@oh-my-pi/pi-coding-agent 11.8.3 → 11.9.0

package/CHANGELOG.md

@@ -2,6 +2,48 @@
 
 ## [Unreleased]
 
+## [11.9.0] - 2026-02-10
+
+### Added
+
+- Added `/mcp` slash command for runtime MCP server management (add, list, remove, enable, disable, test, reauth)
+- Added interactive multi-step wizard for adding MCP servers with transport auto-detection
+- Added OAuth auto-discovery and authentication flow for MCP servers requiring authorization
+- Added MCP config file writer for persisting server configurations at user and project level
+- Added `enabled` and `timeout` fields to MCP server configuration
+- Added runtime MCP manager reload and active tool registry rebind without restart
+- Added MCP command guide documentation
+
+### Changed
+
+- Replaced `setTimeout` with `Bun.sleep()` for improved performance in file lock retry logic
+- Refactored component invalidation handling to use dedicated helper function for cleaner code
+- Improved error handling in worktree baseline application to use `isEnoent()` utility instead of file existence checks
+- Updated bash tool to use standard Node.js `fs.promises.stat()` with `isEnoent()` error handling
+- Replaced `tmpdir()` named import with `os` namespace import for consistency
+- Migrated logging from `chalk` and `console.error` to structured logger from `@oh-my-pi/pi-utils`
+
+### Fixed
+
+- Improved browser script evaluation to handle both expression and statement forms, fixing evaluation failures for certain script types
+- Fixed unsafe OAuth endpoint extraction that could redirect token exchange to attacker-controlled URLs
+- Fixed PKCE code verifier stored via untyped property; now uses typed private field
+- Fixed refresh token fallback incorrectly using access token when no refresh token provided
+- Fixed MCP config files written with default permissions; now enforces 0o700/0o600 for secret protection
+- Fixed add wizard ignoring user-chosen environment variable name and auth header name
+- Fixed reauth endpoint discovery misclassifying non-OAuth servers as discovery failures
+- Fixed resolved OAuth tokens leaking into connection config, causing cache churn on token rotation
+- Fixed unvalidated type assertions for `enabled`/`timeout` config fields from user-controlled JSON
+- Fixed uncaught exceptions in `/mcp add` quick-add flow crashing the interactive loop
+- Fixed greedy `/mcp` prefix match routing `/mcpfoo` to MCP controller
+- Fixed stdio transport timeout timer leak keeping process alive after request completion
+
+### Removed
+
+- Removed `GrepOperations` interface from public API exports
+- Removed `GrepToolOptions` interface from public API exports
+- Removed unused `_options` parameter from `GrepTool` constructor
+
 ## [11.8.1] - 2026-02-10
 
 ### Added

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@oh-my-pi/pi-coding-agent",
-	"version": "11.8.3",
+	"version": "11.9.0",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"type": "module",
 	"ompConfig": {
@@ -90,12 +90,12 @@
 		"@mozilla/readability": "0.6.0",
 		"@oclif/core": "^4.8.0",
 		"@oclif/plugin-autocomplete": "^3.2.40",
-		"@oh-my-pi/omp-stats": "11.8.3",
-		"@oh-my-pi/pi-agent-core": "11.8.3",
-		"@oh-my-pi/pi-ai": "11.8.3",
-		"@oh-my-pi/pi-natives": "11.8.3",
-		"@oh-my-pi/pi-tui": "11.8.3",
-		"@oh-my-pi/pi-utils": "11.8.3",
+		"@oh-my-pi/omp-stats": "11.9.0",
+		"@oh-my-pi/pi-agent-core": "11.9.0",
+		"@oh-my-pi/pi-ai": "11.9.0",
+		"@oh-my-pi/pi-natives": "11.9.0",
+		"@oh-my-pi/pi-tui": "11.9.0",
+		"@oh-my-pi/pi-utils": "11.9.0",
 		"@sinclair/typebox": "^0.34.48",
 		"ajv": "^8.17.1",
 		"chalk": "^5.6.2",

package/src/capability/mcp.ts

@@ -13,6 +13,10 @@ import type { SourceMeta } from "./types";
 export interface MCPServer {
 	/** Server name (unique key) */
 	name: string;
+	/** Whether this server is enabled (default: true) */
+	enabled?: boolean;
+	/** Connection timeout in milliseconds */
+	timeout?: number;
 	/** Command to run (for stdio transport) */
 	command?: string;
 	/** Command arguments */
@@ -23,6 +27,11 @@ export interface MCPServer {
 	url?: string;
 	/** HTTP headers (for HTTP transport) */
 	headers?: Record<string, string>;
+	/** Authentication configuration */
+	auth?: {
+		type: "oauth" | "apikey";
+		credentialId?: string;
+	};
 	/** Transport type */
 	transport?: "stdio" | "sse" | "http";
 	/** Source metadata (added by loader) */

package/src/config/file-lock.ts

@@ -101,7 +101,7 @@ async function acquireLock(filePath: string, options: FileLockOptions = {}): Pro
 			continue;
 		}
 
-		await new Promise(resolve => setTimeout(resolve, opts.retryDelayMs));
+		await Bun.sleep(opts.retryDelayMs);
 	}
 
 	throw new Error(`Failed to acquire lock for ${filePath} after ${opts.retries} attempts`);

package/src/discovery/builtin.ts

@@ -5,6 +5,7 @@
  * .pi is an alias for backwards compatibility.
  */
 import * as path from "node:path";
+import { logger } from "@oh-my-pi/pi-utils";
 import { registerProvider } from "../capability";
 import { type ContextFile, contextFileCapability } from "../capability/context-file";
 import { type Extension, type ExtensionManifest, extensionCapability } from "../capability/extension";
@@ -79,13 +80,60 @@ async function loadMCPServers(ctx: LoadContext): Promise<LoadResult<MCPServer>>
 		const expanded = expandEnvVarsDeep(data.mcpServers);
 		for (const [serverName, config] of Object.entries(expanded)) {
 			const serverConfig = config as Record<string, unknown>;
+
+			// Validate enabled: coerce string "true"/"false", warn on other types
+			let enabled: boolean | undefined;
+			if (serverConfig.enabled === undefined || serverConfig.enabled === null) {
+				enabled = undefined;
+			} else if (typeof serverConfig.enabled === "boolean") {
+				enabled = serverConfig.enabled;
+			} else if (typeof serverConfig.enabled === "string") {
+				const lower = serverConfig.enabled.toLowerCase();
+				if (lower === "false" || lower === "0") enabled = false;
+				else if (lower === "true" || lower === "1") enabled = true;
+				else {
+					logger.warn(`MCP server "${serverName}": invalid enabled value "${serverConfig.enabled}", ignoring`);
+					enabled = undefined;
+				}
+			} else {
+				logger.warn(`MCP server "${serverName}": invalid enabled type ${typeof serverConfig.enabled}, ignoring`);
+				enabled = undefined;
+			}
+
+			// Validate timeout: coerce numeric strings, warn on invalid
+			let timeout: number | undefined;
+			if (serverConfig.timeout === undefined || serverConfig.timeout === null) {
+				timeout = undefined;
+			} else if (typeof serverConfig.timeout === "number") {
+				if (Number.isFinite(serverConfig.timeout) && serverConfig.timeout > 0) {
+					timeout = serverConfig.timeout;
+				} else {
+					logger.warn(`MCP server "${serverName}": invalid timeout ${serverConfig.timeout}, ignoring`);
+					timeout = undefined;
+				}
+			} else if (typeof serverConfig.timeout === "string") {
+				const parsed = Number(serverConfig.timeout);
+				if (Number.isFinite(parsed) && parsed > 0) {
+					timeout = parsed;
+				} else {
+					logger.warn(`MCP server "${serverName}": invalid timeout "${serverConfig.timeout}", ignoring`);
+					timeout = undefined;
+				}
+			} else {
+				logger.warn(`MCP server "${serverName}": invalid timeout type ${typeof serverConfig.timeout}, ignoring`);
+				timeout = undefined;
+			}
+
 			result.push({
 				name: serverName,
+				enabled,
+				timeout,
 				command: serverConfig.command as string | undefined,
 				args: serverConfig.args as string[] | undefined,
 				env: serverConfig.env as Record<string, string> | undefined,
 				url: serverConfig.url as string | undefined,
 				headers: serverConfig.headers as Record<string, string> | undefined,
+				auth: serverConfig.auth as { type: "oauth" | "apikey"; credentialId?: string } | undefined,
 				transport: serverConfig.type as "stdio" | "sse" | "http" | undefined,
 				_source: createSourceMeta(PROVIDER_ID, path, level),
 			});

package/src/discovery/mcp-json.ts

@@ -7,6 +7,7 @@
  * Priority: 5 (low, as this is a fallback after tool-specific providers)
  */
 import * as path from "node:path";
+import { logger } from "@oh-my-pi/pi-utils";
 import { registerProvider } from "../capability";
 import { readFile } from "../capability/fs";
 import { type MCPServer, mcpCapability } from "../capability/mcp";
@@ -23,11 +24,17 @@ interface MCPConfigFile {
 	mcpServers?: Record<
 		string,
 		{
+			enabled?: boolean;
+			timeout?: number;
 			command?: string;
 			args?: string[];
 			env?: Record<string, string>;
 			url?: string;
 			headers?: Record<string, string>;
+			auth?: {
+				type: "oauth" | "apikey";
+				credentialId?: string;
+			};
 			type?: "stdio" | "sse" | "http";
 		}
 	>;
@@ -41,13 +48,39 @@ function transformMCPConfig(config: MCPConfigFile, source: SourceMeta): MCPServe
 
 	if (config.mcpServers) {
 		for (const [name, serverConfig] of Object.entries(config.mcpServers)) {
+			// Runtime type validation for user-controlled JSON values
+			let enabled: boolean | undefined;
+			if (serverConfig.enabled !== undefined) {
+				if (typeof serverConfig.enabled === "boolean") {
+					enabled = serverConfig.enabled;
+				} else {
+					logger.warn("MCP server has invalid 'enabled' value, ignoring", { name, value: serverConfig.enabled });
+				}
+			}
+
+			let timeout: number | undefined;
+			if (serverConfig.timeout !== undefined) {
+				if (
+					typeof serverConfig.timeout === "number" &&
+					Number.isFinite(serverConfig.timeout) &&
+					serverConfig.timeout > 0
+				) {
+					timeout = serverConfig.timeout;
+				} else {
+					logger.warn("MCP server has invalid 'timeout' value, ignoring", { name, value: serverConfig.timeout });
+				}
+			}
+
 			const server: MCPServer = {
 				name,
+				enabled,
+				timeout,
 				command: serverConfig.command,
 				args: serverConfig.args,
 				env: serverConfig.env,
 				url: serverConfig.url,
 				headers: serverConfig.headers,
+				auth: serverConfig.auth,
 				transport: serverConfig.type,
 				_source: source,
 			};

package/src/extensibility/slash-commands.ts

@@ -34,6 +34,7 @@ export const BUILTIN_SLASH_COMMANDS: ReadonlyArray<BuiltinSlashCommand> = [
 	{ name: "tree", description: "Navigate session tree (switch branches)" },
 	{ name: "login", description: "Login with OAuth provider" },
 	{ name: "logout", description: "Logout from OAuth provider" },
+	{ name: "mcp", description: "Manage MCP servers (add, list, remove, test)" },
 	{ name: "new", description: "Start a new session" },
 	{ name: "compact", description: "Manually compact the session context" },
 	{ name: "handoff", description: "Hand off session context to a new session" },

package/src/index.ts

@@ -248,10 +248,8 @@ export {
 	type FindToolInput,
 	type FindToolOptions,
 	formatSize,
-	type GrepOperations,
 	type GrepToolDetails,
 	type GrepToolInput,
-	type GrepToolOptions,
 	type PythonToolDetails,
 	type ReadToolDetails,
 	type ReadToolInput,

package/src/mcp/config-writer.ts

@@ -0,0 +1,194 @@
+/**
+ * MCP Configuration File Writer
+ *
+ * Utilities for reading/writing .omp/mcp.json files at user or project level.
+ */
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { isEnoent } from "@oh-my-pi/pi-utils";
+import { validateServerConfig } from "./config";
+import type { MCPConfigFile, MCPServerConfig } from "./types";
+
+/**
+ * Get the path to the MCP config file.
+ * @param scope - "user" for ~/.omp/mcp.json or "project" for .omp/mcp.json
+ * @param cwd - Current working directory (used for project scope)
+ */
+export function getMCPConfigPath(scope: "user" | "project", cwd: string): string {
+	if (scope === "user") {
+		return path.join(os.homedir(), ".omp", "mcp.json");
+	}
+	return path.join(cwd, ".omp", "mcp.json");
+}
+
+/**
+ * Read an MCP config file.
+ * Returns empty config if file doesn't exist.
+ */
+export async function readMCPConfigFile(filePath: string): Promise<MCPConfigFile> {
+	try {
+		const content = await fs.promises.readFile(filePath, "utf-8");
+		const parsed = JSON.parse(content) as MCPConfigFile;
+		return parsed;
+	} catch (error) {
+		if (isEnoent(error)) {
+			// File doesn't exist, return empty config
+			return { mcpServers: {} };
+		}
+		throw error;
+	}
+}
+
+/**
+ * Write an MCP config file atomically.
+ * Creates parent directories if they don't exist.
+ */
+export async function writeMCPConfigFile(filePath: string, config: MCPConfigFile): Promise<void> {
+	// Ensure parent directory exists
+	const dir = path.dirname(filePath);
+	await fs.promises.mkdir(dir, { recursive: true, mode: 0o700 });
+
+	// Write to temp file first (atomic write)
+	const tmpPath = `${filePath}.tmp`;
+	const content = JSON.stringify(config, null, 2);
+	await fs.promises.writeFile(tmpPath, content, { encoding: "utf-8", mode: 0o600 });
+
+	// Rename to final path (atomic on most systems)
+	await fs.promises.rename(tmpPath, filePath);
+}
+
+/**
+ * Validate server name.
+ * @returns Error message if invalid, undefined if valid
+ */
+export function validateServerName(name: string): string | undefined {
+	if (!name) {
+		return "Server name cannot be empty";
+	}
+	if (name.length > 100) {
+		return "Server name is too long (max 100 characters)";
+	}
+	// Check for invalid characters (only allow alphanumeric, dash, underscore, dot)
+	if (!/^[a-zA-Z0-9_.-]+$/.test(name)) {
+		return "Server name can only contain letters, numbers, dash, underscore, and dot";
+	}
+	return undefined;
+}
+
+/**
+ * Add an MCP server to a config file.
+ * Validates the config before writing.
+ *
+ * @throws Error if server name already exists or validation fails
+ */
+export async function addMCPServer(filePath: string, name: string, config: MCPServerConfig): Promise<void> {
+	// Validate server name
+	const nameError = validateServerName(name);
+	if (nameError) {
+		throw new Error(nameError);
+	}
+
+	// Validate the config
+	const errors = validateServerConfig(name, config);
+	if (errors.length > 0) {
+		throw new Error(`Invalid server config: ${errors.join("; ")}`);
+	}
+
+	// Read existing config
+	const existing = await readMCPConfigFile(filePath);
+
+	// Check for duplicate name
+	if (existing.mcpServers?.[name]) {
+		throw new Error(`Server "${name}" already exists in ${filePath}`);
+	}
+
+	// Add server
+	const updated: MCPConfigFile = {
+		...existing,
+		mcpServers: {
+			...existing.mcpServers,
+			[name]: config,
+		},
+	};
+
+	// Write back
+	await writeMCPConfigFile(filePath, updated);
+}
+
+/**
+ * Update an existing MCP server in a config file.
+ * If the server doesn't exist, this will add it.
+ *
+ * @throws Error if validation fails
+ */
+export async function updateMCPServer(filePath: string, name: string, config: MCPServerConfig): Promise<void> {
+	// Validate server name
+	const nameError = validateServerName(name);
+	if (nameError) {
+		throw new Error(nameError);
+	}
+
+	// Validate the config
+	const errors = validateServerConfig(name, config);
+	if (errors.length > 0) {
+		throw new Error(`Invalid server config: ${errors.join("; ")}`);
+	}
+
+	// Read existing config
+	const existing = await readMCPConfigFile(filePath);
+
+	// Update server
+	const updated: MCPConfigFile = {
+		...existing,
+		mcpServers: {
+			...existing.mcpServers,
+			[name]: config,
+		},
+	};
+
+	// Write back
+	await writeMCPConfigFile(filePath, updated);
+}
+
+/**
+ * Remove an MCP server from a config file.
+ *
+ * @throws Error if server doesn't exist
+ */
+export async function removeMCPServer(filePath: string, name: string): Promise<void> {
+	// Read existing config
+	const existing = await readMCPConfigFile(filePath);
+
+	// Check if server exists
+	if (!existing.mcpServers?.[name]) {
+		throw new Error(`Server "${name}" not found in ${filePath}`);
+	}
+
+	// Remove server
+	const { [name]: _removed, ...remaining } = existing.mcpServers;
+	const updated: MCPConfigFile = {
+		...existing,
+		mcpServers: remaining,
+	};
+
+	// Write back
+	await writeMCPConfigFile(filePath, updated);
+}
+
+/**
+ * Get a specific server config from a file.
+ * Returns undefined if server doesn't exist.
+ */
+export async function getMCPServer(filePath: string, name: string): Promise<MCPServerConfig | undefined> {
+	const config = await readMCPConfigFile(filePath);
+	return config.mcpServers?.[name];
+}
+
+/**
+ * List all server names in a config file.
+ */
+export async function listMCPServers(filePath: string): Promise<string[]> {
+	const config = await readMCPConfigFile(filePath);
+	return Object.keys(config.mcpServers ?? {});
+}

package/src/mcp/config.ts

@@ -4,6 +4,7 @@
  * Uses the capability system to load MCP servers from multiple sources.
  */
 import { mcpCapability } from "../capability/mcp";
+import type { SourceMeta } from "../capability/types";
 import type { MCPServer } from "../discovery";
 import { loadCapability } from "../discovery";
 import type { MCPServerConfig } from "./types";
@@ -23,7 +24,7 @@ export interface LoadMCPConfigsResult {
 	/** Extracted Exa API keys (if any were filtered) */
 	exaApiKeys: string[];
 	/** Source metadata for each server */
-	sources: Record<string, import("../capability/types").SourceMeta>;
+	sources: Record<string, SourceMeta>;
 }
 
 /**
@@ -32,9 +33,15 @@ export interface LoadMCPConfigsResult {
 function convertToLegacyConfig(server: MCPServer): MCPServerConfig {
 	// Determine transport type
 	const transport = server.transport ?? (server.command ? "stdio" : server.url ? "http" : "stdio");
+	const shared = {
+		enabled: server.enabled,
+		timeout: server.timeout,
+		auth: server.auth,
+	};
 
 	if (transport === "stdio") {
 		const config: MCPServerConfig = {
+			...shared,
 			type: "stdio" as const,
 			command: server.command ?? "",
 		};
@@ -45,6 +52,7 @@ function convertToLegacyConfig(server: MCPServer): MCPServerConfig {
 
 	if (transport === "http") {
 		const config: MCPServerConfig = {
+			...shared,
 			type: "http" as const,
 			url: server.url ?? "",
 		};
@@ -54,6 +62,7 @@ function convertToLegacyConfig(server: MCPServer): MCPServerConfig {
 
 	if (transport === "sse") {
 		const config: MCPServerConfig = {
+			...shared,
 			type: "sse" as const,
 			url: server.url ?? "",
 		};
@@ -63,6 +72,7 @@ function convertToLegacyConfig(server: MCPServer): MCPServerConfig {
 
 	// Fallback to stdio
 	return {
+		...shared,
 		type: "stdio" as const,
 		command: server.command ?? "",
 	};
@@ -89,9 +99,13 @@ export async function loadAllMCPConfigs(cwd: string, options?: LoadMCPConfigsOpt
 
 	// Convert to legacy format and preserve source metadata
 	const configs: Record<string, MCPServerConfig> = {};
-	const sources: Record<string, import("../capability/types").SourceMeta> = {};
+	const sources: Record<string, SourceMeta> = {};
 	for (const server of servers) {
-		configs[server.name] = convertToLegacyConfig(server);
+		const config = convertToLegacyConfig(server);
+		if (config.enabled === false) {
+			continue;
+		}
+		configs[server.name] = config;
 		sources[server.name] = server._source;
 	}
 
@@ -179,7 +193,7 @@ export interface ExaFilterResult {
 	/** Extracted Exa API keys (if any) */
 	exaApiKeys: string[];
 	/** Source metadata for remaining servers */
-	sources: Record<string, import("../capability/types").SourceMeta>;
+	sources: Record<string, SourceMeta>;
 }
 
 /**
@@ -188,10 +202,10 @@ export interface ExaFilterResult {
  */
 export function filterExaMCPServers(
 	configs: Record<string, MCPServerConfig>,
-	sources: Record<string, import("../capability/types").SourceMeta>,
+	sources: Record<string, SourceMeta>,
 ): ExaFilterResult {
 	const filtered: Record<string, MCPServerConfig> = {};
-	const filteredSources: Record<string, import("../capability/types").SourceMeta> = {};
+	const filteredSources: Record<string, SourceMeta> = {};
 	const exaApiKeys: string[] = [];
 
 	for (const [name, config] of Object.entries(configs)) {

package/src/mcp/index.ts

@@ -16,6 +16,7 @@ export {
 	loadAllMCPConfigs,
 	validateServerConfig,
 } from "./config";
+export { validateServerName } from "./config-writer";
 // JSON-RPC (lightweight HTTP-based MCP calls)
 export type { JsonRpcResponse } from "./json-rpc";
 export { callMCP, parseSSE } from "./json-rpc";
@@ -25,6 +26,9 @@ export { discoverAndLoadMCPTools } from "./loader";
 // Manager
 export type { MCPDiscoverOptions, MCPLoadResult } from "./manager";
 export { createMCPManager, MCPManager } from "./manager";
+// OAuth Discovery
+export type { AuthDetectionResult, OAuthEndpoints } from "./oauth-discovery";
+export { analyzeAuthError, detectAuthError, discoverOAuthEndpoints, extractOAuthEndpoints } from "./oauth-discovery";
 // Tool bridge
 export type { MCPToolDetails } from "./tool-bridge";
 export { createMCPToolName, DeferredMCPTool, MCPTool, parseMCPToolName } from "./tool-bridge";

package/src/mcp/loader.ts

@@ -6,6 +6,7 @@
 import { logger } from "@oh-my-pi/pi-utils";
 import type { LoadedCustomTool } from "../extensibility/custom-tools/types";
 import { AgentStorage } from "../session/agent-storage";
+import type { AuthStorage } from "../session/auth-storage";
 import { type MCPLoadResult, MCPManager } from "./manager";
 import { MCPToolCache } from "./tool-cache";
 
@@ -33,6 +34,8 @@ export interface MCPToolsLoadOptions {
 	filterExa?: boolean;
 	/** SQLite storage for MCP tool cache (null disables cache) */
 	cacheStorage?: AgentStorage | null;
+	/** Auth storage used to resolve OAuth credentials before initial MCP connect */
+	authStorage?: AuthStorage;
 }
 
 async function resolveToolCache(storage: AgentStorage | null | undefined): Promise<MCPToolCache | null> {
@@ -56,6 +59,9 @@ async function resolveToolCache(storage: AgentStorage | null | undefined): Promi
 export async function discoverAndLoadMCPTools(cwd: string, options?: MCPToolsLoadOptions): Promise<MCPToolsLoadResult> {
 	const toolCache = await resolveToolCache(options?.cacheStorage);
 	const manager = new MCPManager(cwd, toolCache);
+	if (options?.authStorage) {
+		manager.setAuthStorage(options.authStorage);
+	}
 
 	let result: MCPLoadResult;
 	try {