Skip to content

bug(mcp): OAuth server blocks agent startup and auth URL invisible in TUI #2276

Closed
#2281
Closed
bug(mcp): OAuth server blocks agent startup and auth URL invisible in TUI#2276
#2281
Assignees
bug-ops
Labels
P1High ROI, low complexity — do next sprintbugSomething isn't working
@bug-ops

Description

@bug-ops
bug-ops
opened on Mar 27, 2026

Problem

When an MCP server with OAuth ([mcp.servers.oauth] enabled = true) is configured, the agent startup freezes for up to 300 seconds and the user never sees the authorization URL in TUI mode.

Root Cause

Two interrelated problems in the startup sequence (src/runner.rs / src/agent_setup.rs):

  1. Blocking startup: mcp_manager.connect_all().await is called inside build_tool_setup(), which runs via tokio::join! before the TUI is created (TUI is created at line 644, after the join completes). The OAuth phase calls await_oauth_callback(listener, 300s, ...) which blocks the entire initialization for up to 5 minutes while waiting for a browser callback that will never arrive.

  2. Auth URL never shown: The OAuth auth URL is sent via status_tx (as a status message) during connect_all(), but the TUI event loop has not started yet at that point. By the time TUI renders, the OAuth callback has already timed out. The URL is never displayed to the user.

  3. No browser open: There is no open::that() or equivalent to auto-launch the browser with the auth URL.

Reproduction

Configure any HTTP MCP server with OAuth (e.g. todoist):

[[mcp.servers]]
id = "todoist"
url = "https://ai.todoist.net/mcp"

[mcp.servers.oauth]
enabled = true
token_storage = "vault"
callback_port = 18766

Run cargo run --features full -- --tui. Agent startup freezes for 300s, then launches without todoist tools.

Expected Behavior

  • OAuth flow must not block agent startup
  • The auth URL should be prominently displayed in the TUI (e.g. a dedicated OAuth authorization dialog/prompt)
  • Ideally, the browser is auto-opened with the auth URL

Suggested Fix Direction

  • Move OAuth connection out of the startup critical path — connect OAuth servers after the TUI event loop has started
  • OR make OAuth startup non-blocking: skip OAuth servers on first launch, connect them lazily via a background task after TUI is ready
  • Add a TUI dialog or notification that shows the OAuth URL with a "Press Enter to open in browser" prompt
  • Use open::that() crate to auto-launch the browser

Files

  • src/agent_setup.rs:338-344create_mcp_manager_with_vault + connect_all()
  • src/runner.rs:552-562tokio::join! that blocks startup
  • src/runner.rs:642-644 — TUI created AFTER tool setup completes
  • crates/zeph-mcp/src/manager.rs:396await_oauth_callback 300s timeout

Metadata

Metadata

Assignees

Labels

P1High ROI, low complexity — do next sprintbugSomething isn't working

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions