Mirror: feat(mcp): re-enable oauth resource parameter and add discovery logging (#5331)

.devcontainer/devcontainer.json

@@ -5,7 +5,10 @@
 
 	"features": {
 		"ghcr.io/devcontainers/features/git:1": {},
-		"ghcr.io/devcontainers/features/github-cli:1": {}
+		"ghcr.io/devcontainers/features/github-cli:1": {},
+		"ghcr.io/devcontainers/features/sshd:1": {
+			"version": "latest"
+		}
 	},
 
 	"customizations": {
@@ -54,15 +57,12 @@
 	"remoteUser": "root",
 	"containerUser": "root",
 
-	// Mounts for persisting Kilo Code state across container rebuilds
-	// These mounts preserve threads, settings, and caches
 	"mounts": [
 		"source=${localWorkspaceFolder}/.git,target=/workspace/.git,type=bind,consistency=cached",
 		"source=kilocode-global-storage,target=/root/.vscode-remote/data/User/globalStorage/kilocode.kilo-code,type=volume",
 		"source=kilocode-settings,target=/root/.vscode-remote/data/User,type=volume"
 	],
 
-	// Configure custom properties for workspace storage
 	"workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind",
 	"workspaceFolder": "/workspace"
 }

.github/dependabot.yml

@@ -1,21 +1,12 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
-
 version: 2
 updates:
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
-
-  - package-ecosystem: "npm"
-    directory: "/cli"
-    schedule:
-      interval: "weekly"
-
+    open-pull-requests-limit: 5
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
+    open-pull-requests-limit: 3

.github/workflows/codeql.yml

@@ -0,0 +1,28 @@
+name: CodeQL
+on:
+  pull_request:
+    branches: [main]
+
+permissions:
+  security-events: write
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript-typescript]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3

.github/workflows/pr-agent.yml

@@ -0,0 +1,24 @@
+name: PR Agent
+on:
+  pull_request:
+    types: [opened, reopened, ready_for_review]
+  issue_comment:
+    types: [created]
+
+permissions:
+  issues: write
+  pull-requests: write
+  contents: read
+
+jobs:
+  pr_agent:
+    if: ${{ github.event.sender.type != 'Bot' }}
+    runs-on: ubuntu-latest
+    name: Run PR Agent
+    steps:
+      - name: PR Agent action step
+        id: pragent
+        uses: qodo-ai/pr-agent@main
+        env:
+          OPENAI_KEY: ${{ secrets.OPENAI_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

greptile.json

@@ -0,0 +1,89 @@
+{
+  "commentTypes": ["logic", "syntax", "style"],
+  "strictness": 1,
+  "fixWithAI": true,
+  "triggerOnUpdates": true,
+  "summarySection": {
+    "included": true,
+    "collapsible": false,
+    "defaultOpen": true
+  },
+  "issuesTableSection": {
+    "included": true,
+    "collapsible": false,
+    "defaultOpen": true
+  },
+  "confidenceScoreSection": {
+    "included": true,
+    "collapsible": false,
+    "defaultOpen": true
+  },
+  "sequenceDiagramSection": {
+    "included": true,
+    "collapsible": true,
+    "defaultOpen": false
+  },
+  "ignorePatterns": [
+    "*.lock",
+    "*.snap",
+    "pnpm-lock.yaml",
+    "src/i18n/locales/**"
+  ],
+  "customContext": [
+    {
+      "type": "rules",
+      "value": "This is a pnpm monorepo using Turbo. Packages: src/ (VSCode extension), webview-ui/ (React frontend), cli/ (CLI), packages/ (shared types, ipc, telemetry), jetbrains/ (Kotlin plugin), apps/ (docs, e2e, storybook)."
+    },
+    {
+      "type": "rules",
+      "value": "All code changes that modify Kilo Code behavior MUST include kilocode_change markers in comments explaining what was changed and why."
+    },
+    {
+      "type": "rules",
+      "value": "PRs that touch UI or settings MUST include i18n translation strings. A GUI-based change with settings typically involves 12-13 files plus ~18 more for i18n."
+    },
+    {
+      "type": "rules",
+      "value": "PRs SHOULD include a .changeset/ file for version bumping. Exception: docs-only changes in apps/kilocode-docs/ do not require changesets."
+    },
+    {
+      "type": "rules",
+      "value": "New provider additions follow a pattern: handler in src/api/providers/, model info, types in packages/types/, i18n strings, and tests. Check existing providers like anthropic or openai for the pattern."
+    },
+    {
+      "type": "rules",
+      "value": "TypeScript strict mode. No any types without justification. Use Zod schemas for runtime validation at system boundaries."
+    },
+    {
+      "type": "rules",
+      "value": "Security: No hardcoded credentials, API keys, or secrets. Validate all user inputs. No command injection in ExecuteCommand tool. No XSS in webview-ui."
+    },
+    {
+      "type": "rules",
+      "value": "Test expectations: Unit tests for business logic, integration tests for API handlers, e2e tests for critical user flows. Tests live alongside source files or in __tests__ directories."
+    },
+    {
+      "type": "files",
+      "path": "AGENTS.md",
+      "description": "Project structure, architecture overview, agent runtime details, and coding conventions"
+    },
+    {
+      "type": "files",
+      "path": "CONTRIBUTING.md",
+      "description": "Contribution guidelines, PR requirements, commit message format"
+    },
+    {
+      "type": "files",
+      "path": ".github/pull_request_template.md",
+      "description": "Expected PR format: Context, Implementation, Screenshots, How to Test"
+    },
+    {
+      "type": "other",
+      "value": "This repo has 50+ AI provider integrations. When reviewing provider changes, check for: correct error handling, proper streaming support, model capability declarations, and consistent patterns with existing providers."
+    },
+    {
+      "type": "other",
+      "value": "The docs site is a Next.js app using Markdoc at apps/kilocode-docs/. Docs PRs only need Build Markdoc Site and check-translations CI checks to pass."
+    }
+  ]
+}

src/services/mcp/oauth/McpAuthorizationDiscovery.ts

@@ -158,6 +158,7 @@ export class McpAuthorizationDiscovery {
 			}
 		} catch (e) {
 			// Ignore and try next
+			console.warn(`Failed to fetch RFC 8414 metadata:`, e)
 		}
 
 		// Try OIDC Discovery
@@ -174,6 +175,7 @@ export class McpAuthorizationDiscovery {
 			}
 		} catch (e) {
 			// Ignore fetch errors
+			console.warn(`Failed to fetch OIDC metadata:`, e)
 		}
 
 		throw new Error(`Failed to discover authorization server metadata for ${issuerUrl}`)

src/services/mcp/oauth/McpOAuthService.ts

@@ -194,7 +194,7 @@ export class McpOAuthService {
 			state,
 			codeChallenge,
 			codeChallengeMethod: "S256",
-			// resource: serverUrl, // Disabled: Cloudflare doesn't support RFC 8707 resource parameter
+			resource: serverUrl,
 		})
 
 		// 5. Verify State