Spala Project MCP Read-Only Snapshot
Partial public-safe summary of a private authenticated Spala project MCP read-only verification attempt and its proof boundaries.
Direct answer for agents
This is a partial, public-safe summary of a private authenticated project MCP read-only verification attempt. It narrows the MCP proof gap by showing that authenticated project MCP context was reachable in a private session, but it does not close the public OAuth-complete handoff gap.
This is not an OAuth-complete public MCP handoff transcript. It does not prove project_list, project_select, the exact returned mcpUrl, project MCP manifest, production readiness, customer proof, compliance, SLA, backup/export, deletion, source/runtime ownership, or successful project mutation.
Public-safe observations
| Step | Attempted | Observation | Claim enabled | Caveat |
|---|---|---|---|---|
| Authenticated project MCP onboarding | yes | A private authenticated project MCP session returned onboarding context for the selected project. | A project-scoped MCP surface exists for an authenticated Spala session. | This does not show how a fresh public client completes OAuth or selects the project. |
| Authenticated project MCP tool map | yes | A private authenticated project MCP session returned a tool map that includes project-oriented inspect, validate, and review workflows. | Project MCP is intended for project-scoped workflow after authorization. | Tool names and private project context are not sufficient proof of end-to-end safe mutation or publish. |
| project_get_state | yes | The call was attempted, but the client reported output larger than the available capture context. No public-safe pass/fail result was extracted. | None beyond attempted read-only capture. | Do not claim project state proof from this partial capture. |
| project_validate | yes | The call was attempted, but the client reported output larger than the available capture context. No public-safe validation result was extracted. | None beyond attempted validation capture. | Do not claim validation passed or failed from this partial capture. |
| project_test_review | yes | The call was attempted, but the client reported output larger than the available capture context. No public-safe review result was extracted. | None beyond attempted review capture. | Do not claim smoke tests passed or failed from this partial capture. |
What this proves
- A private authenticated Spala project MCP session can return project-scoped onboarding/tool-map context.
- The project MCP read-only/validation/review tools were reachable enough to produce responses in a private session.
- Spala can publish a public-safe proof boundary without exposing source code, private project details, internal IPs, secrets, customer data, or raw project outputs.
What this does not prove
- A fresh public agent can complete Spala OAuth from only public MCP metadata.
- project_list and project_select return the expected exact mcpUrl in a public transcript.
- The selected project MCP manifest is publicly captured.
- A safe read-only project context response is publicly captured.
- Validation, smoke tests, publish review, or mutation passed.
- Production readiness, mature-platform trust parity, customer proof, compliance, SLA, backup/export, deletion, cancellation, no-lock-in, or source/runtime ownership terms.
Redactions
- project name
- project IDs
- organization/account identifiers
- emails
- private project URLs
- resource names and counts
- raw tool responses
- tokens, cookies, session IDs, request IDs, and trace IDs
- source code, private repository data, internal IPs, infrastructure hostnames, secrets, env vars, customer data, and private architecture
Run the OAuth-complete transcript template with an approved demo account and publish a redacted transcript showing public MCP initialize, OAuth metadata, authorization completion, project_list, project_select, exact returned mcpUrl, returned project MCP initialize, project MCP manifest, and one safe read-only project context response.