@oh-my-pi/pi-coding-agent 15.10.12 → 15.11.1

package/src/mcp/oauth-discovery.ts

@@ -11,6 +11,7 @@ export interface OAuthEndpoints {
 	tokenUrl: string;
 	clientId?: string;
 	scopes?: string;
+	resource?: string;
 }
 
 export interface AuthDetectionResult {
@@ -94,7 +95,12 @@ export function extractOAuthEndpoints(error: Error): OAuthEndpoints | null {
 			(obj.default_client_id as string | undefined) ||
 			(obj.public_client_id as string | undefined);
 
-		return { authorizationUrl, tokenUrl, clientId, scopes };
+		const resource =
+			(obj.resource as string | undefined) ||
+			(obj.resource_uri as string | undefined) ||
+			(obj.resourceUri as string | undefined);
+
+		return { authorizationUrl, tokenUrl, clientId, scopes, resource };
 	};
 
 	const clientIdFromAuthUrl = (authorizationUrl: string): string | undefined => {
@@ -161,6 +167,7 @@ export function extractOAuthEndpoints(error: Error): OAuthEndpoints | null {
 			challengeValues.get("realm");
 		const tokenUrl =
 			challengeValues.get("token_url") || challengeValues.get("token_uri") || challengeValues.get("token_endpoint");
+		const resource = challengeValues.get("resource") || challengeValues.get("resource_uri");
 
 		if (authorizationUrl && tokenUrl) {
 			return {
@@ -168,6 +175,7 @@ export function extractOAuthEndpoints(error: Error): OAuthEndpoints | null {
 				tokenUrl,
 				clientId: challengeValues.get("client_id") || clientIdFromAuthUrl(authorizationUrl),
 				scopes: challengeValues.get("scope") || challengeValues.get("scopes") || scopeFromAuthUrl(authorizationUrl),
+				resource,
 			};
 		}
 	}
@@ -250,7 +258,7 @@ export async function discoverOAuthEndpoints(
 	serverUrl: string,
 	authServerUrl?: string,
 	resourceMetadataUrl?: string,
-	opts?: { fetch?: FetchImpl },
+	opts?: { fetch?: FetchImpl; protectedResource?: string },
 ): Promise<OAuthEndpoints | null> {
 	const fetchImpl: FetchImpl = opts?.fetch ?? fetch;
 	const wellKnownPaths = [
@@ -264,6 +272,8 @@ export async function discoverOAuthEndpoints(
 	const urlsToQuery: string[] = [];
 	const visitedAuthServers = new Set<string>();
 
+	let protectedResource = opts?.protectedResource;
+
 	// Step 1: If a resource_metadata URL was provided, fetch it to discover auth servers.
 	// This follows the RFC 9728 chain: resource_metadata → authorization_servers.
 	if (resourceMetadataUrl && !visitedAuthServers.has(resourceMetadataUrl)) {
@@ -276,6 +286,9 @@ export async function discoverOAuthEndpoints(
 			});
 			if (metaResp.ok) {
 				const meta = (await metaResp.json()) as Record<string, unknown>;
+				if (typeof meta.resource === "string" && meta.resource.trim() !== "") {
+					protectedResource = meta.resource;
+				}
 				const authServers = Array.isArray(meta.authorization_servers)
 					? meta.authorization_servers.filter((entry): entry is string => typeof entry === "string")
 					: [];
@@ -304,6 +317,8 @@ export async function discoverOAuthEndpoints(
 			const scopesSupported = Array.isArray(metadata.scopes_supported)
 				? metadata.scopes_supported.filter((scope): scope is string => typeof scope === "string").join(" ")
 				: undefined;
+			const resource = typeof metadata.resource === "string" ? metadata.resource : protectedResource;
+
 			return {
 				authorizationUrl: String(metadata.authorization_endpoint),
 				tokenUrl: String(metadata.token_endpoint),
@@ -324,12 +339,15 @@ export async function discoverOAuthEndpoints(
 						: typeof metadata.scope === "string"
 							? metadata.scope
 							: undefined),
+				resource,
 			};
 		}
 
 		if (metadata.oauth || metadata.authorization || metadata.auth) {
 			const oauthData = (metadata.oauth || metadata.authorization || metadata.auth) as Record<string, unknown>;
 			if (typeof oauthData.authorization_url === "string" && typeof oauthData.token_url === "string") {
+				const resource = typeof oauthData.resource === "string" ? oauthData.resource : protectedResource;
+
 				return {
 					authorizationUrl: oauthData.authorization_url || String(oauthData.authorizationUrl),
 					tokenUrl: oauthData.token_url || String(oauthData.tokenUrl),
@@ -349,6 +367,7 @@ export async function discoverOAuthEndpoints(
 							: typeof oauthData.scope === "string"
 								? oauthData.scope
 								: undefined,
+					resource,
 				};
 			}
 		}
@@ -378,12 +397,18 @@ export async function discoverOAuthEndpoints(
 								? metadata.authorization_servers.filter((entry): entry is string => typeof entry === "string")
 								: [];
 
+							const discoveredProtectedResource =
+								typeof metadata.resource === "string" && metadata.resource.trim() !== ""
+									? metadata.resource
+									: protectedResource;
+
 							for (const discoveredAuthServer of authServers) {
 								if (visitedAuthServers.has(discoveredAuthServer)) {
 									continue;
 								}
 								const discovered = await discoverOAuthEndpoints(serverUrl, discoveredAuthServer, undefined, {
 									fetch: fetchImpl,
+									protectedResource: discoveredProtectedResource,
 								});
 								if (discovered) return discovered;
 							}

package/src/mcp/oauth-flow.ts

@@ -98,6 +98,23 @@ function resolveCallbackOptions(config: MCPOAuthConfig): OAuthCallbackFlowOption
 	};
 }
 
+function resolveResourceUri(resource: string | undefined): string | undefined {
+	const trimmed = resource?.trim();
+	if (!trimmed) return undefined;
+	if (trimmed !== resource) {
+		throw new Error("OAuth resource URI must not include surrounding whitespace");
+	}
+
+	const parsed = new URL(trimmed);
+	if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+		throw new Error("OAuth resource URI must use http or https");
+	}
+	if (parsed.hash) {
+		throw new Error("OAuth resource URI must not include a fragment");
+	}
+	return trimmed;
+}
+
 export interface MCPOAuthConfig {
 	/** Authorization endpoint URL */
 	authorizationUrl: string;
@@ -115,6 +132,8 @@ export interface MCPOAuthConfig {
 	callbackPort?: number;
 	/** Custom callback path (default: /callback or redirectUri pathname) */
 	callbackPath?: string;
+	/** MCP resource URI for RFC 8707 resource indicators */
+	resource?: string;
 	/** Fetch implementation for token exchange and discovery requests. */
 	fetch?: FetchImpl;
 }
@@ -128,6 +147,7 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 	#registeredClientSecret?: string;
 	#codeVerifier?: string;
 	#fetch: FetchImpl;
+	#resource?: string;
 
 	constructor(
 		private config: MCPOAuthConfig,
@@ -136,6 +156,9 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 		super(ctrl, resolveCallbackOptions(config));
 		this.#resolvedClientId = this.#resolveClientId(config);
 		this.#fetch = config.fetch ?? ctrl.fetch ?? fetch;
+		this.#resource = resolveResourceUri(
+			config.resource ?? this.#resourceFromAuthorizationUrl(config.authorizationUrl),
+		);
 	}
 
 	/**
@@ -157,6 +180,9 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 	get registeredClientSecret(): string | undefined {
 		return this.#registeredClientSecret;
 	}
+	get resource(): string | undefined {
+		return this.#resource;
+	}
 
 	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
 		if (!this.#resolvedClientId) {
@@ -176,6 +202,12 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 		if (this.config.scopes && !params.get("scope")) {
 			params.set("scope", this.config.scopes);
 		}
+		const existingResource = params.get("resource")?.trim();
+		if (existingResource) {
+			this.#resource = resolveResourceUri(existingResource);
+		} else if (this.#resource) {
+			params.set("resource", this.#resource);
+		}
 		params.set("redirect_uri", redirectUri);
 		params.set("state", state);
 
@@ -212,6 +244,9 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 		this.#codeVerifier = undefined;
 
 		// Add client secret if provided
+		if (this.#resource) {
+			params.set("resource", this.#resource);
+		}
 		const clientSecret = this.config.clientSecret ?? this.#registeredClientSecret;
 		if (clientSecret) {
 			params.set("client_secret", clientSecret);
@@ -285,6 +320,13 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 			return undefined;
 		}
 	}
+	#resourceFromAuthorizationUrl(authorizationUrl: string): string | undefined {
+		try {
+			return new URL(authorizationUrl).searchParams.get("resource") ?? undefined;
+		} catch {
+			return undefined;
+		}
+	}
 
 	/**
 	 * Try OAuth dynamic client registration when provider requires a client_id.
@@ -407,14 +449,18 @@ export async function refreshMCPOAuthToken(
 	refreshToken: string,
 	clientId?: string,
 	clientSecret?: string,
+	resourceOrOpts?: string | { fetch?: FetchImpl },
 	opts?: { fetch?: FetchImpl },
 ): Promise<OAuthCredentials> {
-	const fetchImpl: FetchImpl = opts?.fetch ?? fetch;
+	const fetchImpl: FetchImpl = (typeof resourceOrOpts === "string" ? opts?.fetch : resourceOrOpts?.fetch) ?? fetch;
+	const resource = typeof resourceOrOpts === "string" ? resourceOrOpts : undefined;
 	const params = new URLSearchParams({
 		grant_type: "refresh_token",
 		refresh_token: refreshToken,
 	});
 	if (clientId) params.set("client_id", clientId);
+	const resolvedResource = resolveResourceUri(resource);
+	if (resolvedResource) params.set("resource", resolvedResource);
 	if (clientSecret) params.set("client_secret", clientSecret);
 
 	const response = await fetchImpl(tokenUrl, {

package/src/mcp/transports/stdio.ts

@@ -25,6 +25,7 @@ import { isMCPTimeoutEnabled, resolveMCPTimeoutMs } from "../timeout";
 /** Subprocess argv for launching an MCP stdio server. */
 export interface StdioSpawnCommand {
 	cmd: string[];
+	windowsHide?: boolean;
 }
 
 /** Inputs used to resolve platform-specific stdio spawn behavior. */
@@ -153,6 +154,7 @@ export async function resolveStdioSpawnCommand(
 
 	return {
 		cmd: [resolveComSpec(options.env), "/d", "/s", "/c", buildCmdExeCommand(resolvedCommand, args)],
+		windowsHide: true,
 	};
 }
 
@@ -255,6 +257,7 @@ export class StdioTransport implements MCPTransport {
 			stdin: "pipe",
 			stdout: "pipe",
 			stderr: "pipe",
+			windowsHide: spawnCommand.windowsHide,
 		});
 
 		this.#connected = true;

package/src/mcp/types.ts

@@ -55,6 +55,8 @@ export interface MCPAuthConfig {
 	clientId?: string;
 	/** Client secret — persisted for token refresh */
 	clientSecret?: string;
+	/** MCP resource URI — persisted for OAuth resource indicators during refresh */
+	resource?: string;
 }
 
 /** Base server config with shared options */