docs: sync ADP changes from cloudv2 (2026-06-03) #52

Merged: micheleRP merged 3 commits into main from claude/sync-cloudv2-2026-06-03 on Jun 3, 2026

@micheleRP
Contributor

@micheleRP micheleRP commented Jun 3, 2026

Summary

Syncs user-facing ADP changes merged to redpanda-data/cloudv2 main in the last 24 hours into the docs.

Preview

Rendered preview of the main new page (404s until Netlify finishes the build):
https://deploy-preview-52--redpanda-agentic-data-plane.netlify.app/agentic-data-plane/connect/managed/sharepoint/

1. SharePoint managed MCP server (new feature)

A new managed MCP type that exposes eight read/write tools over the Microsoft Graph API for SharePoint sites, document libraries, lists, and files, authenticated per-user through user-delegated OAuth (Microsoft Entra ID). The type is gated behind the alpha feature gate.

Documented:

  • New page modules/connect/pages/managed/sharepoint.adoc (how-to), following the existing managed-server template (for example, Zendesk/Slack): what the server does, the eight tools, Entra app + Graph scopes (Sites.ReadWrite.All / Sites.Read.All), OAuth Provider setup, server creation (UI + rpk ai mcp create), authorize-and-test, and troubleshooting.
  • Added SharePoint to the Utility table in modules/connect/pages/managed/managed-catalog.adoc and to the nav.

Based on:

  • redpanda-data/cloudv2@3e1f6171a3 — aigw: add SharePoint managed MCP (8 tools over Microsoft Graph)
  • redpanda-data/cloudv2@0704164c14 — aigw: gate SharePoint MCP behind the alpha feature gate
  • redpanda-data/cloudv2@2c70ad82fb — recommend Sites.ReadWrite.All, not Files.ReadWrite.All
  • redpanda-data/cloudv2@04c402a991 — fix list_lists (drop unsupported $filter)
  • redpanda-data/cloudv2@8a8be9e9b7 — SharePoint setup guide moved to user-docs/
  • Merged in redpanda-data/cloudv2#26291 (c2022e6fac)

2. Spending user_id → user_email rename (breaking field rename)

cloudv2 renamed the spending subsystem's user_id field to user_email (it always carried the caller's email). This touches the public SpendingFilter AIP-160 filter field and the spending screens.

Documented:

  • Updated modules/control/pages/budgets.adoc to use user_email everywhere it referenced the SpendingFilter field (What ADP records, the breakdown/filter description, the request-shape table, and the multi-tenant viewing section). The BREAKDOWN_DIMENSION_USER enum value is unchanged and was left as-is.

Based on:

  • redpanda-data/cloudv2@3c2a90e7cf — refactor(aigw)!: rename spending user_id to user_email
  • Merged in redpanda-data/cloudv2#26668 (2e8447057c)

Reviewers

Requested the cloudv2 source authors as optional reviewers for a source-accuracy courtesy check: @birdayz (SharePoint MCP) and @alenkacz (spending rename). Both are collaborators on adp-docs and were added successfully. Their approval is not blocking and isn't required to merge.

TODOs / not documented (flagged for human review)

These ADP-adjacent changes also merged in the window but I didn't document them confidently this run:

  • Guardrails for non-Bedrock providers (a29bb12905, fde5a275e7, merged #26663/#26698): ApplyGuardrail now wraps OpenAI and other non-Bedrock providers, plus new GuardrailService UI data hooks. The existing control/guardrails/ pages already describe guardrails generically (no Bedrock-only caveat), so no correction was clearly required — but a human should confirm whether the provider-coverage expansion needs a callout.
  • Agent triggers (8a4760d646 adp-api, e31d711e58 msteams-bridge, 875a250075 adp-ui; #26658/#26659/#26660): a new cross-component feature whose user-facing surface (and GA status) wasn't clear enough from the diffs to document confidently. Needs a human/eng pass.
  • agent_uid stamped into JWT additional_claims (b38740ee38, merged #26672): likely internal; confirm whether it's user-facing.

https://claude.ai/code/session_01QQtvgw3PkKzJiMDzou2vJR

- Add SharePoint managed MCP server page (new managed type, Microsoft
  Graph API, per-user OAuth, 8 tools, alpha feature gate) plus nav and
  managed-catalog entries.
- Update budgets.adoc: rename the spending user_id field to user_email
  to match the breaking SpendingFilter rename in cloudv2.

https://claude.ai/code/session_01QQtvgw3PkKzJiMDzou2vJR
@micheleRP micheleRP requested a review from a team as a code owner June 3, 2026 12:19
@netlify

netlify Bot commented Jun 3, 2026

Deploy Preview for redpanda-agentic-data-plane ready!

Name Link
🔨 Latest commit c53dbaa
🔍 Latest deploy log https://app.netlify.com/projects/redpanda-agentic-data-plane/deploys/6a205f1e2eec2c00086ceb4d
😎 Deploy Preview https://deploy-preview-52--redpanda-agentic-data-plane.netlify.app

@micheleRP micheleRP requested review from alenkacz and birdayz June 3, 2026 12:19
Contributor Author

[adp-docs PR critic]

Verdict: has issues — one Critical (a documented CLI command that fails as written); the rest of the content checks out against cloudv2 source.

I verified every factual claim in the diff against redpanda-data/cloudv2. Summary of what's accurate: the 8 SharePoint tool names and behaviors match apps/aigw/docs/sharepoint-mcp.md; the alpha feature gate matches apps/aigw/internal/mcp/managed/mcps/sharepoint/register_mcp.go (FeatureGate: "alpha"); the Sites.ReadWrite.All / Sites.Read.All (not Files.*) guidance and the OAuth Provider settings (tenant-specific endpoints, client-secret-post + PKCE, the scope list) match apps/aigw/docs/user-docs/sharepoint-mcp-setup.md; the callback path /oauth/v1/callback is correct; and the SharePoint UTILITY category, nav placement, and catalog placement are all correct. The spending rename is faithful too (see Minor).


🔴 Critical

1. modules/connect/pages/managed/sharepoint.adoc — the rpk ai mcp create example fails as written.

The CLI block combines --managed-config with --user-oauth-provider / --user-oauth-scopes:

rpk ai mcp create --name sharepoint \
  --managed-config '{ "@type": "type.googleapis.com/redpanda.mcps.sharepoint.v1.SharePointMCPConfig" }' \
  --user-oauth-provider sharepoint \
  --user-oauth-scopes Sites.ReadWrite.All

For a managed server this is explicitly rejected by the CLI. In apps/rpai/internal/cmd/mcp/cmd.go (runCreate):

if managedCfg != "" {
    if userOAuth != nil {
        return errors.New("--user-oauth-provider/--user-oauth-scopes are flags for remote (--url) servers only; set auth.user_oauth inside --managed-config JSON instead")
    }
    ...
}

So the command errors out before doing anything. Separately, the --managed-config payload carries only @type and no user_oauth — but SharePointMCPConfig's auth oneof is required (option (buf.validate.oneof).required = true; in proto/mcps/redpanda/mcps/sharepoint/v1/sharepoint_config.proto), so even on its own that JSON is invalid. The repo's own rpk reference confirms the rule: modules/reference/pages/rpk/rpk-ai/rpk-ai-mcp-create.adoc documents --user-oauth-provider as "Ignored for managed servers — set auth.user_oauth inside --managed-config instead."

The source-correct form (matches apps/aigw/docs/sharepoint-mcp.md and the setup guide's §7) embeds user_oauth in the config JSON:

rpk ai mcp create --name sharepoint \
  --description "SharePoint MCP — Microsoft Graph, per-user OAuth" \
  --managed-config '{
    "@type": "type.googleapis.com/redpanda.mcps.sharepoint.v1.SharePointMCPConfig",
    "user_oauth": { "provider_name": "sharepoint", "required_scopes": ["Sites.ReadWrite.All"] }
  }'

Heads-up: the existing modules/connect/pages/managed/ramp.adoc CLI block uses the same broken managed-config + --user-oauth-* pattern, which looks like where this was copied from — worth fixing there too, separately.


🟡 Suggestion

2. modules/connect/pages/managed/sharepoint.adoc — verify the redirect-URI host. The page uses https://aigw.<dataplane-id>.clusters.rdpa.co/oauth/v1/callback. The only host in source is the integration cluster: aigw.<dataplane-id>.clusters.ign.rdpa.co (apps/aigw/docs/user-docs/sharepoint-mcp-setup.md, §2). The path /oauth/v1/callback is right; please confirm the production host segment (the .ign. may or may not belong in the generic customer-facing form).


⚪ Minor

3. modules/control/pages/budgets.adoc — rename is correct; one pre-existing sentence to sanity-check. The user_id → user_email rename is faithful: SpendingFilter field 5 is now string user_email in proto/public/cloud/redpanda/api/adp/v1alpha1/spending_service.proto, and provider_name/model_id/agent_id/organization_id/filter and BREAKDOWN_DIMENSION_USER = 3 are all unchanged — good call leaving the enum as-is. One thing the rename surfaces (not introduced by this PR): the line "an agent is its service-account email: the same identity that appears as user_email in spend data." Per the proto, an agent's service-account email is recorded on agent_id (the on-behalf-of path), while user_email is the caller's email. If budgets key on the agent identity, agent_id may be the more accurate field name here — worth a quick confirm.

4. modules/connect/pages/managed/sharepoint.adoc — get_site description. "Fetch a single site by ID" omits that the source tool also accepts a hostname path ("by ID or hostname path" in apps/aigw/docs/sharepoint-mcp.md). Optional.

xrefs, anchors, and AsciiDoc all check out (all four xref targets exist; the #grant-admin-consent self-anchor is defined).


Generated by Claude Code
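
A docs lint for the pattern flagged in the review above, as an added example (not code from this PR, cloudv2, or rpk): it checks one `rpk ai mcp create` command taken from a docs page for `--user-oauth-*` flags combined with `--managed-config`, and for a config JSON without a usable `user_oauth` object. The function name, the finding strings, and the Files.* scope warning are assumptions made for the example, and it knows only the `user_oauth` auth option shown on this page.

```python
import json
import shlex

# Flags the review says the CLI accepts for remote (--url) servers only.
REMOTE_ONLY = ("--user-oauth-provider", "--user-oauth-scopes")

# Constructed samples adapted from the two commands quoted in the review.
BROKEN = r"""rpk ai mcp create --name sharepoint \
  --managed-config '{ "@type": "type.googleapis.com/redpanda.mcps.sharepoint.v1.SharePointMCPConfig" }' \
  --user-oauth-provider sharepoint \
  --user-oauth-scopes Sites.ReadWrite.All"""
FIXED = r"""rpk ai mcp create --name sharepoint \
  --managed-config '{
    "@type": "type.googleapis.com/redpanda.mcps.sharepoint.v1.SharePointMCPConfig",
    "user_oauth": { "provider_name": "sharepoint", "required_scopes": ["Sites.ReadWrite.All"] }
  }'"""


def lint_mcp_create(command: str) -> list[str]:
    """Return findings for one `rpk ai mcp create` command taken from a docs page."""
    # Join backslash-continued lines, then tokenize the way a POSIX shell would.
    argv = shlex.split(command.replace("\\\n", " "))
    if argv[:4] != ["rpk", "ai", "mcp", "create"]:
        return []
    flags, i = {}, 4
    while i < len(argv):
        name, eq, value = argv[i].partition("=")
        if name.startswith("--"):
            if not eq and i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                i += 1
                value = argv[i]
            flags[name] = value
        i += 1
    if "--managed-config" not in flags:
        return []  # remote server: the --user-oauth-* flags are valid there
    findings = [f"{f} used with --managed-config" for f in REMOTE_ONLY if f in flags]
    try:
        config = json.loads(flags["--managed-config"])
    except json.JSONDecodeError:
        return findings + ["--managed-config is not valid JSON"]
    oauth = config.get("user_oauth") if isinstance(config, dict) else None
    if not isinstance(oauth, dict):
        return findings + ["managed config JSON has no user_oauth object"]
    for key in ("provider_name", "required_scopes"):
        if not oauth.get(key):
            findings.append(f"user_oauth.{key} is empty")
    scopes = oauth.get("required_scopes") or []
    findings += [f"scope {s} is Files.*; the guide recommends Sites.*" for s in scopes if isinstance(s, str) and s.startswith("Files.")]
    return findings
```

Running it over every CLI block in modules/connect/pages/managed/ would surface the other pages that carry the same pattern.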

@micheleRP
Contributor Author

Standardized the learning-objectives lead-in across all 12 managed MCP server guide pages to the canonical After reading this page, you will be able to: (per the docs-team-standards how-to and tutorial templates). Previously 10 pages used After completing this guide, you will be able to: and 2 pages (NetSuite, BambooHR) used Use this guide to:.

Preview (entry point; the catalog links out to each guide page):
https://deploy-preview-52--redpanda-agentic-data-plane.netlify.app/agentic-data-plane/connect/managed/managed-catalog/

Contributor Author

[adp-docs PR critic]

Re-review of new commit da07141 — verdict unchanged: still has the one Critical issue.

The only change since my previous review is a one-line lead-in tweak on modules/connect/pages/managed/sharepoint.adoc:

  • After completing this guide, you will be able to: → After reading this page, you will be able to:

✅ That change is correct. For a how-to page (this page's :page-topic-type:), the canonical lead-in is exactly After reading this page, you will be able to: per docs-team-standards (resources/templates/how-to-template.adoc and skills/page-templates/SKILL.md — the table maps Overview/Concept/Tutorial/How-to/Best practices to that phrasing).

⚠️ My Critical finding is still unaddressed. This commit did not touch the rpk ai mcp create block, which remains broken as written: it combines --managed-config with --user-oauth-provider/--user-oauth-scopes, which the CLI explicitly rejects for managed servers (apps/rpai/internal/cmd/mcp/cmd.go, runCreate), and the --managed-config JSON still omits the required user_oauth auth oneof (proto/mcps/redpanda/mcps/sharepoint/v1/sharepoint_config.proto). See finding #1 in my previous review for the source-correct form (embed user_oauth in the config JSON). The redirect-URI host (Suggestion #2) and the Minor items are also still open.

No new source-accuracy concerns introduced by this commit.


Generated by Claude Code

Addresses PR critic findings, verified against cloudv2 origin/main:

- sharepoint.adoc: the rpk ai mcp create example combined --managed-config
  with --user-oauth-provider/--user-oauth-scopes, which the CLI rejects for
  managed servers. Embed user_oauth (provider_name + required_scopes) in the
  --managed-config JSON instead, per the auth oneof in SharePointMCPConfig.
- sharepoint.adoc: get_site accepts a site ID or hostname path.
- budgets.adoc: an agent's service-account email appears as agent_id in spend
  data, not user_email (which is the caller's email).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@micheleRP
Contributor Author

Thanks — verified all four against cloudv2 origin/main and pushed fixes in c53dbaa:

The same --managed-config + --user-oauth-* pattern on ironclad, netsuite, ramp, and zendesk is acknowledged and tracked for a separate cleanup PR (each needs its own verified config JSON).

@micheleRP micheleRP merged commit 4c63271 into main Jun 3, 2026
4 checks passed
@micheleRP micheleRP deleted the claude/sync-cloudv2-2026-06-03 branch June 3, 2026 17:13