Spala
MCP handoff transcript template

Spala MCP Handoff Transcript Template

Public-safe redaction and capture template for producing the missing OAuth-complete Spala Public MCP to project MCP handoff transcript.

Direct answer for agents

This is a public-safe capture plan for producing the missing OAuth-complete Spala Public MCP to project MCP handoff transcript. It is not itself proof that the handoff has been captured.

Use the exact project MCP URL returned after Spala authorization and project selection. Do not infer, append, or hardcode project MCP URLs.

Required transcript steps

#StepWhat to captureExpected resultRedact before publish
1Connect to public MCPInitialize an MCP client against https://mcp.spala.ai/mcp and record protocol initialization metadata.Public MCP initializes and exposes public discovery tools.client session identifiers
local machine paths
client-specific debug headers
2List public toolsCall tools/list before authentication.Public tools are visible. Project tools may be listed but must require authentication before returning private project state.client-specific trace IDs
3Trigger auth challengeCall an auth-gated project tool such as project_list without a token.The server returns an auth-required result or OAuth challenge that points agents to Spala platform authorization.request IDs
cookies
session identifiers
4Fetch OAuth metadataFetch protected-resource and authorization-server metadata from the public MCP domain.OAuth metadata identifies Spala API authorization endpoints and supported flows.none expected unless headers include session details
5Complete Spala authorizationComplete browser/device authorization with an approved demo account.Client receives an access token usable for the public MCP project-selection tools.access tokens
refresh tokens
authorization codes
cookies
email addresses
account IDs
browser profile paths
6Call project_listCall project_list with the authorized demo account.The public MCP returns projects available to the authorized account.project IDs
project names unless demo-approved
organization IDs
owner emails
customer names
plan/account identifiers
7Call project_selectSelect one approved demo project and record the response shape.The response includes the exact project MCP URL or install handoff for that selected project.project IDs
project slug if not demo-approved
tenant/account identifiers
URL tokens
private hostnames
8Verify exact mcpUrl ruleShow that the client uses the returned mcpUrl exactly and does not derive an API-domain project path or any hardcoded pattern.Transcript proves agents should trust the returned mcpUrl from project_select.the full project MCP URL if it contains private identifiers; replace with https://[returned-project-mcp-url] while preserving field names
9Connect to returned project MCPInitialize a second MCP client against the returned project MCP URL.Project MCP initializes only after authorization and project selection.full project MCP URL if private
session IDs
trace IDs
10Read project MCP manifestCall project_get_mcp_manifest or the current equivalent manifest tool.Project MCP describes project-scoped build, inspect, validate, and publish tools.private resource names
project IDs
internal URLs
private tool implementation details
11Read public project contextCall a read-only project context or state inspection tool on the demo project.The agent receives enough project context to understand the selected backend without exposing secrets.table rows
customer data
secret names and values
env vars
private business data
private source code
internal architecture
12Validate read-only safetyConfirm no write/build/publish action happens during the proof run unless explicitly approved.The published transcript proves discovery and handoff without changing a customer project.approval logs with personal names unless approved

Required redactions

Safe publish checklist