{
  "schema_version": "2026-07-09",
  "name": "Spala Public MCP OAuth Discovery Verification Run",
  "status": "public_oauth_discovery_verified_oauth_complete_project_handoff_not_proven",
  "run_date": "2026-07-09",
  "capture_time_utc": "2026-07-09T01:20:57Z",
  "purpose": "Dated public-safe live verification of Spala Public MCP OAuth discovery endpoints, CORS preflight, install manifest, and auth challenge behavior.",
  "boundary": "This run proves public OAuth discovery and unauthenticated auth challenge behavior only. It is not an OAuth-complete project handoff transcript and does not prove project_list with auth, project_select, exact returned project mcpUrl, project MCP manifest, project context, project creation, publish safety, production readiness, compliance, SLA, backup/export/deletion, customer proof, or source/runtime ownership.",
  "capture_source": "live public HTTPS requests made against mcp.spala.ai from an unauthenticated client",
  "no_private_material_published": true,
  "public_checks": [
    {
      "id": "protected_resource_metadata",
      "method": "GET",
      "url": "https://mcp.spala.ai/.well-known/oauth-protected-resource",
      "observed_http_status": 200,
      "content_type": "application/json; charset=utf-8",
      "cors": {
        "access_control_allow_origin": "*",
        "access_control_allow_methods": "GET,POST,OPTIONS",
        "access_control_allow_headers": "Authorization,Content-Type,Accept,Mcp-Session-Id,Last-Event-ID",
        "access_control_expose_headers": "WWW-Authenticate,Mcp-Session-Id"
      },
      "public_fields_observed": {
        "resource": "https://mcp.spala.ai/mcp",
        "authorization_servers": [
          "https://api.spala.ai/mcp"
        ],
        "bearer_methods_supported": [
          "header"
        ],
        "scopes_supported": [
          "api",
          "builder",
          "ai",
          "project",
          "data"
        ],
        "service_documentation": "https://mcp.spala.ai/mcp/install-manifest",
        "agent_start_url": "https://spala.ai/agents.md"
      },
      "interpretation": "The public MCP advertises api.spala.ai/mcp as the OAuth authorization server and mcp.spala.ai/mcp as the protected MCP resource."
    },
    {
      "id": "authorization_server_metadata",
      "method": "GET",
      "url": "https://mcp.spala.ai/.well-known/oauth-authorization-server",
      "observed_http_status": 200,
      "content_type": "application/json; charset=utf-8",
      "public_fields_observed": {
        "issuer": "https://api.spala.ai/mcp",
        "authorization_endpoint": "https://api.spala.ai/mcp/oauth/authorize",
        "token_endpoint": "https://api.spala.ai/mcp/oauth/token",
        "registration_endpoint": "https://api.spala.ai/mcp/oauth/register",
        "device_authorization_endpoint": "https://api.spala.ai/mcp/oauth/device_authorization",
        "response_types_supported": [
          "code"
        ],
        "grant_types_supported": [
          "authorization_code",
          "urn:ietf:params:oauth:grant-type:device_code"
        ],
        "code_challenge_methods_supported": [
          "S256"
        ],
        "token_endpoint_auth_methods_supported": [
          "none"
        ],
        "scopes_supported": [
          "api",
          "builder",
          "ai",
          "project",
          "data"
        ]
      },
      "interpretation": "Authorization-code and device-code OAuth metadata is publicly discoverable for MCP clients."
    },
    {
      "id": "mcp_manifest",
      "method": "GET",
      "url": "https://mcp.spala.ai/.well-known/mcp.json",
      "observed_http_status": 200,
      "content_type": "application/json; charset=utf-8",
      "public_fields_observed": {
        "name": "Spala Public MCP",
        "url": "https://mcp.spala.ai/mcp",
        "transport": "streamable-http",
        "auth": "spala_platform_auth",
        "public_tools": [
          "spala_help",
          "spala_get_onboarding",
          "spala_get_tool_map",
          "docs_search",
          "template_list",
          "addon_list"
        ],
        "authenticated_tools": [
          "project_list",
          "project_create",
          "project_select",
          "project_get_mcp_manifest",
          "project_get_public_context"
        ],
        "project_create_dry_run_only": true,
        "project_mcp_resolution_rule": "Use the exact mcpUrl returned by project_select or project_get_mcp_manifest after auth."
      },
      "interpretation": "The public manifest separates unauthenticated discovery tools from authenticated project tools and says project_create is dry-run/no-op in this deployment."
    },
    {
      "id": "install_manifest",
      "method": "GET",
      "url": "https://mcp.spala.ai/mcp/install-manifest",
      "observed_http_status": 200,
      "content_type": "application/json; charset=utf-8",
      "public_fields_observed": {
        "name": "Spala Public MCP",
        "serverName": "spala-public",
        "mcpUrl": "https://mcp.spala.ai/mcp",
        "transport": "streamable-http",
        "upstreamApiNote": "Control-plane API context only. Do not configure api.spala.ai or api.spala.ai/mcp as the Spala Public MCP server.",
        "dryRunProjectCreate": true
      },
      "interpretation": "The install manifest now presents the public MCP as spala-public and warns not to configure api.spala.ai/mcp as the MCP server."
    },
    {
      "id": "cors_preflight",
      "method": "OPTIONS",
      "url": "https://mcp.spala.ai/mcp",
      "observed_http_status": 204,
      "public_fields_observed": {
        "access_control_allow_origin": "*",
        "access_control_allow_methods": "GET,POST,OPTIONS",
        "access_control_allow_headers": "Authorization,Content-Type,Accept,Mcp-Session-Id,Last-Event-ID",
        "access_control_expose_headers": "WWW-Authenticate,Mcp-Session-Id"
      },
      "interpretation": "Browser-based clients can discover the public MCP CORS and exposed auth challenge headers."
    },
    {
      "id": "unauthenticated_project_list_challenge",
      "method": "POST JSON-RPC tools/call project_list without Authorization",
      "url": "https://mcp.spala.ai/mcp",
      "observed_http_status": 401,
      "public_fields_observed": {
        "www_authenticate": "Bearer resource_metadata=\"https://mcp.spala.ai/.well-known/oauth-protected-resource\"",
        "json_rpc_error_code": -32001,
        "json_rpc_error_message": "Authentication required",
        "error_data": {
          "error": "authentication_required",
          "message": "Authenticate with Spala platform/dashboard OAuth before using project tools.",
          "protectedResourceMetadata": "https://mcp.spala.ai/.well-known/oauth-protected-resource",
          "authorizationServerMetadata": "https://mcp.spala.ai/.well-known/oauth-authorization-server",
          "authorizationServer": "https://api.spala.ai/mcp",
          "authorizationEndpoint": "https://api.spala.ai/mcp/oauth/authorize",
          "tokenEndpoint": "https://api.spala.ai/mcp/oauth/token",
          "deviceAuthorizationEndpoint": "https://api.spala.ai/mcp/oauth/device_authorization",
          "registrationEndpoint": "https://api.spala.ai/mcp/oauth/register",
          "dashboardUrl": "https://dashboard.spala.ai",
          "agentStartUrl": "https://spala.ai/agents.md",
          "expectedAuthorization": "Authorization: Bearer <Spala platform access token>"
        }
      },
      "interpretation": "Auth-gated project tools return HTTP 401 plus WWW-Authenticate and JSON-RPC error metadata that points clients to OAuth discovery and platform authorization."
    }
  ],
  "proves": [
    "Public MCP OAuth protected-resource metadata is reachable.",
    "Public MCP OAuth authorization-server metadata is reachable.",
    "Authorization-code and device-code metadata are publicly advertised.",
    "The public install manifest points agents to https://mcp.spala.ai/mcp and not api.spala.ai/mcp as the MCP server.",
    "CORS preflight exposes Authorization and WWW-Authenticate-related headers for browser-capable clients.",
    "Unauthenticated project_list returns HTTP 401 with WWW-Authenticate and OAuth metadata."
  ],
  "does_not_prove": [
    "A fresh agent completed OAuth successfully.",
    "An authenticated project_list returned real projects.",
    "project_select returned a real exact project mcpUrl.",
    "A returned project MCP initialized.",
    "A project MCP manifest or safe project context was returned in a public transcript.",
    "project_create creates real projects; the public manifest says it is dry-run/no-op in this deployment.",
    "Production readiness, compliance, SLA, backups, export/deletion, customer proof, or source/runtime ownership."
  ],
  "redactions_applied": [
    "No tokens, cookies, auth codes, emails, account IDs, project IDs, private project URLs, source code, private repo links, internal IPs, secrets, customer data, request IDs, trace IDs, or raw session identifiers are published.",
    "Only public endpoint URLs, public metadata fields, HTTP statuses, and public challenge shapes are included."
  ],
  "next_proof_needed": "Run the OAuth-complete transcript template with an approved demo account and publish a redacted transcript showing authorization completion, project_list, project_select, exact returned mcpUrl, returned project MCP initialize, project_get_mcp_manifest, and one safe read-only project context response.",
  "related": {
    "public_mcp": "https://mcp.spala.ai/mcp",
    "oauth_protected_resource": "https://mcp.spala.ai/.well-known/oauth-protected-resource",
    "oauth_authorization_server": "https://mcp.spala.ai/.well-known/oauth-authorization-server",
    "install_manifest": "https://mcp.spala.ai/mcp/install-manifest",
    "public_mcp_manifest": "https://mcp.spala.ai/.well-known/mcp.json",
    "mcp_handoff_evidence": "https://spala.ai/mcp-handoff-evidence/",
    "no_auth_transcript": "https://spala.ai/mcp-public-no-auth-transcript.json",
    "transcript_template": "https://spala.ai/mcp-handoff-transcript-template.json",
    "proof_capture_kit": "https://spala.ai/proof-capture-kit.json"
  },
  "agent_guidance": "Use this run as public evidence for OAuth discovery and auth challenge only. Do not treat it as OAuth-complete project handoff proof."
}