feat(mcp): integrate diagnostics for end-to-end rehearsal#2675
feat(mcp): integrate diagnostics for end-to-end rehearsal#2675reachjalil wants to merge 15 commits into
Conversation
# Conflicts: # ee/apps/den-api/src/capability-sources/external-mcp-client.ts # ee/apps/den-api/src/capability-sources/url-guard.ts # ee/apps/den-api/src/routes/org/mcp-connections.ts # ee/apps/den-api/test/mcp-url-guard.test.ts # ee/apps/den-web/app/(den)/dashboard/_components/mcp-connections-screen.tsx
# Conflicts: # ee/apps/den-api/src/app.ts # ee/apps/den-api/src/capability-sources/external-mcp-client.ts # ee/apps/den-api/src/capability-sources/external-mcp-connections.ts # ee/apps/den-api/src/capability-sources/external-mcp-diagnostics.ts # ee/apps/den-api/src/capability-sources/url-guard.ts # ee/apps/den-api/src/request-log-redaction.ts # ee/apps/den-api/src/routes/org/mcp-connections.ts # ee/apps/den-api/test/mcp-url-guard.test.ts # ee/apps/den-api/test/request-log-redaction.test.ts # ee/apps/den-web/app/(den)/dashboard/_components/mcp-connections-data.tsx # ee/apps/den-web/app/(den)/dashboard/_components/mcp-connections-screen.tsx # scripts/mock-oauth-mcp-server.mjs
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
@reachjalil is attempting to deploy a commit to the Different AI Team on Vercel. A member of the Team first needs to authorize it. |
CI checkpoint — 2026-07-11Repository checks for b44089c are complete and green:
The three Vercel application preview contexts report Authorization required to deploy. The same fork-preview permission condition appears on the source PRs; it is an external preview authorization gate, not a failed application build. The landing preview passed. Release status is unchanged: agent-verified yes, verified by Jalil not started, integrated into #2674 no. |
|
Published exact rehearsal head |
MCP diagnostics integration rehearsal
Important
This is an independent, agent-run integration rehearsal, not the controlled release branch.
Managerial summary
We set out to make enterprise MCP failures understandable at three levels:
and what support-safe evidence exists;
the workflow can be tested without customer data or live-provider risk; and
time, preserve the highest proven health, repair the fault, and retry.
Each level was originally built as a separate source PR. This branch plays out
Jalil's proposed release process independently: merge the levels in order,
review every overlap semantically, exercise them as one user journey, fix what
the integration exposes, and record the evidence before anything is accepted
into the real feature branch.
The result is positive: the three levels now work together in the rehearsal.
The agent found and fixed several release-blocking correctness and support
problems along the way. This does not replace Jalil's review, and it does
not prove conformance with a real ServiceNow or Microsoft 365 tenant.
Before and after: combined rehearsal
isErrorhandling, deletion races, realistic confidential-client proof, fixture leaks, and proof-viewer clarity/accessibility issues.Not claimed: no real customer ServiceNow or Microsoft tenant was used; the parent release branch remains unchanged; and Connect still requires the separate Diagnose action for the full timeline. The recommended promotion path remains one accepted source level at a time through #2674.
Current checkpoint
7b99407ce1569ec33e84bd30fc21b086onfeature/mcp-diagnostics-integration-rehearsalThe real release branch remains deliberately unchanged. The next action is for
Jalil to choose one capability, review its short demonstration, and decide
whether it is accepted, needs another fix, or should be deferred.
What the combined journey now proves
The browser automation performs one connected operator scenario:
Network Admin, with safe evidence instead of
fetch failed.client, exact Den callback,
client_secret_post, PKCE, and no dynamic clientregistration.
2025-06-18, reads the fullfour-tool catalog across two pages, and closes the session without invoking
a tool.
highest proven health and names MCP Version / Provider Admin as the first
failure and owner.
does not prove provider operations or mutations.
Den's real capability execution path. Den preserves protocol readiness and
reports
provider_policy_denied, phasePROVIDER_AUTHORIZATION, and theProvider Admin remediation without returning credentials, session IDs,
arguments, or provider content.
The superseding Fraimz run passed one flow, eight operational chapters (setup,
six diagnostic steps, and cleanup), 66 assertions, and nine evidence frames
with zero failures or skips. Local evidence is recorded under
evals/results/2026-07-11T21-25-52-239Z/; the repeatable flow itself isevals/flows/mcp-diagnostics-integration-rehearsal.flow.mjs.Guided proof viewer
This branch includes a small React viewer so a maintainer can replay the
canonical evidence without starting Den, the mock server, or using
credentials:
Open
http://127.0.0.1:3334. The viewer walks through all eight chapters,shows the nine captured frames, explains what each frame proves, and keeps the
approval boundary visible: Agent verified / Jalil not started / parent none.
See the proof viewer README
for the short start and replay guide.
The viewer itself is checked with:
pnpm --filter @openwork/mcp-diagnostics-proof test pnpm --filter @openwork/mcp-diagnostics-proof typecheck pnpm --filter @openwork/mcp-diagnostics-proof buildThe viewer's own Fraimz run
2026-07-11T22-59-33-547Zpassed 1/0/0 with fouruser-facing proof frames and 24 assertions, including voice-over coverage.
Manual browser review covered all eight hash-addressable chapters and nine
loaded images, the full-size image dialog, local review persistence/reset,
keyboard navigation, and 720px/390px responsive layouts. A command-grid
overflow found at 390px was fixed and rerun with no horizontal overflow. The
final console had no warnings or errors.
The final flow explicitly asserts that the skip control moves focus without
changing the current hash and that the 390px document has no horizontal
overflow.
That run verifies the proof viewer, not the MCP implementation. The canonical
MCP behavior evidence remains
2026-07-11T21-25-52-239Z.Recommended human review order: status and scope, Level 1 network ownership,
Level 2 confidential OAuth and catalog-only test, Level 3 fault/repair and
provider denial, then limitations. Record each selected level as verified,
needs changes, or deferred before integrating its source SHA into #2674.
What we found and why it mattered
tools/callerrors could look like successful execution.client_secret_post, and asserts no DCR request.Verification performed
URL and transport safety, request-log redaction, persisted tracing,
connection testing, real capability execution, Den Web contracts, and the
enterprise mock.
@openwork/typesproduction builds passed.db:push, clean supporteddb:bootstrap, and schemageneration with no drift passed.
fc21b086passed on Linux and macOS, includingschema, i18n, Helm, and Den builds. Three Vercel preview contexts report
authorization required for the fork; those are preview-access blockers,
not code or test failures.
git diff --checkpassed.The focused total is intentionally reported separately from GitHub CI. CI on
the source PRs continues to be the repository-level gate; the rehearsal adds
integration and user-journey evidence.
Remaining limitations and decisions
These are visible release decisions, not hidden claims of completeness:
ServiceNow tenant and a nonproduction Microsoft 365 tenant still need
provider-conformance verification.
A Den restart or instance hop ends an in-flight authorization clearly and
retryably; seamless cross-instance continuation is not claimed.
lifecycle, but cannot always be forcibly aborted inside the third-party SDK.
Late persistence is fenced.
complete bounded catalog, and shutdown. It does not invoke provider tools or
prove mutation permissions.
different safety bounds and should be aligned before being described as
behaviorally identical.
the repository's supported fresh
db:bootstrappath passes. This is a setupconstraint, not an MCP schema failure.
Safe promotion plan
This rehearsal should not be merged wholesale into the parent release branch.
Instead:
feature/mcp-diagnostics-release.Branch topology
All feature branches live only on Jalil's forks. Draft PRs are opened only in
different-ai/openworkand target upstreamdev.GitHub cannot use a branch that exists only on a fork as the literal base of an
upstream-repository PR. Therefore #2669, #2670, and #2672 remain
dev-basedsource/evidence PRs and point to the parent ledger. Accepted source SHAs will
be integrated into the fork-only parent branch after Jalil's approval.
This PR is a sibling rehearsal based on upstream
dev; it is not a substitutebase and does not change the status of the real parent.
Exact administrator-facing Connect behavior
The rehearsal verified two related but distinct UI layers:
<reference>.” Callback failures after provider consent use a Connection failed browser page with the same safe explanation and reference.This means the old generic “Failed to connect” behavior is corrected, but the Connect alert itself does not display every structured field and does not automatically open Diagnose. The richer detail is one explicit click away. The rehearsal proves the current behavior; whether to add an inline phase badge or View diagnostics button is a product-review decision for the controlled parent #2674.