Problem
After #1379 wired the OAuth flow, the Network tab shows the post-redirect auth HTTP (discovery re-run + POST /token from completeOAuthFlow) but not the pre-redirect half — the protected-resource + authorization-server discovery and the Dynamic Client Registration POST /register that run during authenticate() on the page that then redirects to the auth server. That page's FetchRequestLogState is destroyed on navigation, so those auth entries never reach the connected page.
Root cause (confirmed empirically)
FetchRequestLogState + RemoteInspectorClientStorage are designed to persist the fetch log across the redirect (save on the client's saveSession event keyed by the OAuth authId, restore on the /oauth/callback rebuild). But the ordering defeats it:
BaseOAuthClientProvider.redirectToAuthorization (core/auth/providers.ts:234) sets window.location.href inside the SDK's auth().OAuthManager.authenticate only calls onBeforeOAuthRedirect → saveSession after auth() returns (core/mcp/oauthManager.ts:138).
By the time the save fires, the document is already unloading, so the save never reaches the backend (verified: no inspector-session-* file is written, even though a keepalive POST dispatched before navigation persists fine, and /api/storage works manually).
Fix plan
Persist the session synchronously, before navigation:
BrowserNavigation — run a synchronous beforeNavigate(url) hook before window.location.href.createWebEnvironment — accept an onBeforeOAuthRedirect hook and pass it to BrowserNavigation.App.tsx — wire the hook to flush the active FetchRequestLogState entries to RemoteInspectorClientStorage (keepalive POST, keyed by the authId parsed from the auth URL).FetchRequestLogState.hydrateFetchRequests — merge restored entries instead of replacing, to avoid a restore-vs-live-append race on the callback page.RemoteInspectorClientStorage.saveSession — use keepalive: true so the save outlives the unloading document.
Acceptance criteria
Notes
Stacked on #1383 (#1379). Independent of #1378.
Problem
After #1379 wired the OAuth flow, the Network tab shows the post-redirect auth HTTP (discovery re-run +
POST /tokenfromcompleteOAuthFlow) but not the pre-redirect half — the protected-resource + authorization-server discovery and the Dynamic Client RegistrationPOST /registerthat run duringauthenticate()on the page that then redirects to the auth server. That page'sFetchRequestLogStateis destroyed on navigation, so thoseauthentries never reach the connected page.Root cause (confirmed empirically)
FetchRequestLogState+RemoteInspectorClientStorageare designed to persist the fetch log across the redirect (save on the client'ssaveSessionevent keyed by the OAuth authId, restore on the/oauth/callbackrebuild). But the ordering defeats it:BaseOAuthClientProvider.redirectToAuthorization(core/auth/providers.ts:234) setswindow.location.hrefinside the SDK'sauth().OAuthManager.authenticateonly callsonBeforeOAuthRedirect→saveSessionafterauth()returns (core/mcp/oauthManager.ts:138).By the time the save fires, the document is already unloading, so the save never reaches the backend (verified: no
inspector-session-*file is written, even though akeepalivePOST dispatched before navigation persists fine, and/api/storageworks manually).Fix plan
Persist the session synchronously, before navigation:
BrowserNavigation— run a synchronousbeforeNavigate(url)hook beforewindow.location.href.createWebEnvironment— accept anonBeforeOAuthRedirecthook and pass it toBrowserNavigation.App.tsx— wire the hook to flush the activeFetchRequestLogStateentries toRemoteInspectorClientStorage(keepalive POST, keyed by the authId parsed from the auth URL).FetchRequestLogState.hydrateFetchRequests— merge restored entries instead of replacing, to avoid a restore-vs-live-append race on the callback page.RemoteInspectorClientStorage.saveSession— usekeepalive: trueso the save outlives the unloading document.Acceptance criteria
/register, plus post-redirect discovery +/token, all asauth, alongsidetransport.Notes
Stacked on #1383 (#1379). Independent of #1378.