fix(mcp): repair OAuth redirect, errors, and unicode schema patterns

[LiuwqGit]

Summary

• Keep the legacy 127.0.0.1 OAuth redirect default for upgrade compatibility, and retry dynamic client registration with http://localhost:8989/oauth/callback when an authorization server rejects the IP loopback redirect.
• Surface real OAuth error bodies instead of "[object Response]" by normalizing body-less MCP HTTP fetch responses to global Response objects the MCP SDK can read.
• Prevent post-auth MCP probe crashes on PayPal-like tool schemas whose JSON Schema pattern values use redundant \: escapes that are invalid under TypeBox's unicode RegExp compile path.

Why does this matter now?

Remote streamable-http MCP servers with OAuth (PayPal, Calendly) are currently unusable or fail with opaque errors after login.

What is the intended outcome?

Operators can run openclaw mcp login / openclaw mcp probe against OAuth MCP servers without regex compile crashes, with readable DCR errors, and with a tested localhost fallback for ASes that reject 127.0.0.1.

What is intentionally out of scope?

• Live end-to-end OAuth against PayPal/Calendly in this PR environment
• Upstream MCP SDK changes

What does success look like?

Regression tests cover all three failure modes; maintainers can confirm live OAuth on PayPal/Calendly with the reporter's repro steps.

What should reviewers focus on?

Localhost redirect fallback policy (only after DCR rejection, legacy default preserved) and the conservative JSON Schema pattern repair applied before TypeBox compile.

Linked context

Which issue does this close?

Closes #91433

Which issues, PRs, or discussions are related?

Related #91433 (ClawSweeper review and reporter follow-up confirming localhost fixes Calendly)

Was this requested by a maintainer or owner?

No — community bug report with maintainer review pending.

Real behavior proof (required for external PRs)

• Behavior or issue addressed: MCP OAuth regex crash, [object Response] error masking, Calendly DCR redirect rejection

• Real environment tested: Local Node v25.6.0 on Windows checkout (E:/Projects/openclaw), branch fix/issue-91433-mcp-oauth-regex

• Exact steps or command run after this patch:

  • node -e repro script for PayPal-like TypeBox pattern compile and body-less OAuth error normalization (copied output below)
  • node scripts/run-vitest.mjs src/agents/mcp-oauth.test.ts -t "legacy loopback|redirect registration|retries MCP"
  • node scripts/run-vitest.mjs src/agents/mcp-http-fetch.test.ts -t "compatible with MCP SDK"
  • pnpm exec oxlint on changed source files

• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output):

Copied terminal output from a local Node repro after this patch:

Terminal output (PayPal-like TypeBox pattern):
  before: Invalid regular expression: /^https\:\/\///u: Invalid escape
  after repair compiles as: ^https:///
Terminal output (OAuth DCR error body path):
  foreign response instanceof Response: false
  wrapped response instanceof Response: true
  parsed error_description: bad redirect

• Observed result after fix: PayPal-like unicode-invalid pattern compiles after repair; body-less foreign fetch responses normalize to global Response so OAuth error JSON is readable; localhost redirect retry is covered by unit test.
• What was not tested: Live openclaw mcp login/probe against PayPal or Calendly
• Proof limitations or environment constraints: No access to external OAuth AS credentials/endpoints in this environment; reporter already confirmed localhost redirect fixes Calendly live.
• Before evidence (optional but encouraged): Issue MCP remote OAuth: two bugs block streamable-http servers (regex \: under /u; OAuth errors surfaced as [object Response]) #91433 repro logs (Invalid regular expression: /^https\:\/\//u, [object Response])

Tests and validation

Which commands did you run?

• node scripts/run-vitest.mjs src/agents/mcp-oauth.test.ts -t "legacy loopback|redirect registration|retries MCP"
• node scripts/run-vitest.mjs src/agents/mcp-http-fetch.test.ts -t "compatible with MCP SDK"
• pnpm exec oxlint src/shared/json-schema-defaults.ts src/agents/mcp-oauth.ts src/agents/mcp-http-fetch.ts

What regression coverage was added or updated?

• mcp-oauth.test.ts: legacy default preserved; localhost retry after redirect registration rejection
• mcp-http-fetch.test.ts: body-less cross-realm fetch response works with MCP SDK parseErrorResponse
• agent-bundle-mcp-runtime.test.ts: unicode-invalid JSON Schema pattern compiles and validates

What failed before this fix, if known?

• PayPal probe: Invalid regular expression: /^https\:\/\//u: Invalid escape
• Calendly login: Invalid OAuth error response ... "[object Response]"
• Calendly DCR: invalid_client_metadata for 127.0.0.1 redirect (reporter confirmed localhost works)

If no test was added, why not?

N/A — regression tests added for all three fixes.

Risk checklist

Did user-visible behavior change? (Yes)

New localhost redirect retry on DCR rejection; legacy 127.0.0.1 default preserved for existing registrations.

Did config, environment, or migration behavior change? (No)

Did security, auth, secrets, network, or tool execution behavior change? (Yes)

OAuth redirect registration fallback and MCP HTTP response normalization for OAuth error readability.

What is the highest-risk area?

OAuth redirect fallback after dynamic client registration failure.

How is that risk mitigated?

Legacy default unchanged; localhost used only on explicit DCR redirect rejection without configured override; existing --oauth-redirect-url override remains.

Current review state

What is the next action?

Wait for maintainer review. CI is green on head 564eac41ac; request another ClawSweeper re-review after the prior run timed out (Codex ETIMEDOUT).

What is still waiting on author, maintainer, CI, or external proof?

• ClawSweeper re-review on 564eac41ac did not complete (timeout); no fresh bot verdict yet
• Live PayPal/Calendly openclaw mcp login/probe proof still unavailable in contributor environment

Which bot or reviewer comments were addressed?

• All prior P1 code findings addressed in 564eac41ac (body-less error text, redirect persistence)
• CI: check-lint, Real behavior proof, checks-node-agentic-agents-support, checks-node-agentic-agents-core-runtime — pass on latest push

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 8, 2026, 8:47 PM ET / 00:47 UTC.

Summary
The PR updates MCP OAuth redirect fallback behavior, MCP HTTP response wrapping for SDK OAuth error parsing, JSON Schema pattern normalization, and related regression tests.

PR surface: Source +121, Tests +145. Total +266 across 6 files.

Reproducibility: yes. for the PR-introduced defect by source inspection: the fallback writes redirectUrl before the second auth attempt, and runMcpOAuthLogin reads that store value for later unconfigured logins. I did not run the full CLI OAuth flow because this is a read-only review and live credentials are not available.

Review metrics: 1 noteworthy metric.

• OAuth fallback state: 1 persisted redirect field added. The new stored redirectUrl changes future MCP OAuth login behavior after the fallback path.

Merge readiness
Overall: 🦪 silver shellfish
Proof: 🦪 silver shellfish
Patch quality: 🦪 silver shellfish
Result: blocked until stronger real behavior proof is added.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Fix redirect persistence so failed fallback attempts do not change future logins.
• [P2] Add redacted openclaw mcp login/openclaw mcp probe terminal or log proof for the fallback and code-exchange path, or get maintainer proof acceptance.

Proof guidance:

• [P1] Needs stronger real behavior proof before merge: Copied terminal output covers the schema and response-normalization repros, but the PR still lacks redacted real openclaw mcp login/probe proof for the automatic fallback and later code exchange; after adding proof, updating the PR body should trigger re-review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Risk before merge

• [P2] Merging as-is can leave a failed or false-positive redirect fallback stored as localhost, changing later unconfigured MCP OAuth logins away from the shipped 127.0.0.1 default.
• [P2] The PR still lacks redacted live openclaw mcp login/probe proof for the automatic fallback and later code exchange against a real OAuth MCP server or maintainer acceptance of that proof gap.

Maintainer options:

1. Persist fallback only after success (recommended)
   Move the stored redirectUrl write until the localhost retry returns authorized or redirect so failed fallback attempts do not poison later logins.
2. Accept sticky fallback intentionally
   Maintainers can explicitly accept that any redirect-registration-looking failure switches future unconfigured logins to localhost until credentials are cleared.

Next step before merge

• [P1] The remaining action is not a safe automation marker because the external PR also needs contributor or maintainer real-behavior proof for the auth-provider flow.

Security
Needs attention: The diff does not add third-party code execution or dependency changes, but the OAuth redirect fallback can persist an unproven auth-provider route after a failed retry.

Review findings

• [P1] Persist the localhost redirect only after the retry succeeds — src/agents/mcp-oauth.ts:276

Review details

Best possible solution:

Keep the legacy default and explicit oauth.redirectUrl override, retry with localhost in memory, persist localhost only after the retry succeeds, then require redacted live CLI proof or explicit maintainer acceptance before merge.

Do we have a high-confidence way to reproduce the issue?

Yes for the PR-introduced defect by source inspection: the fallback writes redirectUrl before the second auth attempt, and runMcpOAuthLogin reads that store value for later unconfigured logins. I did not run the full CLI OAuth flow because this is a read-only review and live credentials are not available.

Is this the best way to solve the issue?

No as written; the PR uses the right owner path, but the redirect store update should be conditional on a successful fallback attempt. The response wrapping and schema-pattern repair are plausible narrow fixes after dependency/source inspection.

Full review comments:

• [P1] Persist the localhost redirect only after the retry succeeds — src/agents/mcp-oauth.ts:276
  This writes redirectUrl: localhost before the fallback auth attempt proves it can complete. If the retry also fails, or if invalid_client_metadata matched a non-redirect client metadata problem, the store is left pinned to localhost and later openclaw mcp login calls no longer use the legacy 127.0.0.1 default even though the fallback never worked. Keep the in-memory retry, but only persist the fallback redirect after the retry returns authorized or redirect, and add a regression test for the failed-retry path.
  Confidence: 0.9

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5b76436c452a.

Label changes

Label changes:

• add rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦪 silver shellfish.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🦪 silver shellfish, so this older rating label is no longer current.

Label justifications:

• P1: The PR changes MCP OAuth login behavior for remote servers and can affect existing auth-provider setups.
• merge-risk: 🚨 compatibility: The fallback stores a new redirect choice that can change future upgrade/login behavior for existing MCP OAuth users.
• merge-risk: 🚨 auth-provider: The changed OAuth redirect registration and code-exchange flow directly affects auth-provider routing and credentials.
• rating: 🦪 silver shellfish: Overall readiness is 🦪 silver shellfish; proof is 🦪 silver shellfish and patch quality is 🦪 silver shellfish.
• status: 📣 needs proof: The PR needs real behavior proof before ClawSweeper can clear the contributor ask. Needs stronger real behavior proof before merge: Copied terminal output covers the schema and response-normalization repros, but the PR still lacks redacted real openclaw mcp login/probe proof for the automatic fallback and later code exchange; after adding proof, updating the PR body should trigger re-review, or a maintainer can comment @clawsweeper re-review. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, the PR author or someone with repository write access can comment @clawsweeper re-review.

Evidence reviewed

PR surface:

Source +121, Tests +145. Total +266 across 6 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	3	144	23	+121
Tests	3	146	1	+145
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	6	290	24	+266

Security concerns:

• [medium] Sticky redirect fallback after failed retry — src/agents/mcp-oauth.ts:276
  A failed fallback can leave future OAuth logins using localhost instead of the shipped 127.0.0.1 default, changing auth-provider behavior without a successful registration or code exchange.
  Confidence: 0.88

What I checked:

• root policy read: The full root AGENTS.md was read; its auth-provider, fallback, dependency-contract, and proof requirements apply to this PR. (AGENTS.md:1, 5b76436c452a)
• scoped policy read: src/agents/AGENTS.md was read fully; the PR touches agent MCP runtime code and tests under that scope. (src/agents/AGENTS.md:1, 5b76436c452a)
• current OAuth behavior: Current main uses the shipped 127.0.0.1 redirect default and has no persisted redirectUrl fallback in the OAuth store. (src/agents/mcp-oauth.ts:47, 5b76436c452a)
• PR fallback persistence: The PR writes LOCALHOST_REDIRECT_URL into the OAuth store before the fallback auth attempt returns authorized or redirect. (src/agents/mcp-oauth.ts:276, 564eac41acb0)
• MCP SDK contract: @modelcontextprotocol/sdk 1.29.0 parseErrorResponse reads text only from a global Response, and auth() uses provider.clientMetadata for DCR plus provider.redirectUrl for authorization and token exchange. (package.json:1878, 5b76436c452a)
• CLI entry point: openclaw mcp login calls runMcpOAuthLogin with the MCP HTTP fetch wrapper, so the change affects the documented public OAuth login flow. (src/cli/mcp-cli.ts:1244, 5b76436c452a)

Likely related people:

• openclaw/openclaw-secops: CODEOWNERS assigns src/agents/auth.ts and nested auth paths to this team, and the PR changes src/agents/mcp-oauth.ts. (role: CODEOWNERS auth owner; confidence: high; files: .github/CODEOWNERS, src/agents/mcp-oauth.ts)
• Kevin Lin: git blame/log in this checkout point current central MCP/auth/schema lines to a recent broad revert commit touching these files; this is a routing clue, not blame for the bug. (role: recent area contributor; confidence: low; commits: 4c5d8afa38c0; files: src/agents/mcp-oauth.ts, src/agents/mcp-http-fetch.ts, src/shared/json-schema-defaults.ts)
• Vincent Koc: git log -S and file history show the latest release baseline commit touching the central MCP OAuth/fetch/schema files. (role: release baseline contributor; confidence: low; commits: 2e08f0f4221f; files: src/agents/mcp-oauth.ts, src/agents/mcp-http-fetch.ts, src/shared/json-schema-defaults.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[LiuwqGit]

Follow-up pushed addressing ClawSweeper review:

• Redirect compatibility: keep legacy 127.0.0.1 default; retry DCR with localhost only after invalid_client_metadata / redirect_uri rejection (no configured override).
• OAuth error regression: test now uses a body-less foreign response — the path where current main returned an unparsed response to MCP SDK parseErrorResponse.
• Lint: fixed no-new side-effect probes in JSON Schema pattern repair.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27149794995
• Updated: 2026-06-08T16:00:46.910Z

[LiuwqGit]

Second follow-up (564eac41ac) addresses ClawSweeper P1 findings:

1. Body-less OAuth errors: ensureGlobalFetchResponse now awaits response.text() when body is null, so MCP SDK parseErrorResponse receives JSON instead of an empty body.
2. Redirect persistence: localhost fallback writes redirectUrl into the OAuth store; subsequent openclaw mcp login --code reuses the same redirect URI.

Tests added/updated:

• mcp-http-fetch.test.ts — body-less foreign response regression (now passes locally + CI)
• mcp-oauth.test.ts — persisted redirect across code exchange

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27176155239
• Updated: 2026-06-09T00:47:58.040Z

[LiuwqGit]

PR follow-up status on 564eac41ac:

• CI: all required checks green (including check-lint, Real behavior proof, checks-node-agentic-agents-core-runtime)
• Code: prior ClawSweeper P1 items addressed (body-less OAuth error text + persisted localhost redirect for --code exchange)
• ClawSweeper: last re-review failed with Codex ETIMEDOUT before completing — requesting a fresh review

@clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27175821896
• Updated: 2026-06-09T00:36:40.618Z

[vincentkoc]

Maintainer fixes and pre-merge proof are complete.

Autoreview found and this branch now fixes:

• body-forbidden 204/205/304 response normalization
• redirect fallback firing during authorization-code exchange
• failed localhost fallbacks being persisted
• OAuth retry state being overwritten after a successful redirect
• repaired patternProperties collisions, including prototype-named keys

Verification on head 967d4486cfbdf20ef2768efbd3e90785c52ca088:

• node scripts/run-vitest.mjs src/agents/mcp-http-fetch.test.ts src/agents/mcp-oauth.test.ts src/agents/agent-bundle-mcp-runtime.test.ts src/shared/json-schema-defaults.test.ts — 57 tests passed
• .agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main ... — clean; no accepted/actionable findings
• dependency contract inspected directly against @modelcontextprotocol/sdk 1.29.0 source/types

Broad remote proof gap: Crabbox Azure exhausted regional core quota/capacity; Blacksmith fallback is unavailable because the blacksmith CLI is not installed; brokered AWS is not authenticated on this host. No broad gate was represented as passing.