PR Custody

feat(mcp-sync): push-based MCP toolkit sync via Apollo (PLEN-2541)

@anshugarg15checks n/achecks…feat/plen-2541-mcp-sync-via-apollo → master9 files · +672 −17review: @rohanprabhureview: @sohamganatrareview: @sarthakreview: @acsrujanreview: @kaavee315updated 4d ago

GitHub

▸Description · 1 noise

Summary

Flips MCP toolkit sync from Thermos-pull to Apollo-push.

Today the Thermos Temporal workflow fetches decrypted credentials from Apollo (GET …/mcp/connected_account) and then runs the MCP-list Lambda + registry-DB upsert itself. This reverses credential ownership: Apollo resolves the connected-account creds and pushes them to Thermos's existing syncTools entrypoint — the same rail the custom-toolkit sync already uses.

The actual MCP tool discovery + registry write stays in Thermos; only who initiates and who carries the creds changes.

Changes

Apollo (push owner)

New POST /api/v3/thermos_dkjwqkjd/mcp/sync (APOLLO_ADMIN_TOKEN_THERMOS, maxDuration: 800).
New lib/mcp/syncMcpToolkit.ts — two passes: (1) resolve connected account + decrypt creds locally (reuses getConnectedAccountForToolkitForAdmin + getAuthInfoForSyncing), (2) push to thermos.syncTools. Skip-reason strings mirror Thermos's mcp.toolkit.sync.* metric mapping. No-auth toolkits push with auth: null; missing/inactive connection → skip; genuine 500s propagate.
Allowlisted the v3 path in legacy-v3-endpoints.json (frozen v3 surface).
6 unit tests.

Thermos (timer + executor)

New per-toolkit LD flag mcpSyncViaApolloPush (default false).
Workflow branches on it, read via a ShouldUseApolloPush activity so the branch stays replay-deterministic. On → single SyncViaApollo activity POSTs Apollo (passes app_url/group/no_auth/project_nano_ids in the body to avoid LD drift during rollout). Off → legacy GetConnectedAccount + SyncToolsFromMCP path, untouched. Schedule/timer unchanged.
Workflow tests updated + 3 new push-path tests.

Rollout

Flag-gated. The pull endpoint (mcp/connected_account) and the legacy Thermos activities stay live as the fallback. Ramp mcpSyncViaApolloPush per-toolkit, watch for parity on the mcp.toolkit.sync.* metrics (completed / skipped / no_connected_account / tools_synced), then a fast-follow PR deletes the pull endpoint + legacy activities.

⚠️ Watch mcp.toolkit.sync.failed for timeouts during the staging ramp — the extra Thermos→Apollo→Thermos hop eats into the existing syncTools Lambda budget for slow MCP servers.

Verification

Thermos: go build ./..., workflow tests, lint:workflows, lint:ent-client-usage ✅
Apollo: new files type-check clean; 6 unit tests pass; no-new-v3-endpoints lint clean ✅

🤖 Generated with Claude Code

▸ 1 bot/status comment hidden

@linear-code[bot]4d ago

Instead of fetching creds to Thermos and then Thermos doing it

loading diff…