Skip to content

Commit fd63bc5

Browse files
Dumbrisclaude
andauthored
docs(roadmap): track Go tray OAuth config-file read as tray-api-purity debt (#806)
Found during the PR #805 architecture review: the tray must use only the socket/REST API, but the OAuth login path still parses mcp_config.json directly (pre-existing). Swift tray audited clean. Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
1 parent 16c0b27 commit fd63bc5

2 files changed

Lines changed: 20 additions & 1 deletion

File tree

ROADMAP.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -113,6 +113,10 @@ graph TD
113113
telemetry_machineid_dash["Dashboard identityExpr prefers machine_id; exclude %-dev versions from human cohort; fix launch_source 79% unknown (repo mcpproxy-dash)"]
114114
telemetry_snapshot_alerting["Alerting on external-downloads snapshot cron (34-day outage went unnoticed)"]
115115
end
116+
subgraph sg_tray_api_purity["Tray↔core decoupling: socket/REST API only, no config-file reads"]
117+
tray_api_purity["Tray↔core decoupling: socket/REST API only, no config-file reads"]
118+
tray_oauth_config_read["Go tray OAuth login path loads mcp_config.json directly (internal/tray/tray.go:~1734 config.LoadFromFile via GetConfigPath) — replace with REST (server config / OAuth endpoints), then remove GetConfigPath from the tray server interface if no consumers remain"]
119+
end
116120
subgraph sg_planning_hygiene["Planning/docs truth automation"]
117121
planning_hygiene["Planning/docs truth automation"]
118122
hygiene_roadmap_github_check["gen-roadmap --check-github: cross-check roadmap.yaml statuses vs gh PR state + dangling spec links"]
@@ -171,7 +175,7 @@ graph TD
171175
class upgrade_nudge,connect_trust,telemetry_identity in_progress;
172176
class windows_tray,windows_tray_window in_review;
173177
class mcp_2026_upgrade blocked;
174-
class windows_tray_funnel_qa,ux_audit,ux_audit_webui_sweep,ux_audit_macos_sweep,action_log_transparency,action_log_glance_view,action_log_retention_tie_in,analytics_dashboard,analytics_token_drain_graphs,analytics_default_landing,registries_search_add,registries_search_ux,upgrade_nudge_surfacing,upgrade_nudge_channel,upgrade_nudge_quiet,connect_trust_undo,connect_trust_tcc_copy,telemetry_machineid_worker,telemetry_machineid_dash,telemetry_snapshot_alerting,planning_hygiene,hygiene_tasks_reconcile,hygiene_docs_facts,hygiene_quickstart_contract,security_gateway_cd,discovery_eval_harness todo;
178+
class windows_tray_funnel_qa,ux_audit,ux_audit_webui_sweep,ux_audit_macos_sweep,action_log_transparency,action_log_glance_view,action_log_retention_tie_in,analytics_dashboard,analytics_token_drain_graphs,analytics_default_landing,registries_search_add,registries_search_ux,upgrade_nudge_surfacing,upgrade_nudge_channel,upgrade_nudge_quiet,connect_trust_undo,connect_trust_tcc_copy,telemetry_machineid_worker,telemetry_machineid_dash,telemetry_snapshot_alerting,tray_api_purity,tray_oauth_config_read,planning_hygiene,hygiene_tasks_reconcile,hygiene_docs_facts,hygiene_quickstart_contract,security_gateway_cd,discovery_eval_harness todo;
175179
class marketplace,siem,paid_tier,sdk_v1_migration,sso parked;
176180
```
177181

@@ -188,6 +192,7 @@ graph TD
188192
| Action log / transparency — info at a glance | Todo | unassigned | P0 || | |
189193
| Analytics dashboard as default page | Todo | unassigned | P1 | 16/26 (62%) | [069-observability-usage-graphs](./specs/069-observability-usage-graphs/) | |
190194
| Registries — easier search + add-server | Todo | unassigned | P1 | 3/24 (12%) | [070-registry-easy-upstream-add](./specs/070-registry-easy-upstream-add/) | |
195+
| Tray↔core decoupling: socket/REST API only, no config-file reads | Todo | unassigned | P2 || | |
191196
| Planning/docs truth automation | Todo | unassigned | P2 || | |
192197
| Security gateway Tracks C/D (per-arg least-privilege + signature provenance) | Todo | | P3 || [054-mcp-security-gateway](./specs/054-mcp-security-gateway/) | |
193198
| Discovery-quality eval harness (Spec 065 second half) | Todo | | P3 || [065-evaluation-foundation](./specs/065-evaluation-foundation/) | |

roadmap.yaml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -412,6 +412,20 @@ epics:
412412
status: todo
413413
depends_on: []
414414

415+
- id: tray-api-purity
416+
title: "Tray↔core decoupling: socket/REST API only, no config-file reads"
417+
status: todo
418+
assignee: unassigned
419+
priority: P2
420+
depends_on: []
421+
note: "Architecture rule (CLAUDE.md): the tray holds no state and talks to the core only via socket/REST + SSE. 2026-07-03 audit: Swift tray clean (opens config in editor only, never parses); Go tray's update-check gate was caught reading mcp_config.json in PR #805 review and reworked to core-API gating — but one pre-existing violation remains."
422+
tasks:
423+
- id: tray-oauth-config-read
424+
title: "Go tray OAuth login path loads mcp_config.json directly (internal/tray/tray.go:~1734 config.LoadFromFile via GetConfigPath) — replace with REST (server config / OAuth endpoints), then remove GetConfigPath from the tray server interface if no consumers remain"
425+
status: todo
426+
priority: P2
427+
depends_on: []
428+
415429
- id: planning-hygiene
416430
title: Planning/docs truth automation
417431
status: todo

0 commit comments

Comments
 (0)