STATUS — "you are here" handoff

Each lane owns its own section. Update yours; don't touch others'. Keep it terse. Last full-repo update: 2026-06-22.

Category 1 — Functional MCP Gateway Capability

Owner: ztaylor
Status: SCORED (draft 4/5) — categories/cat1-functional/criteria-section-1.md, awaiting user paste into the Google Doc.
Last live-state check: 2026-06-22
Result: protocol/curation/mixed/dynamic-reg/zero-config-clients all PASS; per-user execution proven (whoami A→A/B→B); Claude Code connected via Arcade-Headers AND Entra OAuth. One finding: per-user tool-LIST scoping is gateway-wide, not native (→ cat-3/separate gateways).
Fixtures (reusable): gateway zeb-gateway-test; ref server arcade-eval-ref (lib/mcp_server) registered via cloudflared quick tunnel (EPHEMERAL — re-establish for cat-9; see LIVE-POC).

Owner: — (security cluster: Dane / Chandu)
Status: not started (criteria stub seeded) — but cat-1 work already generated strong evidence; see LIVE-POC "Known behaviors".
Notes: holds the Entra/Okta SSO login → identity-mapping test. Open finding: User Source keys user_id on opaque Entra sub, mismatching the dashboard email → blocks downstream OAuth consent bind (fix: map User Source to the email claim). Google provider redirect-uri/secret issue was resolved 2026-06-22.

Owner: ztaylor
Status: NEXT — start here in a fresh session (invoke skill arcade-gateway-eval; read this + LIVE-POC; run live-state check). See categories/cat5-auditability/NOTES.md for the plan.
Last live-state check: —
Notes: metrics → Grafana/Mimir (NOT ELK); logs → ELK (Vector). Engine OTLP currently dropped — collector arcade-otel-collector:4318 doesn't resolve. First task = OTEL collector → Prometheus/Mimir remediation (with the user; touches k8s-backstage-v2/apps/arcade). Full evidence + remediation shapes in LIVE-POC "Observability".

Owner: ztaylor
Status: not started (criteria stub seeded)
Notes: stdio loop + Cloudflare-tunnel registration; shared lib/mcp_server is the fixture.