mastracode 0.18.1 → 0.19.0-alpha.0

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # mastracode
 
+## 0.19.0-alpha.0
+
+### Minor Changes
+
+- Improved OpenAI Codex OAuth support in Mastra Code. When you select the Codex provider in `/login` or during onboarding, Mastra Code now asks how to sign in — **Browser (local callback)** or **Device code (headless)** — so the device-code flow is discoverable without setting an env var. `MASTRACODE_OPENAI_CODEX_AUTH_MODE=device` still works as a preselect for scripted environments. ([#16548](https://github.com/mastra-ai/mastra/pull/16548))
+
+  HTTP MCP server config can now pass OAuth client metadata to `@mastra/mcp` and store per-server OAuth state without sharing tokens across projects:
+
+  ```json
+  {
+    "mcpServers": {
+      "remote-api": {
+        "url": "https://mcp.example.com/mcp",
+        "oauth": {
+          "redirectUrl": "http://localhost:3000/oauth/callback"
+        }
+      }
+    }
+  }
+  ```
+
+### Patch Changes
+
+- Updated dependencies [[`20787de`](https://github.com/mastra-ai/mastra/commit/20787de5965234a1af28fe35f49437c537dbfa0d), [`784ad98`](https://github.com/mastra-ai/mastra/commit/784ad989549de91dc5d33ab8ef36caa6f7dcd34e), [`0d53730`](https://github.com/mastra-ai/mastra/commit/0d53730c1ed87ef80c87caa5701c4170ea8028e6)]:
+  - @mastra/core@1.34.0-alpha.0
+
 ## 0.18.1
 
 ### Patch Changes

package/dist/agents/model.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"model.d.ts","sourceRoot":"","sources":["../../src/agents/model.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,OAAO,EAAsC,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAChG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAInE,OAAO,EAGL,yBAAyB,EAE1B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAIL,mBAAmB,EAEpB,MAAM,8BAA8B,CAAC;AACtC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAgBlE,KAAK,aAAa,GACd,UAAU,CAAC,OAAO,mBAAmB,CAAC,GACtC,UAAU,CAAC,OAAO,yBAAyB,CAAC,GAC5C,UAAU,CAAC,OAAO,qBAAqB,CAAC,GACxC,wBAAwB,GACxB,UAAU,CAAC,UAAU,CAAC,OAAO,eAAe,CAAC,CAAC,GAC9C,UAAU,CAAC,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC,CAAC;AAsBhD,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAoBrE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAQvD;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAQpD;AA0BD;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,aAAa,CAAC;IAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAAC,cAAc,CAAC,EAAE,cAAc,CAAA;CAAE,GACzG,aAAa,CA2Jf;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,EAAE,cAAc,EAAE,EAAE;IAAE,cAAc,EAAE,cAAc,CAAA;CAAE,GAAG,aAAa,CAWrG"}
+{"version":3,"file":"model.d.ts","sourceRoot":"","sources":["../../src/agents/model.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,OAAO,EAAsC,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAChG,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAInE,OAAO,EAGL,yBAAyB,EAE1B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAIL,mBAAmB,EAEpB,MAAM,8BAA8B,CAAC;AACtC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAgBlE,KAAK,aAAa,GACd,UAAU,CAAC,OAAO,mBAAmB,CAAC,GACtC,UAAU,CAAC,OAAO,yBAAyB,CAAC,GAC5C,UAAU,CAAC,OAAO,qBAAqB,CAAC,GACxC,wBAAwB,GACxB,UAAU,CAAC,UAAU,CAAC,OAAO,eAAe,CAAC,CAAC,GAC9C,UAAU,CAAC,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC,CAAC;AAsBhD,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAoBrE;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAQvD;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAQpD;AA0BD;;;;;;;;GAQG;AACH,wBAAgB,YAAY,CAC1B,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,aAAa,CAAC;IAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAAC,cAAc,CAAC,EAAE,cAAc,CAAA;CAAE,GACzG,aAAa,CAuJf;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,EAAE,cAAc,EAAE,EAAE;IAAE,cAAc,EAAE,cAAc,CAAA;CAAE,GAAG,aAAa,CAWrG"}

package/dist/auth/index.d.ts

@@ -5,4 +5,5 @@ export * from './types.js';
 export * from './storage.js';
 export { anthropicOAuthProvider } from './providers/anthropic.js';
 export { githubCopilotOAuthProvider } from './providers/github-copilot.js';
+export { openaiCodexOAuthProvider } from './providers/openai-codex.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,cAAc,CAAC;AAC7B,OAAO,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,+BAA+B,CAAC;AAC3E,OAAO,EAAE,wBAAwB,EAAE,MAAM,6BAA6B,CAAC"}

package/dist/auth/providers/openai-codex.d.ts

@@ -7,7 +7,26 @@
  * NOTE: This module uses Node.js crypto and http for the OAuth callback.
  * It is only intended for CLI use, not browser environments.
  */
-import type { OAuthCredentials, OAuthPrompt, OAuthProviderInterface } from '../types.js';
+import type { AuthMode, OAuthCredentials, OAuthPrompt, OAuthProviderInterface } from '../types.js';
+export declare const OPENAI_CODEX_AUTH_MODES: ReadonlyArray<AuthMode>;
+declare const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+type JwtPayload = {
+    chatgpt_account_id?: string;
+    [JWT_CLAIM_PATH]?: {
+        chatgpt_account_id?: string;
+    };
+    [key: string]: unknown;
+};
+declare function decodeJwt(token: string): JwtPayload | null;
+declare function extractAccountIdFromClaims(payload: JwtPayload | null | undefined): string | null;
+declare function getAccountId(tokens: {
+    idToken?: string;
+    access: string;
+}, fallback?: string): string | undefined;
+declare function requireAccountId(tokens: {
+    idToken?: string;
+    access: string;
+}, fallback?: string): string;
 declare function createAuthorizationFlow(redirectUri: string, state: string, originator?: string): Promise<{
     verifier: string;
     url: string;
@@ -26,6 +45,15 @@ type CallbackPorts = {
     fallbackPort: number;
 };
 declare function startLocalOAuthServer(state: string, ports?: CallbackPorts): Promise<OAuthServerInfo>;
+declare function loginOpenAICodexDevice(options: {
+    onAuth: (info: {
+        url: string;
+        instructions?: string;
+    }) => void;
+    onProgress?: (message: string) => void;
+    signal?: AbortSignal;
+    sleep?: (ms: number) => Promise<void>;
+}): Promise<OAuthCredentials>;
 /**
  * Login with OpenAI Codex OAuth
  *
@@ -35,7 +63,7 @@ declare function startLocalOAuthServer(state: string, ports?: CallbackPorts): Pr
  * @param options.onManualCodeInput - Optional promise that resolves with user-pasted code.
  *                                    Races with browser callback - whichever completes first wins.
  *                                    Useful for showing paste input immediately alongside browser flow.
- * @param options.originator - OAuth originator parameter (defaults to "pi")
+ * @param options.originator - OAuth originator parameter (defaults to "mastracode")
  */
 export declare function loginOpenAICodex(options: {
     onAuth: (info: {
@@ -45,16 +73,23 @@ export declare function loginOpenAICodex(options: {
     onPrompt: (prompt: OAuthPrompt) => Promise<string>;
     onProgress?: (message: string) => void;
     onManualCodeInput?: () => Promise<string>;
+    signal?: AbortSignal;
     originator?: string;
+    mode?: 'browser' | 'device';
 }): Promise<OAuthCredentials>;
 export declare const __testing: {
     createAuthorizationFlow: typeof createAuthorizationFlow;
+    decodeJwt: typeof decodeJwt;
+    extractAccountIdFromClaims: typeof extractAccountIdFromClaims;
+    getAccountId: typeof getAccountId;
+    loginOpenAICodexDevice: typeof loginOpenAICodexDevice;
+    requireAccountId: typeof requireAccountId;
     startLocalOAuthServer: typeof startLocalOAuthServer;
 };
 /**
  * Refresh OpenAI Codex OAuth token
  */
-export declare function refreshOpenAICodexToken(refreshToken: string): Promise<OAuthCredentials>;
+export declare function refreshOpenAICodexToken(refreshToken: string, previousAccountId?: string): Promise<OAuthCredentials>;
 export declare const openaiCodexOAuthProvider: OAuthProviderInterface;
 export {};
 //# sourceMappingURL=openai-codex.d.ts.map

package/dist/auth/providers/openai-codex.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"openai-codex.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/openai-codex.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAyBH,OAAO,KAAK,EAAE,gBAAgB,EAAuB,WAAW,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAyK9G,iBAAe,uBAAuB,CACpC,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,UAAU,GAAE,MAAa,GACxB,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAgB5C;AAED,KAAK,eAAe,GAAG;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,IAAI,CAAC;IACvB,WAAW,EAAE,MAAM,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACrD,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAkDF,iBAAe,qBAAqB,CAClC,KAAK,EAAE,MAAM,EACb,KAAK,GAAE,aAAoC,GAC1C,OAAO,CAAC,eAAe,CAAC,CA4E1B;AASD;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE;IAC9C,MAAM,EAAE,CAAC,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IAC/D,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA4G5B;AAED,eAAO,MAAM,SAAS;;;CAGrB,CAAC;AAEF;;GAEG;AACH,wBAAsB,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAiB7F;AAED,eAAO,MAAM,wBAAwB,EAAE,sBAqBtC,CAAC"}
+{"version":3,"file":"openai-codex.d.ts","sourceRoot":"","sources":["../../../src/auth/providers/openai-codex.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA4BH,OAAO,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAuB,WAAW,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAExH,eAAO,MAAM,uBAAuB,EAAE,aAAa,CAAC,QAAQ,CAW3D,CAAC;AAeF,QAAA,MAAM,cAAc,gCAAgC,CAAC;AAwBrD,KAAK,UAAU,GAAG;IAChB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,CAAC,cAAc,CAAC,CAAC,EAAE;QACjB,kBAAkB,CAAC,EAAE,MAAM,CAAC;KAC7B,CAAC;IACF,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB,CAAC;AAwCF,iBAAS,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAcnD;AAED,iBAAS,0BAA0B,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAIzF;AAED,iBAAS,YAAY,CAAC,MAAM,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAQzG;AAED,iBAAS,gBAAgB,CAAC,MAAM,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAMjG;AAiFD,iBAAe,uBAAuB,CACpC,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,MAAM,EACb,UAAU,GAAE,MAAqB,GAChC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,CAAC,CAgB5C;AAED,KAAK,eAAe,GAAG;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,IAAI,CAAC;IACvB,WAAW,EAAE,MAAM,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC,CAAC;CACrD,CAAC;AAEF,KAAK,aAAa,GAAG;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAkDF,iBAAe,qBAAqB,CAClC,KAAK,EAAE,MAAM,EACb,KAAK,GAAE,aAAoC,GAC1C,OAAO,CAAC,eAAe,CAAC,CA4E1B;AAED,iBAAe,sBAAsB,CAAC,OAAO,EAAE;IAC7C,MAAM,EAAE,CAAC,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IAC/D,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,KAAK,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACvC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAgG5B;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE;IAC9C,MAAM,EAAE,CAAC,IAAI,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,IAAI,CAAC;IAC/D,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,SAAS,GAAG,QAAQ,CAAC;CAC7B,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA0H5B;AAED,eAAO,MAAM,SAAS;;;;;;;;CAQrB,CAAC;AAEF;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,YAAY,EAAE,MAAM,EACpB,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,gBAAgB,CAAC,CAc3B;AAED,eAAO,MAAM,wBAAwB,EAAE,sBAyBtC,CAAC"}

package/dist/auth/types.d.ts

@@ -17,18 +17,38 @@ export interface OAuthPrompt {
     placeholder?: string;
     allowEmpty?: boolean;
 }
+/**
+ * A selectable authentication mode for an OAuth provider.
+ * Providers that support multiple flows (e.g. browser callback vs. device code)
+ * advertise them via `OAuthProviderInterface.authModes`. The TUI shows a
+ * sub-selector when more than one mode is available so users don't need to
+ * discover the flow through environment variables.
+ */
+export interface AuthMode {
+    id: string;
+    name: string;
+    description?: string;
+}
 export interface OAuthLoginCallbacks {
     onAuth: (info: OAuthAuthInfo) => void;
     onPrompt: (prompt: OAuthPrompt) => Promise<string>;
     onProgress?: (message: string) => void;
     onManualCodeInput?: () => Promise<string>;
     signal?: AbortSignal;
+    /** Selected authentication mode id (matches one of `OAuthProviderInterface.authModes`). */
+    authMode?: string;
 }
 export interface OAuthProviderInterface {
     readonly id: OAuthProviderId;
     readonly name: string;
     /** Whether this provider uses a local callback server (vs manual code paste) */
     readonly usesCallbackServer?: boolean;
+    /**
+     * Optional list of selectable auth flows. When set with two or more entries,
+     * the TUI prompts the user to pick a mode before starting the login flow and
+     * forwards the choice via `OAuthLoginCallbacks.authMode`.
+     */
+    readonly authModes?: ReadonlyArray<AuthMode>;
     /** Run the login flow, return credentials to persist */
     login(callbacks: OAuthLoginCallbacks): Promise<OAuthCredentials>;
     /** Refresh expired credentials, return updated credentials to persist */

package/dist/auth/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AAErC,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,CAAC,IAAI,EAAE,aAAa,KAAK,IAAI,CAAC;IACtC,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,gFAAgF;IAChF,QAAQ,CAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAEtC,wDAAwD;IACxD,KAAK,CAAC,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEjE,yEAAyE;IACzE,YAAY,CAAC,WAAW,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEvE,6DAA6D;IAC7D,SAAS,CAAC,WAAW,EAAE,gBAAgB,GAAG,MAAM,CAAC;CAClD;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,OAAO,CAAC;CACf,GAAG,gBAAgB,CAAC;AAErB,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,eAAe,CAAC;AAEhE,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AAErC,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,CAAC,IAAI,EAAE,aAAa,KAAK,IAAI,CAAC;IACtC,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACnD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;IACvC,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,2FAA2F;IAC3F,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,gFAAgF;IAChF,QAAQ,CAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAEtC;;;;OAIG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IAE7C,wDAAwD;IACxD,KAAK,CAAC,SAAS,EAAE,mBAAmB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEjE,yEAAyE;IACzE,YAAY,CAAC,WAAW,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAEvE,6DAA6D;IAC7D,SAAS,CAAC,WAAW,EAAE,gBAAgB,GAAG,MAAM,CAAC;CAClD;AAED,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE,SAAS,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,OAAO,CAAC;CACf,GAAG,gBAAgB,CAAC;AAErB,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,eAAe,CAAC;AAEhE,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC"}

package/dist/{chunk-36KKPIKN.js → chunk-6NJTBUS6.js}

@@ -1,5 +1,5 @@
-import { setAuthStorage, setAuthStorage3, setAuthStorage2, loadSettings, MEMORY_GATEWAY_PROVIDER, getDynamicModel, getAvailableModePacks, getAvailableOmPacks, resolveModelDefaults, resolveOmRoleModel, mastra, releaseThreadLock, acquireThreadLock, getCustomProviderId, toCustomProviderModelId, getCopilotModelCatalog, saveSettings, resolveModel, OBSERVABILITY_AUTH_PREFIX } from './chunk-7B7SVMEN.js';
-import { AuthStorage, detectProject, getResourceIdOverride, getStorageConfig, getObservabilityDatabasePath, getVectorDatabasePath, getCurrentGitBranch, getOmScope, getDatabasePath } from './chunk-EQBHZCMR.js';
+import { setAuthStorage, setAuthStorage3, setAuthStorage2, loadSettings, MEMORY_GATEWAY_PROVIDER, getDynamicModel, getAvailableModePacks, getAvailableOmPacks, resolveModelDefaults, resolveOmRoleModel, mastra, releaseThreadLock, acquireThreadLock, getCustomProviderId, toCustomProviderModelId, getCopilotModelCatalog, saveSettings, resolveModel, OBSERVABILITY_AUTH_PREFIX } from './chunk-VCMICSFF.js';
+import { AuthStorage, detectProject, getResourceIdOverride, getStorageConfig, getObservabilityDatabasePath, getVectorDatabasePath, getCurrentGitBranch, getOmScope, getDatabasePath, getAppDataDir } from './chunk-EDDYCMKX.js';
 import { MC_TOOLS, getToolCategory, TOOL_NAME_OVERRIDES } from './chunk-TTAAM2XR.js';
 import * as path from 'path';
 import path__default, { normalize, join, dirname } from 'path';
@@ -19,14 +19,14 @@ import os__default, { homedir } from 'os';
 import { LocalFilesystem, Workspace, LocalSandbox } from '@mastra/core/workspace';
 import { z } from 'zod';
 import * as fs2 from 'fs';
-import { readFileSync, existsSync } from 'fs';
+import { readFileSync, existsSync, mkdirSync, writeFileSync, renameSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { fastembed } from '@mastra/fastembed';
 import { Memory } from '@mastra/memory';
 import { createAnthropic } from '@ai-sdk/anthropic';
 import { createOpenAI } from '@ai-sdk/openai';
 import { createScorer, filterRun } from '@mastra/core/evals';
-import { MCPClient } from '@mastra/mcp';
+import { MCPClient, MCPOAuthClientProvider } from '@mastra/mcp';
 import { LibSQLStore, LibSQLVector } from '@mastra/libsql';
 import { PostgresStore } from '@mastra/pg';
 
@@ -2246,9 +2246,15 @@ function validateConfig2(raw) {
       };
     } else if (classification.kind === "http") {
       const e = entry;
+      const oauthResult = parseOAuthConfig(e.oauth);
+      if (oauthResult.reason) {
+        skippedServers.push({ name, reason: oauthResult.reason });
+        continue;
+      }
       servers[name] = {
         url: e.url,
-        headers: typeof e.headers === "object" && e.headers !== null ? e.headers : void 0
+        headers: typeof e.headers === "object" && e.headers !== null ? e.headers : void 0,
+        oauth: oauthResult.config
       };
     } else {
       skippedServers.push({ name, reason: classification.reason });
@@ -2263,6 +2269,37 @@ function validateConfig2(raw) {
   }
   return result;
 }
+function parseOAuthConfig(raw) {
+  if (raw === void 0) return {};
+  if (!raw || typeof raw !== "object") {
+    return { reason: "Invalid OAuth config: expected an object" };
+  }
+  const obj = raw;
+  if (typeof obj.redirectUrl !== "string") {
+    return { reason: 'Invalid OAuth config: missing required field "redirectUrl"' };
+  }
+  try {
+    const redirectUrl = new URL(obj.redirectUrl);
+    const isLoopback = redirectUrl.hostname === "localhost" || redirectUrl.hostname.startsWith("127.") || redirectUrl.hostname === "[::1]";
+    if (redirectUrl.protocol !== "https:" && !(redirectUrl.protocol === "http:" && isLoopback)) {
+      return { reason: "Invalid OAuth redirectUrl: must use HTTPS unless it is a loopback HTTP URL" };
+    }
+  } catch {
+    return { reason: `Invalid OAuth redirectUrl: "${obj.redirectUrl}"` };
+  }
+  if (obj.scopes !== void 0 && (!Array.isArray(obj.scopes) || obj.scopes.some((scope) => typeof scope !== "string"))) {
+    return { reason: 'Invalid OAuth config: "scopes" must be an array of strings' };
+  }
+  return {
+    config: {
+      redirectUrl: obj.redirectUrl,
+      clientName: typeof obj.clientName === "string" ? obj.clientName : void 0,
+      scopes: obj.scopes,
+      clientId: typeof obj.clientId === "string" ? obj.clientId : void 0,
+      clientSecret: typeof obj.clientSecret === "string" ? obj.clientSecret : void 0
+    }
+  };
+}
 function mergeConfigs2(...configs) {
   const merged = {};
   const allSkipped = [];
@@ -2297,6 +2334,60 @@ var MASTRACODE_MCP_TIMEOUT_MS = 7 * 24 * 60 * 60 * 1e3;
 function getTransport(cfg) {
   return "url" in cfg ? "http" : "stdio";
 }
+var FileOAuthStorage = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  get(key) {
+    return this.read()[key];
+  }
+  set(key, value) {
+    const data = this.read();
+    data[key] = value;
+    this.write(data);
+  }
+  delete(key) {
+    const data = this.read();
+    delete data[key];
+    this.write(data);
+  }
+  read() {
+    if (!existsSync(this.filePath)) return {};
+    try {
+      return JSON.parse(readFileSync(this.filePath, "utf-8"));
+    } catch {
+      return {};
+    }
+  }
+  write(data) {
+    const dir = dirname(this.filePath);
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true, mode: 448 });
+    }
+    const tmpPath = `${this.filePath}.tmp`;
+    writeFileSync(tmpPath, JSON.stringify(data, null, 2), { encoding: "utf-8", mode: 384 });
+    renameSync(tmpPath, this.filePath);
+  }
+};
+function getOAuthStoragePath(projectDir, name, cfg) {
+  const key = JSON.stringify({
+    projectDir,
+    name,
+    url: cfg.url,
+    redirectUrl: cfg.oauth?.redirectUrl,
+    clientId: cfg.oauth?.clientId,
+    scopes: cfg.oauth?.scopes ?? []
+  });
+  return join(getAppDataDir(), "mcp-oauth", `${getStorageKeyFingerprint(key)}.json`);
+}
+function getStorageKeyFingerprint(value) {
+  let fingerprint = 0xcbf29ce484222325n;
+  for (let i = 0; i < value.length; i += 1) {
+    fingerprint ^= BigInt(value.charCodeAt(i));
+    fingerprint = BigInt.asUintN(64, fingerprint * 0x100000001b3n);
+  }
+  return fingerprint.toString(16).padStart(16, "0");
+}
 function createMcpManager(projectDir, extraServers) {
   const applyExtraServers = (base) => {
     if (!extraServers || Object.keys(extraServers).length === 0) return base;
@@ -2338,6 +2429,24 @@ function createMcpManager(projectDir, extraServers) {
       }
     });
   }
+  function createOAuthProvider(name, cfg) {
+    if (!cfg.oauth) return void 0;
+    return new MCPOAuthClientProvider({
+      redirectUrl: cfg.oauth.redirectUrl,
+      clientMetadata: {
+        redirect_uris: [cfg.oauth.redirectUrl],
+        client_name: cfg.oauth.clientName ?? `Mastra Code MCP ${name}`,
+        grant_types: ["authorization_code", "refresh_token"],
+        response_types: ["code"],
+        ...cfg.oauth.scopes?.length ? { scope: cfg.oauth.scopes.join(" ") } : {}
+      },
+      clientInformation: cfg.oauth.clientId ? {
+        client_id: cfg.oauth.clientId,
+        ...cfg.oauth.clientSecret ? { client_secret: cfg.oauth.clientSecret } : {}
+      } : void 0,
+      storage: new FileOAuthStorage(getOAuthStoragePath(projectDir, name, cfg))
+    });
+  }
   function buildServerDefs(servers) {
     const defs = {};
     for (const [name, cfg] of Object.entries(servers)) {
@@ -2345,7 +2454,8 @@ function createMcpManager(projectDir, extraServers) {
         const httpCfg = cfg;
         defs[name] = {
           url: new URL(httpCfg.url),
-          requestInit: httpCfg.headers ? { headers: httpCfg.headers } : void 0
+          requestInit: httpCfg.headers ? { headers: httpCfg.headers } : void 0,
+          authProvider: createOAuthProvider(name, httpCfg)
         };
       } else {
         defs[name] = { command: cfg.command, args: cfg.args, env: cfg.env, stderr: "pipe" };
@@ -3192,5 +3302,5 @@ async function createMastraCode(config) {
 }
 
 export { createAuthStorage, createMastraCode };
-//# sourceMappingURL=chunk-36KKPIKN.js.map
-//# sourceMappingURL=chunk-36KKPIKN.js.map
+//# sourceMappingURL=chunk-6NJTBUS6.js.map
+//# sourceMappingURL=chunk-6NJTBUS6.js.map