[backport] Wire OAuth 2.1 login into stdio server (upstream main)

[gastrodon]

Summary

Connects the internal/oauth core library to the stdio MCP server:

• BearerAuthTransport gains a TokenProvider consulted per-request, so the lazily-acquired, auto-refreshing OAuth token replaces the pinned static token without rebuilding the HTTP client
• RunStdioServer starts without a token and installs receiving middleware that runs the authorization flow on the first tool call, surfacing the auth URL or device code via elicitation (or a tool-result fallback)
• Tool filtering uses the requested OAuth scopes; missing-scope tools are hidden
• A sessionPrompter adapts the MCP server session to oauth.Prompter, keeping the auth URL off the model's context
• New stdio flags: --oauth-client-id, --oauth-client-secret, --oauth-scopes, --oauth-callback-port
• New internal/ghmcp/oauth.go integrates the session layer; internal/ghmcp/server.go updated

Upstream reference

• version: upstream main (post v1.4.0, unreleased)
• commits: github@8ce77e3 (2/4 squashed)
• PR: feat(oauth): wire stdio OAuth 2.1 login into the server (2/4) github/github-mcp-server#2710

Fork conflict

None. internal/ghmcp/server.go additions are additive alongside the fork's existing project-management setup.

Context

Without this wiring, the core OAuth library has no effect. This commit makes OAuth login the default path for stdio users on github.com by intercepting the first MCP tool call.

Depends on

See parent issue (OAuth story).

[gastrodon]

Unified Changelog — upstream main since v1.4.0

All changes below are unreleased upstream commits on github/github-mcp-server main (post v1.4.0, 2026-06-18 → 2026-06-26). All are present in this fork's codebase; PATCHER.md has not yet been updated.

---

Stories

OAuth 2.1 stdio login (#13 → sub-issues #10 #11 #12)

• upstream: main (post v1.4.0)
• type: feature / story
• description: Full zero-config OAuth login for stdio server. Core library (internal/oauth) with PKCE + device-code flows, wired into RunStdioServer as a lazy first-call interceptor, with build-time credential injection via ldflags. Users on github.com authenticate via browser; PAT is now optional.
• upstream commits: 8ce77e3 (squashes PRs feat(oauth): add stdio OAuth 2.1 login core library (1/4) github/github-mcp-server#2704 feat(oauth): wire stdio OAuth 2.1 login into the server (2/4) github/github-mcp-server#2710 build(oauth): bake in default OAuth credentials for official releases (3/4) github/github-mcp-server#2711 docs(oauth): stdio OAuth login guide + OAuth-first install config (4/4) github/github-mcp-server#2717)
• fork conflict: none

---

Standalone Features

Issue dependency read/write tools (#14)

• upstream: main (post v1.4.0) — type: feature / standalone
• description: issue_dependency_read and issue_dependency_write via GraphQL blockedBy/blocking. Feature-flagged behind issue_dependencies.
• upstream commits: 067756a (PR Add issue dependency read/write MCP tools github/github-mcp-server#2751)
• fork conflict: mild — complementary to issue_graph, additive

get_parent for issue_read (#15)

• upstream: main (post v1.4.0) — type: feature / standalone
• description: Upward parent traversal via GraphQL Issue.parent.
• upstream commits: 9430064 (PR Add get_parent method to issue_read github/github-mcp-server#2726) — fork conflict: none

Promote issue fields, remove legacy issue_write (#16)

• upstream: main (post v1.4.0) — type: feature / standalone
• description: Remove remote_mcp_issue_fields FF; delete ~572 lines of legacy write methods.
• upstream commits: a37837 (PR Promote issue fields and deprecate legacy issue write tool  github/github-mcp-server#2696) — fork conflict: none

---

Bug Fixes

Remove show_ui, centralize show/defer (#17) — commits: 0503f2f (PR github#2774) — fork conflict: mild (v1.4.0 added show_ui; this removes it; no functional impact on fork's tools)

Fix delete:true on issue fields (#18) — commits: 29634da (PR github#2755) — fork conflict: none

Bound ui_get pagination (#19) — commits: 63d313a (PR github#2766) — fork conflict: none

Fix issue_write form gating (#20) — commits: 3c4749d (PR github#2767) — fork conflict: none

Validate required params in add_comment_to_pending_review (#21) — commits: 5aa8ed3 (PR github#2770) — fork conflict: none

[gastrodon]

No-op. The fork already has internal/ghmcp/oauth.go (OAuth session prompter + RunStdioServer middleware), pkg/http/transport/bearer.go with TokenProvider support, and cmd/github-mcp-server/main.go with --oauth-client-id/-secret/-scopes/-callback-port flags (37 oauth references confirmed). All wiring is present.