feat(cli): MCP server management CLI + OAuth 2.1 PKCE auth (#497, #690) #2021

Closed
imnotdev25 wants to merge 3 commits into NousResearch:main from imnotdev25:main
@imnotdev25 imnotdev25 commented Mar 19, 2026

What changed

OAuth 2.1 PKCE & Transport Upgrades (tools/mcp_oauth.py, tools/mcp_tool.py) — #497

  • RFC 7636 PKCE flow with S256 challenge for MCP HTTP servers
  • RFC 9728 Protected Resource Metadata discovery: Robustly identifies authorization servers via /.well-known/oauth-protected-resource or WWW-Authenticate response headers (handles external auth providers like Clerk).
  • RFC 8707 Resource Indicators: Added the resource parameter to authorization URLs to explicitly identify the target MCP server.
  • WAF Avoidance: Injected browser-like User-Agent (Hermes-Agent/1.0 (OAuth PKCE Client)) headers into all OAuth HTTP requests. This bypasses Cloudflare 403 Forbidden limits during dynamic client registration.
  • Safe Scope Registration: Restricts dynamic client registration to standard, safe scopes (openid profile email offline_access) to prevent registration rejections from identity providers advertising restricted scopes (e.g., public_metadata).
  • Strict Token Casing: Fixed handling of the Authorization header to always strictly enforce a capitalized Bearer prefix (resolves 401 Unauthorized disconnects for servers like Notion that return token_type: "bearer").
  • Transport Architecture: Intercepts mcp-[your-server] connections to attempt Streamable HTTP with an automatic fallback mechanism to SSE (Server-Sent Events). Enables compatibility with older v1 MCP endpoints (like alphaxiv).
  • Browser-based authorization with localhost callback and manual authorization fallback (headless/SSH environments).
  • Token caching in ~/.hermes/mcp-tokens/ (permissions 0600) and automatic token refresh with expiry buffer.

MCP CLI (hermes_cli/mcp_config.py & hermes_cli/main.py) — #690

  • hermes mcp add — discovery-first install: connect → discover tools → interactive selection → save
    • Supports --url (HTTP) and --command (stdio) transports
    • --auth oauth triggers OAuth PKCE flow during add
    • API keys stored in ~/.hermes/.env with ${ENV_VAR} interpolation in config
  • Dispatch Fixes: Corrected an argparse nested subparser bug that previously misrouted hermes mcp add to the chat REPL.
  • Error Surfacing: Implemented un-wrapping of anyio's opaque ExceptionGroup/TaskGroup errors. CLI now elegantly surfaces underlying HTTPStatusError messages (e.g. 401 Unauthorized).
  • hermes mcp remove — removes config entry + cleans up OAuth tokens
  • hermes mcp list — table view with transport, tool count, enabled/disabled status
  • hermes mcp test — connection test with latency, masked auth info, and tool listing
  • hermes mcp configure — interactive curses checklist to toggle which tools are enabled

Env var interpolation (tools/mcp_tool.py)

  • ${ENV_VAR} syntax in MCP server config values, resolved from os.environ + ~/.hermes/.env
  • Keeps API keys out of config.yaml

Documentation

  • Updated website/docs/user-guide/features/mcp.md — OAuth, CLI management, env vars, updated quick start
  • Updated website/docs/reference/cli-commands.md — full hermes mcp reference
  • Updated website/docs/reference/mcp-config-reference.md — auth key, OAuth, env vars
  • Updated README.md, AGENTS.md, cli-config.yaml.example

How to test

# Run the test suites
pytest tests/tools/test_mcp_oauth.py -v      # 44 tests — OAuth module
pytest tests/hermes_cli/test_mcp_config.py -v # 22 tests — MCP CLI

# Smoke test CLI
hermes mcp --help
hermes mcp add --help
hermes mcp list
hermes mcp test <configured-server>

Files changed (12 files, +2684 −10)

| File | Change |
| --- | --- |
| tools/mcp_oauth.py | [NEW] OAuth 2.1 PKCE module (613 lines) |
| tools/mcp_tool.py | _interpolate_env_vars() + env var resolution in _load_mcp_config() |
| hermes_cli/mcp_config.py | [NEW] 5 MCP CLI subcommands (608 lines) |
| hermes_cli/main.py | Argparse registration for hermes mcp |
| tests/tools/test_mcp_oauth.py | [NEW] 44 OAuth tests (678 lines) |
| tests/hermes_cli/test_mcp_config.py | [NEW] 22 MCP CLI tests (400 lines) |
| website/docs/user-guide/features/mcp.md | OAuth, CLI management, env vars |
| website/docs/reference/cli-commands.md | hermes mcp reference |
| website/docs/reference/mcp-config-reference.md | auth key, OAuth, env vars |
| README.md | Getting Started section |
| AGENTS.md | Project structure |
| cli-config.yaml.example | Env var interpolation + CLI examples |

Platform tested

  • macOS (Apple Silicon)
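
An added illustration of the S256 challenge, the RFC 8707 `resource` parameter and the capitalized `Bearer` prefix listed in the description above; it is not code from this PR or from Hermes. The function names and the `state` check on the callback are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SAFE_SCOPES = "openid profile email offline_access"  # scopes named in the PR text


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(32)  # 32 bytes -> 43 chars
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    # base64url without padding, as the RFC requires
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorization_url(endpoint, client_id, redirect_uri, resource, challenge, state):
    """Build the authorization request; `resource` is the RFC 8707 indicator."""
    return endpoint + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SAFE_SCOPES,
        "resource": resource,  # the MCP server the token is meant for
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,  # assumption: anti-CSRF value, not mentioned on the page
    })


def code_from_callback(callback_url, expected_state):
    """Return the authorization code only when `state` matches what we sent."""
    query = parse_qs(urlsplit(callback_url).query)
    got = query.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch, callback rejected")
    if "error" in query or "code" not in query:
        raise ValueError("authorization failed or code missing")
    return query["code"][0]


def authorization_header(token_response):
    """Always send a capitalized 'Bearer', whatever case the server returned."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type")
    return {"Authorization": "Bearer " + token_response["access_token"]}
```

The verifier must stay in the client until the token request; only the challenge goes into the browser URL.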

Implements RFC 7636 PKCE flow for MCP HTTP servers that require
OAuth instead of static API keys. Handles server metadata discovery,
browser-based authorization, token caching (~/.hermes/mcp-tokens/),
and automatic token refresh.

Closes #497
@imnotdev25 imnotdev25 marked this pull request as draft March 19, 2026 06:48
Refactors Hermes CLI command execution to address nested subparser quirks and improve fallback behavior. Enhances OAuth flow for MCP servers with better error handling, scope management, and transport support, adding SSE fallback and improved metadata discovery. Updates dependencies for MCP SDK compatibility.
@imnotdev25 imnotdev25 marked this pull request as ready for review March 19, 2026 08:40
teknium1 added a commit that referenced this pull request Mar 22, 2026
Add hermes mcp add/remove/list/test/configure CLI for managing MCP
server connections interactively. Discovery-first 'add' flow connects,
discovers tools, and lets users select which to enable via curses checklist.

Add OAuth 2.1 PKCE authentication for MCP HTTP servers (RFC 7636).
Supports browser-based and manual (headless) authorization, token
caching with 0600 permissions, automatic refresh. Zero external deps.

Add ${ENV_VAR} interpolation in MCP server config values, resolved
from os.environ + ~/.hermes/.env at load time.

Core OAuth module from PR #2021 by @imnotdev25. CLI and mcp_tool
wiring rewritten against current main. Closes #497, #690.
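
An added sketch of the token caching described in the commit message above (0600 permissions, refresh ahead of expiry); it is not the merged implementation or the PR's code. The one-JSON-file-per-server layout, the 60-second buffer and the function names are assumptions.

```python
import json
import os
import stat
import time

REFRESH_BUFFER_S = 60  # assumed value; the page does not state the buffer


def save_token(cache_dir, server, token, now=None):
    """Create the cache file with mode 0600 from the start, then rename it in."""
    if os.path.basename(server) != server or server in ("", ".", ".."):
        raise ValueError("server name must not contain path components")
    os.makedirs(cache_dir, mode=0o700, exist_ok=True)
    issued = time.time() if now is None else now
    record = dict(token, expires_at=issued + token.get("expires_in", 0))
    final = os.path.join(cache_dir, server + ".json")
    tmp = final + ".tmp"
    # O_EXCL refuses a pre-existing file or planted symlink, so the mode
    # argument always applies and the token is never briefly world-readable.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    os.replace(tmp, final)  # atomic on the same filesystem
    return final


def load_token(path):
    """Load a cached token, refusing files that group or others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}, expected 0o600")
    with open(path) as fh:
        return json.load(fh)


def needs_refresh(record, now=None, buffer_s=REFRESH_BUFFER_S):
    """True once the token is within `buffer_s` seconds of expiry."""
    current = time.time() if now is None else now
    return current >= record["expires_at"] - buffer_s
```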
@teknium1

Contributor

Merged via PR #2465. Core OAuth module rewritten to use the MCP SDK's built-in OAuthClientProvider (210 lines vs 715). CLI and mcp_tool wiring written fresh against current main. Env var interpolation and argparse registration preserved. Thanks for the solid original implementation — the architecture was right, we just leaned on the SDK for the heavy lifting.

@teknium1 teknium1 closed this Mar 22, 2026