@aiwerk/mcp-bridge 2.5.2 → 2.6.0

package/dist/src/mcp-router.js

@@ -11,6 +11,7 @@ import { AdaptivePromotion } from "./adaptive-promotion.js";
 import { ResultCache, createResultCacheKey } from "./result-cache.js";
 import { ToolResolver } from "./tool-resolution.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
+import { FileTokenStore } from "./token-store.js";
 const DEFAULT_IDLE_TIMEOUT_MS = 10 * 60 * 1000;
 const DEFAULT_CONNECT_ERROR_COOLDOWN_MS = 10 * 1000;
 const DEFAULT_MAX_CONCURRENT = 5;
@@ -53,7 +54,7 @@ export class McpRouter {
             : null;
         this.maxBatchSize = clientConfig.maxBatchSize ?? DEFAULT_MAX_BATCH_SIZE;
         this.toolResolver = new ToolResolver(Object.keys(servers));
-        this.tokenManager = new OAuth2TokenManager(logger);
+        this.tokenManager = new OAuth2TokenManager(logger, new FileTokenStore());
         if (clientConfig.adaptivePromotion?.enabled) {
             this.promotion = new AdaptivePromotion(clientConfig.adaptivePromotion, logger);
         }
@@ -98,28 +99,41 @@ export class McpRouter {
                 if (calls.length > this.maxBatchSize) {
                     return this.error("invalid_params", `batch size exceeds maxBatchSize (${this.maxBatchSize})`);
                 }
-                const results = await Promise.all(calls.map(async (call) => {
-                    const callServer = typeof call?.server === "string" ? call.server : "";
-                    const callTool = typeof call?.tool === "string" ? call.tool : "";
-                    const response = await this.dispatch(callServer, "call", callTool, call?.params);
-                    if ("error" in response) {
-                        return {
-                            server: callServer,
-                            tool: callTool,
-                            error: {
-                                error: response.error,
-                                message: response.message,
-                                ...(response.available ? { available: response.available } : {}),
-                                ...(typeof response.code === "number" ? { code: response.code } : {})
-                            }
-                        };
+                // Throttled batch execution: max 3 concurrent calls per server
+                // to avoid overloading individual backend servers.
+                const MAX_BATCH_CONCURRENCY = 3;
+                const results = new Array(calls.length);
+                let nextIndex = 0;
+                const executeNext = async () => {
+                    while (nextIndex < calls.length) {
+                        const idx = nextIndex++;
+                        const call = calls[idx];
+                        const callServer = typeof call?.server === "string" ? call.server : "";
+                        const callTool = typeof call?.tool === "string" ? call.tool : "";
+                        const response = await this.dispatch(callServer, "call", callTool, call?.params);
+                        if ("error" in response) {
+                            results[idx] = {
+                                server: callServer,
+                                tool: callTool,
+                                error: {
+                                    error: response.error,
+                                    message: response.message,
+                                    ...(response.available ? { available: response.available } : {}),
+                                    ...(typeof response.code === "number" ? { code: response.code } : {})
+                                }
+                            };
+                        }
+                        else {
+                            results[idx] = {
+                                server: callServer,
+                                tool: callTool,
+                                result: "result" in response ? response.result : response
+                            };
+                        }
                     }
-                    return {
-                        server: callServer,
-                        tool: callTool,
-                        result: "result" in response ? response.result : response
-                    };
-                }));
+                };
+                const workers = Array.from({ length: Math.min(MAX_BATCH_CONCURRENCY, calls.length) }, () => executeNext());
+                await Promise.all(workers);
                 return { action: "batch", results };
             }
             if (normalizedAction === "list") {
@@ -431,6 +445,15 @@ export class McpRouter {
         }
         return null;
     }
+    /**
+     * Call a tool with automatic retry on transient transport errors.
+     *
+     * NOTE: Only transport-level errors (timeout, connection_error) are retried.
+     * MCP protocol errors (valid JSON-RPC responses with error fields) are NOT
+     * retried, because they typically indicate non-transient issues (unknown tool,
+     * invalid params, server-side validation failures). The retryOn config
+     * intentionally only accepts "timeout" | "connection_error" categories.
+     */
     async callToolWithRetry(server, tool, args, transport) {
         const retryPolicy = this.getRetryPolicy(server);
         let retries = 0;
@@ -543,14 +566,17 @@ export class McpRouter {
                 };
                 throw normalizedError;
             }
+            finally {
+                // Clear initPromise here (inside the async IIFE) so concurrent
+                // callers that await the same promise see it cleared atomically
+                // with the lastConnectError being set. Previously this was in the
+                // outer finally block, creating a window where a concurrent caller
+                // could bypass the cooldown check.
+                state.initPromise = undefined;
+            }
         })();
-        try {
-            await state.initPromise;
-            return state;
-        }
-        finally {
-            state.initPromise = undefined;
-        }
+        await state.initPromise;
+        return state;
     }
     async enforceMaxConcurrent(activeServer) {
         const connectedServers = [...this.states.entries()]
@@ -621,13 +647,13 @@ export class McpRouter {
             this.resultCache?.invalidate(`${serverName}:`);
         };
         if (serverConfig.transport === "sse") {
-            return new this.transportRefs.sse(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
+            return new this.transportRefs.sse(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId(), serverName);
         }
         if (serverConfig.transport === "stdio") {
             return new this.transportRefs.stdio(serverConfig, this.clientConfig, this.logger, onReconnected, () => this.nextRequestId());
         }
         if (serverConfig.transport === "streamable-http") {
-            return new this.transportRefs.streamableHttp(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
+            return new this.transportRefs.streamableHttp(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId(), serverName);
         }
         throw new Error(`Unsupported transport: ${serverConfig.transport}`);
     }

package/dist/src/oauth2-token-manager.d.ts

@@ -1,4 +1,5 @@
 import type { Logger } from "./types.js";
+import type { TokenStore } from "./token-store.js";
 export interface OAuth2Config {
     clientId: string;
     clientSecret: string;
@@ -6,14 +7,43 @@ export interface OAuth2Config {
     scopes?: string[];
     audience?: string;
 }
+export interface AuthCodeOAuth2Config {
+    grantType: "authorization_code";
+    tokenUrl: string;
+    clientId?: string;
+    clientSecret?: string;
+    scopes?: string[];
+}
+export interface DeviceCodeOAuth2Config {
+    grantType: "device_code";
+    tokenUrl: string;
+    clientId: string;
+    scopes?: string[];
+}
 export declare class OAuth2TokenManager {
     private readonly logger;
     private readonly tokenCache;
     private readonly inflight;
-    constructor(logger: Logger);
+    private readonly authCodeInflight;
+    private readonly tokenStore?;
+    constructor(logger: Logger, tokenStore?: TokenStore);
     getToken(config: OAuth2Config): Promise<string>;
     invalidate(tokenUrl: string, clientId: string): void;
     clear(): void;
+    /**
+     * Get a token for an authorization_code flow server.
+     * Checks TokenStore, refreshes if expired, throws if unavailable.
+     */
+    getTokenForAuthCode(serverName: string, config: AuthCodeOAuth2Config): Promise<string>;
+    /**
+     * Get a token for a device_code flow server.
+     * Checks TokenStore, refreshes if expired, throws if unavailable.
+     */
+    getTokenForDeviceCode(serverName: string, config: DeviceCodeOAuth2Config): Promise<string>;
+    private doDeviceCodeRefresh;
+    private refreshDeviceCodeToken;
+    private doAuthCodeRefresh;
+    private refreshAuthCodeToken;
     private makeKey;
     private fetchToken;
     private exchangeToken;

package/dist/src/oauth2-token-manager.js

@@ -4,8 +4,11 @@ export class OAuth2TokenManager {
     logger;
     tokenCache = new Map();
     inflight = new Map();
-    constructor(logger) {
+    authCodeInflight = new Map();
+    tokenStore;
+    constructor(logger, tokenStore) {
         this.logger = logger;
+        this.tokenStore = tokenStore;
     }
     async getToken(config) {
         const key = this.makeKey(config.tokenUrl, config.clientId);
@@ -38,6 +41,173 @@ export class OAuth2TokenManager {
         this.tokenCache.clear();
         this.inflight.clear();
     }
+    /**
+     * Get a token for an authorization_code flow server.
+     * Checks TokenStore, refreshes if expired, throws if unavailable.
+     */
+    async getTokenForAuthCode(serverName, config) {
+        if (!this.tokenStore) {
+            throw new Error(`Authentication required for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+        }
+        const stored = this.tokenStore.load(serverName);
+        if (!stored) {
+            const err = new Error(`Authentication required for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+            err.code = -32007;
+            throw err;
+        }
+        const now = Date.now();
+        if (stored.expiresAt > now) {
+            return stored.accessToken;
+        }
+        // Token expired — try refresh with inflight dedup to avoid
+        // concurrent requests both trying to refresh the same token
+        // (the second refresh would fail because the first invalidated the refresh_token)
+        const existingInflight = this.authCodeInflight.get(serverName);
+        if (existingInflight) {
+            return existingInflight;
+        }
+        const refreshPromise = this.doAuthCodeRefresh(serverName, stored, config);
+        this.authCodeInflight.set(serverName, refreshPromise);
+        try {
+            return await refreshPromise;
+        }
+        finally {
+            this.authCodeInflight.delete(serverName);
+        }
+    }
+    /**
+     * Get a token for a device_code flow server.
+     * Checks TokenStore, refreshes if expired, throws if unavailable.
+     */
+    async getTokenForDeviceCode(serverName, config) {
+        if (!this.tokenStore) {
+            throw new Error(`Authentication required for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+        }
+        const stored = this.tokenStore.load(serverName);
+        if (!stored) {
+            const err = new Error(`Authentication required for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+            err.code = -32007;
+            throw err;
+        }
+        const now = Date.now();
+        if (stored.expiresAt > now) {
+            return stored.accessToken;
+        }
+        // Token expired — try refresh with inflight dedup
+        const existingInflight = this.authCodeInflight.get(serverName);
+        if (existingInflight) {
+            return existingInflight;
+        }
+        const refreshPromise = this.doDeviceCodeRefresh(serverName, stored, config);
+        this.authCodeInflight.set(serverName, refreshPromise);
+        try {
+            return await refreshPromise;
+        }
+        finally {
+            this.authCodeInflight.delete(serverName);
+        }
+    }
+    async doDeviceCodeRefresh(serverName, stored, config) {
+        if (stored.refreshToken) {
+            try {
+                const refreshed = await this.refreshDeviceCodeToken(stored, config);
+                this.tokenStore.save(serverName, refreshed);
+                return refreshed.accessToken;
+            }
+            catch (err) {
+                this.logger.warn("[mcp-bridge] Device code token refresh failed:", err);
+            }
+        }
+        // Refresh failed or no refresh token
+        this.tokenStore.remove(serverName);
+        const error = new Error(`Authentication expired for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+        error.code = -32006;
+        throw error;
+    }
+    async refreshDeviceCodeToken(stored, config) {
+        const formData = new URLSearchParams();
+        formData.set("grant_type", "refresh_token");
+        formData.set("refresh_token", stored.refreshToken);
+        formData.set("client_id", config.clientId);
+        if (config.scopes?.length)
+            formData.set("scope", config.scopes.join(" "));
+        const response = await fetch(stored.tokenUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: formData.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`OAuth2 refresh token exchange failed: HTTP ${response.status}`);
+        }
+        const payload = (await response.json());
+        if (!payload.access_token) {
+            throw new Error("OAuth2 refresh response missing access_token");
+        }
+        const expiresIn = Number.isFinite(payload.expires_in)
+            ? Number(payload.expires_in)
+            : DEFAULT_EXPIRES_IN_SECONDS;
+        const expiresAt = Date.now() + Math.max(0, expiresIn - EXPIRY_BUFFER_SECONDS) * 1000;
+        return {
+            accessToken: payload.access_token,
+            refreshToken: payload.refresh_token ?? stored.refreshToken,
+            expiresAt,
+            tokenUrl: stored.tokenUrl,
+            clientId: config.clientId,
+            scopes: config.scopes,
+        };
+    }
+    async doAuthCodeRefresh(serverName, stored, config) {
+        if (stored.refreshToken) {
+            try {
+                const refreshed = await this.refreshAuthCodeToken(stored, config);
+                this.tokenStore.save(serverName, refreshed);
+                return refreshed.accessToken;
+            }
+            catch (err) {
+                this.logger.warn("[mcp-bridge] Auth code token refresh failed:", err);
+            }
+        }
+        // Refresh failed or no refresh token
+        this.tokenStore.remove(serverName);
+        const error = new Error(`Authentication expired for server "${serverName}". Run: mcp-bridge auth login ${serverName}`);
+        error.code = -32006;
+        throw error;
+    }
+    async refreshAuthCodeToken(stored, config) {
+        const formData = new URLSearchParams();
+        formData.set("grant_type", "refresh_token");
+        formData.set("refresh_token", stored.refreshToken);
+        if (config.clientId)
+            formData.set("client_id", config.clientId);
+        if (config.clientSecret)
+            formData.set("client_secret", config.clientSecret);
+        if (config.scopes?.length)
+            formData.set("scope", config.scopes.join(" "));
+        const response = await fetch(stored.tokenUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: formData.toString(),
+        });
+        if (!response.ok) {
+            throw new Error(`OAuth2 refresh token exchange failed: HTTP ${response.status}`);
+        }
+        const payload = (await response.json());
+        if (!payload.access_token) {
+            throw new Error("OAuth2 refresh response missing access_token");
+        }
+        const expiresIn = Number.isFinite(payload.expires_in)
+            ? Number(payload.expires_in)
+            : DEFAULT_EXPIRES_IN_SECONDS;
+        const expiresAt = Date.now() + Math.max(0, expiresIn - EXPIRY_BUFFER_SECONDS) * 1000;
+        return {
+            accessToken: payload.access_token,
+            refreshToken: payload.refresh_token ?? stored.refreshToken,
+            expiresAt,
+            tokenUrl: stored.tokenUrl,
+            clientId: config.clientId,
+            scopes: config.scopes,
+        };
+    }
     makeKey(tokenUrl, clientId) {
         return `${tokenUrl}::${clientId}`;
     }

package/dist/src/security.d.ts

@@ -16,6 +16,10 @@ export declare function isToolAllowed(toolName: string, serverConfig: McpServerC
 /**
  * Apply max result size truncation.
  * Returns the result as-is or a truncation wrapper.
+ *
+ * Uses JSON-aware truncation: tries to produce valid JSON by truncating
+ * at the object/array level rather than slicing raw JSON strings
+ * (which produces invalid JSON that LLMs may hallucinate around).
  */
 export declare function applyMaxResultSize(result: any, serverConfig: McpServerConfig, clientConfig: McpClientConfig): any;
 /**

package/dist/src/security.js

@@ -87,6 +87,10 @@ export function isToolAllowed(toolName, serverConfig) {
 /**
  * Apply max result size truncation.
  * Returns the result as-is or a truncation wrapper.
+ *
+ * Uses JSON-aware truncation: tries to produce valid JSON by truncating
+ * at the object/array level rather than slicing raw JSON strings
+ * (which produces invalid JSON that LLMs may hallucinate around).
  */
 export function applyMaxResultSize(result, serverConfig, clientConfig) {
     const limit = serverConfig.maxResultChars ?? clientConfig.maxResultChars;
@@ -95,12 +99,95 @@ export function applyMaxResultSize(result, serverConfig, clientConfig) {
     const serialized = JSON.stringify(result);
     if (serialized.length <= limit)
         return result;
+    // Try JSON-aware truncation: if the result is an array, take fewer elements;
+    // if it's an object with a nested array, truncate the largest array.
+    const truncated = truncateJsonAware(result, limit);
+    if (truncated !== null) {
+        return {
+            _truncated: true,
+            _originalLength: serialized.length,
+            result: truncated,
+        };
+    }
+    // Fallback: stringify and cut at a safe boundary, then wrap as a string
+    // to ensure the consumer always gets valid JSON
+    let cutPoint = Math.min(limit, serialized.length);
+    // Try to cut at the last complete JSON token boundary (comma, closing bracket, or newline)
+    const lastSafe = Math.max(serialized.lastIndexOf(",", cutPoint), serialized.lastIndexOf("}", cutPoint), serialized.lastIndexOf("]", cutPoint), serialized.lastIndexOf("\n", cutPoint));
+    if (lastSafe > cutPoint * 0.5) {
+        cutPoint = lastSafe + 1;
+    }
     return {
         _truncated: true,
         _originalLength: serialized.length,
-        result: serialized.slice(0, limit),
+        result: serialized.slice(0, cutPoint) + "…",
+        _note: "Result truncated. Original response exceeded size limit.",
     };
 }
+/**
+ * JSON-aware truncation: reduce array sizes to fit within the char limit.
+ * Returns the truncated value or null if not applicable.
+ */
+function truncateJsonAware(value, limit) {
+    if (Array.isArray(value)) {
+        return truncateArray(value, limit);
+    }
+    if (value !== null && typeof value === "object") {
+        // Find the largest array field and truncate it
+        let largestKey = null;
+        let largestLen = 0;
+        for (const [k, v] of Object.entries(value)) {
+            if (Array.isArray(v) && v.length > largestLen) {
+                largestKey = k;
+                largestLen = v.length;
+            }
+        }
+        if (largestKey && largestLen > 1) {
+            const copy = { ...value };
+            copy[largestKey] = truncateArray(value[largestKey], limit);
+            if (JSON.stringify(copy).length <= limit) {
+                return copy;
+            }
+            // Still too large — try with fewer elements
+            return truncateObjectWithArrays(value, limit);
+        }
+    }
+    return null;
+}
+function truncateArray(arr, limit) {
+    // Binary search for the number of elements that fit
+    let lo = 0;
+    let hi = arr.length;
+    while (lo < hi) {
+        const mid = (lo + hi + 1) >>> 1;
+        const slice = arr.slice(0, mid);
+        if (JSON.stringify(slice).length <= limit) {
+            lo = mid;
+        }
+        else {
+            hi = mid - 1;
+        }
+    }
+    return arr.slice(0, Math.max(1, lo));
+}
+function truncateObjectWithArrays(obj, limit) {
+    const copy = { ...obj };
+    // Progressively halve all arrays until it fits
+    for (let attempt = 0; attempt < 10; attempt++) {
+        let changed = false;
+        for (const [k, v] of Object.entries(copy)) {
+            if (Array.isArray(v) && v.length > 1) {
+                copy[k] = v.slice(0, Math.max(1, Math.ceil(v.length / 2)));
+                changed = true;
+            }
+        }
+        if (JSON.stringify(copy).length <= limit)
+            return copy;
+        if (!changed)
+            break;
+    }
+    return null;
+}
 /**
  * Apply trust level wrapping/sanitization.
  */

package/dist/src/standalone-server.js

@@ -6,6 +6,7 @@ import { SseTransport } from "./transport-sse.js";
 import { StdioTransport } from "./transport-stdio.js";
 import { StreamableHttpTransport } from "./transport-streamable-http.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
+import { FileTokenStore } from "./token-store.js";
 /**
  * Standalone MCP server that wraps the router.
  * Implements the MCP protocol (initialize, tools/list, tools/call)
@@ -25,7 +26,7 @@ export class StandaloneServer {
     constructor(config, logger) {
         this.config = config;
         this.logger = logger;
-        this.tokenManager = new OAuth2TokenManager(logger);
+        this.tokenManager = new OAuth2TokenManager(logger, new FileTokenStore());
         if (this.isRouterMode()) {
             this.router = new McpRouter(config.servers || {}, config, logger);
         }
@@ -408,11 +409,11 @@ export class StandaloneServer {
         };
         switch (serverConfig.transport) {
             case "sse":
-                return new SseTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
+                return new SseTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId(), serverName);
             case "stdio":
                 return new StdioTransport(serverConfig, this.config, this.logger, onReconnected, () => this.nextRequestId());
             case "streamable-http":
-                return new StreamableHttpTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
+                return new StreamableHttpTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId(), serverName);
             default:
                 throw new Error(`Unsupported transport: ${serverConfig.transport}`);
         }

package/dist/src/token-store.d.ts

@@ -0,0 +1,30 @@
+export interface StoredToken {
+    accessToken: string;
+    refreshToken?: string;
+    expiresAt: number;
+    tokenUrl: string;
+    clientId?: string;
+    scopes?: string[];
+}
+export interface TokenStore {
+    load(serverName: string): StoredToken | null;
+    save(serverName: string, token: StoredToken): void;
+    remove(serverName: string): void;
+    list(): {
+        serverName: string;
+        token: StoredToken;
+    }[];
+}
+export declare class FileTokenStore implements TokenStore {
+    private readonly tokensDir;
+    constructor(tokensDir?: string);
+    load(serverName: string): StoredToken | null;
+    save(serverName: string, token: StoredToken): void;
+    remove(serverName: string): void;
+    list(): {
+        serverName: string;
+        token: StoredToken;
+    }[];
+    private tokenPath;
+    private ensureDir;
+}

package/dist/src/token-store.js

@@ -0,0 +1,69 @@
+import { readFileSync, writeFileSync, unlinkSync, readdirSync, existsSync, mkdirSync, chmodSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+const DEFAULT_TOKENS_DIR = join(homedir(), ".mcp-bridge", "tokens");
+export class FileTokenStore {
+    tokensDir;
+    constructor(tokensDir) {
+        this.tokensDir = tokensDir ?? DEFAULT_TOKENS_DIR;
+    }
+    load(serverName) {
+        const filePath = this.tokenPath(serverName);
+        if (!existsSync(filePath))
+            return null;
+        try {
+            const raw = JSON.parse(readFileSync(filePath, "utf-8"));
+            if (!raw.accessToken || !raw.tokenUrl || typeof raw.expiresAt !== "number") {
+                return null;
+            }
+            return raw;
+        }
+        catch {
+            return null;
+        }
+    }
+    save(serverName, token) {
+        this.ensureDir();
+        const filePath = this.tokenPath(serverName);
+        writeFileSync(filePath, JSON.stringify(token, null, 2) + "\n", "utf-8");
+        try {
+            chmodSync(filePath, 0o600);
+        }
+        catch { /* Windows doesn't support chmod */ }
+    }
+    remove(serverName) {
+        const filePath = this.tokenPath(serverName);
+        if (existsSync(filePath)) {
+            unlinkSync(filePath);
+        }
+    }
+    list() {
+        if (!existsSync(this.tokensDir))
+            return [];
+        const results = [];
+        for (const file of readdirSync(this.tokensDir)) {
+            if (!file.endsWith(".json"))
+                continue;
+            const serverName = file.slice(0, -5);
+            const token = this.load(serverName);
+            if (token) {
+                results.push({ serverName, token });
+            }
+        }
+        return results;
+    }
+    tokenPath(serverName) {
+        // Sanitize server name to prevent path traversal
+        const safe = serverName.replace(/[^a-zA-Z0-9_-]/g, "_");
+        return join(this.tokensDir, `${safe}.json`);
+    }
+    ensureDir() {
+        if (!existsSync(this.tokensDir)) {
+            mkdirSync(this.tokensDir, { recursive: true });
+            try {
+                chmodSync(this.tokensDir, 0o700);
+            }
+            catch { /* Windows */ }
+        }
+    }
+}

package/dist/src/transport-base.d.ts

@@ -1,5 +1,5 @@
 import { McpTransport, McpRequest, McpResponse, McpServerConfig, McpClientConfig, Logger, JsonRpcMessage, RequestIdGenerator } from "./types.js";
-import type { OAuth2Config, OAuth2TokenManager } from "./oauth2-token-manager.js";
+import type { OAuth2Config, AuthCodeOAuth2Config, DeviceCodeOAuth2Config, OAuth2TokenManager } from "./oauth2-token-manager.js";
 export type PendingRequest = {
     resolve: (value: McpResponse) => void;
     reject: (reason: Error) => void;
@@ -78,13 +78,25 @@ export declare function resolveArgs(args: string[], extraEnv?: Record<string, st
  * Resolve auth config into HTTP headers.
  */
 export declare function resolveAuthHeaders(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Record<string, string>;
+/** Check whether an oauth2 auth config uses the authorization_code grant type. */
+export declare function isAuthCodeOAuth2(auth: {
+    type: "oauth2";
+    grantType?: string;
+}): boolean;
+/** Check whether an oauth2 auth config uses the device_code grant type. */
+export declare function isDeviceCodeOAuth2(auth: {
+    type: "oauth2";
+    grantType?: string;
+}): boolean;
 export declare function resolveOAuth2Config(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): OAuth2Config;
-export declare function resolveAuthHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Promise<Record<string, string>>;
+export declare function resolveAuthCodeOAuth2Config(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): AuthCodeOAuth2Config;
+export declare function resolveDeviceCodeOAuth2Config(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): DeviceCodeOAuth2Config;
+export declare function resolveAuthHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>, serverName?: string): Promise<Record<string, string>>;
 /**
  * Resolve server headers and merge auth headers (auth takes precedence).
  */
 export declare function resolveServerHeaders(config: McpServerConfig, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Record<string, string>;
-export declare function resolveServerHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>): Promise<Record<string, string>>;
+export declare function resolveServerHeadersAsync(config: McpServerConfig, tokenManager: OAuth2TokenManager, extraEnv?: Record<string, string | undefined>, envFallback?: () => Record<string, string>, serverName?: string): Promise<Record<string, string>>;
 /**
  * Warn if a URL uses non-TLS HTTP to a remote (non-localhost) host.
  */