76430bec21
Major changes to ADR-002 (Vector Database Background Sync Authentication):

1. Reordered authentication tiers:
   - Tier 1: Service Account Token (client_credentials) - most compatible
   - Tier 2: Token Exchange with Impersonation - not implemented
   - Tier 3: Token Exchange with Delegation - implemented

2. Removed admin credentials fallback:
   - ADR now focuses exclusively on OAuth mode
   - Background sync unavailable without proper OAuth configuration
   - BasicAuth mode out of scope (credentials already available)

3. Clarified testing status:
   - Tier 1: Implemented but only manual tests exist
   - Tier 3: Implemented but only manual tests exist
   - Added TODO for automated integration tests

4. Removed "Offline Access with Refresh Tokens":
   - Documented as "Will Not Implement"
   - MCP protocol architecture prevents server from accessing refresh tokens
   - Violates OAuth security model (tokens must stay with client)

5. Simplified configuration:
   - Removed all admin credential references
   - OAuth-only environment variables
   - Automatic tier detection based on provider capabilities

The ADR now accurately reflects that refresh tokens should never be shared between MCP client and server, following OAuth best practices and the FastMCP SDK architecture.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>