Add multi-plugin OAuth connect UI #1163

Open
ishaanxgupta wants to merge 1 commit into main from plugin-oauth-multi-client-ui

@ishaanxgupta ishaanxgupta commented Jun 26, 2026

Contributor

Summary

  • Adds multi-client handling to the /auth/connect UI for plugin OAuth requests with clients=....
  • Shows stacked plugin logos and shared benefit copy for multi-plugin approvals.
  • Gates non-free plugins by plan while preserving one shared API key flow for eligible clients.
  • Returns keys for eligible clients and errors for plan-gated clients to the CLI callback.

vorflux Bot commented Jun 26, 2026

Contributor

Vorflux skipped this auto review because this account has reached its Auto Review daily review limit (10/10). You can change this in Auto Review Settings: https://us1.vorflux.com/supermemory/settings?section=pull-requests

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status | Name | Latest Commit | Updated (UTC)
✅ Deployment successful! | supermemory-mcp | d247ff6 | Jun 26 2026, 02:35 PM

@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status | Name | Latest Commit | Preview URL | Updated (UTC)
✅ Deployment successful! | supermemory-app | d247ff6 | Commit Preview URL, Branch Preview URL | Jun 26 2026, 02:37 PM

@ishaanxgupta ishaanxgupta marked this pull request as ready for review June 26, 2026 14:43
@graphite-app graphite-app Bot requested a review from Dhravya June 26, 2026 14:43

claude Bot commented Jun 26, 2026

Claude finished @ishaanxgupta's task in 2m 55s

Code Review Complete

  • Gather context and understand the changes
  • Review diff for bugs, security issues, and logic errors
  • Check surrounding code for boundary issues
  • Submit review findings

Overview: This PR adds multi-plugin OAuth UI that shows stacked plugin logos, handles plan-gating, and returns structured keys/errors to the CLI callback.

Issues found: 1 bug — invalid client IDs can bypass validation when a Pro user uses the single ?client= parameter. See inline comment with suggested fix.

Score: 8/10 — Solid implementation overall. The plan-gating logic, loading state handling, and multi-client response format are well done. One subtle regression on the single-client path that's easy to fix.

@claude claude Bot left a comment

Overview: Adds multi-plugin OAuth UI that shows stacked plugin logos, handles plan-gating, and returns structured keys/errors to the CLI callback.

Issues found:

  • Invalid client IDs can bypass validation when a Pro user uses the single ?client= parameter (see inline comment with fix)

Score: 8/10

The implementation is solid overall — the plan-gating logic, loading state handling, and multi-client response format are all well done. The one issue is a subtle regression where invalid client IDs slip through for Pro users on the single-client path. Easy fix with the suggested change.

.split(",")
.map((value) => value.trim())
.filter((value) => value in PLUGIN_INFO)
const requestedClients = clients.length > 0 ? clients : client ? [client] : []
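
Review bot: In the `.filter((value) => value in PLUGIN_INFO)` line, the `in` operator also matches keys inherited through the prototype chain, so if PLUGIN_INFO is a plain object literal, names such as `constructor` or `toString` count as valid plugin IDs. Suggest `Object.hasOwn(PLUGIN_INFO, value)`, or a Set of known IDs, so that only the registry's own keys pass, and reuse the same check for the single `client` fallback on the next line.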

Bug: Invalid client IDs bypass validation for Pro users

When using the single client parameter (not clients), raw unvalidated values are included in requestedClients. The clients array properly filters to valid plugin IDs (value in PLUGIN_INFO), but this fallback uses the raw client value.

This causes a problem when a Pro user visits ?client=invalid_id:

  1. requestedClients = ["invalid_id"]
  2. eligibleClients filter passes because hasProProduct || isFreeTierPlugin(...) → Pro users pass everything
  3. API receives client=invalid_id which could cause server errors

The original code avoided this by using validClient (which is null for invalid clients).

Suggested change
const requestedClients = clients.length > 0 ? clients : client ? [client] : []
const requestedClients = clients.length > 0 ? clients : validClient ? [validClient] : []
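
The fallback fix described in the comment above, as a self-contained added example (not code from this PR or the project). The registry contents, the plugin IDs, the `free` flag and the helper name `resolveClients` are assumptions; it also goes one step past the comment by using an own-property check instead of `in`.

```javascript
// Constructed registry; the ids and the `free` flag are assumptions for this example.
const PLUGIN_INFO = {
  "example-free": { name: "Example Free", free: true },
  "example-pro": { name: "Example Pro", free: false },
}

// Own-property check: `in` would also accept inherited names such as "toString".
const isKnownPlugin = (id) => Object.hasOwn(PLUGIN_INFO, id)
const isFreeTierPlugin = (id) => PLUGIN_INFO[id].free

// Hypothetical helper: turns the /auth/connect query string into eligible and gated ids.
function resolveClients(search, hasProProduct) {
  const params = new URLSearchParams(search)
  const clients = (params.get("clients") ?? "")
    .split(",")
    .map((value) => value.trim())
    .filter(isKnownPlugin)
  // Validate the single ?client= fallback exactly like the list.
  const client = (params.get("client") ?? "").trim()
  const validClient = isKnownPlugin(client) ? client : null
  const requestedClients = clients.length > 0 ? clients : validClient ? [validClient] : []
  // Plan gating runs only on ids that are already known, so Pro cannot widen the set.
  const eligibleClients = requestedClients.filter(
    (id) => hasProProduct || isFreeTierPlugin(id),
  )
  const gatedClients = requestedClients.filter((id) => !eligibleClients.includes(id))
  return { eligibleClients, gatedClients }
}
```

With validation applied before plan gating, a Pro account gets an empty result for an unknown ID instead of forwarding it to the API.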
