@oh-my-pi/pi-coding-agent 15.11.0 → 15.11.2

package/src/irc/bus.ts

@@ -7,7 +7,11 @@
  * AgentLifecycleManager, idle agents are woken with a real turn, and busy
  * agents receive the message as a non-interrupting aside at the next step
  * boundary (see AgentSession.deliverIrcMessage). Replies are real turns by
- * the recipient, observed via `wait`.
+ * the recipient, observed via `wait` — with one exception: when the sender
+ * awaits a reply and the recipient is mid-turn with async execution
+ * disabled, the recipient session generates an ephemeral side-channel
+ * auto-reply (it may be blocked in a synchronous task spawn whose batch
+ * includes the sender, so a real turn could never happen in time).
  */
 
 import { logger, Snowflake } from "@oh-my-pi/pi-utils";
@@ -80,8 +84,15 @@ export class IrcBus {
 	 * context, so buffering it too would double-deliver via a later
 	 * `wait`/`inbox` and inflate unread counts. Only a failed live hand-off
 	 * is buffered for the recipient to drain later.
+	 *
+	 * `opts.expectsReply` marks sends whose caller is blocked on an answer
+	 * (`send await:true`). It is forwarded to the recipient session so a
+	 * mid-turn recipient that cannot reach a step boundary (async execution
+	 * disabled — e.g. blocked in a synchronous task spawn awaiting the
+	 * sender's own batch) can generate an ephemeral side-channel auto-reply
+	 * instead of stranding the sender until timeout.
 	 */
-	async send(msg: Omit<IrcMessage, "id" | "ts">): Promise<IrcDeliveryReceipt> {
+	async send(msg: Omit<IrcMessage, "id" | "ts">, opts?: { expectsReply?: boolean }): Promise<IrcDeliveryReceipt> {
 		const message: IrcMessage = { ...msg, id: Snowflake.next(), ts: Date.now() };
 		const ref = this.#registry.get(message.to);
 		if (!ref || ref.status === "aborted") {
@@ -118,7 +129,7 @@ export class IrcBus {
 		}
 
 		try {
-			const delivery = await session.deliverIrcMessage(message);
+			const delivery = await session.deliverIrcMessage(message, opts);
 			this.#relayToMainUi(message);
 			return { to: message.to, outcome: revived ? "revived" : delivery };
 		} catch (error) {

package/src/lsp/defaults.json

@@ -248,6 +248,12 @@
 			}
 		}
 	},
+	"expert": {
+		"command": "expert",
+		"args": ["--stdio"],
+		"fileTypes": [".ex", ".exs", ".heex", ".eex"],
+		"rootMarkers": ["mix.exs", "mix.lock"]
+	},
 	"erlangls": {
 		"command": "erlang_ls",
 		"args": [],

package/src/lsp/render.ts

@@ -8,9 +8,8 @@
  * - Collapsible/expandable views
  */
 import type { RenderResultOptions } from "@oh-my-pi/pi-agent-core";
-import { type HighlightColors, highlightCode as nativeHighlightCode, supportsLanguage } from "@oh-my-pi/pi-natives";
 import { type Component, Text } from "@oh-my-pi/pi-tui";
-import { getLanguageFromPath, type Theme } from "../modes/theme/theme";
+import { getLanguageFromPath, highlightCode as highlightThemeCode, type Theme } from "../modes/theme/theme";
 import {
 	formatExpandHint,
 	formatMoreItems,
@@ -219,7 +218,7 @@ function renderHover(
 	const beforeCode = fullText.slice(0, codeStart).trimEnd();
 	const afterCode = fullText.slice(fullText.indexOf("```", 3) + 3).trim();
 
-	const codeLines = highlightCode(code, lang, theme);
+	const codeLines = highlightThemeCode(code, lang, theme);
 	const icon = theme.styledSymbol("status.info", "accent");
 	const langLabel = lang ? theme.fg("mdCodeBlockBorder", ` ${lang}`) : "";
 
@@ -274,31 +273,6 @@ function renderHover(
 	return output.split("\n");
 }
 
-/**
- * Syntax highlight code using native highlighter.
- */
-function highlightCode(codeText: string, language: string, theme: Theme): string[] {
-	const validLang = language && supportsLanguage(language) ? language : undefined;
-	try {
-		const colors: HighlightColors = {
-			comment: theme.getFgAnsi("syntaxComment"),
-			keyword: theme.getFgAnsi("syntaxKeyword"),
-			function: theme.getFgAnsi("syntaxFunction"),
-			variable: theme.getFgAnsi("syntaxVariable"),
-			string: theme.getFgAnsi("syntaxString"),
-			number: theme.getFgAnsi("syntaxNumber"),
-			type: theme.getFgAnsi("syntaxType"),
-			operator: theme.getFgAnsi("syntaxOperator"),
-			punctuation: theme.getFgAnsi("syntaxPunctuation"),
-			inserted: theme.getFgAnsi("toolDiffAdded"),
-			deleted: theme.getFgAnsi("toolDiffRemoved"),
-		};
-		return nativeHighlightCode(codeText, validLang, colors).split("\n");
-	} catch {
-		return codeText.split("\n");
-	}
-}
-
 // =============================================================================
 // Diagnostics Rendering
 // =============================================================================

package/src/mcp/manager.ts

@@ -1174,12 +1174,15 @@ export class MCPManager {
 					const shouldRefresh =
 						forceRefresh || (credential.expires && Date.now() >= credential.expires - REFRESH_BUFFER_MS);
 					if (shouldRefresh && credential.refresh && auth.tokenUrl) {
+						const resource =
+							auth.resource ?? (config.type === "http" || config.type === "sse" ? config.url : undefined);
 						try {
 							const refreshed = await refreshMCPOAuthToken(
 								auth.tokenUrl,
 								credential.refresh,
 								auth.clientId,
 								auth.clientSecret,
+								resource,
 							);
 							const refreshedCredential = { type: "oauth" as const, ...refreshed };
 							await this.#authStorage.set(credentialId, refreshedCredential);

package/src/mcp/oauth-discovery.ts

@@ -11,6 +11,7 @@ export interface OAuthEndpoints {
 	tokenUrl: string;
 	clientId?: string;
 	scopes?: string;
+	resource?: string;
 }
 
 export interface AuthDetectionResult {
@@ -94,7 +95,12 @@ export function extractOAuthEndpoints(error: Error): OAuthEndpoints | null {
 			(obj.default_client_id as string | undefined) ||
 			(obj.public_client_id as string | undefined);
 
-		return { authorizationUrl, tokenUrl, clientId, scopes };
+		const resource =
+			(obj.resource as string | undefined) ||
+			(obj.resource_uri as string | undefined) ||
+			(obj.resourceUri as string | undefined);
+
+		return { authorizationUrl, tokenUrl, clientId, scopes, resource };
 	};
 
 	const clientIdFromAuthUrl = (authorizationUrl: string): string | undefined => {
@@ -161,6 +167,7 @@ export function extractOAuthEndpoints(error: Error): OAuthEndpoints | null {
 			challengeValues.get("realm");
 		const tokenUrl =
 			challengeValues.get("token_url") || challengeValues.get("token_uri") || challengeValues.get("token_endpoint");
+		const resource = challengeValues.get("resource") || challengeValues.get("resource_uri");
 
 		if (authorizationUrl && tokenUrl) {
 			return {
@@ -168,6 +175,7 @@ export function extractOAuthEndpoints(error: Error): OAuthEndpoints | null {
 				tokenUrl,
 				clientId: challengeValues.get("client_id") || clientIdFromAuthUrl(authorizationUrl),
 				scopes: challengeValues.get("scope") || challengeValues.get("scopes") || scopeFromAuthUrl(authorizationUrl),
+				resource,
 			};
 		}
 	}
@@ -250,7 +258,7 @@ export async function discoverOAuthEndpoints(
 	serverUrl: string,
 	authServerUrl?: string,
 	resourceMetadataUrl?: string,
-	opts?: { fetch?: FetchImpl },
+	opts?: { fetch?: FetchImpl; protectedResource?: string },
 ): Promise<OAuthEndpoints | null> {
 	const fetchImpl: FetchImpl = opts?.fetch ?? fetch;
 	const wellKnownPaths = [
@@ -264,6 +272,8 @@ export async function discoverOAuthEndpoints(
 	const urlsToQuery: string[] = [];
 	const visitedAuthServers = new Set<string>();
 
+	let protectedResource = opts?.protectedResource;
+
 	// Step 1: If a resource_metadata URL was provided, fetch it to discover auth servers.
 	// This follows the RFC 9728 chain: resource_metadata → authorization_servers.
 	if (resourceMetadataUrl && !visitedAuthServers.has(resourceMetadataUrl)) {
@@ -276,6 +286,9 @@ export async function discoverOAuthEndpoints(
 			});
 			if (metaResp.ok) {
 				const meta = (await metaResp.json()) as Record<string, unknown>;
+				if (typeof meta.resource === "string" && meta.resource.trim() !== "") {
+					protectedResource = meta.resource;
+				}
 				const authServers = Array.isArray(meta.authorization_servers)
 					? meta.authorization_servers.filter((entry): entry is string => typeof entry === "string")
 					: [];
@@ -304,6 +317,8 @@ export async function discoverOAuthEndpoints(
 			const scopesSupported = Array.isArray(metadata.scopes_supported)
 				? metadata.scopes_supported.filter((scope): scope is string => typeof scope === "string").join(" ")
 				: undefined;
+			const resource = typeof metadata.resource === "string" ? metadata.resource : protectedResource;
+
 			return {
 				authorizationUrl: String(metadata.authorization_endpoint),
 				tokenUrl: String(metadata.token_endpoint),
@@ -324,12 +339,15 @@ export async function discoverOAuthEndpoints(
 						: typeof metadata.scope === "string"
 							? metadata.scope
 							: undefined),
+				resource,
 			};
 		}
 
 		if (metadata.oauth || metadata.authorization || metadata.auth) {
 			const oauthData = (metadata.oauth || metadata.authorization || metadata.auth) as Record<string, unknown>;
 			if (typeof oauthData.authorization_url === "string" && typeof oauthData.token_url === "string") {
+				const resource = typeof oauthData.resource === "string" ? oauthData.resource : protectedResource;
+
 				return {
 					authorizationUrl: oauthData.authorization_url || String(oauthData.authorizationUrl),
 					tokenUrl: oauthData.token_url || String(oauthData.tokenUrl),
@@ -349,6 +367,7 @@ export async function discoverOAuthEndpoints(
 							: typeof oauthData.scope === "string"
 								? oauthData.scope
 								: undefined,
+					resource,
 				};
 			}
 		}
@@ -378,12 +397,18 @@ export async function discoverOAuthEndpoints(
 								? metadata.authorization_servers.filter((entry): entry is string => typeof entry === "string")
 								: [];
 
+							const discoveredProtectedResource =
+								typeof metadata.resource === "string" && metadata.resource.trim() !== ""
+									? metadata.resource
+									: protectedResource;
+
 							for (const discoveredAuthServer of authServers) {
 								if (visitedAuthServers.has(discoveredAuthServer)) {
 									continue;
 								}
 								const discovered = await discoverOAuthEndpoints(serverUrl, discoveredAuthServer, undefined, {
 									fetch: fetchImpl,
+									protectedResource: discoveredProtectedResource,
 								});
 								if (discovered) return discovered;
 							}

package/src/mcp/oauth-flow.ts

@@ -98,6 +98,23 @@ function resolveCallbackOptions(config: MCPOAuthConfig): OAuthCallbackFlowOption
 	};
 }
 
+function resolveResourceUri(resource: string | undefined): string | undefined {
+	const trimmed = resource?.trim();
+	if (!trimmed) return undefined;
+	if (trimmed !== resource) {
+		throw new Error("OAuth resource URI must not include surrounding whitespace");
+	}
+
+	const parsed = new URL(trimmed);
+	if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+		throw new Error("OAuth resource URI must use http or https");
+	}
+	if (parsed.hash) {
+		throw new Error("OAuth resource URI must not include a fragment");
+	}
+	return trimmed;
+}
+
 export interface MCPOAuthConfig {
 	/** Authorization endpoint URL */
 	authorizationUrl: string;
@@ -115,6 +132,8 @@ export interface MCPOAuthConfig {
 	callbackPort?: number;
 	/** Custom callback path (default: /callback or redirectUri pathname) */
 	callbackPath?: string;
+	/** MCP resource URI for RFC 8707 resource indicators */
+	resource?: string;
 	/** Fetch implementation for token exchange and discovery requests. */
 	fetch?: FetchImpl;
 }
@@ -128,6 +147,7 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 	#registeredClientSecret?: string;
 	#codeVerifier?: string;
 	#fetch: FetchImpl;
+	#resource?: string;
 
 	constructor(
 		private config: MCPOAuthConfig,
@@ -136,6 +156,9 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 		super(ctrl, resolveCallbackOptions(config));
 		this.#resolvedClientId = this.#resolveClientId(config);
 		this.#fetch = config.fetch ?? ctrl.fetch ?? fetch;
+		this.#resource = resolveResourceUri(
+			config.resource ?? this.#resourceFromAuthorizationUrl(config.authorizationUrl),
+		);
 	}
 
 	/**
@@ -157,6 +180,9 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 	get registeredClientSecret(): string | undefined {
 		return this.#registeredClientSecret;
 	}
+	get resource(): string | undefined {
+		return this.#resource;
+	}
 
 	async generateAuthUrl(state: string, redirectUri: string): Promise<{ url: string; instructions?: string }> {
 		if (!this.#resolvedClientId) {
@@ -176,6 +202,12 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 		if (this.config.scopes && !params.get("scope")) {
 			params.set("scope", this.config.scopes);
 		}
+		const existingResource = params.get("resource")?.trim();
+		if (existingResource) {
+			this.#resource = resolveResourceUri(existingResource);
+		} else if (this.#resource) {
+			params.set("resource", this.#resource);
+		}
 		params.set("redirect_uri", redirectUri);
 		params.set("state", state);
 
@@ -212,6 +244,9 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 		this.#codeVerifier = undefined;
 
 		// Add client secret if provided
+		if (this.#resource) {
+			params.set("resource", this.#resource);
+		}
 		const clientSecret = this.config.clientSecret ?? this.#registeredClientSecret;
 		if (clientSecret) {
 			params.set("client_secret", clientSecret);
@@ -285,6 +320,13 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 			return undefined;
 		}
 	}
+	#resourceFromAuthorizationUrl(authorizationUrl: string): string | undefined {
+		try {
+			return new URL(authorizationUrl).searchParams.get("resource") ?? undefined;
+		} catch {
+			return undefined;
+		}
+	}
 
 	/**
 	 * Try OAuth dynamic client registration when provider requires a client_id.
@@ -407,14 +449,18 @@ export async function refreshMCPOAuthToken(
 	refreshToken: string,
 	clientId?: string,
 	clientSecret?: string,
+	resourceOrOpts?: string | { fetch?: FetchImpl },
 	opts?: { fetch?: FetchImpl },
 ): Promise<OAuthCredentials> {
-	const fetchImpl: FetchImpl = opts?.fetch ?? fetch;
+	const fetchImpl: FetchImpl = (typeof resourceOrOpts === "string" ? opts?.fetch : resourceOrOpts?.fetch) ?? fetch;
+	const resource = typeof resourceOrOpts === "string" ? resourceOrOpts : undefined;
 	const params = new URLSearchParams({
 		grant_type: "refresh_token",
 		refresh_token: refreshToken,
 	});
 	if (clientId) params.set("client_id", clientId);
+	const resolvedResource = resolveResourceUri(resource);
+	if (resolvedResource) params.set("resource", resolvedResource);
 	if (clientSecret) params.set("client_secret", clientSecret);
 
 	const response = await fetchImpl(tokenUrl, {

package/src/mcp/transports/stdio.ts

@@ -25,6 +25,7 @@ import { isMCPTimeoutEnabled, resolveMCPTimeoutMs } from "../timeout";
 /** Subprocess argv for launching an MCP stdio server. */
 export interface StdioSpawnCommand {
 	cmd: string[];
+	windowsHide?: boolean;
 }
 
 /** Inputs used to resolve platform-specific stdio spawn behavior. */
@@ -153,6 +154,7 @@ export async function resolveStdioSpawnCommand(
 
 	return {
 		cmd: [resolveComSpec(options.env), "/d", "/s", "/c", buildCmdExeCommand(resolvedCommand, args)],
+		windowsHide: true,
 	};
 }
 
@@ -255,6 +257,7 @@ export class StdioTransport implements MCPTransport {
 			stdin: "pipe",
 			stdout: "pipe",
 			stderr: "pipe",
+			windowsHide: spawnCommand.windowsHide,
 		});
 
 		this.#connected = true;

package/src/mcp/types.ts

@@ -55,6 +55,8 @@ export interface MCPAuthConfig {
 	clientId?: string;
 	/** Client secret — persisted for token refresh */
 	clientSecret?: string;
+	/** MCP resource URI — persisted for OAuth resource indicators during refresh */
+	resource?: string;
 }
 
 /** Base server config with shared options */

package/src/memories/index.ts

@@ -11,6 +11,7 @@ import type { ModelRegistry } from "../config/model-registry";
 import { getModelMatchPreferences, resolveModelRoleValue } from "../config/model-resolver";
 import type { Settings } from "../config/settings";
 import consolidationTemplate from "../prompts/memories/consolidation.md" with { type: "text" };
+import consolidationSystemTemplate from "../prompts/memories/consolidation_system.md" with { type: "text" };
 import readPathTemplate from "../prompts/memories/read-path.md" with { type: "text" };
 import stageOneInputTemplate from "../prompts/memories/stage_one_input.md" with { type: "text" };
 import stageOneSystemTemplate from "../prompts/memories/stage_one_system.md" with { type: "text" };
@@ -752,6 +753,7 @@ async function runConsolidationModel(options: {
 	const response = await completeSimple(
 		model,
 		{
+			systemPrompt: [consolidationSystemTemplate],
 			messages: [{ role: "user", content: [{ type: "text", text: input }], timestamp: Date.now() }],
 		},
 		{

package/src/modes/acp/acp-agent.ts

@@ -56,7 +56,7 @@ import {
 } from "../../extensibility/extensions";
 import { runExtensionCompact } from "../../extensibility/extensions/compact-handler";
 import { getSessionSlashCommands } from "../../extensibility/extensions/get-commands-handler";
-import { buildSkillPromptMessage, getSkillSlashCommandName } from "../../extensibility/skills";
+import { buildSkillPromptMessage } from "../../extensibility/skills";
 import { loadSlashCommands } from "../../extensibility/slash-commands";
 import { resolveLocalUrlToPath } from "../../internal-urls";
 import { MCPManager } from "../../mcp/manager";
@@ -71,12 +71,8 @@ import {
 	type SessionInfo as StoredSessionInfo,
 	type UsageStatistics,
 } from "../../session/session-manager";
-import {
-	ACP_BUILTIN_RESERVED_NAMES,
-	ACP_BUILTIN_SLASH_COMMANDS,
-	executeAcpBuiltinSlashCommand,
-	isAcpBuiltinShadowedName,
-} from "../../slash-commands/acp-builtins";
+import { executeAcpBuiltinSlashCommand } from "../../slash-commands/acp-builtins";
+import { buildAvailableSlashCommands, toAcpAvailableCommands } from "../../slash-commands/available-commands";
 import { AUTO_THINKING, parseConfiguredThinkingLevel } from "../../thinking";
 import { normalizeLocalScheme } from "../../tools/path-utils";
 import { runResolveInvocation } from "../../tools/resolve";
@@ -1662,66 +1658,7 @@ export class AcpAgent implements Agent {
 	}
 
 	async #buildAvailableCommands(session: AgentSession): Promise<AvailableCommand[]> {
-		const commands: AvailableCommand[] = [];
-		const seenNames = new Set<string>();
-		const appendCommand = (command: AvailableCommand): void => {
-			if (seenNames.has(command.name)) {
-				return;
-			}
-			seenNames.add(command.name);
-			commands.push(command);
-		};
-
-		// Advertise in the order dispatch resolves them (mirrors AgentSession
-		// dispatch: builtins → skills → extensions → custom TS → file-based).
-		// `appendCommand` dedupes by name so earlier entries win; extension
-		// commands therefore correctly shadow custom TS commands of the same
-		// name, matching the runtime behaviour of #tryExecuteExtensionCommand
-		// running before #tryExecuteCustomCommand.
-		for (const command of ACP_BUILTIN_SLASH_COMMANDS) {
-			appendCommand(command);
-		}
-
-		if (session.skillsSettings?.enableSkillCommands) {
-			for (const skill of session.skills) {
-				appendCommand({
-					name: getSkillSlashCommandName(skill),
-					description: skill.description || `Run ${skill.name} skill`,
-					input: { hint: "arguments" },
-				});
-			}
-		}
-
-		for (const command of session.extensionRunner?.getRegisteredCommands(ACP_BUILTIN_RESERVED_NAMES) ?? []) {
-			// Reserved-set filtering in getRegisteredCommands only covers exact
-			// names; colon-namespaced names whose prefix is a builtin (e.g.
-			// `model:foo`) would still dispatch to the builtin in ACP.
-			if (isAcpBuiltinShadowedName(command.name)) {
-				continue;
-			}
-			appendCommand({
-				name: command.name,
-				description: command.description ?? "(extension command)",
-				input: { hint: "arguments" },
-			});
-		}
-
-		for (const command of session.customCommands) {
-			appendCommand({
-				name: command.command.name,
-				description: command.command.description,
-				input: { hint: "arguments" },
-			});
-		}
-
-		for (const command of await loadSlashCommands({ cwd: session.sessionManager.getCwd() })) {
-			appendCommand({
-				name: command.name,
-				description: command.description,
-			});
-		}
-
-		return commands;
+		return toAcpAvailableCommands(await buildAvailableSlashCommands(session));
 	}
 
 	#toSessionInfo(session: StoredSessionInfo): SessionInfo {

package/src/modes/components/assistant-message.ts

@@ -36,6 +36,16 @@ export class AssistantMessageComponent extends Container {
 	 * transcript keeps the error in history.
 	 */
 	#errorPinned = false;
+	/**
+	 * Monotonic content version reported to the transcript container via
+	 * {@link getTranscriptBlockVersion}. Bumped by {@link updateContent} — the
+	 * choke point every mutator funnels through, including the post-finalize
+	 * ones: `setErrorPinned(false)` restoring the inline error at the next
+	 * turn's `agent_start`, late tool-result images, async Kitty conversions,
+	 * and `setUsageInfo`. Without it, the container's committed-scrollback
+	 * bypass would replay this block's pre-mutation bytes forever.
+	 */
+	#blockVersion = 0;
 	/** Whether the last updateContent carried an in-flight streaming partial; such
 	 *  renders bypass the markdown module LRU (see Markdown.transientRenderCache). */
 	#lastUpdateTransient = false;
@@ -86,6 +96,10 @@ export class AssistantMessageComponent extends Container {
 		return this.#transcriptBlockFinalized;
 	}
 
+	getTranscriptBlockVersion(): number {
+		return this.#blockVersion;
+	}
+
 	markTranscriptBlockFinalized(): void {
 		this.#transcriptBlockFinalized = true;
 	}
@@ -215,6 +229,7 @@ export class AssistantMessageComponent extends Container {
 	}
 
 	updateContent(message: AssistantMessage, opts?: { transient?: boolean }): void {
+		this.#blockVersion++;
 		this.#lastMessage = message;
 		this.#lastUpdateTransient = opts?.transient === true;
 

package/src/modes/components/btw-panel.ts

@@ -73,7 +73,11 @@ export class BtwPanelComponent extends Container {
 		this.addChild(new Text(this.#footerLine(), 1, 0));
 		this.addChild(new Spacer(1));
 		this.addChild(new DynamicBorder(str => theme.fg("dim", str)));
-		this.#tui.requestRender();
+		// Component-scoped: a rebuild replaces only this panel's own children
+		// (streaming deltas arrive per token, and a full compose would re-walk
+		// the whole transcript each time). Before the panel is mounted the TUI
+		// cannot resolve it and falls back to a full compose on its own.
+		this.#tui.requestComponentRender(this);
 	}
 
 	#footerLine(): string {

package/src/modes/components/mcp-add-wizard.ts

@@ -57,6 +57,7 @@ export interface MCPAddWizardOAuthResult {
 	credentialId: string;
 	clientId?: string;
 	clientSecret?: string;
+	resource?: string;
 }
 
 interface WizardState {
@@ -71,6 +72,7 @@ interface WizardState {
 	oauthClientId: string;
 	oauthClientSecret: string;
 	oauthScopes: string;
+	oauthResource: string;
 	oauthCredentialId: string | null;
 	apiKey: string;
 	authLocation: AuthLocation | null;
@@ -101,6 +103,7 @@ export class MCPAddWizard extends Container {
 		oauthClientId: "",
 		oauthClientSecret: "",
 		oauthScopes: "",
+		oauthResource: "",
 		oauthCredentialId: null,
 		apiKey: "",
 		authLocation: null,
@@ -122,6 +125,7 @@ export class MCPAddWizard extends Container {
 				clientId: string,
 				clientSecret: string,
 				scopes: string,
+				resource?: string,
 		  ) => Promise<MCPAddWizardOAuthResult>)
 		| null = null;
 	#onTestConnectionCallback: ((config: MCPServerConfig) => Promise<void>) | null = null;
@@ -136,6 +140,7 @@ export class MCPAddWizard extends Container {
 			clientId: string,
 			clientSecret: string,
 			scopes: string,
+			resource?: string,
 		) => Promise<MCPAddWizardOAuthResult>,
 		onTestConnection?: (config: MCPServerConfig) => Promise<void>,
 		onRender?: () => void,
@@ -987,6 +992,7 @@ export class MCPAddWizard extends Container {
 					this.#state.oauthTokenUrl = oauth.tokenUrl;
 					this.#state.oauthClientId = oauth.clientId || "";
 					this.#state.oauthScopes = oauth.scopes || "";
+					this.#state.oauthResource = oauth.resource || (this.#state.transport === "stdio" ? "" : this.#state.url);
 					this.#state.authMethod = "oauth";
 
 					this.#contentContainer.clear();
@@ -1054,6 +1060,7 @@ export class MCPAddWizard extends Container {
 					type: "oauth",
 					credentialId: this.#state.oauthCredentialId,
 					tokenUrl: this.#state.oauthTokenUrl || undefined,
+					resource: this.#state.oauthResource || undefined,
 					clientId: this.#state.oauthClientId || undefined,
 					clientSecret: this.#state.oauthClientSecret || undefined,
 				};
@@ -1081,6 +1088,7 @@ export class MCPAddWizard extends Container {
 				type: "oauth",
 				credentialId: this.#state.oauthCredentialId,
 				tokenUrl: this.#state.oauthTokenUrl || undefined,
+				resource: this.#state.oauthResource || undefined,
 				clientId: this.#state.oauthClientId || undefined,
 				clientSecret: this.#state.oauthClientSecret || undefined,
 			};
@@ -1142,12 +1150,14 @@ export class MCPAddWizard extends Container {
 
 		try {
 			// Call OAuth handler
+			const oauthResource = this.#state.oauthResource || (this.#state.transport === "stdio" ? "" : this.#state.url);
 			const oauthResult = await this.#onOAuthCallback(
 				this.#state.oauthAuthUrl,
 				this.#state.oauthTokenUrl,
 				this.#state.oauthClientId,
 				this.#state.oauthClientSecret,
 				this.#state.oauthScopes,
+				oauthResource || undefined,
 			);
 
 			// Store credential ID + any dynamically-registered client credentials,
@@ -1155,6 +1165,7 @@ export class MCPAddWizard extends Container {
 			this.#state.oauthCredentialId = oauthResult.credentialId;
 			if (oauthResult.clientId) this.#state.oauthClientId = oauthResult.clientId;
 			if (oauthResult.clientSecret) this.#state.oauthClientSecret = oauthResult.clientSecret;
+			this.#state.oauthResource = oauthResult.resource ?? oauthResource;
 
 			// Show success message
 			this.#contentContainer.clear();
@@ -1284,6 +1295,7 @@ export class MCPAddWizard extends Container {
 					type: "oauth",
 					credentialId: this.#state.oauthCredentialId,
 					tokenUrl: this.#state.oauthTokenUrl || undefined,
+					resource: this.#state.oauthResource || undefined,
 					clientId: this.#state.oauthClientId || undefined,
 					clientSecret: this.#state.oauthClientSecret || undefined,
 				};
@@ -1312,6 +1324,7 @@ export class MCPAddWizard extends Container {
 				type: "oauth",
 				credentialId: this.#state.oauthCredentialId,
 				tokenUrl: this.#state.oauthTokenUrl || undefined,
+				resource: this.#state.oauthResource || undefined,
 				clientId: this.#state.oauthClientId || undefined,
 				clientSecret: this.#state.oauthClientSecret || undefined,
 			};