@aiwerk/mcp-bridge 2.5.2 → 2.5.3

package/dist/bin/mcp-bridge.js

@@ -8,6 +8,8 @@ import { loadConfig, initConfigDir } from "../src/config.js";
 import { StandaloneServer } from "../src/standalone-server.js";
 import { PACKAGE_VERSION } from "../src/protocol.js";
 import { checkForUpdate, runUpdate } from "../src/update-checker.js";
+import { FileTokenStore } from "../src/token-store.js";
+import { performAuthCodeLogin } from "../src/cli-auth.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 // After tsc, this file lives at dist/bin/mcp-bridge.js.
@@ -111,6 +113,17 @@ function parseArgs(argv) {
             case "update":
                 args.command = "update";
                 break;
+            case "auth":
+                args.command = "auth";
+                // Consume subcommand
+                if (i + 1 < argv.length) {
+                    const sub = argv[i + 1];
+                    if (sub === "login" || sub === "logout" || sub === "status") {
+                        args.authSubcommand = sub;
+                        i++;
+                    }
+                }
+                break;
             default:
                 if (!arg.startsWith("-")) {
                     args.positional.push(arg);
@@ -139,6 +152,9 @@ Usage:
   mcp-bridge servers                List configured servers
   mcp-bridge search <query>         Search catalog by keyword
   mcp-bridge update [--check]       Check for / install updates
+  mcp-bridge auth login <server>    Authenticate with an OAuth2 server
+  mcp-bridge auth logout <server>   Remove stored token for a server
+  mcp-bridge auth status            Show auth status for all servers
 
 Options:
   --config PATH     Custom config file (default: ~/.mcp-bridge/config.json)
@@ -257,6 +273,115 @@ async function cmdUpdate(logger, checkOnly) {
     const result = await runUpdate(logger);
     process.stdout.write(result + "\n");
 }
+async function cmdAuth(args, logger) {
+    const sub = args.authSubcommand;
+    if (!sub) {
+        process.stderr.write("Usage: mcp-bridge auth <login|logout|status> [server-name]\n");
+        process.exit(1);
+    }
+    const tokenStore = new FileTokenStore();
+    if (sub === "status") {
+        let config;
+        try {
+            config = loadConfig({ configPath: args.configPath, logger });
+        }
+        catch {
+            config = null;
+        }
+        const stored = tokenStore.list();
+        if (stored.length === 0 && !config) {
+            process.stdout.write("No stored tokens.\n");
+            return;
+        }
+        process.stdout.write("\nAuth status:\n\n");
+        process.stdout.write("  Server          Auth Type              Token Status\n");
+        process.stdout.write("  " + "\u2500".repeat(60) + "\n");
+        // Show configured servers
+        const shown = new Set();
+        if (config) {
+            for (const [name, serverConfig] of Object.entries(config.servers)) {
+                const authType = serverConfig.auth?.type ?? "none";
+                const grantType = serverConfig.auth?.type === "oauth2" && "grantType" in serverConfig.auth
+                    ? serverConfig.auth.grantType
+                    : serverConfig.auth?.type === "oauth2" ? "client_credentials" : "";
+                const label = authType === "oauth2" ? `oauth2 (${grantType})` : authType;
+                const token = tokenStore.load(name);
+                let status;
+                if (token) {
+                    const now = Date.now();
+                    if (token.expiresAt > now) {
+                        const mins = Math.round((token.expiresAt - now) / 60000);
+                        status = `valid (expires in ${mins}m)`;
+                    }
+                    else {
+                        status = token.refreshToken ? "expired (refresh available)" : "expired";
+                    }
+                }
+                else if (grantType === "authorization_code") {
+                    status = "not authenticated";
+                }
+                else {
+                    status = "-";
+                }
+                process.stdout.write(`  ${name.padEnd(16)}${label.padEnd(23)}${status}\n`);
+                shown.add(name);
+            }
+        }
+        // Show stored tokens not in config
+        for (const { serverName, token } of stored) {
+            if (shown.has(serverName))
+                continue;
+            const now = Date.now();
+            const status = token.expiresAt > now
+                ? `valid (expires in ${Math.round((token.expiresAt - now) / 60000)}m)`
+                : "expired";
+            process.stdout.write(`  ${serverName.padEnd(16)}${"oauth2 (stored)".padEnd(23)}${status}\n`);
+        }
+        process.stdout.write("\n");
+        return;
+    }
+    // login / logout need a server name
+    const serverName = args.positional[0];
+    if (!serverName) {
+        process.stderr.write(`Usage: mcp-bridge auth ${sub} <server-name>\n`);
+        process.exit(1);
+    }
+    if (sub === "logout") {
+        tokenStore.remove(serverName);
+        process.stdout.write(`Removed stored token for ${serverName}\n`);
+        return;
+    }
+    // login
+    let config;
+    try {
+        config = loadConfig({ configPath: args.configPath, logger });
+    }
+    catch (err) {
+        logger.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+    const serverConfig = config.servers[serverName];
+    if (!serverConfig) {
+        logger.error(`Server "${serverName}" not found in config`);
+        process.exit(1);
+    }
+    const auth = serverConfig.auth;
+    if (!auth || auth.type !== "oauth2" || !("grantType" in auth) || auth.grantType !== "authorization_code") {
+        logger.error(`Server "${serverName}" is not configured for OAuth2 authorization_code flow`);
+        process.exit(1);
+    }
+    const authCodeAuth = auth;
+    const token = await performAuthCodeLogin(serverName, {
+        authorizationUrl: authCodeAuth.authorizationUrl,
+        tokenUrl: authCodeAuth.tokenUrl,
+        clientId: authCodeAuth.clientId,
+        clientSecret: authCodeAuth.clientSecret,
+        scopes: authCodeAuth.scopes,
+        callbackPort: authCodeAuth.callbackPort,
+    }, logger);
+    tokenStore.save(serverName, token);
+    process.stdout.write(`Authentication successful for ${serverName}. Token stored.\n`);
+}
 async function cmdServe(args, logger) {
     let config;
     try {
@@ -325,6 +450,9 @@ async function main() {
         case "update":
             await cmdUpdate(logger, args.checkOnly);
             break;
+        case "auth":
+            await cmdAuth(args, logger);
+            break;
         case "serve":
             await cmdServe(args, logger);
             break;

package/dist/src/cli-auth.d.ts

@@ -0,0 +1,27 @@
+import type { Logger } from "./types.js";
+import type { StoredToken } from "./token-store.js";
+export interface AuthCodeConfig {
+    authorizationUrl: string;
+    tokenUrl: string;
+    clientId?: string;
+    clientSecret?: string;
+    scopes?: string[];
+    callbackPort?: number;
+}
+/**
+ * Generate a PKCE code_verifier: 43-128 URL-safe characters.
+ */
+export declare function generateCodeVerifier(length?: number): string;
+/**
+ * Compute S256 code_challenge from code_verifier.
+ */
+export declare function computeCodeChallenge(verifier: string): string;
+/**
+ * Perform the full OAuth2 Authorization Code flow with PKCE.
+ *
+ * 1. Start local HTTP server on callbackPort
+ * 2. Open browser to authorization URL
+ * 3. Receive callback with authorization code
+ * 4. Exchange code for tokens
+ */
+export declare function performAuthCodeLogin(serverName: string, authConfig: AuthCodeConfig, logger: Logger): Promise<StoredToken>;

package/dist/src/cli-auth.js

@@ -0,0 +1,199 @@
+import { createServer } from "http";
+import { randomBytes, createHash } from "crypto";
+import { exec } from "child_process";
+import { platform } from "os";
+/** Escape HTML special characters to prevent XSS in callback responses. */
+function escapeHtml(str) {
+    return str
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+const LOGIN_TIMEOUT_MS = 120_000;
+/**
+ * Generate a PKCE code_verifier: 43-128 URL-safe characters.
+ */
+export function generateCodeVerifier(length = 64) {
+    const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+    const bytes = randomBytes(length);
+    let result = "";
+    for (let i = 0; i < length; i++) {
+        result += charset[bytes[i] % charset.length];
+    }
+    return result;
+}
+/**
+ * Compute S256 code_challenge from code_verifier.
+ */
+export function computeCodeChallenge(verifier) {
+    return createHash("sha256")
+        .update(verifier, "ascii")
+        .digest("base64url");
+}
+/**
+ * Open a URL in the default browser using platform-specific commands.
+ */
+function openBrowser(url, logger) {
+    const os = platform();
+    let cmd;
+    if (os === "darwin") {
+        cmd = `open "${url}"`;
+    }
+    else if (os === "win32") {
+        cmd = `start "" "${url}"`;
+    }
+    else {
+        cmd = `xdg-open "${url}"`;
+    }
+    exec(cmd, (err) => {
+        if (err) {
+            logger.warn(`[mcp-bridge] Could not open browser automatically. Please visit:\n${url}`);
+        }
+    });
+}
+const DEFAULT_EXPIRES_IN = 3600;
+const EXPIRY_BUFFER_SECONDS = 60;
+/**
+ * Perform the full OAuth2 Authorization Code flow with PKCE.
+ *
+ * 1. Start local HTTP server on callbackPort
+ * 2. Open browser to authorization URL
+ * 3. Receive callback with authorization code
+ * 4. Exchange code for tokens
+ */
+export async function performAuthCodeLogin(serverName, authConfig, logger) {
+    const port = authConfig.callbackPort ?? 9876;
+    const redirectUri = `http://localhost:${port}/callback`;
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = computeCodeChallenge(codeVerifier);
+    const state = randomBytes(16).toString("hex");
+    return new Promise((resolve, reject) => {
+        let settled = false;
+        const timeout = setTimeout(() => {
+            if (!settled) {
+                settled = true;
+                server.close();
+                reject(new Error("Authentication timed out after 120 seconds"));
+            }
+        }, LOGIN_TIMEOUT_MS);
+        const server = createServer((req, res) => {
+            if (!req.url?.startsWith("/callback")) {
+                res.writeHead(404);
+                res.end("Not found");
+                return;
+            }
+            const url = new URL(req.url, `http://localhost:${port}`);
+            const error = url.searchParams.get("error");
+            if (error) {
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end(`<html><body><h2>Authentication failed</h2><p>${escapeHtml(error)}: ${escapeHtml(url.searchParams.get("error_description") || "")}</p></body></html>`);
+                if (!settled) {
+                    settled = true;
+                    clearTimeout(timeout);
+                    server.close();
+                    reject(new Error(`Authorization failed: ${error}`));
+                }
+                return;
+            }
+            const returnedState = url.searchParams.get("state");
+            if (returnedState !== state) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end("<html><body><h2>Invalid state parameter</h2></body></html>");
+                if (!settled) {
+                    settled = true;
+                    clearTimeout(timeout);
+                    server.close();
+                    reject(new Error("OAuth2 state mismatch — possible CSRF attack"));
+                }
+                return;
+            }
+            const code = url.searchParams.get("code");
+            if (!code) {
+                res.writeHead(400, { "Content-Type": "text/html" });
+                res.end("<html><body><h2>Missing authorization code</h2></body></html>");
+                if (!settled) {
+                    settled = true;
+                    clearTimeout(timeout);
+                    server.close();
+                    reject(new Error("No authorization code in callback"));
+                }
+                return;
+            }
+            res.writeHead(200, { "Content-Type": "text/html" });
+            res.end(`<html><body><h2>Authentication successful!</h2><p>You can close this window and return to the terminal.</p></body></html>`);
+            if (!settled) {
+                settled = true;
+                clearTimeout(timeout);
+                server.close();
+                exchangeCodeForToken(authConfig, code, redirectUri, codeVerifier, logger)
+                    .then(resolve)
+                    .catch(reject);
+            }
+        });
+        server.listen(port, () => {
+            const params = new URLSearchParams();
+            params.set("response_type", "code");
+            if (authConfig.clientId)
+                params.set("client_id", authConfig.clientId);
+            params.set("redirect_uri", redirectUri);
+            if (authConfig.scopes?.length)
+                params.set("scope", authConfig.scopes.join(" "));
+            params.set("state", state);
+            params.set("code_challenge", codeChallenge);
+            params.set("code_challenge_method", "S256");
+            const authUrl = `${authConfig.authorizationUrl}?${params.toString()}`;
+            logger.info(`[mcp-bridge] Opening browser for ${serverName} authentication...`);
+            logger.info(`[mcp-bridge] If the browser doesn't open, visit: ${authUrl}`);
+            openBrowser(authUrl, logger);
+        });
+        server.on("error", (err) => {
+            if (!settled) {
+                settled = true;
+                clearTimeout(timeout);
+                reject(new Error(`Failed to start callback server on port ${port}: ${err.message}`));
+            }
+        });
+    });
+}
+async function exchangeCodeForToken(config, code, redirectUri, codeVerifier, logger) {
+    const formData = new URLSearchParams();
+    formData.set("grant_type", "authorization_code");
+    formData.set("code", code);
+    formData.set("redirect_uri", redirectUri);
+    formData.set("code_verifier", codeVerifier);
+    if (config.clientId)
+        formData.set("client_id", config.clientId);
+    if (config.clientSecret)
+        formData.set("client_secret", config.clientSecret);
+    const response = await fetch(config.tokenUrl, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: formData.toString(),
+    });
+    if (!response.ok) {
+        const text = await response.text().catch(() => "");
+        throw new Error(`Token exchange failed: HTTP ${response.status} ${text}`);
+    }
+    const payload = (await response.json());
+    if (payload.error) {
+        throw new Error(`Token exchange error: ${payload.error} — ${payload.error_description || ""}`);
+    }
+    if (!payload.access_token) {
+        throw new Error("Token exchange response missing access_token");
+    }
+    const expiresIn = Number.isFinite(payload.expires_in)
+        ? Number(payload.expires_in)
+        : DEFAULT_EXPIRES_IN;
+    const expiresAt = Date.now() + Math.max(0, expiresIn - EXPIRY_BUFFER_SECONDS) * 1000;
+    logger.info(`[mcp-bridge] Authentication successful. Token expires in ${expiresIn}s.`);
+    return {
+        accessToken: payload.access_token,
+        refreshToken: payload.refresh_token,
+        expiresAt,
+        tokenUrl: config.tokenUrl,
+        clientId: config.clientId,
+        scopes: config.scopes,
+    };
+}

package/dist/src/config.js

@@ -49,10 +49,15 @@ export function parseEnvFile(content) {
             continue;
         const key = trimmed.substring(0, eqIdx).trim();
         let value = trimmed.substring(eqIdx + 1).trim();
-        // Strip surrounding quotes
+        // Strip surrounding quotes and handle escaped quotes within
         if ((value.startsWith('"') && value.endsWith('"')) ||
             (value.startsWith("'") && value.endsWith("'"))) {
+            const quote = value[0];
             value = value.slice(1, -1);
+            // Unescape escaped quotes: \" → " or \' → '
+            value = value.replace(new RegExp(`\\\\${quote}`, "g"), quote);
+            // Unescape escaped backslashes: \\ → \
+            value = value.replace(/\\\\/g, "\\");
         }
         if (key)
             env[key] = value;
@@ -100,7 +105,10 @@ export function loadConfig(options = {}) {
             options.logger?.warn(`[mcp-bridge] Failed to parse .env file: ${err instanceof Error ? err.message : err}`);
         }
     }
-    // Merge .env into process.env (don't overwrite existing)
+    // Populate process.env with .env values for child processes (don't overwrite
+    // existing env vars — this matches dotenv's default behavior). This is separate
+    // from the config resolution below, which uses a different merge order where
+    // .env values win over process.env.
     for (const [key, value] of Object.entries(dotEnv)) {
         if (process.env[key] === undefined) {
             process.env[key] = value;

package/dist/src/index.d.ts

@@ -1,9 +1,13 @@
-export { BaseTransport, resolveEnvVars, resolveEnvRecord, resolveArgs, resolveAuthHeaders, resolveAuthHeadersAsync, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
+export { BaseTransport, resolveEnvVars, resolveEnvRecord, resolveArgs, resolveAuthHeaders, resolveAuthHeadersAsync, isAuthCodeOAuth2, resolveOAuth2Config, resolveAuthCodeOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export { StdioTransport } from "./transport-stdio.js";
 export { SseTransport } from "./transport-sse.js";
 export { StreamableHttpTransport } from "./transport-streamable-http.js";
 export { OAuth2TokenManager } from "./oauth2-token-manager.js";
-export type { OAuth2Config } from "./oauth2-token-manager.js";
+export type { OAuth2Config, AuthCodeOAuth2Config } from "./oauth2-token-manager.js";
+export { FileTokenStore } from "./token-store.js";
+export type { TokenStore, StoredToken } from "./token-store.js";
+export { performAuthCodeLogin, generateCodeVerifier, computeCodeChallenge } from "./cli-auth.js";
+export type { AuthCodeConfig } from "./cli-auth.js";
 export { McpRouter } from "./mcp-router.js";
 export type { RouterToolHint, RouterServerStatus, RouterDispatchResponse, RouterTransportRefs } from "./mcp-router.js";
 export { ResultCache, createResultCacheKey, stableStringify } from "./result-cache.js";

package/dist/src/index.js

@@ -1,10 +1,14 @@
 // Core exports for @aiwerk/mcp-bridge
 // Transport classes
-export { BaseTransport, resolveEnvVars, resolveEnvRecord, resolveArgs, resolveAuthHeaders, resolveAuthHeadersAsync, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
+export { BaseTransport, resolveEnvVars, resolveEnvRecord, resolveArgs, resolveAuthHeaders, resolveAuthHeadersAsync, isAuthCodeOAuth2, resolveOAuth2Config, resolveAuthCodeOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export { StdioTransport } from "./transport-stdio.js";
 export { SseTransport } from "./transport-sse.js";
 export { StreamableHttpTransport } from "./transport-streamable-http.js";
 export { OAuth2TokenManager } from "./oauth2-token-manager.js";
+// Token store
+export { FileTokenStore } from "./token-store.js";
+// CLI auth
+export { performAuthCodeLogin, generateCodeVerifier, computeCodeChallenge } from "./cli-auth.js";
 // Router
 export { McpRouter } from "./mcp-router.js";
 // Result cache

package/dist/src/mcp-router.d.ts

@@ -93,9 +93,9 @@ export type RouterDispatchResponse = {
     code?: number;
 };
 export interface RouterTransportRefs {
-    sse: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: () => number) => McpTransport;
+    sse: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: () => number, serverName?: string) => McpTransport;
     stdio: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, requestIdGenerator?: () => number) => McpTransport;
-    streamableHttp: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: () => number) => McpTransport;
+    streamableHttp: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: () => number, serverName?: string) => McpTransport;
 }
 export declare class McpRouter {
     private readonly servers;
@@ -129,6 +129,15 @@ export declare class McpRouter {
     private getPromotionStats;
     private getRetryPolicy;
     private classifyTransientError;
+    /**
+     * Call a tool with automatic retry on transient transport errors.
+     *
+     * NOTE: Only transport-level errors (timeout, connection_error) are retried.
+     * MCP protocol errors (valid JSON-RPC responses with error fields) are NOT
+     * retried, because they typically indicate non-transient issues (unknown tool,
+     * invalid params, server-side validation failures). The retryOn config
+     * intentionally only accepts "timeout" | "connection_error" categories.
+     */
     private callToolWithRetry;
     disconnectAll(): Promise<void>;
     shutdown(timeoutMs?: number): Promise<void>;

package/dist/src/mcp-router.js

@@ -11,6 +11,7 @@ import { AdaptivePromotion } from "./adaptive-promotion.js";
 import { ResultCache, createResultCacheKey } from "./result-cache.js";
 import { ToolResolver } from "./tool-resolution.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
+import { FileTokenStore } from "./token-store.js";
 const DEFAULT_IDLE_TIMEOUT_MS = 10 * 60 * 1000;
 const DEFAULT_CONNECT_ERROR_COOLDOWN_MS = 10 * 1000;
 const DEFAULT_MAX_CONCURRENT = 5;
@@ -53,7 +54,7 @@ export class McpRouter {
             : null;
         this.maxBatchSize = clientConfig.maxBatchSize ?? DEFAULT_MAX_BATCH_SIZE;
         this.toolResolver = new ToolResolver(Object.keys(servers));
-        this.tokenManager = new OAuth2TokenManager(logger);
+        this.tokenManager = new OAuth2TokenManager(logger, new FileTokenStore());
         if (clientConfig.adaptivePromotion?.enabled) {
             this.promotion = new AdaptivePromotion(clientConfig.adaptivePromotion, logger);
         }
@@ -98,28 +99,41 @@ export class McpRouter {
                 if (calls.length > this.maxBatchSize) {
                     return this.error("invalid_params", `batch size exceeds maxBatchSize (${this.maxBatchSize})`);
                 }
-                const results = await Promise.all(calls.map(async (call) => {
-                    const callServer = typeof call?.server === "string" ? call.server : "";
-                    const callTool = typeof call?.tool === "string" ? call.tool : "";
-                    const response = await this.dispatch(callServer, "call", callTool, call?.params);
-                    if ("error" in response) {
-                        return {
-                            server: callServer,
-                            tool: callTool,
-                            error: {
-                                error: response.error,
-                                message: response.message,
-                                ...(response.available ? { available: response.available } : {}),
-                                ...(typeof response.code === "number" ? { code: response.code } : {})
-                            }
-                        };
+                // Throttled batch execution: max 3 concurrent calls per server
+                // to avoid overloading individual backend servers.
+                const MAX_BATCH_CONCURRENCY = 3;
+                const results = new Array(calls.length);
+                let nextIndex = 0;
+                const executeNext = async () => {
+                    while (nextIndex < calls.length) {
+                        const idx = nextIndex++;
+                        const call = calls[idx];
+                        const callServer = typeof call?.server === "string" ? call.server : "";
+                        const callTool = typeof call?.tool === "string" ? call.tool : "";
+                        const response = await this.dispatch(callServer, "call", callTool, call?.params);
+                        if ("error" in response) {
+                            results[idx] = {
+                                server: callServer,
+                                tool: callTool,
+                                error: {
+                                    error: response.error,
+                                    message: response.message,
+                                    ...(response.available ? { available: response.available } : {}),
+                                    ...(typeof response.code === "number" ? { code: response.code } : {})
+                                }
+                            };
+                        }
+                        else {
+                            results[idx] = {
+                                server: callServer,
+                                tool: callTool,
+                                result: "result" in response ? response.result : response
+                            };
+                        }
                     }
-                    return {
-                        server: callServer,
-                        tool: callTool,
-                        result: "result" in response ? response.result : response
-                    };
-                }));
+                };
+                const workers = Array.from({ length: Math.min(MAX_BATCH_CONCURRENCY, calls.length) }, () => executeNext());
+                await Promise.all(workers);
                 return { action: "batch", results };
             }
             if (normalizedAction === "list") {
@@ -431,6 +445,15 @@ export class McpRouter {
         }
         return null;
     }
+    /**
+     * Call a tool with automatic retry on transient transport errors.
+     *
+     * NOTE: Only transport-level errors (timeout, connection_error) are retried.
+     * MCP protocol errors (valid JSON-RPC responses with error fields) are NOT
+     * retried, because they typically indicate non-transient issues (unknown tool,
+     * invalid params, server-side validation failures). The retryOn config
+     * intentionally only accepts "timeout" | "connection_error" categories.
+     */
     async callToolWithRetry(server, tool, args, transport) {
         const retryPolicy = this.getRetryPolicy(server);
         let retries = 0;
@@ -543,14 +566,17 @@ export class McpRouter {
                 };
                 throw normalizedError;
             }
+            finally {
+                // Clear initPromise here (inside the async IIFE) so concurrent
+                // callers that await the same promise see it cleared atomically
+                // with the lastConnectError being set. Previously this was in the
+                // outer finally block, creating a window where a concurrent caller
+                // could bypass the cooldown check.
+                state.initPromise = undefined;
+            }
         })();
-        try {
-            await state.initPromise;
-            return state;
-        }
-        finally {
-            state.initPromise = undefined;
-        }
+        await state.initPromise;
+        return state;
     }
     async enforceMaxConcurrent(activeServer) {
         const connectedServers = [...this.states.entries()]
@@ -621,13 +647,13 @@ export class McpRouter {
             this.resultCache?.invalidate(`${serverName}:`);
         };
         if (serverConfig.transport === "sse") {
-            return new this.transportRefs.sse(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
+            return new this.transportRefs.sse(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId(), serverName);
         }
         if (serverConfig.transport === "stdio") {
             return new this.transportRefs.stdio(serverConfig, this.clientConfig, this.logger, onReconnected, () => this.nextRequestId());
         }
         if (serverConfig.transport === "streamable-http") {
-            return new this.transportRefs.streamableHttp(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
+            return new this.transportRefs.streamableHttp(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId(), serverName);
         }
         throw new Error(`Unsupported transport: ${serverConfig.transport}`);
     }

package/dist/src/oauth2-token-manager.d.ts

@@ -1,4 +1,5 @@
 import type { Logger } from "./types.js";
+import type { TokenStore } from "./token-store.js";
 export interface OAuth2Config {
     clientId: string;
     clientSecret: string;
@@ -6,14 +7,30 @@ export interface OAuth2Config {
     scopes?: string[];
     audience?: string;
 }
+export interface AuthCodeOAuth2Config {
+    grantType: "authorization_code";
+    tokenUrl: string;
+    clientId?: string;
+    clientSecret?: string;
+    scopes?: string[];
+}
 export declare class OAuth2TokenManager {
     private readonly logger;
     private readonly tokenCache;
     private readonly inflight;
-    constructor(logger: Logger);
+    private readonly authCodeInflight;
+    private readonly tokenStore?;
+    constructor(logger: Logger, tokenStore?: TokenStore);
     getToken(config: OAuth2Config): Promise<string>;
     invalidate(tokenUrl: string, clientId: string): void;
     clear(): void;
+    /**
+     * Get a token for an authorization_code flow server.
+     * Checks TokenStore, refreshes if expired, throws if unavailable.
+     */
+    getTokenForAuthCode(serverName: string, config: AuthCodeOAuth2Config): Promise<string>;
+    private doAuthCodeRefresh;
+    private refreshAuthCodeToken;
     private makeKey;
     private fetchToken;
     private exchangeToken;