MCPServer CRD state should reflect reachability, CLI should show session state #337
Description
Summary
The MCPServer CRD status currently conflates network reachability with authentication state. When a remote MCP server returns a 401 (Unauthorized), the CRD shows Connecting instead of reflecting that the server is actually reachable.
Current Behavior
- MCPServer receives 401 from remote server (server IS reachable, just needs auth)
- CRD status shows:
Connecting muster auth statuscorrectly shows:Connected [SSO: ...]muster list mcpserveronly shows CRD state, not session state
Expected Behavior
1. CRD State Should Reflect Reachability
The MCPServer CRD status should indicate whether the server is reachable at the network level:
| Response | CRD State | Meaning |
|---|---|---|
| 401 Unauthorized | Connected |
Server reachable, requires auth |
| 200 OK | Connected |
Server reachable and responding |
| Connection refused / timeout | Connecting or Failed |
Server not reachable |
| DNS resolution failure | Failed |
Server not reachable |
2. CLI Should Show Session State When Authenticated
muster list mcpserver should display both:
- Infrastructure state (from CRD): Is the server reachable?
- Session state (when logged in): Is the current user authenticated to this server?
Example output when authenticated:
NAME STATE SESSION TYPE
server-a Connected Authenticated streamable-http
server-b Connected Pending Auth streamable-http
server-c Failed - streamable-http
This aligns the CLI output with muster auth status which already shows per-server session state.
Acceptance Criteria
- MCPServer receiving 401 has CRD state
Connected(notConnecting) -
muster list mcpservershows session state column when user is authenticated - Session state matches what
muster auth statusdisplays - Documentation updated to clarify CRD state vs session state distinction