mcp-data-platform-v1.57.1
v1.57.1 — Gateway OAuth UX fix
This release makes the MCP gateway's OAuth authorization_code flow usable from the admin UI and ships the redesigned documentation site. No config changes, no migrations.
Highlights
🔌 Gateway OAuth authorization_code is usable again (#347)
In v1.57.0, saving an OAuth connection with authorization_code + PKCE (browser sign-in) silently failed in two compounding ways:
- The Connect button promised by the form text never rendered after saving — the entire OAuth status panel disappeared.
- Clicking Test connection returned a generic "Failed" with no actionable diagnostic.
Both are fixed.
Operator-visible behaviour after upgrade
After saving an authorization_code connection (Salesforce Hosted MCP, Keycloak-protected MCP servers, etc.):
- The OAuth status panel now appears under Test/Refresh with
Token: not yet acquired,Refresh token: none,Grant: authorization_code. - A Connect button is rendered alongside an amber "Not connected. Click Connect to authorize…" notice.
- Clicking Test connection shows a clear "Not connected: this OAuth connection needs browser sign-in. Use the Connect button in the OAuth status panel to authorize, then test again." message instead of an opaque failure.
- Clicking Connect opens the upstream
/authorizeURL in a new tab. After sign-in, the platform exchanges the code, persists the tokens, and the panel flips toToken: acquiredwith Reconnect and Refresh now controls.
Once authorized, refresh tokens are persisted (encrypted at rest when ENCRYPTION_KEY is set) and the platform automatically refreshes access tokens 30 seconds before expiry on every tool call. Cron jobs and scheduled prompts work without re-authorization until the upstream invalidates the refresh token.
What was actually broken
| Layer | Bug |
|---|---|
pkg/toolkits/gateway/toolkit.go |
Status() only populated the OAuth field when client != nil. Freshly-saved authcode connections record a placeholder upstream (no client) until the operator authorizes; with OAuth: null the admin UI's OAuthStatusCard early-returned and the Connect button never rendered. |
pkg/admin/gateway_handler.go |
testGatewayConnection always called Probe with nil for the token store. For unauthorized authcode connections the dial failed on cryptic upstream IdP errors (typically a 401 on the token endpoint with no useful body). |
ui/src/api/admin/client.ts |
apiFetch extracted only body.detail from non-OK responses, so the gateway test endpoint's {healthy: false, error: "..."} shape lost its diagnostic content entirely — operators saw an empty "Failed" indicator. |
What changed
Status()now synthesizes theOAuthfield from the persisted token store for placeholder connections, distinguishing never authorized (NeedsReauth=true, render Connect) from authorized but upstream sick (NeedsReauth=false, render Reconnect).testGatewayConnectionshort-circuits unauthorized authcode connections with HTTP 200 + a clear "click Connect first" message instead of running Probe.- The admin API client falls back through
detail → error → message → statusText, so endpoint-shaped error responses across the entire admin API surface useful diagnostics — not justproblemDetail-shaped ones.
Test coverage
- Patch coverage: 100 % (43/43 changed lines on
pkg/admin/gateway_handler.go). - New Go tests:
TestStatus_PlaceholderReturnsOAuthNeedsReauth,TestStatus_PlaceholderWithStoredTokenReportsAuthorized,TestTestGatewayConnection_AuthCodeUnauthorizedReturnsFriendlyMessage, plus three branch tests forconnectionHasOAuthToken. - New TypeScript tests (
ui/src/api/admin/client.test.ts): four cases covering thedetail → error → message → statusTextfallback chain.
📚 Documentation site redesigned (#346)
The documentation at https://mcp-data-platform.txn2.com adopts the txn2/www design system at level-2 (token alignment), matching sister projects mcp-datahub, mcp-trino, and mcp-s3.
- New homepage with hero, two flagship install cards (standalone platform, Go library composition), and an eight-row capability stack covering cross-enrichment, composability, OAuth 2.1 inbound and outbound, personas, audit, gateway, portal, and the knowledge / memory layer.
- Full SEO surface inherited by every page: Open Graph, Twitter
summary_large_image, JSON-LDSoftwareApplication, canonical link, Google Fonts preconnect. - 1200×630 social card, restructured
llms.txt(llmstxt.org convention), restyled 404, and aDESIGN.mdadoption record. - Memory Layer pages wired into the Features nav.
Other changes
Full changelog
- 6f56390: fix(gateway): surface OAuth Connect button and friendly Test errors (#347)
- bf1dab5: docs: redesign site to txn2 visual identity (#346)
- 7882b0e: build(deps): bump postcss (#345)
- 094ed73: ci: bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 (#344)
Compare: v1.57.0...v1.57.1
Upgrade notes
- No config changes required.
- No database migrations.
- Existing OAuth connections (both
client_credentialsandauthorization_codegrants) keep working without reconfiguration. - Operators with
authorization_codeconnections that previously appeared "broken" (no Connect button, generic Test failures) will see the connection become operable immediately after upgrade — no need to recreate the row.
Installation
Homebrew (macOS)
brew install txn2/tap/mcp-data-platformClaude Code CLI
claude mcp add mcp-data-platform -- mcp-data-platformDocker
docker pull ghcr.io/txn2/mcp-data-platform:v1.57.1Go (library composition)
go get github.com/txn2/mcp-data-platform@v1.57.1Verification
All release artifacts are signed with Cosign (keyless, GitHub Actions OIDC) and ship with SBOMs. Verify with:
cosign verify-blob --bundle mcp-data-platform_1.57.1_linux_amd64.tar.gz.sigstore.json \
mcp-data-platform_1.57.1_linux_amd64.tar.gzContainer images:
cosign verify ghcr.io/txn2/mcp-data-platform:v1.57.1 \
--certificate-identity-regexp='https://github.com/txn2/mcp-data-platform/.+' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com'