fix(cloud): enforce cloud-source degrade and carry the source alias#57
Merged
sourcehawk merged 3 commits intoMay 30, 2026
Merged
Conversation
Probe cloud sources before writing the MCP config and wire only the sources whose probe is Valid. A failed probe now disables the source (absent from mcp.json) instead of merely reporting it, honoring the visible-degrade contract. All sources, valid and degraded, remain in Result.CloudSources so the status surface still shows the degraded ones with their hint. The probe still degrades, never blocks the session. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The cloud DTO exposed provider, identity, valid, and hint but not the alias, so two sources sharing a provider and identity but differing in scope were indistinguishable even though the MCP is keyed triagent-cloud-<alias>. Add alias to the DTO and the frontend CloudConnection type, and surface it as the pill heading so each source is identifiable. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Scope allowlist section implied run_cli enforces scope.accounts as an account allowlist. It does not: only --project and --region/--zone are argv-validated. AWS account reach is bounded by the pinned assume-role profile, not by scope.accounts. State that project and region/zone are enforced on argv, while account reach is governed by the pinned role, and mark scope.accounts as informational and reserved so operators do not rely on an allowlist the harness does not enforce. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Towards #44
Addresses three code-review findings in the cloud-context MCP launcher integration. A failed cloud-source probe now actually disables the source rather than merely reporting it, the connections API carries the source alias so same-provider sources are distinguishable, and a docs over-claim about account-scope enforcement is corrected. These tighten the launcher side of the cloud-context work to match the spec's visible-degrade contract and the keying the MCP already uses.
Changes
Valid. A degraded source is now absent frommcp.json(disabled, not just reported), while all sources, valid and degraded, remain inResult.CloudSourcesso the connections panel still shows the degraded ones with their hint. The probe still degrades, never blocks the session./api/connectionscloud DTO and the frontendCloudConnectiontype carry the sourcealias. The connections panel surfaces it as the pill heading, so two sources sharing a provider and identity but differing in scope are now distinguishable (matching thetriagent-cloud-<alias>MCP key).docs/content/cloud-providers.mdno longer impliesrun_clienforcesscope.accounts. Project and region/zone are argv-enforced; account reach is governed by the pinned assume-role profile, andscope.accountsis documented as informational and reserved.Testing
make test-gorace-clean and green (preflight and server packages included),make lintreports 0 issues,cd frontend && npm run typecheckis clean, the ConnectionsPanel vitest suite passes (4/4), andmake buildproduces both binaries with a fresh embedded bundle. The preflight test now asserts a degraded source is absent from the written MCP config while the valid one is present; the server test asserts the alias is present in the cloud DTO; the vitest spec asserts the alias renders in the pill.🤖 Generated with Claude Code