Phase 1 made the official MCP providers register and connect correctly (the ~/.claude.json / claude mcp registration root-cause family is fixed). However, an installed official provider is currently unusable because mureo never supplies it any credentials. This issue tracks the Phase 2 work that catalog.py notes already defer ("OAuth Proxy and ADC modes are deferred to Phase 2").
Scope: google-ads-official and ga4-official (the pipx-based official providers). meta-ads-official is hosted-OAuth and out of scope.
Problem detail
No env injection. The install path writes only command/args into ~/.claude.json. ProviderSpec.required_env is declared in catalog.py but nothing reads it to populate the MCP server's env block. The official server therefore starts with no credentials.
No credential acquisition path. The configure wizard's official-provider branch has no Developer Token / OAuth step — only meta-ads-official (hosted OAuth) is special-cased in auth_wizards.js. ~/.mureo/credentials.json (the mureo auth setup output) is never wired into the official provider's environment.
Coexistence regression. Installing an official provider sets MUREO_DISABLE_<PLATFORM>=1 on the mureo native block, disabling mureo's own tools for that platform. Net result today: official has no creds AND native is disabled → the user is left with both unusable.
Auth-mode mismatch to resolve. catalog.py assumes Google Ads Client-Library mode (GOOGLE_ADS_DEVELOPER_TOKEN, GOOGLE_ADS_CLIENT_ID, GOOGLE_ADS_CLIENT_SECRET, GOOGLE_ADS_REFRESH_TOKEN). The upstream googleads/google-ads-mcp README documents ADC mode (GOOGLE_APPLICATION_CREDENTIALS + GOOGLE_PROJECT_ID + GOOGLE_ADS_DEVELOPER_TOKEN). ga4-official needs a service-account JSON (GOOGLE_APPLICATION_CREDENTIALS + GOOGLE_PROJECT_ID). The supported auth mode(s) must be verified against the real upstream packages before implementing.
Decisions required (product/architecture)
A. Credential delivery: inject ~/.mureo/credentials.json GOOGLE_ADS_* values into the official MCP env block at install time?
Security tradeoff: this writes secrets into ~/.claude.json. Need a decision on acceptability / masking / file perms, and whether values are injected by reference vs. literal.
B. Credential acquisition: add a Developer Token + OAuth (or ADC service-account) step to the wizard for google-ads-official / ga4-official when credentials are missing, or require mureo auth setup as a prerequisite.
C. Coexistence gating: do NOT set MUREO_DISABLE_<PLATFORM>=1 until the official provider is actually credentialed, so the user is never left with zero working tools.
D. Auth-mode alignment: resolve Client-Library vs ADC for google-ads-mcp, align catalog.py required_env + notes + docs accordingly.
Acceptance criteria
Installing google-ads-official / ga4-official via the configure wizard results in a server that is ✓ Connected and can execute an authenticated call (not just connect).
If credentials are missing, the wizard guides the user to provide them (or clearly states the prerequisite) rather than silently producing a dead server.
mureo native tools for a platform are never disabled unless the official replacement is verified working (decision C).
catalog.py required_env, notes, and user docs match the auth mode actually implemented.
Tests cover: env injection from credentials.json, missing-credential UX, coexistence gating; validated against the real artifact (claude mcp get + an authenticated provider call), not only green unit tests.
References
mureo/providers/catalog.py (required_env + Phase-2 notes), mureo/providers/config_writer.py (provider registration), mureo/providers/mureo_env.py (MUREO_DISABLE_*), mureo/_data/web/auth_wizards.js (wizard official branch), mureo/web/setup_actions.py, mureo/web/status_collector.py.
settings.json → ~/.claude.json MCP registration root cause; this issue is the deferred credentialing follow-up.
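Added example, not mureo's code and not part of the original issue: one way to combine literal env injection (decision A), coexistence gating (decision C) and owner-only file permissions for the security tradeoff noted under A. Assumptions: the "mcpServers" layout of ~/.claude.json, a flat key/value shape for credentials.json, the native block name "mureo", the platform suffix "GOOGLE_ADS", and all function names are hypothetical.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumed stand-in for ProviderSpec.required_env (Client-Library mode names from the issue).
REQUIRED_ENV = ("GOOGLE_ADS_DEVELOPER_TOKEN", "GOOGLE_ADS_CLIENT_ID",
                "GOOGLE_ADS_CLIENT_SECRET", "GOOGLE_ADS_REFRESH_TOKEN")


def build_env(required_env, credentials):
    """Return (env, missing); env carries only required keys with non-empty values."""
    env = {k: credentials[k] for k in required_env if credentials.get(k)}
    return env, [k for k in required_env if k not in env]


def plan_install(config, name, command, args, required_env, credentials,
                 native="mureo", platform="GOOGLE_ADS"):
    """Return (new_config, missing) without touching disk.

    The official server is registered, and the native tools disabled, only
    when every required variable is present. Otherwise a stale disable flag
    is cleared so the user keeps one working tool set.
    """
    new = json.loads(json.dumps(config))  # deep copy; the input stays untouched
    servers = new.setdefault("mcpServers", {})
    env, missing = build_env(required_env, credentials)
    flag = f"MUREO_DISABLE_{platform}"
    if missing:
        servers.get(native, {}).get("env", {}).pop(flag, None)
        return new, missing
    servers[name] = {"command": command, "args": list(args), "env": env}
    servers.setdefault(native, {}).setdefault("env", {})[flag] = "1"
    return new, missing


def write_private(path, config):
    """Atomically replace path with an owner-only (0600) file: it now holds secrets."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(config, fh, indent=2)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
```

The returned missing list is what a wizard step would use to prompt for credentials instead of registering a server that cannot authenticate.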