This release adds the OAuth 2.1 browser flow built on the official MCP SDK and lands the follow-up fixes needed to make it behave cleanly in real use.
What's in here:
- browser-based
/mcp-auth <server>flow with callback handling, PKCE, dynamic client registration support, and OAuth docs inOAUTH.md - explicit
needs-authhandling across/mcp, the MCP panel,mcp({ connect }),mcp({ tool }), reconnect flow, lazy startup, and direct MCP tools - tighter auth cleanup so pending callbacks/transports are cleared correctly on failure or cancellation
- callback-port collisions now fail fast with a clear error instead of silently drifting into timeout behavior
- package manifest coverage updated for root
*.test.tsfiles - README cleanup to remove outdated OAuth limitations now that browser flow and token refresh are supported
This also carries forward the lifecycle and error-handling hardening from v2.2.2, so startup/shutdown, stale init cleanup, and init error reporting stay robust with the new OAuth paths.