docs: sync ADP changes from cloudv2 (2026-07-01) #118

Merged
micheleRP merged 5 commits into main from claude/sync-cloudv2-2026-07-01, Jul 1, 2026

@micheleRP micheleRP commented Jul 1, 2026

Summary

Syncs a user-facing AI Gateway change from cloudv2 into the ADP docs: OAuth 2.0 Dynamic Client Registration (DCR, RFC 7591) is now enabled by default across gateway clusters, so spec-conformant MCP clients (Claude Code, Cursor, ChatGPT) can self-register instead of requiring a manually provisioned OAuth client.

Preview pages

cloudv2 change documented

  • d274f01 adp: enable Dynamic Client Registration globally on aigw. Flips the operator-level DCR gate (ingress.idp.dcr.global_enabled) to true in the base and integration aigw configs, so every cluster mounts /oauth/idp/register and advertises registration_endpoint in the OAuth authorization-server discovery document. Per-tenant admission stays gated by the DCR settings row (enabled + admission_mode), managed via rpk ai oauth-client dcr.

What changed in the docs

modules/connect/pages/remote-mcp-clients.adoc:

  • Added a Let clients self-register with Dynamic Client Registration section covering: enabling per-tenant self-registration with rpk ai oauth-client dcr update, the open and initial-access-token admission modes (and that software-statement is reserved), registration caps and rate limits (--allowed-resource, --client-cap, --rate-per-hour, --inactive-ttl-days), Initial Access Token mint/list/revoke, and how DCR-issued clients appear (dcr-<id> name, DCR badge, PKCE with no secret).
  • Pointed the manual Register an OAuth Client section at the new self-registration path.
  • Removed the now-incorrect No Dynamic Client Registration (RFC 7591) limitation.

Grounded the CLI surface and admission-mode behavior in cloudv2 source: apps/rpai/internal/cmd/oauthclient/dcr.go, adp/manifests/aigw/base/config.toml, and apps/aigw/demos/idp-local/DCR-DEMO.md.

Not documented (intentionally)

  • 3c20658 — deps: bump ai-sdk-go (Claude Sonnet 5). The docs describe models generically ("Claude Opus, Sonnet, and Haiku") and state that Redpanda maintains the model catalog, which auto-updates without a Redpanda release (configure-provider.adoc). No specific model versions are enumerated, so this dependency bump needs no docs change.
  • The remaining ADP commits in the window are alpha/frontend adp-ui work (release-notes panel, MCP connect panel styling, agent inspector), internal release tooling, and e2e test changes — none are user-facing backend changes.

Reviewer

Added @birdayz (author of the cloudv2 DCR commit) as an optional reviewer for a source-accuracy check. Their approval is not blocking.

Verification

npm run build completes; the new <<self-register-with-dcr>> anchor resolves and the page renders. (Unrelated pre-existing build warnings about GitHub API credentials and missing attributes in other files are not affected by this change.)

🤖 Generated with Claude Code

https://claude.ai/code/session_01JQB7JbF6ZT53Jx2J5RchsZ

…ients

AI Gateway now enables OAuth 2.0 Dynamic Client Registration (RFC 7591)
globally, so its authorization-server metadata advertises a
registration_endpoint and spec-conformant MCP clients (Claude Code,
Cursor, ChatGPT) can self-register instead of requiring a manually
provisioned OAuth client.

Update the remote MCP clients guide to:

- Add a section covering how to enable per-tenant self-registration with
  `rpk ai oauth-client dcr`, the open and initial-access-token admission
  modes, registration caps and rate limits, Initial Access Token
  lifecycle, and how to review DCR-issued clients.
- Point the manual registration section at the self-registration path.
- Remove the outdated "No Dynamic Client Registration" limitation.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JQB7JbF6ZT53Jx2J5RchsZ
@micheleRP micheleRP requested a review from a team as a code owner July 1, 2026 12:20
@micheleRP micheleRP requested a review from birdayz July 1, 2026 12:20

netlify Bot commented Jul 1, 2026

Deploy Preview for redpanda-agentic-data-plane ready!

Name Link
🔨 Latest commit bac2095
🔍 Latest deploy log https://app.netlify.com/projects/redpanda-agentic-data-plane/deploys/6a452c68e38418000836f5fe
😎 Deploy Preview https://deploy-preview-118--redpanda-agentic-data-plane.netlify.app

[adp-docs PR critic]

Verdict: looks accurate. I verified every factual claim in the diff against cloudv2 source and they match. One suggestion about a precision nuance, plus one optional enhancement. No critical or blocking issues.

What I verified against source (all correct):

  • CLI surface — dcr get, dcr update --enabled --admission-mode open, the caps flags (--allowed-resource, --client-cap, --rate-per-hour, --inactive-ttl-days), and dcr iat mint/list/revoke — all match apps/rpai/internal/cmd/oauthclient/dcr.go (command names, flag names, and the --label/--ttl mint example).
  • Admission modes: open and initial-access-token supported; software-statement reserved/not-yet-supported — confirmed by parseAdmissionMode in dcr.go and apps/aigw/internal/idp/register.go ("Phase 1 rejects software_statement always").
  • dcr-<id> naming, DCR badge, PKCE-with-no-secret — confirmed: register.go ("client_id as dcr- plus a random … suffix"; token_endpoint_auth_method = none) and adp/rfcs/2605271400-aigw-dcr.md §10 ("Source column with a 'DCR' badge for dcr_issued").
  • IAT one-shot / consumed-on-first-registration / plaintext-shown-once — confirmed in dcr.go (runIATMint) and RFC §5.
  • Two-stage inactive cleanup ("disables and then removes") — confirmed by RFC §8 (dcr_sweeper disables, then deletes after a further 2×ttl); --inactive-ttl-days 0 = never expire matches the flag help.
  • rpk ai oauth-client delete <name> revokes the client's refresh tokens — confirmed: newDeleteCmd in apps/rpai/internal/cmd/oauthclient/cmd.go and the TestDeleteOAuthClient_RevokesTokens test.
  • Removing the old "No Dynamic Client Registration" limitation is correct now that DCR ships.

Suggestion (precision):

  • modules/connect/pages/remote-mcp-clients.adoc, intro of the new section: it states unconditionally that AI Gateway "advertises a registration_endpoint in its authorization-server metadata at /.well-known/oauth-authorization-server." Per cloudv2, that advertisement is conditional on the org having DCR enabled — RFC §1 ("If DCR is off, registration_endpoint is omitted") and apps/aigw/demos/idp-local/DCR-DEMO.md (disabled tenants return registration_endpoint: null). Since the next sentence correctly says self-registration is off by default, consider tightening the intro so readers don't expect discovery to advertise the endpoint before they run dcr update --enabled (e.g. "…advertises a registration_endpoint once you enable DCR for the org").

Minor (optional enhancement):

  • The "Review self-registered clients" section documents oauth-client delete to revoke a client's tokens. cloudv2 also ships rpk ai oauth-client revoke-tokens <name> ("Revoke every refresh token issued to an OAuth client" — cmd.go), which revokes tokens without deleting the client. Worth mentioning as the less-destructive option if you want to cut off a client but keep the registration.

Reviewed at head 2fdc4d0.


Generated by Claude Code
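
A defender-side check for the discovery behaviour discussed in the review above, as an added example that is not part of this PR or of cloudv2: it classifies an RFC 8414 authorization-server metadata document by whether it advertises `registration_endpoint`, treating an absent or `null` value as not advertised. The issuer host, the sample documents and the same-origin review flag are constructed assumptions; `code_challenge_methods_supported` is the standard RFC 8414 field.

```python
import json
from urllib.parse import urlsplit

# Constructed sample metadata documents (hosts are placeholders, not real tenants).
SAMPLES = {
    "dcr-disabled": '{"issuer": "https://aigw.example.test", '
                    '"registration_endpoint": null, '
                    '"code_challenge_methods_supported": ["S256"]}',
    "dcr-enabled": '{"issuer": "https://aigw.example.test", '
                   '"registration_endpoint": "https://aigw.example.test/oauth/idp/register", '
                   '"code_challenge_methods_supported": ["S256"]}',
    "needs-review": '{"issuer": "https://aigw.example.test", '
                    '"registration_endpoint": "http://other.example.test/oauth/idp/register", '
                    '"code_challenge_methods_supported": ["plain"]}',
}


def dcr_exposure(metadata_json: str) -> dict:
    """Report whether a metadata document advertises DCR, plus review flags."""
    meta = json.loads(metadata_json)
    endpoint = meta.get("registration_endpoint")
    # An omitted key and an explicit null both mean "DCR not advertised".
    if not endpoint:
        return {"advertised": False, "endpoint": None, "findings": []}

    findings = []
    issuer, reg = urlsplit(meta.get("issuer", "")), urlsplit(endpoint)
    if reg.scheme != "https":
        findings.append("registration_endpoint is not https")
    # Review heuristic (assumption of this example, not an RFC requirement).
    if (reg.scheme, reg.netloc.lower()) != (issuer.scheme, issuer.netloc.lower()):
        findings.append("registration_endpoint origin differs from issuer")
    # Self-registered clients are public (no secret), so PKCE S256 should be offered.
    if "S256" not in (meta.get("code_challenge_methods_supported") or []):
        findings.append("S256 PKCE not advertised")
    return {"advertised": True, "endpoint": endpoint, "findings": findings}


def audit(samples: dict) -> dict:
    """Run the check over several tenants' documents, keyed by label."""
    return {name: dcr_exposure(doc) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(name, result)
```
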

Address docs-team-standards review suggestions on the Dynamic Client
Registration section: clarify the authorization-code flow phrasing and
use sentence case for the "Mint initial access tokens" heading.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

[adp-docs PR critic]

Re-review of new commit ea24f720 — no new issues; verdict still looks accurate.

Since my earlier review at 2fdc4d0, one commit landed with two cosmetic wording fixes, both of which are correct:

  • Intro of the DCR section: "run authorization-code and PKCE" → "run the authorization-code flow with PKCE". Grammar/clarity improvement; no change in meaning.
  • Heading: === Mint Initial Access Tokens → === Mint initial access tokens. This is the right call per docs-team-standards, which requires sentence case for H2+ headings (resources/writing-style/style-guide.md: "Use sentence case for all headings except the page title"; also commands/pr-review.md).

Neither change introduces or alters any factual claim, so nothing new to verify against cloudv2. The source-accuracy checks from my prior review still hold.

For the record, the one advisory suggestion from my earlier review is still open (not a blocker): the section intro still states unconditionally that AI Gateway "advertises a registration_endpoint," whereas per cloudv2 that advertisement is conditional on the org having DCR enabled (RFC §1; apps/aigw/demos/idp-local/DCR-DEMO.md). Acting on it is the team's call.

Reviewed at head ea24f720.


Generated by Claude Code

micheleRP and others added 2 commits July 1, 2026 08:36
The authorization-server metadata advertises registration_endpoint only
after DCR is enabled for the organization (disabled tenants return
registration_endpoint: null, per adp/aigw DCR-DEMO.md and RFC section 1).
Reorder the section intro so the "off by default" fact precedes the
endpoint-advertisement claim, matching source behavior.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ources row

The bare `*` in the monospace default value paired with the `*Restrict*`
bold marker later in the cell, so AsciiDoc bolded the wrong span. Use the
{asterisk} attribute for the literal wildcard so the code renders `*` and
`*Restrict*` bolds correctly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Per the docs-team-standards terminology list, "once" is ambiguous (one
time vs. as soon as); use "after". Applies to the two temporal uses in
the self-registration intro and the admission-modes lead-in.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

[adp-docs PR critic]

Re-review of commits 0f0142f8, eb86f93, bac2095 — no new issues; verdict still looks accurate.

Three commits landed since my last review at ea24f720. All are wording/rendering fixes that introduce no new factual claims, so there's nothing new to verify against cloudv2. Each checks out:

  • 0f0142f8 — reorder the DCR section intro. The intro now reads "self-registration is off for each organization by default. After you enable it, the gateway advertises a registration_endpoint…", so the endpoint-advertisement claim is correctly conditioned on the org having DCR enabled. This matches RFC §1 and apps/aigw/demos/idp-local/DCR-DEMO.md (disabled tenants return registration_endpoint: null) and resolves the one open advisory suggestion from my earlier reviews. 👍
  • eb86f93 {asterisk} in the Allowed MCP Resources row. Correct fix: {asterisk} is a built-in AsciiDoc replacement that renders *, and using it avoids the bare * pairing with the later *Restrict* bold marker in the same cell. The remaining bare * in the caps table (`*` allows any MCP server) and in the dcr get example output (ALLOWED_RESOURCES: ["*"]) are single asterisks inside monospace with no other bold marker in the cell, so they render fine.
  • bac2095 — "once" → "after". Clean grammar/terminology fix in the two temporal uses; no change in meaning.

The source-accuracy checks from my prior reviews still hold, and the earlier suggestion is now addressed. Nothing outstanding on my end.

Reviewed at head bac2095.


Generated by Claude Code

@micheleRP micheleRP merged commit dcfb9fb into main Jul 1, 2026
3 of 4 checks passed
@micheleRP micheleRP deleted the claude/sync-cloudv2-2026-07-01 branch July 1, 2026 15:06