@mcp-ts/sdk 1.5.0 → 1.5.1

package/src/server/mcp/oauth-client.ts

@@ -500,16 +500,10 @@ export class MCPClient {
       this.emitStateChange('CONNECTED');
       this.emitProgress('Connected successfully');
 
-      // Promote short-lived OAuth-pending session TTL to long-lived active TTL once.
-      // Also persist when transport negotiation changed the effective transport.
-      const existingSession = await storage.getSession(this.identity, this.sessionId);
-      const needsTransportUpdate = !existingSession || existingSession.transportType !== this.transportType;
-      const needsTtlPromotion = !existingSession || existingSession.active !== true;
-
-      if (needsTransportUpdate || needsTtlPromotion) {
-        console.log(`[MCPClient] Saving session ${this.sessionId} with 12hr TTL (connect success)`);
-        await this.saveSession(SESSION_TTL_SECONDS, true);
-      }
+      // Refresh session metadata on every successful connect so active sessions
+      // record ongoing usage and don't look dormant to storage cleanup jobs.
+      console.log(`[MCPClient] Saving session ${this.sessionId} with 12hr TTL (connect success)`);
+      await this.saveSession(SESSION_TTL_SECONDS, true);
     } catch (error) {
       /** Handle Authentication Errors */
       if (
@@ -537,11 +531,17 @@ export class MCPClient {
               : `OAuth authorization URL not available: ${detail}`;
           this.emitError(message, 'auth');
           this.emitStateChange('FAILED');
+          
+          // Proactive Cleanup: This session has reached a terminal failure state. 
+          // We remove it now to ensure the database remains lean, bypassing the 
+          // automated lifecycle sweep.
           try {
             await storage.removeSession(this.identity, this.sessionId);
           } catch {
-            // best-effort cleanup
+            // Non-blocking: Proactive cleanup failures are suppressed to prioritize 
+            // the original error context.
           }
+          
           throw new Error(message);
         }
 
@@ -571,6 +571,19 @@ export class MCPClient {
       const errorMessage = error instanceof Error ? error.message : 'Connection failed';
       this.emitError(errorMessage, 'connection');
       this.emitStateChange('FAILED');
+
+      // Terminal Handshake Failure: only purge transient sessions. Active
+      // sessions may still hold valid credentials for a later reconnect.
+      try {
+        const existingSession = await storage.getSession(this.identity, this.sessionId);
+        if (!existingSession || existingSession.active !== true) {
+          await storage.removeSession(this.identity, this.sessionId);
+        }
+      } catch {
+        // Non-blocking: Cleanup is performed on a best-effort basis and should
+        // not interfere with the primary error propagation.
+      }
+
       throw error;
     }
   }
@@ -606,6 +619,7 @@ export class MCPClient {
 
     let lastError: unknown;
     let tokensExchanged = false;
+    let authenticatedStateEmitted = false;
 
     for (const currentType of transportsToTry) {
       const isLastAttempt = currentType === transportsToTry[transportsToTry.length - 1];
@@ -623,10 +637,11 @@ export class MCPClient {
           this.emitProgress(`Tokens already exchanged, skipping auth step for ${currentType}...`);
         }
 
-        /** Success! Update transport type */
-        this.transportType = currentType;
+        if (!authenticatedStateEmitted) {
+          this.emitStateChange('AUTHENTICATED');
+          authenticatedStateEmitted = true;
+        }
 
-        this.emitStateChange('AUTHENTICATED');
         this.emitProgress('Creating authenticated client...');
 
         this.client = new Client(
@@ -650,6 +665,9 @@ export class MCPClient {
         /** We explicitly try to connect with the transport we just auth'd with first */
         await this.client.connect(this.transport);
 
+        /** Connection succeeded — lock in the transport type */
+        this.transportType = currentType;
+
         this.emitStateChange('CONNECTED');
         // Update session with 12hr TTL after successful OAuth
         console.log(`[MCPClient] Updating session ${this.sessionId} to 12hr TTL (OAuth complete)`);

package/supabase/migrations/20260421010000_add_session_cleanup_cron.sql

@@ -0,0 +1,32 @@
+-- Enable the pg_cron extension (available on all Supabase plans).
+-- This is idempotent and safe to run multiple times.
+CREATE EXTENSION IF NOT EXISTS pg_cron;
+
+-- ─────────────────────────────────────────────────────────────────────────────
+-- Stage 1: Short-term Transient Purge (every 5 minutes)
+-- ─────────────────────────────────────────────────────────────────────────────
+-- Targets sessions that are NOT active (failed connections, abandoned OAuth
+-- flows, mid-flow errors) whose TTL has expired. Active sessions are explicitly
+-- excluded from this sweep to preserve automation credentials.
+--
+-- The idx_mcp_sessions_expires_at index ensures this is a fast indexed scan.
+SELECT cron.schedule(
+    'cleanup-transient-sessions',
+    '*/5 * * * *',
+    $$DELETE FROM public.mcp_sessions WHERE expires_at < now() AND active IS NOT TRUE;$$
+);
+
+-- ─────────────────────────────────────────────────────────────────────────────
+-- Stage 2: Long-term Dormancy Eviction (daily at midnight UTC)
+-- ─────────────────────────────────────────────────────────────────────────────
+-- Safety net for sessions that were successfully established (active = true)
+-- but have been completely untouched for 30+ days. This prevents "active"
+-- records from persisting indefinitely if they are genuinely abandoned.
+SELECT cron.schedule(
+    'cleanup-dormant-sessions',
+    '0 0 * * *',
+    $$DELETE FROM public.mcp_sessions WHERE active = true AND updated_at < now() - interval '30 days';$$
+);
+
+-- Add a comment on the extension for visibility in Supabase Dashboard
+COMMENT ON EXTENSION pg_cron IS 'Automated Session Lifecycle Management.';