP routes only.Microsoft- and ServiceNow-named scenarios in #2670/#2699 are realistic mock fixtures, not newly shipped provider connectors. The word
enterprisedescribes hardened lifecycle, security, persistence, and diagnostics—not a Microsoft-specific implementation.The long-term direction is to consolidate reusable remote MCP behavior behind package contracts. Migrating native Microsoft 365 or claiming that all connections already use the package is outside this release.
Current status
devdevbefore reviewWhat the real Microsoft 365 check taught us
The browser authorization and callback succeeded, but token exchange returned HTTP 401. The old screen only said:
The provider's safe error was
invalid_client/AADSTS7000215: Microsoft rejected the client secret because the secret value must be supplied, not the secret ID. After the active secret value was configured, Jalil confirmed the real connection succeeded.The focused fix in #2698 makes that failure source explicit without exposing provider bodies or secrets, and adds a Den diagnostic reference.
The check also confirmed that Azure local development requires the exact callback form:
The mock in #2670 now accepts exact HTTP loopback callbacks using
localhost,127.0.0.1, or[::1]. Its protected admin UI uses a separate exact literal loopback origin (127.0.0.1by default, optionally[::1]) and never treatslocalhostas equivalent.What combined automation found
The package-first client/mock rehearsal found a subtle but important diagnostic bug: after token exchange failed, a later successful metadata request could overwrite the recorded request phase. The administrator could therefore be shown discovery as the problem instead of the wrong client secret.
#2694 now preserves failed-request evidence separately. #2699 proves that wrong-secret Microsoft and ServiceNow scenarios both end at
oauth-token-exchange, while their healthy flows complete OAuth, MCP initialization, catalog loading, and a safe read.Earlier integration rehearsal #2675 remains useful historical evidence for the original three levels, but #2699 is the current proof for the new package-first client/mock boundary. Neither rehearsal grants human approval.
What is complete versus still open
Complete:
dev.localhostcallback behavior represented and tested.Still open:
dev.Controlled verification process
For each checkpoint:
Automation reduces risk but never changes Jalil's verification state by itself.
Recommended next checkpoint
Start with the ServiceNow mock because it demonstrates the reusable enterprise path without involving the already-proven native Microsoft provider:
localhostcallback.After those steps are understood and recorded, review live tracing. Do not begin with the tracing PR while the underlying package connection story is still being learned.
Evidence boundary
The deterministic mock is a development and regression tool. It is not proof of a live customer's license, consent, Conditional Access, ACL, proxy/CA, egress policy, region, patch level, or provider business behavior. Those facts require approved nonproduction ServiceNow and Microsoft tenants and must remain separately recorded.
No secrets, OAuth codes, access tokens, customer hostnames, or customer content belong in this ledger or its linked PR evidence.