Context
While recovering a PlotLink OWS operator session, the Operator MCP documentation turned out to be technically correct, but the VPS path was still easy to misread during troubleshooting.
The confusion was around these points:
quadwork-mcp-operator --port 8400 always connects to 127.0.0.1:8400 from the machine where the MCP command runs.- If QuadWork runs on a VPS,
178.x.x.x:8400 refusing a direct connection is expected when the backend is bound to VPS loopback only.
- A local MCP client needs an SSH tunnel, not direct TCP access to the VPS backend port.
ssh <alias> may use a configured VPS user, while ssh <ip> may silently use the local username, so direct-IP checks can test the wrong SSH identity.
Observed example:
ssh -G quadwork
# user quadwork
# hostname 178.105.192.232
ssh -G 178.105.192.232
# user <local macOS username>
# hostname 178.105.192.232
nc -vz 178.105.192.232 22
# succeeds
nc -vz 178.105.192.232 8400
# connection refused; expected if backend is loopback-only
ssh -N -L 8400:127.0.0.1:8400 quadwork
quadwork-mcp-operator --port 8400
# list_projects works through the forwarded local loopback
Request
Update docs/operator-mcp.md to make VPS troubleshooting more explicit.
Suggested additions:
- Add a short "Expected failures" note under Remote / VPS registration:
- Direct
nc/browser access to <vps-ip>:8400 may fail and that is normal if the backend is not exposed publicly.
- Do not open the backend port publicly to fix this.
- Prefer this exact tunnel command in examples:
ssh -N -L 8400:127.0.0.1:8400 <ssh-alias-or-user@vps>
- Add a verification checklist:
ssh -G <alias> | sed -n '1,20p'
lsof -iTCP:8400 -sTCP:LISTEN -n -P
quadwork-mcp-operator --port 8400
- Warn that
ssh <ip> and ssh <alias> can resolve to different users/identity files, so users should verify ssh -G before assuming the target is the intended VPS login.
- Clarify that the stdio JSON-RPC examples may need a short
sleep after sending requests so the MCP server has time to return tool responses.
Acceptance Criteria
- A user can tell the difference between:
- SSH access to the VPS working,
- direct public access to
<vps-ip>:8400 failing normally,
- local forwarded
127.0.0.1:8400 working.
- The doc includes a copy-pasteable SSH tunnel command using
-N -L.
- The doc explains why opening port
8400 publicly is not the right fix.
- The doc calls out SSH alias vs direct IP username/identity differences.
- The direct stdio examples remain accurate and mention response wait timing.
Context
While recovering a PlotLink OWS operator session, the Operator MCP documentation turned out to be technically correct, but the VPS path was still easy to misread during troubleshooting.
The confusion was around these points:
quadwork-mcp-operator --port 8400always connects to127.0.0.1:8400from the machine where the MCP command runs.178.x.x.x:8400refusing a direct connection is expected when the backend is bound to VPS loopback only.ssh <alias>may use a configured VPS user, whilessh <ip>may silently use the local username, so direct-IP checks can test the wrong SSH identity.Observed example:
Request
Update
docs/operator-mcp.mdto make VPS troubleshooting more explicit.Suggested additions:
nc/browser access to<vps-ip>:8400may fail and that is normal if the backend is not exposed publicly.ssh <ip>andssh <alias>can resolve to different users/identity files, so users should verifyssh -Gbefore assuming the target is the intended VPS login.sleepafter sending requests so the MCP server has time to return tool responses.Acceptance Criteria
<vps-ip>:8400failing normally,127.0.0.1:8400working.-N -L.8400publicly is not the right fix.