fix: complete MCP discovery flow and setup guides

[Timmyy3000]

Summary

Complete the Claude connector discovery flow and replace the one-off MCP token snippet with connector-specific setup guides.

What's Included

• Fix MCP OAuth discovery by advertising the path-aware auth server, serving auth metadata at /.well-known/oauth-authorization-server/api/auth, and challenging unauthenticated GET/DELETE requests on /api/mcp
• Align MCP JWT verification with the canonical audience and /api/auth issuer
• Redesign the Service Tokens settings panel with tabs for Claude Web, Claude Code, Codex, and generic MCP clients, including copyable platform-specific snippets
• Add focused tests for MCP discovery behavior and token connection guide generation

Tests

• �un run lint: passed
• �un run typecheck: passed
• TEST_DATABASE_URL=postgres://arin:arin@localhost:5434/arin_test bun test: passed
• �un run build: passed

Test Plan

• Verified OAuth discovery metadata points Claude Web at the correct auth server and that unauthenticated MCP discovery methods return the expected challenge
• Verified the new token setup guide renders client-specific copyable values and command snippets for Claude Web, Claude Code, Codex, and generic HTTP MCP clients
• Confirmed the full Bun test suite, lint, typecheck, and production build all succeed on the branch

Local Review Findings

• P0: none
• P1: none
• P2: none

[github-actions]

 enkii  ·  code review

Working on this PR…

View job run

[github-actions]

 enkii  ·  code review

Summary

This PR completes the MCP discovery flow and replaces the old one-off MCP token snippet with a tabbed connection guide for Claude Web, Claude Code, Codex, and generic HTTP MCP clients. It also adds discovery and token-guide tests. Overall the implementation is clean and well-tested. There is one P2 UX issue: the "Copied" indicator bleeds across the Claude Code and Codex tabs due to duplicate label keys used for copy-state tracking. Fix that, and this is safe to merge.

Mergeability Score: 4/5

Likely mergeable after reviewing the flagged low-risk comments.

[github-actions]

Copied indicator bleeds across tabs due to duplicate label keys

The CodeBlock component uses its label prop as the copy-state key, and both the "Claude Code" and "Codex" tabs use identical labels: "macOS / Linux" and "Windows PowerShell". Because copiedKey is a single shared state, copying a snippet in one tab (e.g., the Claude Code macOS command) and then switching to the Codex tab shows a stale "Copied" indicator on the Codex macOS command — misleading the user into thinking they already copied a value they haven't.

Fix: give CodeBlock an explicit copyKey prop, or prefix the labels with the tab name (e.g. "claude-code-macos", "codex-macos").

[github-actions]

 enkii  ·  security review

Summary

Security surface reviewed: MCP client connection guides, token settings UI, and MCP OAuth discovery routes. The PR adds UI-only connection snippets for Claude Web/Code/Codex/generic MCP clients and passes env.APP_URL (server-side, Zod-validated) to the client component — replacing the old window.location.origin usage, which is a net security improvement. Token values are base64url-encoded and rendered through React's JSX escaping, eliminating injection risk. No new trust boundaries, no authentication/authorization changes, no exploitable vulnerabilities found. Safe to merge.

Mergeability Score: 5/5

Safe to merge from this review's perspective.

[github-actions]

 enkii  ·  code review

Working on this PR…

View job run

[github-actions]

 enkii  ·  code review

Summary

This PR completes the MCP connector discovery flow and replaces the one-off token snippet with a rich, tabbed connection guide covering Claude Web, Claude Code, Codex, and generic MCP clients. The OAuth discovery routes are correctly wired (protected resource metadata at /.well-known/oauth-protected-resource, path-aware auth server metadata at /.well-known/oauth-authorization-server/api/auth), and GET/DELETE on /api/mcp correctly challenge unauthenticated requests. The connection-guides module produces syntactically valid commands for all four client targets. The existing P2 finding about copied-state bleeding across tabs has been addressed via the copyKey prop. No new issues found — safe to merge.

Mergeability Score: 5/5

Safe to merge from this review's perspective.

[github-actions]

 enkii  ·  security review

Summary

Security review: no exploitable vulnerabilities found. The PR adds MCP client connection guides (pure string-formatting functions) and UI tabs to the service tokens settings page. The only data crossing from server to client is env.APP_URL (the app's public URL, not a secret) and server-generated service tokens (base64url-encoded random bytes, safe for display). No user-controlled input reaches a dangerous sink. The old window.location.origin approach is replaced with the canonical server-side APP_URL, which fixes a SSR display bug with no security impact. Safe to merge.

Mergeability Score: 5/5

Safe to merge from this review's perspective.