While exploring MCPs (starting with Gmail), I noticed that tools don’t respect granted OAuth scopes.
Issue
If a user grants only partial scopes (e.g. metadata but not read):
- UI still shows all tools as available
- Calling restricted tools results in a generic MCP error
This makes it unclear which permissions are actually missing from the user’s side, or even that missing scopes is the issue in the first place.
Proposed / implemented fix
- Keep all tools visible
- Disable tools based on granted scopes (with clear UI indication)
- Enforce the same restriction at the MCP level
Current status
Implementation is mostly done - I’m trying to validate it end-to-end locally.
Blocker
I’m having trouble getting the backend + DB fully running from the OSS repo.
The self-hosting guide seems geared towards full deployment, and I’m likely missing the minimal setup needed for local development.
Ask
Is there a recommended lightweight way to run the backend (especially DB setup) for local dev?
Happy to share the fix once I validate it.
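One way to express the proposed fix in code, as an added example that is not the poster's implementation and not from the project's repository: a small tool registry maps each MCP tool to the OAuth scopes that satisfy it, `list_tools` keeps every tool visible but marks it `enabled`/disabled with the missing scopes named, and `call_tool` enforces the same check server-side so a restricted call fails with a specific `ScopeError` instead of a generic MCP error. The Gmail scope URLs are real Google scope identifiers; the tool names, the "any one accepted scope is sufficient" rule, and the sample token response are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Real Google OAuth scope identifiers (gmail.readonly is a superset of gmail.metadata).
GMAIL_METADATA = "https://www.googleapis.com/auth/gmail.metadata"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
GMAIL_SEND = "https://www.googleapis.com/auth/gmail.send"


class ScopeError(Exception):
    """Raised when a tool is called without a scope that permits it."""

    def __init__(self, tool: str, missing: List[str]):
        self.tool = tool
        self.missing = missing
        super().__init__(f"tool '{tool}' requires one of: {', '.join(missing)}")


@dataclass(frozen=True)
class ToolSpec:
    name: str
    description: str
    # Simplification (assumption): the tool is usable if ANY of these scopes was granted.
    accepted_scopes: FrozenSet[str]


# Constructed tool registry: names and descriptions are hypothetical.
TOOLS: Dict[str, ToolSpec] = {
    "list_message_headers": ToolSpec(
        "list_message_headers", "List message ids, senders and subjects",
        frozenset({GMAIL_METADATA, GMAIL_READONLY})),
    "read_message_body": ToolSpec(
        "read_message_body", "Read the full body of a message",
        frozenset({GMAIL_READONLY})),
    "send_message": ToolSpec(
        "send_message", "Send a new message",
        frozenset({GMAIL_SEND})),
}

# Constructed stand-ins for the real tool handlers.
HANDLERS: Dict[str, Callable[[], object]] = {
    "list_message_headers": lambda: [{"id": "m1", "subject": "hello"}],
    "read_message_body": lambda: {"id": "m1", "body": "full text"},
    "send_message": lambda: {"status": "sent"},
}


def parse_scope_string(scope: str) -> FrozenSet[str]:
    """OAuth 2.0 token responses carry granted scopes as a space-delimited string."""
    return frozenset(s for s in scope.split(" ") if s)


def list_tools(granted: FrozenSet[str]) -> List[dict]:
    """Every tool stays visible; disabled ones say exactly which scopes would enable them."""
    result = []
    for spec in TOOLS.values():
        enabled = bool(spec.accepted_scopes & granted)
        result.append({
            "name": spec.name,
            "description": spec.description,
            "enabled": enabled,
            "missing_scopes": [] if enabled else sorted(spec.accepted_scopes),
        })
    return result


def call_tool(name: str, granted: FrozenSet[str]) -> object:
    """Server-side enforcement: the UI flag alone is not a security boundary."""
    spec = TOOLS.get(name)
    if spec is None:
        raise KeyError(f"unknown tool: {name}")
    if not spec.accepted_scopes & granted:
        raise ScopeError(name, sorted(spec.accepted_scopes - granted))
    return HANDLERS[name]()


if __name__ == "__main__":
    # Constructed token response: the user consented to metadata only.
    token_response = {"access_token": "example", "scope": GMAIL_METADATA}
    granted = parse_scope_string(token_response["scope"])
    for tool in list_tools(granted):
        state = "enabled" if tool["enabled"] else f"disabled (needs {tool['missing_scopes']})"
        print(f"{tool['name']}: {state}")
    try:
        call_tool("read_message_body", granted)
    except ScopeError as e:
        print("blocked:", e)
```

The check in `call_tool` is the part that matters for security: the disabled flag from `list_tools` is advisory for the UI, and a client that ignores it still hits the same scope gate at the MCP layer.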