[backport] OAuth 2.1 core library — PKCE + device flows (upstream main)

[gastrodon]

Summary

Introduces internal/oauth, a self-contained OAuth 2.1 login library for the stdio server. Provides:

• Authorization-code + PKCE flow with a local loopback callback server (state/CSRF, XSS-safe result pages)
• Device-authorization flow as headless/container fallback
• A Manager that selects the most secure available channel (browser → URL elicitation → last-resort message) and exposes a refreshing TokenSource
• Both GitHub OAuth Apps and GitHub Apps are supported; expiring GitHub App tokens are refreshed automatically via x/oauth2
• Prompter interface decouples MCP client interaction from the OAuth flow so tests are runnable without a live session
• internal/oauth/env.go for detecting headless environments; internal/oauth/callback.go for loopback receiver

Upstream reference

• version: upstream main (post v1.4.0, unreleased)
• commits: github@8ce77e3
• PR: feat(oauth): add stdio OAuth 2.1 login core library (1/4) github/github-mcp-server#2704

Fork conflict

None. internal/oauth is a new package with no overlap with the fork's project-management additions.

Context

The stdio server previously required a pre-provisioned PAT. This library is the foundation for zero-config OAuth login — users on github.com can authenticate on first tool call without generating a token, removing a significant friction point for new adopters.

[gastrodon]

Unified Changelog — upstream main since v1.4.0

All changes below are unreleased upstream commits on github/github-mcp-server main (post v1.4.0, 2026-06-18 → 2026-06-26). All are present in this fork's codebase; PATCHER.md has not yet been updated.

---

Stories

OAuth 2.1 stdio login (#13 → sub-issues #10 #11 #12)

• upstream: main (post v1.4.0)
• type: feature / story
• description: Full zero-config OAuth login for stdio server. Core library (internal/oauth) with PKCE + device-code flows, wired into RunStdioServer as a lazy first-call interceptor, with build-time credential injection via ldflags. Users on github.com authenticate via browser; PAT is now optional.
• upstream commits: 8ce77e3 (squashes PRs feat(oauth): add stdio OAuth 2.1 login core library (1/4) github/github-mcp-server#2704 feat(oauth): wire stdio OAuth 2.1 login into the server (2/4) github/github-mcp-server#2710 build(oauth): bake in default OAuth credentials for official releases (3/4) github/github-mcp-server#2711 docs(oauth): stdio OAuth login guide + OAuth-first install config (4/4) github/github-mcp-server#2717)
• fork conflict: none

---

Standalone Features

Issue dependency read/write tools (#14)

• upstream: main (post v1.4.0)
• type: feature / standalone
• description: issue_dependency_read (get_blocked_by / get_blocking) and issue_dependency_write (add / remove × blocked_by / blocking) via GraphQL blockedBy/blocking connections and addBlockedBy/removeBlockedBy mutations. Feature-flagged behind issue_dependencies. Accepts issue numbers, resolves to node IDs in a single aliased query.
• upstream commits: 067756a (PR Add issue dependency read/write MCP tools github/github-mcp-server#2751)
• fork conflict: mild design note — the fork's issue_graph traverses sub-issues and cross-refs. Blocked-by/blocking is a complementary axis not yet covered by issue_graph. Standalone tools are additive.

get_parent method for issue_read (#15)

• upstream: main (post v1.4.0)
• type: feature / standalone
• description: Adds upward parent traversal to issue_read via GraphQL Issue.parent. Returns {"parent": null} for top-level issues. Always-on, mirroring get_sub_issues.
• upstream commits: 9430064 (PR Add get_parent method to issue_read github/github-mcp-server#2726)
• fork conflict: none — additive to issues.go, complementary to issue_graph

Promote issue fields to default, remove legacy issue_write (#16)

• upstream: main (post v1.4.0)
• type: feature / standalone (breaking change — removes old write path)
• description: Removes remote_mcp_issue_fields feature flag; deletes ~572 lines of legacy issue_write methods that pre-dated issue field support. Granular issue_write with issue_fields is now the only write path.
• upstream commits: a37837 (PR Promote issue fields and deprecate legacy issue write tool  github/github-mcp-server#2696)
• fork conflict: none — fork does not extend legacy write methods

---

Bug Fixes

Remove show_ui, centralize show/defer decision (#17)

• upstream: main (post v1.4.0)
• type: bug / refactor
• description: show_ui=false caused up-front execution but the host still rendered the MCP App form (spec has no per-call opt-out). Fix: Views driven by actual tool result; show_ui removed entirely from create_pull_request and issue_write; show/defer logic centralized in ui_capability.go via shouldDeferToForm().
• upstream commits: 0503f2f (PR fix(mcp-apps): reconcile the show/defer contract — render results, remove show_ui github/github-mcp-server#2774)
• fork conflict: mild note — v1.4.0 introduced show_ui (PR Add explicit show_ui parameter to UI-enabled write tools github/github-mcp-server#2601). This removes it. Fork's custom tools don't use MCP Apps UI so no functional conflict.

Fix delete:true on issue fields — REST DELETE fallback (#18)

• upstream: main (post v1.4.0)
• type: bug
• description: When deleting the last issue field value, go-github's omitempty tag strips the empty slice from the PATCH body, causing the server to skip the field update. Fix: detect empty-after-filter case and fire individual REST DELETE per field. Already-absent fields are silently skipped; partial failures accumulated with per-field detail.
• upstream commits: 29634da (PR Fix delete:true on issue fields by calling deleteIssueFieldValue mutation github/github-mcp-server#2755)
• fork conflict: none

Bound ui_get pagination (#19)

• upstream: main (post v1.4.0)
• type: bug
• description: ui_get pagination was unbounded; large repos caused tail latency spikes (observed ~20 min). Fix: uiGetMaxPages = 10 (1000 items) cap on all loops; has_more flag indicates truncation.
• upstream commits: 63d313a (PR fix(ui_get): bound pagination to cap latency github/github-mcp-server#2766)
• fork conflict: none

Fix issue_write form gating for labels/assignees/milestone/type (#20)

• upstream: main (post v1.4.0)
• type: bug
• description: labels, assignees, milestone, type were missing from issueWriteFormParams allowlist, causing calls with these params to bypass the confirmation form. Fixed by adding all four; description text corrected.
• upstream commits: 3c4749d (PR Show issue_write MCP App form for labels/assignees/milestone/type github/github-mcp-server#2767)
• fork conflict: none

Validate required params in add_comment_to_pending_review (#21)

• upstream: main (post v1.4.0)
• type: bug
• description: mapstructure.WeakDecode silently zero-valued missing required params. Replace with RequiredParam[string] / RequiredInt calls so missing args return isError with descriptive message before any API call.
• upstream commits: 5aa8ed3 (PR fix(pull_requests): validate required params in add_comment_to_pending_review github/github-mcp-server#2770)
• fork conflict: none

[gastrodon]

No-op. The fork's codebase already contains the full internal/oauth/ package (callback.go, env.go, flow.go, manager.go, oauth.go, prompter.go, templates/) implementing PKCE and device-code flows. All tests in internal/oauth/*_test.go are present. The last_patched field in PATCHER.md has not yet been updated to reflect this — that will happen at cycle close.