feat: add MCP collections service, publishing, and catalog UI

[subomi]

Summary

• Adds collections CRUD endpoints (create, list, update, delete) and server attach/detach
• Adds frontend pages for collections (list, create, detail) with org sidebar navigation
• Makes registry_id optional across deployments/external MCP types for collection-backed servers
• Handles internal Gram-hosted servers in tool extraction process
• Auto-creates the default Registry collection and namespace on login and org scope switch

Rebased onto main now that #2198 is merged.

Test plan

• go test github.com/speakeasy-api/gram/server/internal/auth
• Create a collection via org settings -> collections -> create
• Publish a toolset to the collection
• Browse catalog and see collection servers
• Install a server from the collection into a project
• Verify installed server works (tools/list, tools/call)

🤖 Generated with Claude Code

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gram-docs-redirect	Ready	Preview, Comment	Apr 15, 2026 7:54pm

[changeset-bot]

🦋 Changeset detected

Latest commit: a40e3a5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
server	Minor
dashboard	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[speakeasybot]

🚀 Preview Environment (PR #2199)

Preview URL: https://pr-2199.dev.getgram.ai

Component	Status	Details	Updated (UTC)
✅ Database	Ready	Existing database reused	2026-04-15 20:00:12.
✅ Images	Available	Container images ready	2026-04-15 19:59:55.

_{Gram Preview Bot}

[devin-ai-integration]

Devin Review found 5 potential issues.

View 4 additional findings in Devin Review.

[devin-ai-integration]

🟡 pgText treats empty string as NULL, preventing users from clearing collection description

The pgText helper at server/internal/collections/impl.go:358-363 returns {Valid: false} (SQL NULL) for both nil and empty string "". In the Update method (line 162), this means COALESCE(NULL, description) preserves the old value. A user who wants to clear a collection's description by sending description: "" will have their change silently ignored — the old description persists.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 ListServers uses zero-value registry struct when registry row not found

At server/internal/collections/impl.go:372-375, if GetOrganizationMcpCollectionRegistryByID returns pgx.ErrNoRows, the error is silently ignored and registry remains a zero-value OrganizationMcpCollectionRegistry struct. This means registry.Namespace will be "" (line 393 check passes) and registry.ID will be uuid.Nil, which gets serialized as "00000000-0000-0000-0000-000000000000" in the OrganizationMcpCollectionRegistryID field of the response (line 396). If a collection somehow doesn't have a registry row (which shouldn't happen in normal flow but could after a data inconsistency), clients would receive a nil-UUID registry ID rather than null, which could cause confusion.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Devin Review found 3 new potential issues.

View 7 additional findings in Devin Review.

[devin-ai-integration]

🔴 ListServers produces bogus nil-UUID collection registry ID when registry row is missing

In ListServers, when GetOrganizationMcpCollectionRegistryByID returns pgx.ErrNoRows, the error is silently swallowed (line 392) and the code continues with a zero-value registry struct. At line 415, registry.ID.String() produces "00000000-0000-0000-0000-000000000000", which is then set as OrganizationMcpCollectionRegistryID on every returned server. When the frontend subsequently installs these servers via a deployment, it sends this nil-UUID as the organization_mcp_collection_registry_id. The backend XOR validation passes (one ID is set), but during async deployment processing at server/internal/externalmcp/process.go:102, the code would try to use this invalid reference, and the FK constraint to organization_mcp_collection_registries would reject it. By contrast, the sibling List method at server/internal/collections/impl.go:174 treats a missing registry as a hard error, making this silent fallthrough inconsistent.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 registryId made optional is a breaking change for existing API consumers

The AddExternalMCPForm type's registryId field changed from required (string) to optional (*string) in the Go types at server/gen/deployments/service.go:68-69 and correspondingly in the OpenAPI spec. The Required array in the design (server/design/deployments/design.go:352) no longer includes registry_id. Existing API consumers that always provide registry_id won't break, but any consumers relying on the response always having registry_id populated (e.g., the DeploymentExternalMCP type) will see a breaking change. The client SDK was regenerated to handle this, but external SDK users or direct API consumers may need updating.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[subomi]

Not relevant. We don't have any public consumers.

[devin-ai-integration]

🚩 Collection attachedToolsetIds matching uses mcpSlug which may not be unique across projects

In CollectionDetail.tsx:146-154, attachedToolsetIds is built by matching toolsets' mcpSlug against the attachedMcpSlugs set derived from server registry specifiers. If two toolsets in different projects happen to share the same mcpSlug, both will appear as 'attached' even if only one is actually in the collection. This could cause incorrect checkbox states in the edit form and incorrect diff calculations when saving (potentially detaching the wrong toolset). The mcpSlug is extracted from the last segment of registrySpecifier at line 99-100, which further increases collision risk.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[disintegrator]

We're not patching in this operation and we generally don't have any APIs that take in patches on resources.

Suggested change

	PATCH("/rpc/collections.update")
	POST("/rpc/collections.update")

[disintegrator]

Is there a shorter name for this field? Also a little confusing to have it alongside RegistryID. Should they be named InternalRegistryID and ExternalRegistryID or something like that?

Also are they mutually exclusive? If so, should there be some logic in deployments service to ensure that only one is provided?

[subomi]

Is there a shorter name for this field? Also a little confusing to have it alongside RegistryID. Should they be named InternalRegistryID and ExternalRegistryID or something like that?

I think the current naming is clear enough in context. If you don't have any strong objections, I'm happy to keep it as is for now. WDYT?

[disintegrator]

All queries must be qualified with either project id or organization id. In this case case:

Suggested change

	WHERE id = @id AND deleted IS FALSE;
	WHERE
	id = @id
	AND organization_id = @organization_id
	AND deleted IS FALSE;

In the application layer, you pass ActiveOrganizationID and then you can check for pgx.ErrNoRows to assert that a collection exists or not.

[disintegrator]

Needs to be qualified with org id here as well (authCtx.ActiveOrganizationID in code)

[disintegrator]

Use the conv.PtrToPGTextEmpty

[disintegrator]

as above

[disintegrator]

use s.serverURL.JoinPath instead of fmt.Sprintf

[disintegrator]

use s.serverURL.JoinPath

[disintegrator]

Consider conv.FromPGText, conv.PtrEmpty

[disintegrator]

use conv.FromNullableUUID and it should help clean up the pointer assignments below

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 21 additional findings in Devin Review.

[devin-ai-integration]

🚩 useEffect dependency on existingSpecifiers may cause infinite re-partitioning loop

At useExternalMcpReleaseWorkflow.ts:197, the useEffect that initializes server configs now depends on [servers, existingSpecifiers]. Since existingSpecifiers is a useMemo that creates a new Set on every recomputation (line 130-138), it will have a new reference whenever latestDeployment?.externalMcps changes. After a deployment completes and useLatestDeployment refetches, this could trigger the useEffect to re-run and re-partition servers, potentially resetting the workflow state mid-flow. In practice, the deployment flow has already moved past the configure phase by then, but the re-partitioning could reset multiRemoteConfigs and serverConfigs unexpectedly. The Set reference stability depends on whether useMemo's [latestDeployment?.externalMcps] dependency changes reference between refetches.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[adaam2]

I don't think this is necessary

[adaam2]

I had a play with the preview app - everything seemed to work and its much improved. Had a quick breeze over the frontend code, and it looked 👍🏻

Approving for frontend. Waiting on Georges feedback on backend code.

[disintegrator]

This change isn't relevant to the PR right? Can we revert it along with the helper function introduced below.

[disintegrator]

good idea to move here versus auth service 👍

[devin-ai-integration]

Devin Review found 2 new potential issues.

View 27 additional findings in Devin Review.

[devin-ai-integration]

🔴 Adding existingSpecifiers to useEffect deps causes phase reset mid-deployment

The useEffect at line 161 that partitions servers into multi/single remote now includes existingSpecifiers in its dependency array (line 197). When a deployment completes, latestDeployment is refetched, which causes existingSpecifiers to update (the newly installed servers are now in the set). This triggers the useEffect to re-run, which re-partitions servers (filtering out the just-installed ones), resets serverConfigs to empty, and unconditionally calls setPhase("configure") (line 195) — overwriting the current "complete" or "deploying" phase. This disrupts the completion UI (which shows toolset creation progress) by abruptly resetting to an empty configure phase.

Trigger scenario

1. User installs servers from a collection
2. Deployment starts → phase is "deploying"
3. Deployment completes → latestDeployment refetches → existingSpecifiers updates
4. useEffect re-runs, filters out all installed servers, calls setPhase("configure")
5. UI jumps from completion/deploying status to an empty configure screen

Prompt for agents

In useExternalMcpReleaseWorkflow.ts, the useEffect that partitions servers (starting around line 161) now has existingSpecifiers in its dependency array at line 197. This causes the effect to re-run when latestDeployment refetches after a successful deployment, which resets the phase and serverConfigs in the middle of active deployment or completion.

The fix should add a guard at the top of the useEffect to bail out if the workflow is in an active phase (deploying, complete, or error). For example:

  if (phase === 'deploying' || phase === 'complete' || phase === 'error') return;

This ensures the effect only partitions servers during the initial setup phases (configure/selectRemotes) when existingSpecifiers changes, not during active deployment.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 CreateCollection does not filter non-MCP-enabled toolsets during creation

In CreateCollection, the toolsetIds array is iterated and each ID is passed to attachServerToCollection. Inside that function (impl.go:440), there's a check if !toolset.McpEnabled || !toolset.McpSlug.Valid that correctly rejects non-MCP-enabled toolsets. So invalid toolset IDs will cause the entire Create to fail with an error (line 131-133 returns the error). This means if a user provides even one non-MCP toolset ID, the whole collection creation fails. This might be intentional strictness, but could also be surprising since invalid UUIDs at line 128-129 are silently skipped while valid-but-ineligible toolsets cause a hard failure.

---

Was this helpful? React with 👍 or 👎 to provide feedback.