[ { "id": "F001", "group": "presets", "implemented": true, "prdRefs": ["Data model"], "description": "Migration: agent_idp_providers gains kind ('google'|'microsoft'|'custom', default 'custom') + entra_tenant_id (nullable); existing rows = custom" }, { "id": "F002", "group": "presets", "implemented": true, "prdRefs": ["Data model", "Risks"], "description": "OIDC discovery helper: fetch .well-known/openid-configuration -> { issuer, jwks_uri }, cached, reusing jose/fetch" }, { "id": "F003", "group": "presets", "implemented": true, "prdRefs": ["Primary flows", "Data model"], "description": "Provider presets module: google (fixed issuer accounts.google.com + well-known JWKS, default subject_claim 'sub'); microsoft (issuer from entra tenant id, discover JWKS, default subject_claim 'azp')" }, { "id": "F004", "group": "presets", "implemented": true, "prdRefs": ["Primary flows"], "description": "addTrustedIdp accepts { kind, entraTenantId } and resolves issuer/jwks_uri/subject_claim via preset + discovery; custom still accepts raw issuer/jwks/audience/claim" }, { "id": "F005", "group": "presets", "implemented": true, "prdRefs": ["Data model"], "description": "/api/v1/mcp/idp-providers route + @product/mcp seam pass kind + entraTenantId through to addTrustedIdp" }, { "id": "F006", "group": "presets", "implemented": true, "prdRefs": ["Primary flows", "UX"], "description": "Admin UI: provider dropdown (Microsoft Entra / Google / Custom) with conditional fields (Microsoft: tenant id; Google: none; Custom: raw)" }, { "id": "F007", "group": "presets", "implemented": true, "prdRefs": ["Risks"], "description": "Admin UI shows the resolved issuer + JWKS read-only after a preset is chosen (transparency)" }, { "id": "F008", "group": "reuse", "implemented": true, "prdRefs": ["Goals"], "description": "Service: detect tenant's existing Microsoft/Entra connection (microsoft_profiles / entra_managed_tenants / known tid) -> suggested entra tenant id" }, { "id": "F009", "group": "reuse", "implemented": true, "prdRefs": ["Primary flows"], "description": "Admin UI: 'You're already connected to Microsoft — enable agent access?' one-click prefill of the Microsoft preset" }, { "id": "F010", "group": "hosted", "implemented": true, "prdRefs": ["Goals", "Data model"], "description": "Hosted detection helper (SaaS): shared app secrets present + hosted flag" }, { "id": "F011", "group": "hosted", "implemented": true, "prdRefs": ["Goals"], "description": "Built-in trusted issuers for Google + Microsoft (shared-app audience), available on hosted without per-tenant agent_idp_providers rows" }, { "id": "F012", "group": "hosted", "implemented": true, "prdRefs": ["Data model"], "description": "idpToken validation consults built-in hosted issuers in addition to agent_idp_providers" }, { "id": "F013", "group": "hosted", "implemented": true, "prdRefs": ["Primary flows"], "description": "PRM (/.well-known/oauth-protected-resource) advertises the built-in authorization_servers on hosted" }, { "id": "F014", "group": "hosted", "implemented": true, "prdRefs": ["The key distinction"], "description": "Hosted: bind an agent to a built-in issuer + subject without manual IdP registration (interactive/human-delegated path)" }, { "id": "F015", "group": "guidance", "implemented": true, "prdRefs": ["Risks"], "description": "Per-provider subject-claim guidance in the UI (Microsoft app token azp/appid vs user oid/sub; Google service account sub), preset-defaulted + editable" }, { "id": "F016", "group": "guidance", "implemented": true, "prdRefs": ["Risks"], "description": "Friendly error on duplicate (issuer, subject) binding (one agent per identity)" }, { "id": "F017", "group": "guidance", "implemented": false, "prdRefs": ["The key distinction"], "description": "Guided wizard: copy-paste steps/values to create the agent's directory identity (Entra app registration / Google service account) for unattended agents" }, { "id": "F018", "group": "guidance", "implemented": false, "prdRefs": ["DoD"], "description": "Docs update (docs/mcp-server.md): the easy path (presets, reuse, hosted) + the irreducible unattended-machine-agent caveat" } ]