Skip to content

MCP Revamp#1120

Open
Prasanna721 wants to merge 8 commits into
mainfrom
Prasanna721/dalat-v1
Open

MCP Revamp#1120
Prasanna721 wants to merge 8 commits into
mainfrom
Prasanna721/dalat-v1

Conversation

@Prasanna721

@Prasanna721 Prasanna721 commented Jun 15, 2026

Copy link
Copy Markdown
Member

Relocates the revamped MCP (formerly "enterprise-mcp") into apps/mcp as the public MCP, renamed to SupermemoryMCP. The old apps/mcp is replaced; functionality is unchanged. Location, config, and naming change only.

Changes:

  • apps/mcp/src/**: the revamped MCP code (server + widget + tools). EnterpriseMCP to SupermemoryMCP, branding Enterprise MCP to Supermemory MCP (functionality identical; demo/mock text left as-is).
  • apps/mcp/package.json: worker supermemory-mcp; catalog: refs pinned to explicit versions (this repo has no catalog); portless dev:app.
  • apps/mcp/wrangler.jsonc: name supermemory-mcp, route mcp.supermemory.ai, DO SupermemoryMCP.

Verified locally: builds (vite widget bundle), boots, and OAuth discovery + the 401 handshake + the worker to api /v3/mcp/session-with-key path all work at the valid-audience host.

Deploy notes:

  • The DO class is SupermemoryMCP, the same as the existing supermemory-mcp worker's v1 migration, so the cutover is a no-op for the DO (no transition, no session reset).
  • Set a real AUTH_CACHE KV id (placeholder for now).
  • Coordinate with the OAuth provider migration (mono #1812) so existing OAuth clients reconnect once.

Draft until the cutover plan is finalized.

@socket-security

socket-security Bot commented Jun 15, 2026

Copy link
Copy Markdown

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 15, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed
View logs
supermemory-mcp d36aa64 Jul 02 2026, 11:56 AM

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 15, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
supermemory-app d36aa64 Commit Preview URL

Branch Preview URL
Jul 02 2026, 11:58 AM

@Prasanna721 Prasanna721 changed the title mcp: relocate enterprise-mcp as the public MCP revamp MCP Revamp Jun 15, 2026
@Prasanna721 Prasanna721 force-pushed the Prasanna721/dalat-v1 branch from 888e7c7 to 06f62ec Compare June 19, 2026 16:55
Prasanna721 and others added 5 commits June 19, 2026 09:55
Replaces the old apps/mcp with the enterprise-mcp code (functionality unchanged). package.json: worker supermemory-mcp, catalog deps pinned to explicit versions, portless dev:app. wrangler: name supermemory-mcp, route mcp.supermemory.ai, DO EnterpriseMCP. Builds + boots + OAuth discovery/401/worker-to-api verified locally.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Functionality unchanged; just the name. The DO class is now SupermemoryMCP, which matches the existing supermemory-mcp worker's v1 migration -> the cutover is a no-op, no DO session reset. Demo/mock 'enterprise buyers' text left as-is.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Consumers think in "spaces", not "container tags". Renames the tool to
listSpaces and updates its description + text output to say "spaces".
Internal plumbing is unchanged: the client method listContainerTags() and
the structuredContent.containerTags key (widget contract) keep their names.
@Prasanna721 Prasanna721 force-pushed the Prasanna721/dalat-v1 branch from 06f62ec to f887bd6 Compare June 19, 2026 16:55
Prasanna721 and others added 3 commits June 19, 2026 13:02
Resolve MCP revamp conflicts by keeping the new server layout, deleting legacy root MCP files, and carrying forward API timeout handling into the new auth/client modules.
@ved015 ved015 marked this pull request as ready for review June 30, 2026 14:41
@graphite-app graphite-app Bot requested a review from Dhravya June 30, 2026 14:41
@claude

claude Bot commented Jun 30, 2026

Copy link
Copy Markdown

Claude finished @ishaanxgupta's task in 2m 7s —— View job


Code Review: MCP Revamp

  • Fetching PR diff and existing comments
  • Analyzing changed files for bugs and security issues
  • Checking auth/RBAC implementation
  • Reviewing tool permission checks
  • Submitting review

Summary: Reviewed the auth caching system, RBAC implementation, and all tool permission checks. The code is well-structured with proper security controls:

  • Auth tokens are SHA-256 hashed before caching (never stored raw)
  • Fail-closed behavior on RBAC fetch failures prevents privilege escalation
  • All tools consistently check canRead/canWrite permissions before operations

Issues found: None — this looks good to ship.

Score: 9/10 (minor deduction for placeholder KV ID that needs replacement at deploy time, but this is documented)

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review: MCP Revamp

Overview: Relocates the revamped MCP server into apps/mcp, replacing the old implementation with a new architecture featuring RBAC, auth caching, and a React-based widget UI.

Security & Auth Analysis

Auth Caching (auth/cache.ts): Properly implemented with:

  • SHA-256 hashing of tokens before storage (never stores raw tokens)
  • 5-minute TTL matching Better Auth's session cache
  • Defensive validators that treat malformed cache entries as misses
  • Fail-open on KV errors (request still succeeds via upstream validation)

RBAC (auth/rbac.ts, auth/index.ts): Correctly implemented:

  • validateOAuthToken returns null on RBAC fetch failure (fail-closed) — this prevents silent privilege escalation if the RBAC endpoint is unreachable
  • buildRbacContext properly gates canRead/canWrite on accessType === "restricted"
  • All tools consistently check RBAC permissions before operations

Tool Permissions: Each tool properly validates access:

  • Write tools (add-memory, save-memory, upload-file-submit) check deps.rbac.canWrite(containerTag)
  • Read tools (search-memory, fetch-graph-data, memory-graph) check deps.rbac.canRead(containerTag)

Config Notes

The AUTH_CACHE KV namespace in wrangler.jsonc uses a placeholder ID (REPLACE_WITH_KV_NAMESPACE_ID). This is correctly documented in the PR description as a deploy-time task.

Code Quality

  • Clean separation between server, auth, tools, and widget
  • Shared types (shared/types.ts) provide a single source of truth for server↔widget contract
  • Error handling consistently uses deps.errorResult() pattern
  • PostHog analytics removed from this implementation (was in the old code)

Issues found: None — this looks good to ship.

Score: 9/10

Minor deduction for the placeholder KV ID that needs manual replacement before deploy, but this is properly documented.

@linear-code

linear-code Bot commented Jul 1, 2026

Copy link
Copy Markdown

ENG-948

ENG-947

ENG-949

@ishaanxgupta ishaanxgupta force-pushed the Prasanna721/dalat-v1 branch from 55fc0d5 to d36aa64 Compare July 2, 2026 11:50

ishaanxgupta commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

How to use the Graphite Merge Queue

Add the label Main to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review: MCP Revamp

Overview: Relocates the revamped MCP server into apps/mcp, replacing the old implementation with a new architecture featuring RBAC, auth caching, and a React-based widget UI.

Security & Auth Analysis

Auth Caching (auth/cache.ts): Properly implemented:

  • SHA-256 hashing of tokens before storage (never stores raw tokens)
  • 5-minute TTL matching Better Auth's session cache
  • Defensive validators that treat malformed cache entries as misses
  • Fail-open on KV errors (request still succeeds via upstream validation)

RBAC (auth/rbac.ts, auth/index.ts): Correctly implemented:

  • validateOAuthToken returns null on RBAC fetch failure (fail-closed) — prevents silent privilege escalation if the RBAC endpoint is unreachable
  • buildRbacContext properly gates canRead/canWrite on accessType === "restricted"
  • All tools consistently check RBAC permissions before operations

Tool Permissions: Each tool properly validates access:

  • Write tools (add-memory, save-memory, upload-file-submit) check deps.rbac.canWrite(containerTag)
  • Read tools (search-memory, fetch-graph-data, memory-graph) check deps.rbac.canRead(containerTag)

Config Notes

The AUTH_CACHE KV namespace in wrangler.jsonc uses a placeholder ID (REPLACE_WITH_KV_NAMESPACE_ID). This is correctly documented in the PR description as a deploy-time task.

Code Quality

  • Clean separation between server, auth, tools, and widget
  • Shared types (shared/types.ts) provide a single source of truth for server↔widget contract
  • Error handling consistently uses deps.errorResult() pattern
  • PostHog analytics removed from this implementation (was in the old code)

Issues found: None — this looks good to ship.

Score: 9/10

Minor deduction for the placeholder KV ID that needs manual replacement before deploy, but this is properly documented.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants