MCP Revamp #1120
Deploying with
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed View logs | supermemory-mcp | 75b3aaa | Jun 30 2026, 02:44 PM |
Deploying with
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | supermemory-app | 75b3aaa | Commit Preview URL Branch Preview URL | Jun 30 2026, 02:45 PM |
888e7c7 to 06f62ec
Replaces the old apps/mcp with the enterprise-mcp code (functionality unchanged). package.json: worker supermemory-mcp, catalog deps pinned to explicit versions, portless dev:app. wrangler: name supermemory-mcp, route mcp.supermemory.ai, DO EnterpriseMCP. Builds + boots + OAuth discovery/401/worker-to-api verified locally.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Functionality unchanged; just the name. The DO class is now SupermemoryMCP, which matches the existing supermemory-mcp worker's v1 migration -> the cutover is a no-op, no DO session reset. Demo/mock 'enterprise buyers' text left as-is.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Consumers think in "spaces", not "container tags". Renames the tool to listSpaces and updates its description + text output to say "spaces". Internal plumbing is unchanged: the client method listContainerTags() and the structuredContent.containerTags key (widget contract) keep their names.
06f62ec to f887bd6
Resolve MCP revamp conflicts by keeping the new server layout, deleting legacy root MCP files, and carrying forward API timeout handling into the new auth/client modules.
Make the widget fall back to dark tokens when the host does not provide an explicit theme, and expand workspace memory count labels from mem/mems to memory/memories.
Co-authored-by: Ishaan Gupta <ishaankone@gmail.com>
Claude finished @ved015's task in 2m 54s —— View job
PR Review: MCP Revamp
Summary
Reviewed 87 changed files (~5100 additions, ~3000 deletions). This PR relocates the revamped MCP server with new architecture featuring RBAC, auth caching, and a React widget UI. Key findings:
Score: 9/10 — No bugs or security issues found. Ready to ship once deploy notes are addressed.
Consolidate multi-line shadow values to single lines to match Biome formatting rules.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Code Review: MCP Revamp
Overview: Relocates the revamped MCP server into apps/mcp, replacing the old implementation with a new architecture featuring RBAC, auth caching, and a React-based widget UI.
Security & Auth Analysis
Auth Caching (auth/cache.ts): Properly implemented with:
- SHA-256 hashing of tokens before storage (never stores raw tokens)
- 5-minute TTL matching Better Auth's session cache
- Defensive validators that treat malformed cache entries as misses
- Fail-open on KV errors (request still succeeds via upstream validation)
RBAC (auth/rbac.ts, auth/index.ts): Correctly implemented:
- `validateOAuthToken` returns `null` on RBAC fetch failure (fail-closed) — this prevents silent privilege escalation if the RBAC endpoint is unreachable
- `buildRbacContext` properly gates `canRead`/`canWrite` on `accessType === "restricted"`
- All tools consistently check RBAC permissions before operations
Tool Permissions: Each tool properly validates access:
- Write tools (`add-memory`, `save-memory`, `upload-file-submit`) check `deps.rbac.canWrite(containerTag)`
- Read tools (`search-memory`, `fetch-graph-data`, `memory-graph`) check `deps.rbac.canRead(containerTag)`
Config Notes
The AUTH_CACHE KV namespace in wrangler.jsonc uses a placeholder ID (REPLACE_WITH_KV_NAMESPACE_ID). This is correctly documented in the PR description as a deploy-time task.
Code Quality
- Clean separation between server, auth, tools, and widget
- Shared types (`shared/types.ts`) provide a single source of truth for server↔widget contract
- Error handling consistently uses `deps.errorResult()` pattern
- PostHog analytics removed from this implementation (was in the old code)
Issues found: None — this looks good to ship.
Score: 9/10
Minor deduction for the placeholder KV ID that needs manual replacement before deploy, but this is properly documented.
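The cache and RBAC behaviour this review lists (hashed cache keys, a 5-minute TTL, malformed entries treated as misses, cache errors falling through to upstream validation, RBAC failure returning `null`), as an added example that is not the PR's own code. `Session`, `Rbac`, `Store`, `parseEntry`, `validateToken`, `upstream` and `fetchRbac` are hypothetical names, and a synchronous store interface stands in for Workers KV.

```typescript
import { createHash } from "node:crypto";

// Hypothetical shapes and names; the PR's own auth/cache.ts is not shown on the page.
type Session = { userId: string; expiresAt: number };
type Rbac = { accessType: string };
interface Store { get(key: string): string | null; put(key: string, value: string): void }

const TTL_MS = 5 * 60 * 1000; // 5-minute TTL

// Key the cache by the token's SHA-256 digest so the raw token is never stored.
const cacheKey = (token: string): string =>
  "auth:" + createHash("sha256").update(token).digest("hex");

// Defensive validator: a malformed or expired entry is a miss, never a hit.
function parseEntry(raw: string | null, now: number): Session | null {
  if (!raw) return null;
  try {
    const v: unknown = JSON.parse(raw);
    if (typeof v !== "object" || v === null) return null;
    const { userId, expiresAt } = v as Record<string, unknown>;
    if (typeof userId !== "string" || typeof expiresAt !== "number") return null;
    return expiresAt > now ? { userId, expiresAt } : null;
  } catch {
    return null;
  }
}

function validateToken(
  token: string, store: Store, now: number,
  upstream: (token: string) => string | null, // authoritative check: userId or null
  fetchRbac: (userId: string) => Rbac,        // may throw if the RBAC endpoint is down
): { userId: string; rbac: Rbac } | null {
  let session: Session | null = null;
  try {
    session = parseEntry(store.get(cacheKey(token)), now);
  } catch { /* cache read failed: treat as a miss and ask upstream */ }
  if (!session) {
    const userId = upstream(token);
    if (!userId) return null; // upstream rejected the token
    session = { userId, expiresAt: now + TTL_MS };
    try { store.put(cacheKey(token), JSON.stringify(session)); } catch { /* non-fatal */ }
  }
  try {
    return { userId: session.userId, rbac: fetchRbac(session.userId) };
  } catch {
    return null; // fail closed: no RBAC data means no authenticated context
  }
}
```

A cache outage here only costs an extra upstream call, because the upstream check still decides whether the token is valid; an RBAC outage denies the request outright.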
Relocates the revamped MCP (formerly "enterprise-mcp") into `apps/mcp` as the public MCP, renamed to `SupermemoryMCP`. The old `apps/mcp` is replaced; functionality is unchanged. Location, config, and naming change only.
Changes:
- `apps/mcp/src/**`: the revamped MCP code (server + widget + tools).
- `EnterpriseMCP` to `SupermemoryMCP`, branding `Enterprise MCP` to `Supermemory MCP` (functionality identical; demo/mock text left as-is).
- `apps/mcp/package.json`: worker `supermemory-mcp`; `catalog:` refs pinned to explicit versions (this repo has no catalog); portless `dev:app`.
- `apps/mcp/wrangler.jsonc`: name `supermemory-mcp`, route `mcp.supermemory.ai`, DO `SupermemoryMCP`.
Verified locally: builds (vite widget bundle), boots, and OAuth discovery + the 401 handshake + the worker to api `/v3/mcp/session-with-key` path all work at the valid-audience host.
Deploy notes:
- `SupermemoryMCP`, the same as the existing `supermemory-mcp` worker's `v1` migration, so the cutover is a no-op for the DO (no transition, no session reset).
- `AUTH_CACHE` KV id (placeholder for now).
Draft until the cutover plan is finalized.