docs(mcp): warn about webhook signing secret in cloud mode + brand assets #89
Merged
…I Agents
Three self-contained agent demos under mcp/examples/ that drive the published @e2a/mcp-server over stdio. Each has README + requirements.txt + a minimal agent.py — runnable with one pip install and an LLM key. Doubles as living docs for the README snippets and as the canonical "does the published package work?" verification harness.
Verified end-to-end: spawned npx -y @e2a/mcp-server@0.1.1 from the LangChain example, confirmed all 11 tools load with correct schemas. ADK and OpenAI Agents use the same stdio wire-up so high confidence, not directly invoked.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Parity with the ADK and OpenAI Agents examples — tells the model to use whoami first and prefer reply_to_message over send_email for threaded replies. Without it, the LangChain agent had no guidance on tool selection.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…and assets
The `create_agent` MCP tool exposes `agent_mode: 'cloud'` to the LLM, but the description (and the README's tool table) didn't mention that cloud-mode users must HMAC-verify webhook deliveries against E2A_WEBHOOK_SECRET. Without this, an LLM walking a user into cloud mode leaves them with an unverified webhook handler.
Add the warning to:
- mcp/src/tools/agents.ts — the source-of-truth tool description that every MCP host surfaces
- mcp/README.md — npm registry page
The adk-docs PR (google/adk-docs#1766) was updated separately with the same warning, plus a link to the existing runnable example at examples/adk-cloud-webhook.
Also stage brand assets at assets/ (square logo, 256px variant, wordmark) for npm/Smithery/dashboard/etc. usage.
Audit of the rest of the docs confirms webhook signing is already well-covered in the root README and both SDK READMEs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
The MCP `create_agent` tool exposes `agent_mode: 'cloud'` as an option an LLM can choose on the user's behalf, but the description (and the README tool table) didn't mention that cloud-mode users must HMAC-verify webhook deliveries against `E2A_WEBHOOK_SECRET`. Without this, an LLM walking a user into cloud mode would leave them with an unverified webhook handler.
This PR adds the warning in the two MCP places it was missing:
The same warning has been added to the open adk-docs PR (google/adk-docs#1766), now also linking to the runnable examples/adk-cloud-webhook demo as the canonical cloud-mode + ADK setup.
External docs audit
While I was there, audited the rest of the repo for webhook signing coverage. Already well-covered:
`parseWebhook`, `verifySignature`, `UnverifiedEmailError` gating)
`parse_webhook` for HMAC verification
Only the MCP-adjacent docs were silent on it — fixed here.
Brand assets
Also stages three logos at assets/ for use across npm / Smithery / dashboard / future integrations. Not packaged for npm publish (mcp's `files: ["dist"]` is unaffected).
Test plan
`tsc` clean
🤖 Generated with Claude Code
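
The check that the warning asks cloud-mode users to perform, as an added sketch (not code from this PR or from the e2a SDKs). It assumes a hex-encoded HMAC-SHA256 over the raw request body; the actual signature format is whatever the SDK helpers named above (`parse_webhook`, `verifySignature`) implement, and `verify_delivery`, `is_authentic`, `UnverifiedWebhook` and the sample values are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values, not real e2a data.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"event":"email.received","agent":"demo"}'


class UnverifiedWebhook(Exception):
    """Hypothetical error type: the delivery could not be authenticated."""


def sign(secret: bytes, raw_body: bytes) -> str:
    # Assumed scheme: hex-encoded HMAC-SHA256 over the exact request bytes.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_delivery(raw_body: bytes, signature: Optional[str],
                    secret: Optional[bytes] = None) -> bytes:
    """Return raw_body only if the signature matches; raise otherwise."""
    if secret is None:
        secret = os.environ.get("E2A_WEBHOOK_SECRET", "").encode()
    if not secret:
        # Fail closed: an unset secret must never mean "skip the check".
        raise UnverifiedWebhook("E2A_WEBHOOK_SECRET is not configured")
    if not signature:
        raise UnverifiedWebhook("delivery carries no signature")
    expected = sign(secret, raw_body).encode()
    # Constant-time comparison: timing does not reveal how much matched.
    if not hmac.compare_digest(expected, signature.strip().lower().encode()):
        raise UnverifiedWebhook("signature mismatch")
    return raw_body  # parse the JSON only after this point


def is_authentic(raw_body: bytes, signature: Optional[str],
                 secret: Optional[bytes] = None) -> bool:
    try:
        verify_delivery(raw_body, signature, secret)
        return True
    except UnverifiedWebhook:
        return False


if __name__ == "__main__":
    good = sign(SAMPLE_SECRET, SAMPLE_BODY)
    print(is_authentic(SAMPLE_BODY, good, SAMPLE_SECRET))         # untouched body
    print(is_authentic(SAMPLE_BODY + b" ", good, SAMPLE_SECRET))  # altered body
```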