@loop_ouroboros/mcp-hub-lite 1.2.6 → 1.2.8

package/dist/server/src/services/connection/connection-manager.js

@@ -1,5 +1,7 @@
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { TransportFactory } from '../../utils/transports/transport-factory.js';
+import { UnauthorizedError, auth } from '@modelcontextprotocol/sdk/client/auth.js';
+import { StreamableHttpTransport } from '../../utils/transports/streamable-http-transport.js';
 import { logger, LOG_MODULES, formatMcpMessageForLogging, logNotificationMessage } from '../../utils/logger.js';
 import { getAppVersion } from '../../utils/version.js';
 import { getMcpCommDebugSetting } from '../../utils/json-utils.js';
@@ -98,6 +100,10 @@ export class McpConnectionManager {
         const serverId = server.id || 'unknown';
         const compositeKey = getCompositeKey(serverName, serverIndex);
         const { maxRetries, baseRetryDelay } = this.getRetryConfig();
+        // Create OAuth provider once per-connect (shared across retries)
+        const isStreamableHttp = server.type === 'streamable-http' || server.type === 'http';
+        let oauthProvider = null;
+        let oauthStarted = false;
         // Retry loop for connection attempts
         let lastError;
         for (let attempt = 1; attempt <= maxRetries; attempt++) {
@@ -111,7 +117,21 @@ export class McpConnectionManager {
                 // 4. Get server info
                 const serverInfo = this.getServerInfo(serverId);
                 // 5. Create transport and set up callbacks
-                const { transport, pid } = this.initializeTransport(server, serverInfo, compositeKey, serverName, serverIndex);
+                const { transport, pid } = this.initializeTransport(server, serverInfo, compositeKey, serverName, serverIndex, oauthProvider ?? undefined);
+                // Capture OAuth provider from the transport (reuse across retries)
+                if (!oauthProvider && transport instanceof StreamableHttpTransport) {
+                    const provider = transport.getOAuthProvider();
+                    if (provider) {
+                        oauthProvider =
+                            provider;
+                    }
+                }
+                // Start OAuth callback server once before connecting
+                if (oauthProvider && !oauthStarted) {
+                    await oauthProvider.startCallbackServer();
+                    oauthStarted = true;
+                    logger.info(`OAuth callback server started for [${compositeKey}]`, LOG_MODULES.CONNECTION_MANAGER);
+                }
                 // 6. Establish client connection
                 const client = await this.establishClientConnection(transport);
                 // 7. Register connection
@@ -122,12 +142,30 @@ export class McpConnectionManager {
                 this.publishConnectionEvents(serverName, serverIndex);
                 // 10. Refresh resources
                 await this.refreshServerResources(serverName, serverIndex, server.type);
+                // 11. Request log notifications from downstream server
+                await this.requestLoggingFromServer(compositeKey, client, server.type);
                 return true;
             }
             catch (error) {
+                // Handle OAuth flow for Streamable HTTP servers (only on first attempt)
+                if (isStreamableHttp &&
+                    oauthProvider &&
+                    error instanceof UnauthorizedError &&
+                    attempt === 1) {
+                    logger.info(`OAuth required for server [${compositeKey}], waiting for browser auth...`, LOG_MODULES.CONNECTION_MANAGER);
+                    const oauthHandled = await this.handleOAuthFlow(oauthProvider, server.url || '', compositeKey);
+                    if (oauthHandled) {
+                        logger.info(`OAuth flow completed for [${compositeKey}], retrying connection...`, LOG_MODULES.CONNECTION_MANAGER);
+                        continue; // Retry connection — authProvider now has tokens
+                    }
+                }
                 lastError = await this.handleConnectionError(error, compositeKey, attempt, maxRetries, baseRetryDelay);
             }
         }
+        // Clean up callback server
+        if (oauthProvider) {
+            await oauthProvider.stopCallbackServer();
+        }
         // All retries failed
         this.handleFinalFailure(compositeKey, serverName, serverIndex, lastError);
         return false;
@@ -186,7 +224,7 @@ export class McpConnectionManager {
     /**
      * Creates transport and sets up all callbacks.
      */
-    initializeTransport(server, serverInfo, compositeKey, serverName, serverIndex) {
+    initializeTransport(server, serverInfo, compositeKey, serverName, serverIndex, authProvider) {
         const readyPatterns = server.type === 'stdio' ? (serverInfo.config.template.readyPatterns ?? []) : undefined;
         const readyTimeout = configManager.getConfig().system.startup?.readyTimeout ?? 120000;
         const transport = TransportFactory.createTransport({
@@ -194,7 +232,8 @@ export class McpConnectionManager {
             name: serverName
         }, compositeKey, {
             readyPatterns,
-            readyTimeout
+            readyTimeout,
+            authProvider
         });
         // Set up message handler for notifications/message
         transport.onmessage = (message) => {
@@ -357,6 +396,76 @@ export class McpConnectionManager {
             resources
         });
     }
+    /**
+     * Sends logging/setLevel request to downstream server to start receiving log notifications.
+     * This is a best-effort request — servers that don't support logging will silently ignore it.
+     */
+    async requestLoggingFromServer(compositeKey, client, serverType) {
+        // SSE is unidirectional — cannot send requests to the server
+        if (serverType === 'sse')
+            return;
+        try {
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            await client.request({ method: 'logging/setLevel', params: { level: 'info' } }, { timeout: 5000 });
+            logger.info(`Sent logging/setLevel to server [${compositeKey}]`, LOG_MODULES.CONNECTION_MANAGER);
+        }
+        catch {
+            // Server may not support logging — not an error condition
+            logger.debug(`Server [${compositeKey}] does not support logging/setLevel`, LOG_MODULES.CONNECTION_MANAGER);
+        }
+    }
+    /**
+     * Handles the OAuth authorization flow for Streamable HTTP servers.
+     * Starts a local callback server, waits for the user to complete auth in the browser,
+     * then finishes the auth on the transport.
+     *
+     * @returns true if OAuth was handled successfully, false otherwise
+     */
+    async handleOAuthFlow(provider, serverUrl, compositeKey) {
+        try {
+            const callbackServer = provider.getCallbackServer();
+            if (!callbackServer) {
+                logger.warn(`No callback server for [${compositeKey}]`, LOG_MODULES.CONNECTION_MANAGER);
+                return false;
+            }
+            // SDK has already called redirectToAuthorization via authProvider
+            // Wait for the auth code from the callback server
+            const authCode = await new Promise((resolve, reject) => {
+                const timeout = setTimeout(() => {
+                    callbackServer.removeAllListeners('auth-code-received');
+                    resolve(null);
+                }, 5 * 60 * 1000);
+                callbackServer.once('auth-code-received', (code) => {
+                    clearTimeout(timeout);
+                    resolve(code);
+                });
+                callbackServer.once('error', (err) => {
+                    clearTimeout(timeout);
+                    reject(err);
+                });
+            });
+            if (!authCode) {
+                logger.warn(`OAuth flow timed out for server [${compositeKey}]`, LOG_MODULES.CONNECTION_MANAGER);
+                return false;
+            }
+            // Exchange the authorization code for tokens via SDK
+            logger.info(`Exchanging OAuth code for tokens for [${compositeKey}]...`, LOG_MODULES.CONNECTION_MANAGER);
+            const result = await auth(provider, {
+                serverUrl,
+                authorizationCode: authCode
+            });
+            if (result === 'AUTHORIZED') {
+                logger.info(`OAuth token exchange succeeded for [${compositeKey}]`, LOG_MODULES.CONNECTION_MANAGER);
+                return true;
+            }
+            logger.warn(`OAuth token exchange returned ${result} for [${compositeKey}]`, LOG_MODULES.CONNECTION_MANAGER);
+            return false;
+        }
+        catch (error) {
+            logger.error(`OAuth flow error for server [${compositeKey}]: ${error instanceof Error ? error.message : String(error)}`, LOG_MODULES.CONNECTION_MANAGER);
+            return false;
+        }
+    }
     /**
      * Handles connection error with logging and retry delay.
      */
@@ -375,10 +484,18 @@ export class McpConnectionManager {
      */
     handleFinalFailure(compositeKey, serverName, serverIndex, lastError) {
         const errorMessage = lastError?.message || 'Connection failed after all retries';
+        // Fetch recent error logs (stderr) to help diagnose startup failures
+        const recentErrorLogs = logStorage.getLogs(compositeKey, { level: 'error', limit: 10 });
+        const logDetail = recentErrorLogs.length > 0
+            ? '\n\n--- Recent stderr output ---\n' + recentErrorLogs.map((l) => l.message).join('\n')
+            : '';
+        // Write connection error to logStorage so it appears in the log viewer
+        // This ensures errors from all transport types (stdio, streamable-http, sse) are visible
+        logStorage.append(compositeKey, 'error', `[CONNECTION] ${errorMessage}`);
         logger.error(`Failed to connect to server ${compositeKey} after retries:`, lastError, LOG_MODULES.CONNECTION_MANAGER);
         this.serverStatus.set(compositeKey, {
             connected: false,
-            error: errorMessage,
+            error: errorMessage + logDetail,
             lastCheck: Date.now(),
             toolsCount: 0,
             resourcesCount: 0
@@ -387,7 +504,7 @@ export class McpConnectionManager {
             serverName,
             serverIndex,
             status: 'error',
-            error: errorMessage,
+            error: errorMessage + logDetail,
             timestamp: Date.now()
         });
     }

package/dist/server/src/services/event-bus.service.d.ts

@@ -159,11 +159,7 @@ export declare const EventTypes: {
     readonly TOOL_CALL_ERROR: "tool-call-error";
     readonly RESOURCES_UPDATED: "resources";
     readonly LOG_ENTRY: "log";
-    readonly LOGS_CLEARED: "logs-cleared";
-    readonly SYSTEM_HEALTH: "system-health";
     readonly CONFIGURATION_UPDATED: "configuration-updated";
-    readonly CLIENT_CONNECTED: "client-connected";
-    readonly CLIENT_DISCONNECTED: "client-disconnected";
 };
 export declare const eventBus: EventBusService;
 //# sourceMappingURL=event-bus.service.d.ts.map

package/dist/server/src/services/event-bus.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"event-bus.service.d.ts","sourceRoot":"","sources":["../../../../src/services/event-bus.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAExD;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;CACjB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,SAAS,CAAqD;IAEtE;;;;;;;;;;;;;;;;OAgBG;IACH,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,IAAI;IAajD;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,GAAG,MAAM,IAAI;IAU7E;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,WAAW;IAWnB;;;;;;;;;;;;;;OAcG;IACH,cAAc,IAAI,IAAI;IAItB;;;;;;;;;;;;;;OAcG;IACH,aAAa,IAAI,MAAM,EAAE;IAIzB;;;;;;;;;;;;;;;OAeG;IACH,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;CAI5C;AAGD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;;;;;CAkCb,CAAC;AAGX,eAAO,MAAM,QAAQ,iBAAwB,CAAC"}
+{"version":3,"file":"event-bus.service.d.ts","sourceRoot":"","sources":["../../../../src/services/event-bus.service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAExD;;;;;;GAMG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,CAAC;CACjB;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,SAAS,CAAqD;IAEtE;;;;;;;;;;;;;;;;OAgBG;IACH,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,IAAI;IAajD;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,IAAI,EAAE,SAAS,KAAK,IAAI,GAAG,MAAM,IAAI;IAU7E;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,WAAW;IAWnB;;;;;;;;;;;;;;OAcG;IACH,cAAc,IAAI,IAAI;IAItB;;;;;;;;;;;;;;OAcG;IACH,aAAa,IAAI,MAAM,EAAE;IAIzB;;;;;;;;;;;;;;;OAeG;IACH,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;CAI5C;AAGD,eAAO,MAAM,UAAU;;;;;;;;;;;;;;;;;CA4Bb,CAAC;AAGX,eAAO,MAAM,QAAQ,iBAAwB,CAAC"}

package/dist/server/src/services/event-bus.service.js

@@ -188,13 +188,8 @@ export const EventTypes = {
     RESOURCES_UPDATED: 'resources',
     // Log related events
     LOG_ENTRY: 'log',
-    LOGS_CLEARED: 'logs-cleared',
     // System related events
-    SYSTEM_HEALTH: 'system-health',
-    CONFIGURATION_UPDATED: 'configuration-updated',
-    // Client related events
-    CLIENT_CONNECTED: 'client-connected',
-    CLIENT_DISCONNECTED: 'client-disconnected'
+    CONFIGURATION_UPDATED: 'configuration-updated'
 };
 // Create global event bus instance
 export const eventBus = new EventBusService();

package/dist/server/src/services/gateway/request-handlers/initialize-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"initialize-handler.d.ts","sourceRoot":"","sources":["../../../../../../src/services/gateway/request-handlers/initialize-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAYpE;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAqElE"}
+{"version":3,"file":"initialize-handler.d.ts","sourceRoot":"","sources":["../../../../../../src/services/gateway/request-handlers/initialize-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAYpE;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CAsElE"}

package/dist/server/src/services/gateway/request-handlers/initialize-handler.js

@@ -36,6 +36,7 @@ export function registerInitializeHandlers(server) {
                     list: true,
                     read: true
                 },
+                logging: {},
                 experimental: {}
             }
         };

package/dist/server/src/services/mcp-oauth/index.d.ts

@@ -0,0 +1,5 @@
+export { McpOAuthClientProvider } from './oauth-provider.js';
+export { OAuthCallbackServer } from './oauth-callback-server.js';
+export { OAuthTokenStorage } from './oauth-token-storage.js';
+export type { McpOAuthConfig, McpOAuthProviderOptions } from './oauth-types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/src/services/mcp-oauth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/services/mcp-oauth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,YAAY,EAAE,cAAc,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/server/src/services/mcp-oauth/index.js

@@ -0,0 +1,3 @@
+export { McpOAuthClientProvider } from './oauth-provider.js';
+export { OAuthCallbackServer } from './oauth-callback-server.js';
+export { OAuthTokenStorage } from './oauth-token-storage.js';

package/dist/server/src/services/mcp-oauth/oauth-callback-server.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Local HTTP server for OAuth callback handling.
+ *
+ * Listens on 127.0.0.1 with a dynamic port, captures the authorization code
+ * from the OAuth redirect, displays a success page to the user, and emits
+ * the code via EventEmitter. Auto-closes after 5 minutes of inactivity.
+ */
+import { EventEmitter } from 'node:events';
+export declare class OAuthCallbackServer extends EventEmitter {
+    private server;
+    private port;
+    private timeout;
+    constructor(port?: number);
+    get callbackUrl(): string;
+    get redirectUrl(): string;
+    start(): Promise<void>;
+    stop(): Promise<void>;
+}
+//# sourceMappingURL=oauth-callback-server.d.ts.map

package/dist/server/src/services/mcp-oauth/oauth-callback-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-callback-server.d.ts","sourceRoot":"","sources":["../../../../../src/services/mcp-oauth/oauth-callback-server.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA2B3C,qBAAa,mBAAoB,SAAQ,YAAY;IACnD,OAAO,CAAC,MAAM,CAA4B;IAC1C,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,OAAO,CAA+B;gBAElC,IAAI,GAAE,MAAU;IAK5B,IAAI,WAAW,IAAI,MAAM,CAExB;IAED,IAAI,WAAW,IAAI,MAAM,CAExB;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IA6CtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;CAkB5B"}

package/dist/server/src/services/mcp-oauth/oauth-callback-server.js

@@ -0,0 +1,100 @@
+/**
+ * Local HTTP server for OAuth callback handling.
+ *
+ * Listens on 127.0.0.1 with a dynamic port, captures the authorization code
+ * from the OAuth redirect, displays a success page to the user, and emits
+ * the code via EventEmitter. Auto-closes after 5 minutes of inactivity.
+ */
+import http from 'node:http';
+import { EventEmitter } from 'node:events';
+import { logger, LOG_MODULES } from '../../utils/logger/index.js';
+const CALLBACK_PATH = '/oauth/callback';
+const CALLBACK_TIMEOUT = 5 * 60 * 1000; // 5 minutes
+const SUCCESS_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Authentication Successful</title>
+  <style>
+    body { font-family: system-ui, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #f5f5f5; }
+    .card { background: white; padding: 2rem; border-radius: 8px; box-shadow: 0 2px 8px rgba(0,0,0,0.1); text-align: center; max-width: 400px; }
+    h1 { color: #22c55e; margin: 0 0 0.5rem; }
+    p { color: #666; margin: 0; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Authentication Successful</h1>
+    <p>You can close this page and return to MCP Hub Lite.</p>
+  </div>
+</body>
+</html>`;
+export class OAuthCallbackServer extends EventEmitter {
+    server = null;
+    port;
+    timeout = null;
+    constructor(port = 0) {
+        super();
+        this.port = port;
+    }
+    get callbackUrl() {
+        return `http://127.0.0.1:${this.port}${CALLBACK_PATH}`;
+    }
+    get redirectUrl() {
+        return this.callbackUrl;
+    }
+    async start() {
+        return new Promise((resolve, reject) => {
+            this.server = http.createServer((req, res) => {
+                if (!req.url)
+                    return;
+                const url = new URL(req.url, `http://127.0.0.1:${this.port}`);
+                if (url.pathname === CALLBACK_PATH) {
+                    const code = url.searchParams.get('code');
+                    if (code) {
+                        logger.info('OAuth callback received authorization code', LOG_MODULES.dynamic('oauth'));
+                        this.emit('auth-code-received', code);
+                    }
+                    res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+                    res.end(SUCCESS_HTML);
+                }
+                else {
+                    res.writeHead(404);
+                    res.end('Not found');
+                }
+            });
+            this.server.on('error', (err) => {
+                logger.error(`OAuth callback server error: ${err.message}`, LOG_MODULES.dynamic('oauth'));
+                reject(err);
+            });
+            this.server.listen(this.port, '127.0.0.1', () => {
+                const addr = this.server.address();
+                if (addr && typeof addr === 'object') {
+                    this.port = addr.port;
+                }
+                logger.info(`OAuth callback server started on ${this.callbackUrl}`, LOG_MODULES.dynamic('oauth'));
+                this.timeout = setTimeout(() => this.stop(), CALLBACK_TIMEOUT);
+                resolve();
+            });
+        });
+    }
+    async stop() {
+        if (this.timeout) {
+            clearTimeout(this.timeout);
+            this.timeout = null;
+        }
+        return new Promise((resolve) => {
+            if (this.server) {
+                this.server.close(() => {
+                    logger.info('OAuth callback server stopped', LOG_MODULES.dynamic('oauth'));
+                    this.server = null;
+                    resolve();
+                });
+            }
+            else {
+                resolve();
+            }
+        });
+    }
+}

package/dist/server/src/services/mcp-oauth/oauth-provider.d.ts

@@ -0,0 +1,42 @@
+/**
+ * MCP OAuth Client Provider implementing the SDK's OAuthClientProvider interface.
+ *
+ * Handles the full OAuth 2.0 authorization code flow with PKCE for MCP servers:
+ * - Persists tokens and client info to JSON files
+ * - Opens system browser for user authorization
+ * - Manages a local HTTP callback server for auth code capture
+ * - Supports token refresh and credential invalidation
+ */
+import type { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
+import type { OAuthClientInformationMixed, OAuthTokens, OAuthClientMetadata } from '@modelcontextprotocol/sdk/shared/auth.js';
+import { OAuthCallbackServer } from './oauth-callback-server.js';
+import type { McpOAuthProviderOptions } from './oauth-types.js';
+export declare class McpOAuthClientProvider implements OAuthClientProvider {
+    private _callbackServer;
+    private storage;
+    private _configDir;
+    private _callbackPort;
+    private _serverUrlHash;
+    constructor(options: McpOAuthProviderOptions);
+    get redirectUrl(): string;
+    get clientMetadata(): OAuthClientMetadata;
+    clientInformation(): OAuthClientInformationMixed | undefined;
+    saveClientInformation(info: OAuthClientInformationMixed): void;
+    tokens(): OAuthTokens | undefined;
+    saveTokens(tokens: OAuthTokens): void;
+    redirectToAuthorization(authorizationUrl: URL): Promise<void>;
+    saveCodeVerifier(codeVerifier: string): void;
+    codeVerifier(): string;
+    invalidateCredentials(scope: 'all' | 'client' | 'tokens' | 'verifier' | 'discovery'): Promise<void>;
+    /**
+     * Starts the local callback server for auth code capture.
+     * Idempotent — returns existing server if already running.
+     */
+    startCallbackServer(): Promise<OAuthCallbackServer>;
+    /**
+     * Stops the callback server after auth flow completes.
+     */
+    stopCallbackServer(): Promise<void>;
+    getCallbackServer(): OAuthCallbackServer | null;
+}
+//# sourceMappingURL=oauth-provider.d.ts.map

package/dist/server/src/services/mcp-oauth/oauth-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-provider.d.ts","sourceRoot":"","sources":["../../../../../src/services/mcp-oauth/oauth-provider.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AACpF,OAAO,KAAK,EACV,2BAA2B,EAC3B,WAAW,EACX,mBAAmB,EACpB,MAAM,0CAA0C,CAAC;AAElD,OAAO,EAAE,mBAAmB,EAAE,MAAM,4BAA4B,CAAC;AACjE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAMhE,qBAAa,sBAAuB,YAAW,mBAAmB;IAChE,OAAO,CAAC,eAAe,CAAoC;IAC3D,OAAO,CAAC,OAAO,CAAoB;IACnC,OAAO,CAAC,UAAU,CAAS;IAC3B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,cAAc,CAAS;gBAEnB,OAAO,EAAE,uBAAuB;IAO5C,IAAI,WAAW,IAAI,MAAM,CAGxB;IAED,IAAI,cAAc,IAAI,mBAAmB,CAQxC;IAED,iBAAiB,IAAI,2BAA2B,GAAG,SAAS;IAI5D,qBAAqB,CAAC,IAAI,EAAE,2BAA2B,GAAG,IAAI;IAI9D,MAAM,IAAI,WAAW,GAAG,SAAS;IAIjC,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAI/B,uBAAuB,CAAC,gBAAgB,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC;IA4BnE,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,IAAI;IAI5C,YAAY,IAAI,MAAM;IAIhB,qBAAqB,CACzB,KAAK,EAAE,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,WAAW,GAC5D,OAAO,CAAC,IAAI,CAAC;IAKhB;;;OAGG;IACG,mBAAmB,IAAI,OAAO,CAAC,mBAAmB,CAAC;IASzD;;OAEG;IACG,kBAAkB,IAAI,OAAO,CAAC,IAAI,CAAC;IAOzC,iBAAiB,IAAI,mBAAmB,GAAG,IAAI;CAGhD"}

package/dist/server/src/services/mcp-oauth/oauth-provider.js

@@ -0,0 +1,121 @@
+/**
+ * MCP OAuth Client Provider implementing the SDK's OAuthClientProvider interface.
+ *
+ * Handles the full OAuth 2.0 authorization code flow with PKCE for MCP servers:
+ * - Persists tokens and client info to JSON files
+ * - Opens system browser for user authorization
+ * - Manages a local HTTP callback server for auth code capture
+ * - Supports token refresh and credential invalidation
+ */
+import { exec } from 'node:child_process';
+import { promisify } from 'node:util';
+import path from 'node:path';
+import os from 'node:os';
+import { OAuthTokenStorage } from './oauth-token-storage.js';
+import { OAuthCallbackServer } from './oauth-callback-server.js';
+const execAsync = promisify(exec);
+const DEFAULT_CONFIG_DIR = path.join(os.homedir(), '.mcp-hub-lite', 'oauth');
+export class McpOAuthClientProvider {
+    _callbackServer = null;
+    storage;
+    _configDir;
+    _callbackPort;
+    _serverUrlHash;
+    constructor(options) {
+        this._serverUrlHash = options.serverUrlHash;
+        this._configDir = options.configDir || DEFAULT_CONFIG_DIR;
+        this._callbackPort = options.callbackPort || 0;
+        this.storage = new OAuthTokenStorage(this._configDir, this._serverUrlHash);
+    }
+    get redirectUrl() {
+        if (!this._callbackServer)
+            return '';
+        return this._callbackServer.redirectUrl;
+    }
+    get clientMetadata() {
+        return {
+            redirect_uris: [this.redirectUrl],
+            token_endpoint_auth_method: 'none',
+            grant_types: ['authorization_code', 'refresh_token'],
+            response_types: ['code'],
+            client_name: 'MCP Hub Lite'
+        };
+    }
+    clientInformation() {
+        return this.storage.getClientInfo();
+    }
+    saveClientInformation(info) {
+        this.storage.saveClientInfo(info);
+    }
+    tokens() {
+        return this.storage.getTokens();
+    }
+    saveTokens(tokens) {
+        this.storage.saveTokens(tokens);
+    }
+    async redirectToAuthorization(authorizationUrl) {
+        const urlStr = authorizationUrl.toString();
+        const platform = process.platform;
+        let command;
+        if (platform === 'win32') {
+            command = `start "" "${urlStr}"`;
+        }
+        else if (platform === 'darwin') {
+            command = `open "${urlStr}"`;
+        }
+        else {
+            command = `xdg-open "${urlStr}"`;
+        }
+        try {
+            await execAsync(command);
+        }
+        catch {
+            // Fallback: spawn detached
+            const { spawn } = await import('node:child_process');
+            if (platform === 'win32') {
+                spawn('cmd', ['/c', 'start', '', urlStr], { detached: true, stdio: 'ignore' }).unref();
+            }
+            else if (platform === 'darwin') {
+                spawn('open', [urlStr], { detached: true, stdio: 'ignore' }).unref();
+            }
+            else {
+                spawn('xdg-open', [urlStr], { detached: true, stdio: 'ignore' }).unref();
+            }
+        }
+    }
+    saveCodeVerifier(codeVerifier) {
+        this.storage.saveCodeVerifier(codeVerifier);
+    }
+    codeVerifier() {
+        return this.storage.getCodeVerifier() || '';
+    }
+    async invalidateCredentials(scope) {
+        if (scope === 'discovery')
+            return; // Not persisted
+        this.storage.clear(scope);
+    }
+    /**
+     * Starts the local callback server for auth code capture.
+     * Idempotent — returns existing server if already running.
+     */
+    async startCallbackServer() {
+        if (this._callbackServer) {
+            return this._callbackServer;
+        }
+        this._callbackServer = new OAuthCallbackServer(this._callbackPort);
+        await this._callbackServer.start();
+        return this._callbackServer;
+    }
+    /**
+     * Stops the callback server after auth flow completes.
+     */
+    async stopCallbackServer() {
+        if (this._callbackServer) {
+            await this._callbackServer.stop();
+            this._callbackServer = null;
+        }
+    }
+    getCallbackServer() {
+        return this._callbackServer;
+    }
+}

package/dist/server/src/services/mcp-oauth/oauth-token-storage.d.ts

@@ -0,0 +1,23 @@
+/**
+ * JSON file-based OAuth token persistence.
+ *
+ * Stores OAuth credentials (client info, tokens, code verifier) as JSON files
+ * in the config directory. Uses atomic writes (tmp + rename) to prevent corruption.
+ */
+import type { OAuthClientInformationMixed, OAuthTokens } from './oauth-types.js';
+export declare class OAuthTokenStorage {
+    private cache;
+    private filePath;
+    constructor(configDir: string, serverUrlHash: string);
+    private ensureDir;
+    private loadFromFile;
+    private saveToFile;
+    getClientInfo(): OAuthClientInformationMixed | undefined;
+    saveClientInfo(info: OAuthClientInformationMixed): void;
+    getTokens(): OAuthTokens | undefined;
+    saveTokens(tokens: OAuthTokens): void;
+    getCodeVerifier(): string | undefined;
+    saveCodeVerifier(verifier: string): void;
+    clear(scope: 'all' | 'client' | 'tokens' | 'verifier'): void;
+}
+//# sourceMappingURL=oauth-token-storage.d.ts.map

package/dist/server/src/services/mcp-oauth/oauth-token-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-token-storage.d.ts","sourceRoot":"","sources":["../../../../../src/services/mcp-oauth/oauth-token-storage.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,OAAO,KAAK,EACV,2BAA2B,EAC3B,WAAW,EAEZ,MAAM,kBAAkB,CAAC;AAE1B,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,KAAK,CAA4B;IACzC,OAAO,CAAC,QAAQ,CAAS;gBAEb,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM;IAIpD,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,YAAY;IAepB,OAAO,CAAC,UAAU;IAclB,aAAa,IAAI,2BAA2B,GAAG,SAAS;IAOxD,cAAc,CAAC,IAAI,EAAE,2BAA2B,GAAG,IAAI;IAKvD,SAAS,IAAI,WAAW,GAAG,SAAS;IAOpC,UAAU,CAAC,MAAM,EAAE,WAAW,GAAG,IAAI;IAKrC,eAAe,IAAI,MAAM,GAAG,SAAS;IAOrC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAKxC,KAAK,CAAC,KAAK,EAAE,KAAK,GAAG,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,IAAI;CAiB7D"}