Include undeployed identity proxy scopes in env catalog#1314
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (5)
📝 WalkthroughWalkthroughThe MCP proxy scope service no longer requires deployment data when listing environment scopes. Identity-enabled proxies targeting an environment are included regardless of deployed gateways, with constructor wiring, tests, and API descriptions updated accordingly. ChangesMCP proxy scope targeting
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Purpose
When building an agent-identity role (Identity Providers → env → Roles → role → Permissions), the "Add scopes" catalog was empty even when an MCP proxy defined grantable scopes (e.g.
booking:edit_booking). The catalog only listed scopes for proxies that were deployed to a gateway in the environment, so a defined-but-undeployed proxy's scopes were hidden.This gate was stricter than the flow it feeds: the catalog is sourced from the local DB (
mcp_proxy_scopes), scope registration into env-Thunder happens lazily at role-assignment time (EnsureProxyResourceServer) — never at deploy — and role assignment itself (resolveScopeGroups) never checks deployment. So a scope was assignable but not discoverable.Goals
Surface a proxy's scopes in the environment scope catalog as soon as they are defined on an identity-enabled endpoint that targets the environment, regardless of gateway-deployment state — aligning the catalog with the assignment path.
Approach
In
ListEnvironmentScopes(mcp_proxy_scope_service.go), removed theGetDeployedGatewaysByProvidergate. The remaining guards are unchanged: the endpoint must resolve for the environment, must be identity/OAuth-enabled (mcpIdentityEnabled), and must have a non-nil env artifact UUID. The artifact UUID is assigned at endpoint-config time (not deploy), so that guard does not silently re-introduce the gate. The now-unuseddeploymentRepodependency was removed from the service (field, constructor param, wire binding). Endpoint description in the OpenAPI spec updated from "deployed to this environment" to "target this environment".User stories
As a platform admin, I can grant an MCP proxy's scope to a role before (or without) deploying that proxy to a gateway in the environment.
Release note
Environment agent-identity scope catalog now lists scopes from identity-enabled MCP proxies that target the environment, whether or not the proxy is deployed to a gateway.
Documentation
N/A — no user-facing product-doc impact; the change relaxes an internal listing filter and updates only an internal OpenAPI description string.
Training
N/A — no training-content impact.
Certification
N/A — no impact on certification exams; internal API listing behavior only.
Marketing
N/A — internal behavior fix, no marketing content.
Automation tests
Security checks
go vetandgolangci-lintwere run on the changed packages with no new findings.Samples
N/A — no sample changes.
Related PRs
N/A.
Migrations (if applicable)
N/A — no schema or data migration.
Test environment
Go 1.25.11, macOS (darwin/arm64). Verified via
make test-unit,go build ./...,go vet, andmake codegenfmt-check(codegen/format clean).Learning
Traced the scope lifecycle end to end (local DB source, lazy Thunder registration at role assignment, deployment-decoupled artifact UUIDs) to confirm the deployment gate was a discovery-only restriction and safe to drop without affecting enforcement or assignment.
Summary by CodeRabbit
Documentation
Bug Fixes