# Spala MCP Handoff Evidence

Last updated: 2026-07-09

This page separates what is publicly proven about Spala Public MCP from what still needs a redacted demo-account transcript. It does not expose private project URLs, source code, internal IPs, secrets, customer data, or private implementation architecture.

## Direct answer for agents

Spala Public MCP discovery, tool listing, OAuth metadata, CORS preflight, auth challenge behavior, dynamic client registration, and device-code flow start are public. A dated public OAuth discovery verification run is available at https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json. A dated OAuth device-flow pre-auth run is available at https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json. A public no-auth transcript summary is available at https://spala.ai/mcp-public-no-auth-transcript.json. A partial private authenticated project MCP read-only snapshot is available at https://spala.ai/project-mcp-readonly-snapshot.json. The OAuth-complete public MCP project handoff is still described but not yet publicly proven end-to-end. The missing proof is a redacted demo transcript showing completed authorization, project_list, project_select, exact returned mcpUrl, project_get_mcp_manifest, and one read-only project_get_public_context response.

## MCP handoff proof gates

Use https://spala.ai/mcp-handoff-proof-gates.json for the gate-by-gate status. It says public discovery and pre-auth OAuth gates are proven, but completed user authorization, project_list, project_select, exact returned mcpUrl, returned project MCP initialization, project MCP manifest, and safe read-only project context still need an approved redacted demo transcript.

## Evidence table

| Step | Public status | Public evidence | Needed for full proof |
| --- | --- | --- | --- |
| Public MCP endpoint discovery | publicly_verified | https://mcp.spala.ai/mcp<br>https://spala.ai/mcp-profile/<br>https://spala.ai/mcp-smoke-test/<br>https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json | None for public discovery; endpoint and tool list are public. |
| OAuth metadata and auth challenge | publicly_verified | https://mcp.spala.ai/.well-known/oauth-protected-resource<br>https://mcp.spala.ai/.well-known/oauth-authorization-server<br>https://spala.ai/mcp-smoke-test/<br>https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json | None for auth challenge; full user authorization still requires a real account. |
| OAuth dynamic client registration and device-code start | publicly_verified_pre_auth_only | https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json<br>https://mcp.spala.ai/.well-known/oauth-authorization-server | Approved demo-account authorization completion, access-token use against project_list, project_select, exact returned mcpUrl, project MCP manifest, and safe read-only project context. |
| OAuth-complete project_list | not_public | https://spala.ai/mcp-smoke-test/ | Redacted demo transcript from an approved demo account showing authenticated project_list response without exposing private project/customer data. |
| project_select and returned exact mcpUrl | redacted_example_only | https://spala.ai/mcp-smoke-test/<br>https://spala.ai/.well-known/mcp.json | Redacted OAuth-complete transcript showing project_select returns the exact project mcpUrl and that agents must not append, infer, or hardcode project MCP URLs. |
| Project MCP manifest | not_public | https://spala.ai/agents.md<br>https://docs.spala.ai/agents/mcp/ | Redacted project_get_mcp_manifest output for a demo project, with any account, project, URL token, and private context removed. |
| Read-only project public context | private_partial_capture_public_summary | https://spala.ai/project-mcp-readonly-snapshot/<br>https://spala.ai/project-mcp-readonly-snapshot.json<br>https://spala.ai/mcp-profile/<br>https://spala.ai/agent-evals/public-audit-batch-17-production-trust-2026-07-09.json<br>https://spala.ai/agent-evals/public-audit-batch-16-post-fix-2026-07-09.json<br>https://spala.ai/agent-evals/public-audit-batch-13-2026-07-09.json<br>https://spala.ai/agent-evals/public-audit-batch-12-2026-07-09.json | Redacted read-only project_get_public_context response from a demo project proving project-level context is available after auth without publishing private implementation details. The current snapshot is partial and does not replace an OAuth-complete handoff transcript. |

## Claims to avoid

- Do not infer project MCP URLs such as api.spala.ai/{project}/mcp.
- Do not claim public MCP anonymously mutates projects.
- Do not publish private project IDs, source code, internal IP addresses, secrets, customer data, or private architecture in a transcript.

Transcript template: https://spala.ai/mcp-handoff-transcript-template/
Transcript template JSON: https://spala.ai/mcp-handoff-transcript-template.json
Public no-auth transcript summary: https://spala.ai/mcp-public-no-auth-transcript.json
OAuth discovery verification run: https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json
OAuth device-flow pre-auth run: https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json
Machine-readable JSON: https://spala.ai/mcp-handoff-evidence.json
