cat1: mixed-server (2.7) + whoami per-user execution proof (2.4) PASS via tunnel-registered ref server
This commit is contained in:
+4
-1
@@ -47,7 +47,10 @@ Self-hosted on `backstage-wus2-v4` via Flux; vendor Helm chart **1.8.8**
|
||||
- **Baseline gateway:** `zeb-gateway-test` — auth mode **Arcade Headers** (API key + `Arcade-User-ID`);
|
||||
7 main-catalog tools (Slack ×2, GoogleDocs ×4, Brightdata ×1). See `config/targets.yaml`.
|
||||
Confirmed live 2026-06-18: tool list is gateway-wide (same for all `Arcade-User-ID`s).
|
||||
- **Shared reference server:** _name + tools echo/whoami/add (Task 1.4)_
|
||||
- **Shared reference server:** `arcade-eval-ref` (dashboard id `military-healthy-posted-rats`), toolkit
|
||||
`ArcadeEvalRef`, tools Echo/Add/Whoami — self-hosted at `lib/mcp_server`, registered via a Cloudflare
|
||||
**quick** tunnel (ephemeral URL in `results/tunnel_url.txt`; re-register on restart). whoami exec-proof
|
||||
verified (A→user-a, B→user-b).
|
||||
- **`whoami` identity field:** server reads `context.user_id` (arcade_mcp_server `Context`), populated by the Engine from the calling user (`Arcade-User-ID` / auth `sub`).
|
||||
|
||||
## Known behaviors (findings)
|
||||
|
||||
@@ -14,6 +14,6 @@
|
||||
- [ ] 2.2 — connect a **second real MCP client (Claude Code)** to the gateway (no-adapter evidence).
|
||||
- [x] 2.5 — **dynamic registration**: PASS — saved add/remove (−Brightdata, +Youtube) reflected on next list, no restart; draft didn't propagate until Save.
|
||||
- Reference server built at `lib/mcp_server` (echo/add/whoami); locally validated by `arcade deploy` (3 tools, 0 secrets). **`arcade deploy` is cloud-only (finding)** — see LIVE-POC.
|
||||
- [ ] 2.7 — **mixed prebuilt + custom**: needs the ref server behind the self-hosted Engine via the **register path** (run `server.py --transport http` + cloudflared tunnel + dashboard Add Server), then compose a gateway (a `main` tool + `echo`). Doubles as cat-9 Stage-2.
|
||||
- [ ] 2.4 — **`whoami` execution proof**: once registered, call whoami as A vs B (expect A→A, B→B).
|
||||
- [x] 2.7 — **mixed prebuilt + custom**: PASS — gateway lists 7 prebuilt + 3 custom (ArcadeEvalRef_*, self-hosted via cloudflared tunnel) in one flat list; echo invokes. Full chain validated (also cat-9 Stage-2).
|
||||
- [x] 2.4 — **`whoami` execution proof**: PASS — whoami A→user-a, B→user-b (calls execute as caller).
|
||||
- [ ] 2.8 — finalize scores once the above land.
|
||||
|
||||
@@ -12,8 +12,8 @@
|
||||
| 2 | Gateway tool curation — ability to expose a subset of tools from underlying servers to a given doorway. | | PASS — 7 tools listed == the 7-tool allow-list selected (Slack×2, GoogleDocs×4, Brightdata×1). |
|
||||
| 3 | Per-user tool scoping — different users see different tool lists based on their explicit grants. | | **FINDING** — User A and User B see the **identical 7 tools** on one gateway (Arcade-Headers). List is gateway-wide, not per-user. Per-user differentiation needs cat-3 Contextual Access or separate gateways / User Source. |
|
||||
| 4 | Supports all required MCP clients without custom adapters (Claude Code, Cursor, LangGraph, internal agent frameworks). | | PARTIAL — custom `mcp`-SDK client connected with no adapter ✓. Claude Code connect = 2.2; Cursor = teammate test. |
|
||||
| 5 | Tool execution isolation — one user's tool call cannot access another user's tokens or context. | | PENDING — vault is per-`user_id` by design; direct proof via reference-server `whoami` (2.4). |
|
||||
| 6 | Supports mixing prebuilt (global catalog) and custom (self-hosted) servers behind a single gateway URL. | | PENDING — needs reference server (2.7). |
|
||||
| 5 | Tool execution isolation — one user's tool call cannot access another user's tokens or context. | | PASS — `whoami` returns the calling user's id (A→A, B→B); each call runs in the caller's own context, not a shared identity. Echo invocation clean. |
|
||||
| 6 | Supports mixing prebuilt (global catalog) and custom (self-hosted) servers behind a single gateway URL. | | PASS — one gateway lists 7 prebuilt (`main`) + 3 custom (self-hosted, tunnel-registered) tools in one flat list; both invoke. |
|
||||
| 7 | Gateway is pure metadata — adding or removing tools does not require server redeployment. | | PASS — saved edit (remove Brightdata, add Youtube_SearchForVideos) reflected on next `tools/list`, no restart. |
|
||||
| 8 | Dynamic tool registration — new tools become available without gateway restart. | | PASS — new tool appeared immediately after Save; no engine/server restart. |
|
||||
|
||||
@@ -30,7 +30,7 @@
|
||||
| 1 | Can a Claude Code client connect to the gateway and see only the tools granted to the current user? | Connect: lib client ✓; Claude Code pending (2.2). "Only granted tools": N/A — no per-user grants on this gateway (list is gateway-wide). | probes.md |
|
||||
| 2 | Can the same gateway URL serve two different users with different tool lists? | **No** — A and B see identical 7 tools. | probes.md (A==B) |
|
||||
| 3 | Can we add a tool to the gateway without restarting any server or the Engine? | **Yes** — saved add/remove appeared on the next `tools/list`, no restart. (Draft edit did NOT propagate until Save — expected.) | probes.md |
|
||||
| 4 | Can we expose tools from both a prebuilt connector and a custom self-hosted server through one gateway endpoint? | Pending reference server (2.7). | |
|
||||
| 4 | Can we expose tools from both a prebuilt connector and a custom self-hosted server through one gateway endpoint? | **Yes** — `zeb-gateway-test` exposes prebuilt `main` tools + custom self-hosted `ArcadeEvalRef_*` tools together; both list and invoke. | probes.md |
|
||||
| 5 | What happens when a client requests a tool the user has not been granted? | `McpError: tool not enabled for this gateway` — clean rejection at the Engine, no leak/execution. | probes.md |
|
||||
|
||||
## Suggested pass/fail gates
|
||||
@@ -39,9 +39,11 @@
|
||||
| MCP protocol compliance | Any compliant MCP client connects without custom adapters | PASS (lib client; Claude Code to add in 2.2) | probes.md |
|
||||
| Tool curation | Gateway tool list matches exactly the configured allow-list | PASS | probes.md |
|
||||
| Per-user isolation | User A cannot see or invoke tools granted only to User B | Not demonstrable on this gateway — no per-user grants (both see all 7). Needs cat-3 / separate gateways / User Source. **(finding)** | probes.md |
|
||||
| Mixed server gateway | Prebuilt and custom server tools coexist behind one gateway URL | Pending (2.7) | |
|
||||
| Mixed server gateway | Prebuilt and custom server tools coexist behind one gateway URL | PASS | probes.md (10 tools: 7 prebuilt + 3 custom) |
|
||||
|
||||
## Findings
|
||||
- **Per-user execution proven**: `whoami` through the full chain returns the calling user's identity (A→A, B→B) — calls execute as the caller, not a shared account. Cat-1's contribution to the per-user-execution hard gate.
|
||||
- **Mixed prebuilt+custom works**: a single gateway serves Arcade-cloud `main` tools and a self-hosted (tunnel-registered) server's tools together; the full client→gateway→Engine→tunnel→server chain works (also validates cat-9 Stage-2).
|
||||
- **Per-user tool-list scoping is gateway-wide, not per-user, in Arcade-Headers mode** (A==B identical). Differentiation requires Contextual Access (cat 3) or separate gateways / a User Source. Signals the score-3 anchor ("per-user scoping requires workarounds") unless cat-3 lifts it.
|
||||
- **Invocation routes through the Engine and fails cleanly** when an OAuth provider/secret isn't configured (`Slack_WhoAmI` → "unsupported authorization provider type ID '' (providerID 'slack')") — no silent fallback to a shared credential.
|
||||
- **Ungranted tool** → `tool not enabled for this gateway` (clean rejection).
|
||||
|
||||
@@ -56,3 +56,27 @@ removed since first probe: ['Brightdata_ScrapeAsMarkdown']
|
||||
metadata). Corollary: the edit did **not** propagate while unsaved (draft); it appeared only after
|
||||
**Save** — correct/expected, not a defect. Propagation was effectively immediate (next poll).
|
||||
|
||||
## Mixed prebuilt + custom + whoami execution proof (2.7, 2.4) — full self-hosted chain
|
||||
Registered the reference server (`arcade-mcp`, toolkit `ArcadeEvalRef`) as a **self-hosted Arcade
|
||||
server** via a Cloudflare tunnel (dashboard Add Server → **Arcade** type; URI = trycloudflare URL,
|
||||
Secret = `ARCADE_WORKER_SECRET`), then added Echo/Add/Whoami to `zeb-gateway-test`. (`arcade deploy`
|
||||
hosted is cloud-only — see LIVE-POC finding — so the register path is used.)
|
||||
|
||||
Gateway lists **10 tools in one flat list — prebuilt + custom coexist**:
|
||||
```
|
||||
prebuilt (7): GoogleDocs x4, Slack x2, Youtube x1 (Arcade-cloud `main`)
|
||||
custom (3): ArcadeEvalRef_Add, _Echo, _Whoami (our self-hosted server, via tunnel)
|
||||
```
|
||||
Invocation (full chain client -> gateway -> Engine -> Cloudflare tunnel -> local server):
|
||||
```
|
||||
ArcadeEvalRef_Echo(text="hello-from-A") as A -> "hello-from-A" (isError: False)
|
||||
```
|
||||
**Per-user EXECUTION proof (whoami):**
|
||||
```
|
||||
whoami as A (user-a@servicetitan.com) -> "user-a@servicetitan.com"
|
||||
whoami as B (user-b@servicetitan.com) -> "user-b@servicetitan.com"
|
||||
```
|
||||
Each caller's `Arcade-User-ID` is injected into `context.user_id` and returned — the tool provably
|
||||
executes as the calling user (distinct identity per caller, no shared/service identity). Also
|
||||
validates **cat-9 Stage-2** (full tunnel-registration chain) end-to-end.
|
||||
|
||||
|
||||
+12
-2
@@ -21,10 +21,20 @@ gateways:
|
||||
- Slack_SendMessage
|
||||
- Slack_WhoAmI
|
||||
- Youtube_SearchForVideos
|
||||
notes: baseline cat-1 gateway from main catalog (Slack, GoogleDocs, Youtube). Edited live 2026-06-18 (-Brightdata, +Youtube) to test dynamic registration.
|
||||
- ArcadeEvalRef_Echo
|
||||
- ArcadeEvalRef_Add
|
||||
- ArcadeEvalRef_Whoami
|
||||
notes: cat-1 gateway. Mixed prebuilt (Slack/GoogleDocs/Youtube from main) + custom (ArcadeEvalRef_* from the self-hosted ref server). Also used for dynamic-registration test (-Brightdata, +Youtube).
|
||||
|
||||
# name -> {kind: hosted|self-hosted, tools: [...], created_by, notes} (filled in Task 1.4)
|
||||
servers: {}
|
||||
servers:
|
||||
arcade-eval-ref:
|
||||
dashboard_id: military-healthy-posted-rats # ID 'arcade-eval-ref' was rejected; used the tunnel subdomain
|
||||
toolkit: ArcadeEvalRef
|
||||
kind: self-hosted-registered # via Cloudflare tunnel (arcade deploy is cloud-only)
|
||||
source: lib/mcp_server
|
||||
tools: [ArcadeEvalRef_Echo, ArcadeEvalRef_Add, ArcadeEvalRef_Whoami]
|
||||
notes: tunnel URL is an ephemeral cloudflared quick tunnel (results/tunnel_url.txt) — re-register on restart.
|
||||
|
||||
# Headless per-user identities (vault keys). Any stable string works.
|
||||
users:
|
||||
|
||||
Reference in New Issue
Block a user