v0.3.3 — Token Refresh & Auto-Update Fixes
Automatic OAuth token refresh for MCP sources and major auto-update reliability improvements.
✨ Automatic Token Refresh for MCP OAuth
OAuth tokens for MCP sources now refresh automatically when they expire.
How It Works
Seamless Authentication
When your OAuth token expires, Craft Agent automatically refreshes it in the background using the refresh token. No manual re-authentication required — your MCP connections stay alive.
✨ Multi-Header Authentication
API sources can now use multiple headers for authentication.
What's New
Flexible Auth Headers
Configure sources that require multiple authentication headers (e.g., API key + tenant ID). See the updated documentation at ~/.craft-agent/docs/sources.md.
Improvements
Auto-Update
- Fixed update detection on Windows and macOS
- Correct cache path handling on Windows (LOCALAPPDATA)
- Detect already-downloaded updates when checking for new versions
- Platform-aware progress display with reliable button visibility
- Check for existing downloads in update-available handler
OAuth & Security
- RFC 9728 protected resource metadata discovery support
- SSRF protection hardening in OAuth discovery
- Better error handling for OAuth edge cases
- OAuth success page now includes deeplink for smoother flow
Performance
- Parallelized token checks for faster startup
- Lazy loading of bundled docs fixes packaged app initialization (craft-agents-oss#162)
Bug Fixes
- Markdown: Fixed React crash on invalid HTML-like tags in markdown content
- OAuth: Pass full MCP URL to OAuth discovery for RFC 9728 compliance
- OAuth: Rate limiting for token refresh to prevent excessive requests
GitHub Issues
| Issue | Title | Status |
|---|---|---|
| #80 | Error invoking remote method 'update:install' | Fixed |
| #120 | Error when upgrading to newer version | Fixed |
| #162 | Missing documentation folder after install | Fixed |
Stats
- 42 files changed
- ~5,200 lines added
- ~4,900 lines removed
Full Changelog: v0.3.2...v0.3.3