ulysses/routes
Abylaikhan Zulbukharov 1d80bf5e65
feat(mcp): add Streamable HTTP transport with OAuth 2.0 (#1033)
* feat(mcp): add Streamable HTTP transport with OAuth 2.0

  Odysseus could only reach MCP servers over stdio and SSE, so modern
  remote servers like https://mcp.higgsfield.ai/mcp (Streamable HTTP,
  gated behind OAuth) could not be connected.

  Add an `http` transport that connects via the SDK's
  streamablehttp_client and authenticates with the SDK's
  OAuthClientProvider: RFC 9728 protected-resource discovery, RFC 8414
  authorization-server metadata, Dynamic Client Registration,
  authorization-code + PKCE, and token refresh. A small bridge
  (src/mcp_oauth.py) connects the SDK's blocking callback to the existing
  web callback route via an asyncio.Future keyed by the OAuth `state`,
  and the dynamic client registration plus tokens persist per-server in a
  new encrypted `oauth_tokens` column.

  The connect runs as a bounded background task so the "Add server"
  request returns immediately; redirect_handler publishes needs_auth +
  auth_url to connection state as soon as discovery/DCR completes (which
  can exceed the bounded wait), and the UI polls until connected. Remote
  users finish via the existing paste-back flow. The Google OAuth path is
  left unchanged.

  - core/database.py: encrypted oauth_tokens column + migration
  - src/mcp_oauth.py: OAuth provider, DB-backed TokenStorage, state registry
  - src/mcp_manager.py: http dispatch, background connect, _connect_http
  - routes/mcp_routes.py: http validation, needs_auth/auth_url, callback bridge
  - static/js/settings.js: Streamable HTTP option + OAuth flow with polling
  - tests: 5 new unit tests (transport dispatch, registry, token storage)

  Verified against the live Higgsfield server: discovery, DCR (client_id
  issued), loopback redirect accepted, and a PKCE authorization URL with
  needs_auth status. No regressions (full suite delta is only the 5 added
  passing tests).

* fix(mcp): address PR #1033 review feedback

  - mcp_oauth: derive redirect URI from OAUTH_REDIRECT_BASE_URL/APP_PUBLIC_URL
    (default http://localhost:7000) instead of hardcoding the port
  - mcp_oauth: leave OAuth scope unset so the SDK derives it from the server's
    WWW-Authenticate/protected-resource metadata; hardcoding an OIDC scope broke
    non-OpenID MCP servers (verified: Higgsfield still gets its server-derived
    scope)
  - mcp_oauth: prune abandoned OAuth flows (_prune_stale + _pending_ts) so the
    module-level registries can't grow unbounded
  - mcp_oauth: persist tokens/client-info in a single DB session/commit
    (_update) instead of a load+save double round-trip
  - mcp_manager: cancel and drop the background connect task in
    disconnect_server so a deleted server stops publishing status
  - database: document why the oauth_tokens migration uses TEXT while the model
    declares EncryptedText (encryption is applied at the Python layer)
  - settings.js: surface persistent OAuth-poll failures and an explicit timeout
    message instead of silently swallowing errors
  - tests: cover the stale-flow pruning

* static/js/settings.js now shows an in-flight loading state on the buttons that fire requests:
2026-06-05 02:40:52 +02:00
..
__init__.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
admin_wipe_routes.py Admin: wipe gallery albums with images 2026-06-02 20:35:57 +09:00
api_token_routes.py Codex Agent integration: HTTP surface + plugin bundle + Settings UI 2026-06-03 22:49:09 +09:00
assistant_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
auth_routes.py feat: round-limit handling — Continue affordance at the cap + configurable cap (#1999) 2026-06-04 22:36:05 +02:00
backup_routes.py fix: backup import drops a user's memory when its text matches another user's (#1743) 2026-06-03 13:29:14 +09:00
calendar_routes.py Fix calendar routing and user-local time context (#408) 2026-06-04 13:20:04 +01:00
chat_helpers.py fix: normalize Gemma 4 thought-channel output (#2224) 2026-06-04 19:26:58 +02:00
chat_routes.py feat: Add workspace: confine agent tools to a folder (#1103) 2026-06-05 00:06:37 +02:00
cleanup_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
codex_routes.py feat: Claude Agent integration + cookbook reconnect + UI polish 2026-06-04 08:27:26 +09:00
compare_routes.py fix(compare): stop blind mode leaking model identities via session names (#1318) 2026-06-04 04:39:01 +01:00
contacts_routes.py fix(contacts): parse Apple/iCloud item-grouped vCard EMAIL/TEL properties (#1438) 2026-06-03 14:24:04 +09:00
cookbook_helpers.py [Bash] Fix Windows cookbook background tasks (#676) 2026-06-04 04:30:01 +01:00
cookbook_routes.py [Bash] Fix Windows cookbook background tasks (#676) 2026-06-04 04:30:01 +01:00
copilot_routes.py feat(provider): add GitHub Copilot provider with device-flow auth (#1480) 2026-06-04 21:13:14 +02:00
diagnostics_routes.py Fix email-thread HTML injection, attachment path traversal, and missing authz (#475) 2026-06-01 22:20:17 +09:00
document_helpers.py fix: _resolve_user_upload_path crashes on a non-dict resolve_upload result (#1715) 2026-06-03 13:34:33 +09:00
document_routes.py Remove unused UPLOAD_DIR imports in document_routes 2026-06-04 13:17:21 +02:00
editor_draft_routes.py Ignore invalid editor draft payloads (#1533) 2026-06-03 14:07:03 +09:00
email_helpers.py fix(email): scope AI caches by owner (#2695) 2026-06-05 02:21:50 +02:00
email_pollers.py fix(email): scope AI caches by owner (#2695) 2026-06-05 02:21:50 +02:00
email_routes.py fix(email): scope AI caches by owner (#2695) 2026-06-05 02:21:50 +02:00
embedding_routes.py Ignore non-object embedding endpoint config (#1260) 2026-06-03 14:12:41 +09:00
emoji_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
font_routes.py Keep compact font family names together (#1263) 2026-06-03 14:24:30 +09:00
gallery_helpers.py fix: gallery records raw instead of display dimensions for EXIF-rotated photos (#1667) 2026-06-03 14:23:04 +09:00
gallery_routes.py fix(uploads): bound direct upload reads 2026-06-04 00:32:50 +01:00
history_routes.py fix(history): block compact during active runs (#2635) 2026-06-04 21:50:16 +02:00
hwfit_routes.py Merge remote-tracking branch 'origin/main' into visual-pr-playground 2026-06-03 16:49:10 +09:00
mcp_routes.py feat(mcp): add Streamable HTTP transport with OAuth 2.0 (#1033) 2026-06-05 02:40:52 +02:00
memory_routes.py fix(uploads): bound direct upload reads 2026-06-04 00:32:50 +01:00
model_routes.py fix: bool('false') is True coerces endpoint toggles incorrectly (#2361) 2026-06-04 19:43:38 +02:00
note_routes.py fix: fire-reminder endpoint crashes with NameError on _gcu (#1250) 2026-06-03 01:02:25 +09:00
personal_routes.py fix: personal-docs path confinement used abspath, allowing symlink escape (#1728) 2026-06-03 13:29:57 +09:00
prefs_routes.py Persist user prefs atomically (#1840) 2026-06-04 03:55:22 +01:00
preset_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
research_routes.py fix(research): owner-scope endpoint resolution 2026-06-03 23:19:28 +01:00
search_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
session_routes.py fix(history): block compact during active runs (#2635) 2026-06-04 21:50:16 +02:00
shell_routes.py Add a 'Rebuild llama.cpp' Cookbook action to force a fresh GPU build (#1787) 2026-06-03 13:28:19 +09:00
signature_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
skills_routes.py fix: skill test-task / precision helpers crash on a non-dict skill (#1638) 2026-06-03 08:59:24 +09:00
stt_routes.py fix(uploads): bound direct upload reads 2026-06-04 00:32:50 +01:00
task_routes.py fix(email): scope AI caches by owner (#2695) 2026-06-05 02:21:50 +02:00
tts_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
upload_routes.py fix: use safe .get for id lookup in uploads.json to prevent KeyError (#1465) 2026-06-03 14:12:00 +09:00
vault_routes.py Keep Bitwarden unlock password off argv (#1311) 2026-06-03 02:13:51 +09:00
webhook_routes.py Reapply "Merge branch 'main' of github.com:pewdiepie-archdaemon/odysseus" 2026-06-03 22:47:00 +09:00
workspace_routes.py feat: Add workspace: confine agent tools to a folder (#1103) 2026-06-05 00:06:37 +02:00