@stigmer/react 0.0.79 → 0.0.81

package/src/mcp-server/McpServerDetailView.tsx

@@ -10,7 +10,7 @@ import type {
 } from "@stigmer/protos/ai/stigmer/agentic/mcpserver/v1/status_pb";
 import type { ToolApprovalPolicy, McpServerSpec } from "@stigmer/protos/ai/stigmer/agentic/mcpserver/v1/spec_pb";
 import { ValidationState } from "@stigmer/protos/ai/stigmer/agentic/mcpserver/v1/status_pb";
-import type { EnvironmentValue } from "@stigmer/protos/ai/stigmer/agentic/environment/v1/spec_pb";
+import type { EnvVarDeclaration } from "@stigmer/protos/ai/stigmer/agentic/environment/v1/spec_pb";
 import { ApiResourceVisibility } from "@stigmer/protos/ai/stigmer/commons/apiresource/enum_pb";
 import { useMcpServer } from "./useMcpServer";
 import { useMcpServerConnect } from "./useMcpServerConnect";
@@ -73,6 +73,13 @@ export interface McpServerDetailViewProps {
   readonly credentialPoolValues?: (
     key: string,
   ) => import("@stigmer/sdk").EnvVarInput | undefined;
+  /**
+   * The authenticated user's active organization slug.
+   * Used for OAuth token storage — tokens are stored in the user's personal
+   * environment within this org, not the MCP server's org.
+   * When omitted, falls back to the `org` prop (MCP server's org).
+   */
+  readonly activeOrg?: string;
   /** Additional CSS classes for the root container. */
   readonly className?: string;
 }
@@ -110,6 +117,7 @@ export function McpServerDetailView({
   defaultCapabilityTab = "tools",
   defaultShowCredentialForm = false,
   credentialPoolValues,
+  activeOrg,
   className,
 }: McpServerDetailViewProps) {
   const { mcpServer, isLoading, error, refetch } = useMcpServer(org, slug);
@@ -132,8 +140,9 @@ export function McpServerDetailView({
   const handleOAuthSignIn = useCallback(async () => {
     if (!mcpServer?.metadata?.id) return;
 
+    const envKeys = Object.keys(mcpServer.spec?.env ?? {});
     try {
-      await oauth.startOAuth(mcpServer.metadata.id, org);
+      await oauth.startOAuth(mcpServer.metadata.id, activeOrg ?? org, envKeys);
       credentials.refetch();
       refetch();
     } catch {
@@ -154,8 +163,9 @@ export function McpServerDetailView({
       return;
     }
 
+    const envKeys = Object.keys(mcpServer.spec?.env ?? {});
     try {
-      await connection.connect(mcpServer.metadata.id);
+      await connection.connect(mcpServer.metadata.id, activeOrg ?? org, undefined, envKeys);
       refetch();
     } catch {
       // error state is managed by the hook
@@ -176,10 +186,12 @@ export function McpServerDetailView({
         setShowCredentialForm(false);
 
         if (mcpServer?.metadata?.id) {
+          const envKeys = Object.keys(mcpServer.spec?.env ?? {});
+          const connectOrg = activeOrg ?? org;
           if (options.saveForFuture) {
-            await connection.connect(mcpServer.metadata.id);
+            await connection.connect(mcpServer.metadata.id, connectOrg, undefined, envKeys);
           } else {
-            await connection.connect(mcpServer.metadata.id, values);
+            await connection.connect(mcpServer.metadata.id, connectOrg, values, envKeys);
           }
           refetch();
         }
@@ -258,9 +270,9 @@ export function McpServerDetailView({
         <ServerConfigSection serverType={spec.serverType} />
       )}
 
-      {spec?.envSpec && Object.keys(spec.envSpec.data).length > 0 && (
-        <EnvSpecSection
-          data={spec.envSpec.data}
+      {spec?.env && Object.keys(spec.env).length > 0 && (
+        <EnvSection
+          data={spec.env}
           oauthTargetEnvVar={credentials.oauthTargetEnvVar}
         />
       )}
@@ -278,6 +290,7 @@ export function McpServerDetailView({
           oauthPhase={oauth.phase}
           authMode={credentials.authMode}
           isOAuthConnected={credentials.isOAuthConnected}
+          accessTokenExpiresAt={credentials.accessTokenExpiresAt}
           tokenLifetimeHint={credentials.tokenLifetimeHint}
         />
 
@@ -346,6 +359,7 @@ function ConnectBar({
   oauthPhase,
   authMode,
   isOAuthConnected,
+  accessTokenExpiresAt,
   tokenLifetimeHint,
 }: {
   readonly isConnecting: boolean;
@@ -359,6 +373,7 @@ function ConnectBar({
   readonly oauthPhase: OAuthConnectPhase;
   readonly authMode: "manual" | "oauth";
   readonly isOAuthConnected: boolean;
+  readonly accessTokenExpiresAt: bigint;
   readonly tokenLifetimeHint: string | null;
 }) {
   const isOAuthBusy =
@@ -384,6 +399,8 @@ function ConnectBar({
 
   const statusText = (() => {
     if (authMode === "oauth" && isOAuthConnected) {
+      const expiryLabel = formatTokenExpiry(accessTokenExpiresAt);
+      if (expiryLabel) return `Tokens refresh automatically \u00B7 ${expiryLabel}`;
       const hint = tokenLifetimeHint && tokenLifetimeHint !== "never"
         ? ` \u00B7 Session lasts ~${tokenLifetimeHint}`
         : "";
@@ -480,6 +497,20 @@ function formatConnectionSummary(toolCount: number, policyCount: number): string
   return `${toolLabel}, ${policyLabel}`;
 }
 
+function formatTokenExpiry(expiresAtSeconds: bigint): string | null {
+  if (expiresAtSeconds === BigInt(0)) return null;
+  const nowSeconds = BigInt(Math.floor(Date.now() / 1000));
+  const remainingSeconds = expiresAtSeconds - nowSeconds;
+  if (remainingSeconds <= BigInt(0)) return "Token expired";
+  const minutes = Number(remainingSeconds / BigInt(60));
+  if (minutes < 1) return "Expires in <1 min";
+  if (minutes < 60) return `Expires in ${minutes} min`;
+  const hours = Math.floor(minutes / 60);
+  if (hours < 24) return `Expires in ${hours}h ${minutes % 60}m`;
+  const days = Math.floor(hours / 24);
+  return `Expires in ${days}d`;
+}
+
 // ---------------------------------------------------------------------------
 // Internal section components
 // ---------------------------------------------------------------------------
@@ -760,11 +791,11 @@ function ResourceTemplatesList({
   );
 }
 
-function EnvSpecSection({
+function EnvSection({
   data,
   oauthTargetEnvVar,
 }: {
-  readonly data: { [key: string]: EnvironmentValue };
+  readonly data: { [key: string]: EnvVarDeclaration };
   readonly oauthTargetEnvVar: string | null;
 }) {
   const entries = Object.entries(data).sort(([a], [b]) =>
@@ -789,6 +820,11 @@ function EnvSpecSection({
                   oauth
                 </span>
               )}
+              {env.optional && (
+                <span className="shrink-0 rounded bg-muted px-1.5 py-0.5 text-[10px] font-medium text-muted-foreground/70">
+                  optional
+                </span>
+              )}
               {env.description && (
                 <span className="text-xs text-muted-foreground">
                   {env.description}

package/src/mcp-server/McpServerPicker.tsx

@@ -155,6 +155,13 @@ export interface McpServerPickerProps {
    * pre-populated.
    */
   readonly poolValues?: (key: string) => EnvVarInput | undefined;
+  /**
+   * The authenticated user's active organization slug.
+   * Used for OAuth token storage — tokens are stored in the user's personal
+   * environment within this org, not the MCP server's org.
+   * When omitted, falls back to the `org` prop.
+   */
+  readonly activeOrg?: string;
 }
 
 // ---------------------------------------------------------------------------
@@ -250,6 +257,7 @@ export function McpServerPicker({
   setup,
   initialServerKey,
   poolValues,
+  activeOrg,
 }: McpServerPickerProps) {
   const instanceId = useId();
   const listId = `${instanceId}-list`;
@@ -408,7 +416,7 @@ export function McpServerPicker({
           onSignIn: async () => {
             if (!entry.mcpServer.metadata?.id) return;
             try {
-              await oauth.startOAuth(entry.mcpServer.metadata.id, org);
+              await oauth.startOAuth(entry.mcpServer.metadata.id, activeOrg ?? org);
               setup.onServerAdded(ref);
             } catch {
               // error state managed by oauth hook

package/src/mcp-server/index.ts

@@ -19,6 +19,9 @@ export type {
 export { useMcpServer } from "./useMcpServer";
 export type { UseMcpServerReturn } from "./useMcpServer";
 
+export { useOAuthGrantStatus } from "./useOAuthGrantStatus";
+export type { UseOAuthGrantStatusReturn } from "./useOAuthGrantStatus";
+
 export { McpServerPicker } from "./McpServerPicker";
 export type {
   McpServerPickerProps,

package/src/mcp-server/mcpServerSetupReducer.ts

@@ -35,15 +35,15 @@ export function toServerKey(ref: ResourceRef): string {
  *
  * Phases:
  * - `"loading"` — Fetching the full `McpServer` resource (spec + status).
- * - `"needsSetup"` — The server has an `env_spec` with variables missing
- *   from the user's personal environment. The UI should present a
- *   credential collection form.
+ * - `"needsSetup"` — The server has `env` declarations with variables
+ *   missing from the user's personal environment. The UI should present
+ *   a credential collection form.
  * - `"submitting"` — Environment variables are being persisted (save path)
  *   or collected (one-time path). The UI should show a loading indicator
  *   on the submit button.
  * - `"ready"` — The server is fully configured and ready for session
  *   creation. Carries the effective `enabledTools` list. Covers both
- *   the "no env_spec needed" and "env vars resolved" cases.
+ *   the "no env needed" and "env vars resolved" cases.
  */
 export type McpServerSetupPhase =
   | {

package/src/mcp-server/useMcpServerConnect.ts

@@ -6,7 +6,7 @@ import type { McpServer } from "@stigmer/protos/ai/stigmer/agentic/mcpserver/v1/
 import { ConnectInputSchema } from "@stigmer/protos/ai/stigmer/agentic/mcpserver/v1/io_pb";
 import type { EnvVarInput } from "@stigmer/sdk";
 import { useStigmer } from "../hooks";
-import { resolveSystemEnvVarValues } from "../environment/systemEnvVars";
+import { resolveDeclaredSystemEnvVars } from "../environment/systemEnvVars";
 import { toError } from "../internal/toError";
 
 /** Return value of {@link useMcpServerConnect}. */
@@ -20,20 +20,30 @@ export interface UseMcpServerConnectReturn {
    * (typically 5-15 seconds, ~30s timeout).
    *
    * Platform system env vars (`STIGMER_SERVER_ADDRESS`,
-   * `STIGMER_API_KEY`) are always injected automatically from
-   * the current SDK context. When `runtimeEnv` is also provided,
-   * those values are merged on top (caller values win). The backend
-   * merges the result on top of the user's personal environment so
-   * saved credentials (e.g., OAuth tokens) are still resolved.
+   * `STIGMER_API_KEY`) are injected only when the MCP server
+   * declares them in its `spec.env`. Pass `declaredEnvKeys` so the
+   * hook can determine which system vars the server actually needs.
+   * When omitted, no system vars are injected.
+   *
+   * When `runtimeEnv` is provided, those values are merged on top
+   * (caller values win). The backend merges the result on top of
+   * the user's personal environment so saved credentials (e.g.,
+   * OAuth tokens) are still resolved.
    *
    * @param mcpServerId - System-generated ID of the MCP server (metadata.id).
+   * @param org - The caller's active organization slug. Required for
+   *   OAuth grant lookup and personal environment resolution.
    * @param runtimeEnv - Optional additional environment variables.
+   * @param declaredEnvKeys - Keys from the server's `spec.env` declaration.
+   *   System vars are only injected when declared here.
    * @returns The updated McpServer with populated status.discovered_capabilities
    *          and status.tool_approvals.
    */
   readonly connect: (
     mcpServerId: string,
+    org: string,
     runtimeEnv?: Record<string, EnvVarInput>,
+    declaredEnvKeys?: readonly string[],
   ) => Promise<McpServer>;
   /** `true` while the connect RPC is in flight. */
   readonly isConnecting: boolean;
@@ -52,10 +62,10 @@ export interface UseMcpServerConnectReturn {
  * approval policy via a structured-output LLM call.
  *
  * Platform system env vars (`STIGMER_SERVER_ADDRESS`,
- * `STIGMER_API_KEY`) are always injected from the current SDK
- * context. The backend merges these on top of the caller's personal
- * environment, so saved credentials (e.g., OAuth tokens) are still
- * resolved while platform addresses are always up to date.
+ * `STIGMER_API_KEY`) are injected only when the target MCP server
+ * declares them in `spec.env`. Pass the server's declared env keys
+ * via `declaredEnvKeys` so the hook knows which system vars to
+ * include. When not provided, no system vars are injected.
  *
  * Additional one-time credentials can be passed via `runtimeEnv`
  * and will override both system vars and personal env values.
@@ -67,13 +77,15 @@ export interface UseMcpServerConnectReturn {
  *
  * // Saved credentials: already in personal environment
  * async function handleConnectSaved() {
- *   await connect(mcpServer.metadata.id);
+ *   const envKeys = Object.keys(mcpServer.spec?.env ?? {});
+ *   await connect(mcpServer.metadata.id, undefined, envKeys);
  *   refetch();
  * }
  *
  * // One-time use: pass credentials directly
  * async function handleConnectTemporary(values: Record<string, EnvVarInput>) {
- *   await connect(mcpServer.metadata.id, values);
+ *   const envKeys = Object.keys(mcpServer.spec?.env ?? {});
+ *   await connect(mcpServer.metadata.id, values, envKeys);
  *   refetch();
  * }
  * ```
@@ -88,13 +100,17 @@ export function useMcpServerConnect(): UseMcpServerConnectReturn {
   const connect = useCallback(
     async (
       mcpServerId: string,
+      org: string,
       runtimeEnv?: Record<string, EnvVarInput>,
+      declaredEnvKeys?: readonly string[],
     ): Promise<McpServer> => {
       setIsConnecting(true);
       setError(null);
 
       try {
-        const systemEnv = await resolveSystemEnvVarValues(stigmer);
+        const systemEnv = declaredEnvKeys
+          ? await resolveDeclaredSystemEnvVars(stigmer, declaredEnvKeys)
+          : {};
         const mergedEnv = { ...systemEnv, ...(runtimeEnv ?? {}) };
 
         const runtimeEnvMap: Record<string, { value: string; isSecret: boolean }> = {};
@@ -107,7 +123,10 @@ export function useMcpServerConnect(): UseMcpServerConnectReturn {
 
         const input = create(ConnectInputSchema, {
           mcpServerId,
-          runtimeEnv: runtimeEnvMap,
+          org,
+          ...(Object.keys(runtimeEnvMap).length > 0
+            ? { runtimeEnv: runtimeEnvMap }
+            : {}),
         });
 
         return await stigmer.mcpServer.connect(input);

package/src/mcp-server/useMcpServerCredentials.ts

@@ -4,9 +4,10 @@ import { useCallback, useMemo } from "react";
 import type { EnvVarInput } from "@stigmer/sdk";
 import type { McpServer } from "@stigmer/protos/ai/stigmer/agentic/mcpserver/v1/api_pb";
 import { usePersonalEnvironment } from "../environment/usePersonalEnvironment";
-import { diffEnvSpec } from "../environment/diffEnvSpec";
+import { diffEnv } from "../environment/diffEnv";
 import { SYSTEM_ENV_VAR_KEYS } from "../environment/systemEnvVars";
 import type { EnvVarFormVariable } from "../environment/EnvVarForm";
+import { useOAuthGrantStatus } from "./useOAuthGrantStatus";
 
 /**
  * Credential acquisition mode for an MCP server.
@@ -34,37 +35,50 @@ export interface UseMcpServerCredentialsReturn {
    */
   readonly oauthTargetEnvVar: string | null;
   /**
-   * `true` when the OAuth-managed env var exists in the personal
-   * environment. Always `false` when `authMode` is `"manual"`.
+   * `true` when the user has an active OAuth grant for this server.
+   * Derived from the `getOAuthGrantStatus` API, not from personal
+   * environment key presence. Always `false` when `authMode` is `"manual"`.
    */
   readonly isOAuthConnected: boolean;
+  /**
+   * When the OAuth access token expires (Unix timestamp seconds).
+   * `BigInt(0)` when no grant exists, `authMode` is `"manual"`, or the token
+   * does not expire. Useful for showing actual expiry in the UI.
+   */
+  readonly accessTokenExpiresAt: bigint;
   /**
    * Informational hint about expected token lifetime, or `null`.
    * Sourced from `spec.auth.token_lifetime_hint`.
    */
   readonly tokenLifetimeHint: string | null;
   /**
-   * Variables required by the MCP server that are missing from the
-   * user's personal environment. Empty when all variables are present
-   * or the server has no `env_spec`.
+   * Required variables (non-optional) missing from the user's personal
+   * environment. Empty when all required variables are present, the
+   * server has no `env` declarations, or all declarations are optional.
    *
    * When `authMode` is `"oauth"`, the OAuth-managed `target_env_var`
    * is excluded from this list — it is acquired via the OAuth flow,
-   * not via a manual form. Only additional non-OAuth vars appear here.
+   * not via a manual form. Only additional non-OAuth required vars
+   * appear here.
+   *
+   * Optional env vars are never included — they are discoverable in
+   * the read-only EnvSection but do not block connect.
    *
    * Suitable as direct input to {@link EnvVarForm}.
    */
   readonly missingVariables: EnvVarFormVariable[];
   /**
-   * `true` when all required credentials are available — both
-   * OAuth-managed and manual variables. For OAuth servers this means
-   * the OAuth token is in the personal env AND any additional manual
-   * vars are also present.
+   * `true` when all required (non-optional) credentials are available
+   * — both OAuth-managed and manual variables. For OAuth servers this
+   * means the OAuth grant is connected AND any additional required
+   * manual vars are present in the personal environment.
+   *
+   * Servers whose env vars are all optional are always ready.
    */
   readonly isReady: boolean;
-  /** `true` while the personal environment is being fetched. */
+  /** `true` while the personal environment or grant status is being fetched. */
   readonly isLoading: boolean;
-  /** Error from the personal environment fetch, or `null`. */
+  /** Error from the personal environment or grant status fetch, or `null`. */
   readonly error: Error | null;
   /**
    * Save the provided credentials to the user's personal environment.
@@ -81,7 +95,7 @@ export interface UseMcpServerCredentialsReturn {
 
 /**
  * Checks the user's personal environment against an MCP server's
- * `env_spec` and provides a mechanism to save missing credentials.
+ * `env` declarations and provides a mechanism to save missing credentials.
  *
  * Designed for the discovery flow on the MCP server detail page:
  * before triggering discovery, the UI needs to ensure all required
@@ -90,10 +104,12 @@ export interface UseMcpServerCredentialsReturn {
  * them.
  *
  * **Auth-mode-aware**: when `spec.auth` is configured, the hook
- * identifies the OAuth-managed variable (`target_env_var`) and
- * excludes it from `missingVariables` — that variable is acquired
- * via {@link useMcpServerOAuthConnect}, not a manual form. Additional
- * non-OAuth vars still appear in `missingVariables` (mixed mode).
+ * composes {@link useOAuthGrantStatus} to determine whether the
+ * OAuth-managed variable (`target_env_var`) is connected via an
+ * active grant. The OAuth variable is excluded from `missingVariables`
+ * — it is acquired via {@link useMcpServerOAuthConnect}, not a manual
+ * form. Additional non-OAuth vars still appear in `missingVariables`
+ * (mixed mode).
  *
  * Unlike {@link useMcpServerSetup} which manages multi-server setup
  * for session creation, this hook is scoped to a single server and
@@ -134,32 +150,43 @@ export function useMcpServerCredentials(
   const oauthTargetEnvVar = auth?.targetEnvVar || null;
   const tokenLifetimeHint = auth?.tokenLifetimeHint || null;
 
+  const grantStatus = useOAuthGrantStatus(
+    authMode === "oauth" ? (mcpServer?.metadata?.id ?? null) : null,
+    authMode === "oauth" ? org : null,
+  );
+
+  const isOAuthConnected = authMode === "oauth" && grantStatus.connected;
+
   const existingKeys = useMemo(
     () => new Set(Object.keys(personalEnv.environment?.spec?.data ?? {})),
     [personalEnv.environment],
   );
 
-  const isOAuthConnected = authMode === "oauth"
-    && oauthTargetEnvVar !== null
-    && existingKeys.has(oauthTargetEnvVar);
-
   const allMissingVariables = useMemo(() => {
     if (!mcpServer) return [];
-    const envSpecData = mcpServer.spec?.envSpec?.data;
-    if (!envSpecData || Object.keys(envSpecData).length === 0) return [];
+    const envDeclarations = mcpServer.spec?.env;
+    if (!envDeclarations || Object.keys(envDeclarations).length === 0) return [];
 
-    return diffEnvSpec(envSpecData, existingKeys).filter(
+    return diffEnv(envDeclarations, existingKeys).filter(
       (v) => !SYSTEM_ENV_VAR_KEYS.has(v.key),
     );
   }, [mcpServer, existingKeys]);
 
+  const requiredMissing = useMemo(
+    () => allMissingVariables.filter((v) => !v.optional),
+    [allMissingVariables],
+  );
+
   const missingVariables = useMemo(() => {
-    if (!oauthTargetEnvVar) return allMissingVariables;
-    return allMissingVariables.filter((v) => v.key !== oauthTargetEnvVar);
-  }, [allMissingVariables, oauthTargetEnvVar]);
+    if (!oauthTargetEnvVar) return requiredMissing;
+    return requiredMissing.filter((v) => v.key !== oauthTargetEnvVar);
+  }, [requiredMissing, oauthTargetEnvVar]);
 
   const isReady =
-    !personalEnv.isLoading && allMissingVariables.length === 0;
+    !personalEnv.isLoading &&
+    !grantStatus.isLoading &&
+    missingVariables.length === 0 &&
+    (authMode === "manual" || isOAuthConnected);
 
   const saveCredentials = useCallback(
     async (values: Record<string, EnvVarInput>): Promise<void> => {
@@ -169,17 +196,23 @@ export function useMcpServerCredentials(
     [personalEnv],
   );
 
+  const refetch = useCallback(() => {
+    personalEnv.refetch();
+    grantStatus.refetch();
+  }, [personalEnv, grantStatus]);
+
   return {
     authMode,
     oauthTargetEnvVar,
     isOAuthConnected,
+    accessTokenExpiresAt: grantStatus.accessTokenExpiresAt,
     tokenLifetimeHint,
     missingVariables,
     isReady,
-    isLoading: personalEnv.isLoading,
-    error: personalEnv.error,
+    isLoading: personalEnv.isLoading || grantStatus.isLoading,
+    error: personalEnv.error ?? grantStatus.error,
     saveCredentials,
     isSaving: personalEnv.isMutating,
-    refetch: personalEnv.refetch,
+    refetch,
   };
 }

package/src/mcp-server/useMcpServerOAuthConnect.ts

@@ -9,7 +9,7 @@ import {
   ConnectInputSchema,
 } from "@stigmer/protos/ai/stigmer/agentic/mcpserver/v1/io_pb";
 import { useStigmer } from "../hooks";
-import { resolveSystemEnvVarValues } from "../environment/systemEnvVars";
+import { resolveDeclaredSystemEnvVars } from "../environment/systemEnvVars";
 import { toError } from "../internal/toError";
 
 /**
@@ -55,9 +55,11 @@ export interface UseMcpServerOAuthConnectReturn {
    *
    * @param mcpServerId - System-generated ID (metadata.id) of the MCP server.
    * @param org - Organization context for token storage (caller's active org).
+   * @param declaredEnvKeys - Keys from the server's `spec.env` declaration.
+   *   System vars are only injected when declared here.
    * @returns The updated McpServer after tool discovery completes.
    */
-  readonly startOAuth: (mcpServerId: string, org: string) => Promise<McpServer>;
+  readonly startOAuth: (mcpServerId: string, org: string, declaredEnvKeys?: readonly string[]) => Promise<McpServer>;
   /** `true` while any phase of the OAuth flow is in progress. */
   readonly isInProgress: boolean;
   /** Current phase of the OAuth flow. */
@@ -125,7 +127,7 @@ export function useMcpServerOAuthConnect(): UseMcpServerOAuthConnectReturn {
   }, []);
 
   const startOAuth = useCallback(
-    async (mcpServerId: string, org: string): Promise<McpServer> => {
+    async (mcpServerId: string, org: string, declaredEnvKeys?: readonly string[]): Promise<McpServer> => {
       setPhase("initiating");
       setError(null);
 
@@ -179,7 +181,9 @@ export function useMcpServerOAuthConnect(): UseMcpServerOAuthConnectReturn {
 
         setPhase("connecting");
 
-        const systemEnv = await resolveSystemEnvVarValues(stigmer);
+        const systemEnv = declaredEnvKeys
+          ? await resolveDeclaredSystemEnvVars(stigmer, declaredEnvKeys)
+          : {};
         const runtimeEnvMap: Record<string, { value: string; isSecret: boolean }> = {};
         for (const [key, envInput] of Object.entries(systemEnv)) {
           runtimeEnvMap[key] = {
@@ -188,12 +192,15 @@ export function useMcpServerOAuthConnect(): UseMcpServerOAuthConnectReturn {
           };
         }
 
-        const server = await stigmer.mcpServer.connect(
-          create(ConnectInputSchema, {
-            mcpServerId,
-            runtimeEnv: runtimeEnvMap,
-          }),
-        );
+        const input = create(ConnectInputSchema, {
+          mcpServerId,
+          org,
+          ...(Object.keys(runtimeEnvMap).length > 0
+            ? { runtimeEnv: runtimeEnvMap }
+            : {}),
+        });
+
+        const server = await stigmer.mcpServer.connect(input);
 
         setPhase("done");
         return server;