@oh-my-pi/pi-coding-agent 15.13.0 → 15.13.1

package/src/mcp/manager.ts

@@ -27,7 +27,12 @@ import {
 	unsubscribeFromResources,
 } from "./client";
 import { loadAllMCPConfigs, validateServerConfig } from "./config";
-import { refreshMCPOAuthToken } from "./oauth-flow";
+import {
+	lookupMcpOAuthCredential,
+	type MCPOAuthCredentialLookup,
+	selectMcpOAuthRefreshMaterial,
+} from "./oauth-credentials";
+import { type MCPStoredOAuthCredential, refreshMCPOAuthToken } from "./oauth-flow";
 import type { MCPToolDetails } from "./tool-bridge";
 import { DeferredMCPTool, MCPTool } from "./tool-bridge";
 import type { MCPToolCache } from "./tool-cache";
@@ -400,9 +405,15 @@ export class MCPManager {
 					}
 
 					// Wire auth refresh for HTTP transports so 401s trigger token refresh.
-					if (connection.transport instanceof HttpTransport && config.auth?.type === "oauth") {
+					// Gate on a resolvable managed credential, not on the auth block:
+					// definition-only configs (url-keyed fallback) get Bearer injection
+					// too and need the same mid-session refresh hook.
+					if (
+						connection.transport instanceof HttpTransport &&
+						lookupMcpOAuthCredential(this.#authStorage, config)
+					) {
 						connection.transport.onAuthError = async () => {
-							const refreshed = await this.#resolveAuthConfig(config, true);
+							const refreshed = await this.#resolveAuthConfig(config, { forceRefresh: true });
 							if (refreshed.type === "http" || refreshed.type === "sse") {
 								return refreshed.headers ?? null;
 							}
@@ -673,9 +684,11 @@ export class MCPManager {
 
 	/**
 	 * Resolve auth and shell-command substitutions in config before connecting.
+	 * Pass `oauth: false` to skip OAuth credential injection (used by reauth's
+	 * unauthenticated probe, which must observe the server's bare 401).
 	 */
-	async prepareConfig(config: MCPServerConfig): Promise<MCPServerConfig> {
-		return this.#resolveAuthConfig(config);
+	async prepareConfig(config: MCPServerConfig, options?: { oauth?: boolean }): Promise<MCPServerConfig> {
+		return this.#resolveAuthConfig(config, options);
 	}
 
 	/**
@@ -925,9 +938,10 @@ export class MCPManager {
 		this.#connections.set(name, connection);
 
 		// Wire auth refresh for HTTP transports, and reconnect for any transport.
-		if (connection.transport instanceof HttpTransport && config.auth?.type === "oauth") {
+		// Same gate as connectServers: any resolvable managed credential.
+		if (connection.transport instanceof HttpTransport && lookupMcpOAuthCredential(this.#authStorage, config)) {
 			connection.transport.onAuthError = async () => {
-				const refreshed = await this.#resolveAuthConfig(config, true);
+				const refreshed = await this.#resolveAuthConfig(config, { forceRefresh: true });
 				if (refreshed.type === "http" || refreshed.type === "sse") {
 					return refreshed.headers ?? null;
 				}
@@ -1169,78 +1183,101 @@ export class MCPManager {
 
 	/**
 	 * Resolve OAuth credentials and shell commands in config.
+	 * `oauth: false` skips credential injection (reauth's unauthenticated probe);
+	 * `forceRefresh` bypasses the expiry buffer (401/403 auth-error hook).
 	 */
-	async #resolveAuthConfig(config: MCPServerConfig, forceRefresh = false): Promise<MCPServerConfig> {
+	async #resolveAuthConfig(
+		config: MCPServerConfig,
+		opts?: { forceRefresh?: boolean; oauth?: boolean },
+	): Promise<MCPServerConfig> {
 		let resolved: MCPServerConfig = { ...config };
 
 		const auth = config.auth;
-		if (auth?.type === "oauth" && auth.credentialId && this.#authStorage) {
-			const credentialId = auth.credentialId;
+		const lookup: MCPOAuthCredentialLookup | undefined =
+			opts?.oauth !== false ? lookupMcpOAuthCredential(this.#authStorage, config) : undefined;
+		if (lookup && this.#authStorage) {
+			const { credentialId } = lookup;
 			try {
-				let credential = this.#authStorage.get(credentialId);
-				if (credential?.type === "oauth") {
-					// Proactive refresh: 5-minute buffer before expiry
-					// Force refresh: on 401/403 auth errors (revoked tokens, clock skew, missing expires)
-					const REFRESH_BUFFER_MS = 5 * 60_000;
-					const shouldRefresh =
-						forceRefresh || (credential.expires && Date.now() >= credential.expires - REFRESH_BUFFER_MS);
-					if (shouldRefresh && credential.refresh && auth.tokenUrl) {
-						const resource =
-							auth.resource ?? (config.type === "http" || config.type === "sse" ? config.url : undefined);
-						try {
-							const refreshed = await refreshMCPOAuthToken(
-								auth.tokenUrl,
-								credential.refresh,
-								auth.clientId,
-								auth.clientSecret,
-								resource,
-							);
-							const refreshedCredential = { type: "oauth" as const, ...refreshed };
-							await this.#authStorage.set(credentialId, refreshedCredential);
-							credential = refreshedCredential;
-						} catch (refreshError) {
-							const errorMsg = refreshError instanceof Error ? refreshError.message : String(refreshError);
-							if (isDefinitiveOAuthFailure(errorMsg)) {
-								// `invalid_grant` / `invalid_token` / 401 from the token endpoint means
-								// the server has retired this credential — keeping the stale access
-								// token would just re-fail with 401 on every MCP request and leave a
-								// poisoned row in agent.db that survives restarts. Drop it now so the
-								// next connect attempt surfaces a clean "needs reauth" failure and
-								// the user can recover with `/mcp reauth <server>` (or `/mcp unauth`
-								// to forget the server entirely).
-								logger.warn("MCP OAuth refresh failed definitively; cleared credential", {
-									credentialId,
-									error: errorMsg,
-								});
-								await this.#authStorage.remove(credentialId);
-								credential = undefined;
-							} else {
-								logger.warn("MCP OAuth refresh failed, using existing token", {
-									credentialId,
-									error: refreshError,
-								});
-							}
+				let credential: MCPStoredOAuthCredential | undefined = lookup.credential;
+				// Refresh material comes from ONE source: the credential's embedded
+				// fields (written atomically with the tokens they minted — tokenUrl
+				// always present) or, for legacy rows that predate embedding, the
+				// config auth block. Never mix the two: a shared file's auth block
+				// can belong to another profile, whose client the grant is NOT
+				// bound to.
+				const material = selectMcpOAuthRefreshMaterial(credential, auth);
+				const tokenUrl = material?.tokenUrl;
+				const clientId = material?.clientId;
+				const clientSecret = material?.clientSecret;
+				const resource =
+					material?.resource ?? (config.type === "http" || config.type === "sse" ? config.url : undefined);
+				// Proactive refresh: 5-minute buffer before expiry
+				// Force refresh: on 401/403 auth errors (revoked tokens, clock skew, missing expires)
+				const REFRESH_BUFFER_MS = 5 * 60_000;
+				const shouldRefresh =
+					opts?.forceRefresh || (credential.expires && Date.now() >= credential.expires - REFRESH_BUFFER_MS);
+				if (shouldRefresh && credential.refresh && tokenUrl) {
+					try {
+						const refreshed = await refreshMCPOAuthToken(
+							tokenUrl,
+							credential.refresh,
+							clientId,
+							clientSecret,
+							resource,
+						);
+						// Spread the old credential first so embedded refresh material survives rotation.
+						const refreshedCredential: MCPStoredOAuthCredential = {
+							...credential,
+							...refreshed,
+							tokenUrl,
+							clientId,
+							clientSecret,
+							resource,
+						};
+						await this.#authStorage.set(credentialId, refreshedCredential);
+						credential = refreshedCredential;
+					} catch (refreshError) {
+						const errorMsg = refreshError instanceof Error ? refreshError.message : String(refreshError);
+						if (isDefinitiveOAuthFailure(errorMsg)) {
+							// `invalid_grant` / `invalid_token` / 401 from the token endpoint means
+							// the server has retired this credential — keeping the stale access
+							// token would just re-fail with 401 on every MCP request and leave a
+							// poisoned row in agent.db that survives restarts. Drop it now so the
+							// next connect attempt surfaces a clean "needs reauth" failure and
+							// the user can recover with `/mcp reauth <server>` (or `/mcp unauth`
+							// to forget the server entirely).
+							logger.warn("MCP OAuth refresh failed definitively; cleared credential", {
+								credentialId,
+								error: errorMsg,
+							});
+							await this.#authStorage.remove(credentialId);
+							credential = undefined;
+						} else {
+							logger.warn("MCP OAuth refresh failed, using existing token", {
+								credentialId,
+								error: refreshError,
+							});
 						}
 					}
+				}
 
-					if (credential?.type === "oauth") {
-						if (resolved.type === "http" || resolved.type === "sse") {
-							resolved = {
-								...resolved,
-								headers: {
-									...resolved.headers,
-									Authorization: `Bearer ${credential.access}`,
-								},
-							};
-						} else {
-							resolved = {
-								...resolved,
-								env: {
-									...resolved.env,
-									OAUTH_ACCESS_TOKEN: credential.access,
-								},
-							};
-						}
+				if (credential) {
+					if (resolved.type === "http" || resolved.type === "sse") {
+						resolved = {
+							...resolved,
+							headers: {
+								...resolved.headers,
+								Authorization: `Bearer ${credential.access}`,
+							},
+						};
+					} else {
+						resolved = {
+							...resolved,
+							env: {
+								...resolved.env,
+								OAUTH_ACCESS_TOKEN: credential.access,
+							},
+						};
 					}
 				}
 			} catch (error) {

package/src/mcp/oauth-credentials.ts

@@ -0,0 +1,104 @@
+import { getActiveProfile } from "@oh-my-pi/pi-utils/dirs";
+import { expandEnvVarsDeep } from "../discovery/helpers";
+import type { AuthStorage } from "../session/auth-storage";
+import {
+	isManagedMCPOAuthCredentialId,
+	type MCPStoredOAuthCredential,
+	mcpOAuthCredentialId,
+	mcpOAuthCredentialProfile,
+} from "./oauth-flow";
+import type { MCPAuthConfig, MCPServerConfig } from "./types";
+
+export interface MCPOAuthCredentialLookup {
+	credentialId: string;
+	credential: MCPStoredOAuthCredential;
+}
+
+export type MCPOAuthRefreshMaterial = MCPStoredOAuthCredential | MCPAuthConfig | undefined;
+
+export function mcpOAuthCredentialIdsForServerUrl(serverUrl: string | undefined): string[] {
+	if (!serverUrl) return [];
+	const ids: string[] = [];
+	for (const url of [expandEnvVarsDeep(serverUrl), serverUrl]) {
+		const id = mcpOAuthCredentialId(url);
+		if (!ids.includes(id)) ids.push(id);
+	}
+	return ids;
+}
+
+export function hasMcpAuthorizationHeader(config: MCPServerConfig): boolean {
+	if (config.type !== "http" && config.type !== "sse") return false;
+	return Object.keys(config.headers ?? {}).some(header => header.toLowerCase() === "authorization");
+}
+
+export function lookupMcpOAuthCredentialForServer(
+	authStorage: AuthStorage | null | undefined,
+	auth: MCPAuthConfig | undefined,
+	serverUrl: string | undefined,
+	options: { allowUrlKeyedFallback?: boolean } = {},
+): MCPOAuthCredentialLookup | undefined {
+	if (!authStorage) return undefined;
+	if (auth && auth.type !== "oauth") return undefined;
+	const urlKeyedCredentialIds = mcpOAuthCredentialIdsForServerUrl(serverUrl);
+	if (
+		auth?.credentialId &&
+		(!auth.credentialId.startsWith("mcp_oauth:profile:") || urlKeyedCredentialIds.includes(auth.credentialId))
+	) {
+		const credential = authStorage.get(auth.credentialId);
+		if (credential?.type === "oauth") {
+			return { credentialId: auth.credentialId, credential };
+		}
+	}
+	if (options.allowUrlKeyedFallback === false) return undefined;
+	for (const credentialId of urlKeyedCredentialIds) {
+		const credential = authStorage.get(credentialId);
+		if (credential?.type === "oauth") {
+			return { credentialId, credential };
+		}
+	}
+	return undefined;
+}
+
+export function lookupMcpOAuthCredential(
+	authStorage: AuthStorage | null | undefined,
+	config: MCPServerConfig,
+): MCPOAuthCredentialLookup | undefined {
+	const auth = config.auth;
+	if (config.type !== "http" && config.type !== "sse") {
+		return lookupMcpOAuthCredentialForServer(authStorage, auth, undefined);
+	}
+	if (hasMcpAuthorizationHeader(config)) {
+		return lookupMcpOAuthCredentialForServer(authStorage, auth, config.url, { allowUrlKeyedFallback: false });
+	}
+	return lookupMcpOAuthCredentialForServer(authStorage, auth, config.url);
+}
+
+export function selectMcpOAuthRefreshMaterial(
+	credential: MCPStoredOAuthCredential,
+	auth: MCPAuthConfig | undefined,
+): MCPOAuthRefreshMaterial {
+	return credential.tokenUrl ? credential : auth;
+}
+
+export async function removeManagedMcpOAuthCredential(
+	authStorage: AuthStorage,
+	credentialId: string | undefined,
+): Promise<boolean> {
+	if (!isManagedMCPOAuthCredentialId(credentialId)) return false;
+	const scopedProfile = mcpOAuthCredentialProfile(credentialId);
+	if (scopedProfile !== undefined && scopedProfile !== (getActiveProfile() ?? "default")) return false;
+	if (authStorage.get(credentialId)?.type !== "oauth") return false;
+	await authStorage.remove(credentialId);
+	return true;
+}
+
+export async function removeManagedMcpOAuthCredentials(
+	authStorage: AuthStorage,
+	credentialIds: readonly (string | undefined)[],
+): Promise<boolean> {
+	let removed = false;
+	for (const credentialId of credentialIds) {
+		removed = (await removeManagedMcpOAuthCredential(authStorage, credentialId)) || removed;
+	}
+	return removed;
+}

package/src/mcp/oauth-flow.ts

@@ -9,6 +9,60 @@ import type { OAuthCallbackFlowOptions } from "@oh-my-pi/pi-ai/oauth/callback-se
 import { OAuthCallbackFlow } from "@oh-my-pi/pi-ai/oauth/callback-server";
 import type { OAuthController, OAuthCredentials } from "@oh-my-pi/pi-ai/oauth/types";
 import type { FetchImpl } from "@oh-my-pi/pi-ai/types";
+import { getActiveProfile } from "@oh-my-pi/pi-utils/dirs";
+import type { OAuthCredential } from "../session/auth-storage";
+
+/** Credential-id prefix for OMP-managed MCP OAuth credentials keyed by profile and server URL. */
+const MCP_OAUTH_URL_CREDENTIAL_PREFIX = "mcp_oauth:";
+
+/** Credential-id prefix for profile-scoped MCP OAuth credentials (`mcp_oauth:profile:<profile>:<serverUrl>`). */
+const MCP_OAUTH_PROFILE_CREDENTIAL_PREFIX = `${MCP_OAUTH_URL_CREDENTIAL_PREFIX}profile:`;
+
+/**
+ * Deterministic credential id for an MCP server URL scoped to an OMP profile.
+ *
+ * Local profile stores are already separate, but auth-broker storage shares one
+ * provider namespace across profiles. Including the profile in the provider key
+ * keeps a shared project `mcp.json` definition from making profile B overwrite
+ * or read profile A's OAuth row for the same server URL. The URL is used
+ * verbatim (query string included) because it can carry tenant selectors such
+ * as `?project_ref=`.
+ */
+export function mcpOAuthCredentialId(serverUrl: string, profile: string | undefined = getActiveProfile()): string {
+	return `${MCP_OAUTH_PROFILE_CREDENTIAL_PREFIX}${profile ?? "default"}:${serverUrl}`;
+}
+
+/** Whether a credential id was minted by OMP's MCP OAuth flows (either era). */
+export function isManagedMCPOAuthCredentialId(credentialId: string | undefined): credentialId is string {
+	return (
+		!!credentialId &&
+		(credentialId.startsWith("mcp_oauth_") || credentialId.startsWith(MCP_OAUTH_URL_CREDENTIAL_PREFIX))
+	);
+}
+
+/**
+ * Profile segment of a profile-scoped `mcp_oauth:profile:<profile>:<serverUrl>`
+ * credential id, or `undefined` for legacy non-profile-scoped managed ids
+ * (`mcp_oauth:<url>`, `mcp_oauth_<rand>`). The server URL itself contains `:`
+ * and `/`, so only the segment between the prefix and the FIRST subsequent `:`
+ * is the profile; everything after it is the URL.
+ */
+export function mcpOAuthCredentialProfile(credentialId: string): string | undefined {
+	if (!credentialId.startsWith(MCP_OAUTH_PROFILE_CREDENTIAL_PREFIX)) return undefined;
+	const separator = credentialId.indexOf(":", MCP_OAUTH_PROFILE_CREDENTIAL_PREFIX.length);
+	return separator === -1 ? undefined : credentialId.slice(MCP_OAUTH_PROFILE_CREDENTIAL_PREFIX.length, separator);
+}
+
+/**
+ * Stored MCP OAuth credential. Refresh material is embedded so token refresh
+ * works without any `auth` block persisted in (possibly shared) config files.
+ */
+export interface MCPStoredOAuthCredential extends OAuthCredential {
+	tokenUrl?: string;
+	clientId?: string;
+	clientSecret?: string;
+	resource?: string;
+}
 
 const DEFAULT_PORT = 3000;
 const CALLBACK_PATH = "/callback";
@@ -126,6 +180,15 @@ export interface MCPOAuthConfig {
 	clientSecret?: string;
 	/** OAuth scopes (space-separated) */
 	scopes?: string;
+	/**
+	 * `prompt` parameter for the authorization request. Defaults to `"consent"`
+	 * so the provider always shows its authorize screen instead of silently
+	 * re-approving the browser's current session — without it, reauthorizing to
+	 * switch accounts/workspaces is impossible once a session cookie exists
+	 * (RFC 6749 §3.1 requires servers to ignore the param when unsupported).
+	 * Set to `""` to omit the parameter entirely.
+	 */
+	prompt?: string;
 	/** Exact redirect URI to advertise to the provider */
 	redirectUri?: string;
 	/** Custom callback port (default: 3000) */
@@ -202,6 +265,10 @@ export class MCPOAuthFlow extends OAuthCallbackFlow {
 		if (this.config.scopes && !params.get("scope")) {
 			params.set("scope", this.config.scopes);
 		}
+		const prompt = this.config.prompt ?? "consent";
+		if (prompt && !params.get("prompt")) {
+			params.set("prompt", prompt);
+		}
 		const existingResource = params.get("resource")?.trim();
 		if (existingResource) {
 			this.#resource = resolveResourceUri(existingResource);

package/src/mcp/types.ts

@@ -74,6 +74,8 @@ interface MCPServerConfigBase {
 		redirectUri?: string;
 		callbackPort?: number;
 		callbackPath?: string;
+		/** `prompt` param for the authorization request (default "consent"; "" to omit) */
+		prompt?: string;
 	};
 }
 

package/src/modes/components/agent-hub.ts

@@ -28,6 +28,7 @@ import { AgentLifecycleManager } from "../../registry/agent-lifecycle";
 import { type AgentRef, AgentRegistry, type AgentStatus, MAIN_AGENT_ID } from "../../registry/agent-registry";
 import type { AgentSession } from "../../session/agent-session";
 import {
+	BACKGROUND_TAN_DISPATCH_MESSAGE_TYPE,
 	type CustomMessage,
 	isSilentAbort,
 	LSP_LATE_DIAGNOSTIC_MESSAGE_TYPE,
@@ -45,6 +46,7 @@ import type { ObservableSession, SessionObserverRegistry } from "../session-obse
 import { getEditorTheme, theme } from "../theme/theme";
 import { matchesSelectDown, matchesSelectUp } from "../utils/keybinding-matchers";
 import { AssistantMessageComponent } from "./assistant-message";
+import { createBackgroundTanDispatchBlock } from "./background-tan-message";
 import { BashExecutionComponent } from "./bash-execution";
 import { BranchSummaryMessageComponent } from "./branch-summary-message";
 import { CollabPromptMessageComponent } from "./collab-prompt-message";
@@ -1215,6 +1217,10 @@ export class AgentHubOverlayComponent extends Container {
 			this.#chatLog.addChild(card);
 			return;
 		}
+		if (message.customType === BACKGROUND_TAN_DISPATCH_MESSAGE_TYPE) {
+			this.#chatLog.addChild(createBackgroundTanDispatchBlock(message as CustomMessage<unknown>));
+			return;
+		}
 		const handoffComponent = createHandoffSummaryMessageComponent(
 			message as CustomMessage<unknown>,
 			this.#chatExpanded,

package/src/modes/components/background-tan-message.ts

@@ -0,0 +1,36 @@
+import { Text } from "@oh-my-pi/pi-tui";
+import type { BackgroundTanDispatchDetails, CustomMessage } from "../../session/messages";
+import { replaceTabs } from "../../tools/render-utils";
+import { theme } from "../theme/theme";
+import { TranscriptBlock } from "./transcript-container";
+
+const TAN_WORK_PREVIEW_LENGTH = 56;
+
+function previewWork(work: string): string {
+	const singleLine = replaceTabs(work).trim().replace(/\s+/g, " ");
+	if (singleLine.length <= TAN_WORK_PREVIEW_LENGTH) return singleLine;
+	return `${singleLine.slice(0, TAN_WORK_PREVIEW_LENGTH - 1)}…`;
+}
+
+/**
+ * Single-line transcript pill for a `/tan` background-dispatch breadcrumb,
+ * styled as a sibling of the "Background job completed" line. The full
+ * system-notice content (the persisted `content`) is for the model only — the
+ * user sees one compact line, not the raw `<system-notice>` block.
+ */
+export function createBackgroundTanDispatchBlock(message: CustomMessage<unknown>): TranscriptBlock {
+	const details = (message as CustomMessage<Partial<BackgroundTanDispatchDetails>>).details;
+	const jobId = details?.jobId ?? "unknown";
+	const work = details?.work ? previewWork(details.work) : undefined;
+	const line = [
+		theme.fg("muted", `${theme.icon.output} Tangent dispatched`),
+		theme.fg("dim", "[task]"),
+		theme.fg("accent", jobId),
+		work ? theme.fg("dim", `${theme.format.dash} ${work}`) : undefined,
+	]
+		.filter(Boolean)
+		.join(" ");
+	const block = new TranscriptBlock();
+	block.addChild(new Text(line, 1, 0));
+	return block;
+}

package/src/modes/components/mcp-add-wizard.ts

@@ -49,14 +49,19 @@ type WizardStep =
 
 /**
  * Result of the wizard's OAuth callback. `credentialId` is mandatory;
- * `clientId`/`clientSecret` are populated when the OAuth provider performed
- * dynamic client registration (or when the caller pre-supplied them) so the
- * wizard can fold them into the final `mcp.json` entry for refresh.
+ * `clientId` is populated when the OAuth provider performed dynamic client
+ * registration (or when the caller pre-supplied it) so the wizard can fold it
+ * into the final `mcp.json` entry. Refresh material (including any DCR client
+ * secret) is embedded in the stored credential, never written to config files.
  */
 export interface MCPAddWizardOAuthResult {
 	credentialId: string;
 	clientId?: string;
-	clientSecret?: string;
+	resource?: string;
+}
+
+interface MCPAddWizardOAuthOptions {
+	serverUrl?: string;
 	resource?: string;
 }
 
@@ -125,7 +130,7 @@ export class MCPAddWizard extends Container {
 				clientId: string,
 				clientSecret: string,
 				scopes: string,
-				resource?: string,
+				options?: MCPAddWizardOAuthOptions,
 		  ) => Promise<MCPAddWizardOAuthResult>)
 		| null = null;
 	#onTestConnectionCallback: ((config: MCPServerConfig) => Promise<void>) | null = null;
@@ -140,7 +145,7 @@ export class MCPAddWizard extends Container {
 			clientId: string,
 			clientSecret: string,
 			scopes: string,
-			resource?: string,
+			options?: MCPAddWizardOAuthOptions,
 		) => Promise<MCPAddWizardOAuthResult>,
 		onTestConnection?: (config: MCPServerConfig) => Promise<void>,
 		onRender?: () => void,
@@ -1157,14 +1162,16 @@ export class MCPAddWizard extends Container {
 				this.#state.oauthClientId,
 				this.#state.oauthClientSecret,
 				this.#state.oauthScopes,
-				oauthResource || undefined,
+				{
+					serverUrl: this.#state.url || undefined,
+					resource: oauthResource || undefined,
+				},
 			);
 
-			// Store credential ID + any dynamically-registered client credentials,
-			// so the final mcp.json entry persists everything needed for refresh.
+			// Store credential ID + any dynamically-registered client id. DCR client
+			// secrets stay embedded in the stored credential, never in mcp.json.
 			this.#state.oauthCredentialId = oauthResult.credentialId;
 			if (oauthResult.clientId) this.#state.oauthClientId = oauthResult.clientId;
-			if (oauthResult.clientSecret) this.#state.oauthClientSecret = oauthResult.clientSecret;
 			this.#state.oauthResource = oauthResult.resource ?? oauthResource;
 
 			// Show success message

package/src/modes/components/model-selector.ts

@@ -936,7 +936,8 @@ export class ModelSelectorComponent extends Container {
 			// Build role badges. Solid badges are configured; outlined badges are auto-selected defaults.
 			const roleBadgeTokens: string[] = [];
 			for (const role of MODEL_ROLE_IDS) {
-				const { tag, color } = getRoleInfo(role, this.#settings);
+				const { tag, color, hidden } = getRoleInfo(role, this.#settings);
+				if (hidden) continue;
 				const assigned = this.#roles[role];
 				if (!tag || !assigned || !modelsAreEqual(assigned.model, item.model)) continue;
 
@@ -1053,6 +1054,10 @@ export class ModelSelectorComponent extends Container {
 		this.#menuStep = "role";
 		this.#menuSelectedRole = null;
 		this.#menuSelectedIndex = 0;
+		// Collapse the model list while the action/thinking menu is open so the
+		// menu owns the full viewport instead of stacking below a now-irrelevant
+		// (and often off-screen) list.
+		this.#listContainer.clear();
 		this.#updateMenu();
 	}
 
@@ -1061,6 +1066,8 @@ export class ModelSelectorComponent extends Container {
 		this.#menuStep = "role";
 		this.#menuSelectedRole = null;
 		this.#menuContainer.clear();
+		// Restore the model list that #openMenu collapsed.
+		this.#updateList();
 	}
 
 	#updateMenu(): void {
@@ -1088,11 +1095,21 @@ export class ModelSelectorComponent extends Container {
 				? `  Thinking for: ${selectedRoleName} (${selectedItem.id})`
 				: `  Action for: ${selectedItem.id}`;
 		const hintText = showingThinking ? "  Enter: confirm  Esc: back" : "  Enter: continue  Esc: cancel";
-		const menuWidth = Math.max(
+		// Window the option list so a long action/thinking menu scrolls inside the
+		// viewport instead of running off the bottom of the screen.
+		const maxVisible = this.#getMenuVisibleCount(optionLines.length);
+		const needsScroll = optionLines.length > maxVisible;
+		const startIndex = needsScroll
+			? Math.max(0, Math.min(this.#menuSelectedIndex - Math.floor(maxVisible / 2), optionLines.length - maxVisible))
+			: 0;
+		const endIndex = needsScroll ? startIndex + maxVisible : optionLines.length;
+		const contentWidth = Math.max(
 			visibleWidth(headerText),
 			visibleWidth(hintText),
 			...optionLines.map(line => visibleWidth(line)),
 		);
+		// Reserve one column for the scrollbar when the list overflows.
+		const menuWidth = contentWidth + (needsScroll ? 1 : 0);
 
 		this.#menuContainer.addChild(new Spacer(1));
 		this.#menuContainer.addChild(new Text(theme.fg("border", theme.boxSharp.horizontal.repeat(menuWidth)), 0, 0));
@@ -1109,12 +1126,28 @@ export class ModelSelectorComponent extends Container {
 		}
 		this.#menuContainer.addChild(new Spacer(1));
 
-		for (let i = 0; i < optionLines.length; i++) {
+		const visibleRows: string[] = [];
+		for (let i = startIndex; i < endIndex; i++) {
 			const lineText = optionLines[i];
-			if (!lineText) continue;
+			if (lineText === undefined) continue;
 			const isSelected = i === this.#menuSelectedIndex;
-			const line = isSelected ? theme.fg("accent", lineText) : theme.fg("muted", lineText);
-			this.#menuContainer.addChild(new Text(line, 0, 0));
+			visibleRows.push(isSelected ? theme.fg("accent", lineText) : theme.fg("muted", lineText));
+		}
+		if (needsScroll) {
+			const sv = new ScrollView(visibleRows, {
+				height: visibleRows.length,
+				scrollbar: "auto",
+				totalRows: optionLines.length,
+				theme: { track: t => theme.fg("muted", t), thumb: t => theme.fg("accent", t) },
+			});
+			sv.setScrollOffset(startIndex);
+			for (const row of sv.render(menuWidth)) {
+				this.#menuContainer.addChild(new Text(row, 0, 0));
+			}
+		} else {
+			for (const row of visibleRows) {
+				this.#menuContainer.addChild(new Text(row, 0, 0));
+			}
 		}
 
 		this.#menuContainer.addChild(new Spacer(1));
@@ -1122,6 +1155,17 @@ export class ModelSelectorComponent extends Container {
 		this.#menuContainer.addChild(new Text(theme.fg("border", theme.boxSharp.horizontal.repeat(menuWidth)), 0, 0));
 	}
 
+	#getMenuVisibleCount(optionCount: number): number {
+		// Rows the selector chrome and the menu's own header/hint/borders/spacers
+		// consume, leaving the remainder of the viewport for the scrollable option
+		// window. Without a known terminal height (e.g. tests) show every option.
+		const MENU_CHROME_ROWS = 19;
+		const MIN_VISIBLE_OPTIONS = 4;
+		const terminalRows = this.#tui.terminal?.rows ?? 0;
+		if (!Number.isFinite(terminalRows) || terminalRows <= 0) return optionCount;
+		return Math.max(MIN_VISIBLE_OPTIONS, Math.min(optionCount, terminalRows - MENU_CHROME_ROWS));
+	}
+
 	handleInput(keyData: string): void {
 		if (this.#isMenuOpen) {
 			this.#handleMenuInput(keyData);