Summary
Lens access scoping is non-deterministic for identical MCP calls. Three invocations of the same query (project_slug='tlf', same caller, same MCP) returned three different results:
- Cross-foundation data
- TLF-only data
- Refusal
Observed behaviour
Call 1 → cross-foundation aggregated data
Call 2 → TLF-only data
Call 3 → access refused
Same MCP server, same authenticated caller, same parameters.
Impact
Automation and tooling cannot rely on consistent results. Any pipeline that calls lens MCP may silently return different data on retry, making debugging and validation impossible.
Location
Lens MCP — access scoping / session handling
Severity
P1 — non-deterministic behaviour breaks reliable automation
Suggested fix
Access scope for a given caller + query combination should be deterministic. Investigate whether session state, token caching, or load-balancer routing is causing scope to vary across calls.
Reported by Stephan Ebers — found while building NPS survey automation against the LFX APIs.
Summary
Lens access scoping is non-deterministic for identical MCP calls. Three invocations of the same query (
project_slug='tlf', same caller, same MCP) returned three different results:Observed behaviour
Same MCP server, same authenticated caller, same parameters.
Impact
Automation and tooling cannot rely on consistent results. Any pipeline that calls lens MCP may silently return different data on retry, making debugging and validation impossible.
Location
Lens MCP — access scoping / session handling
Severity
P1 — non-deterministic behaviour breaks reliable automation
Suggested fix
Access scope for a given caller + query combination should be deterministic. Investigate whether session state, token caching, or load-balancer routing is causing scope to vary across calls.
Reported by Stephan Ebers — found while building NPS survey automation against the LFX APIs.