[backport] OAuth 2.1 stdio login (upstream main) [story]

[gastrodon]

Summary

Full OAuth 2.1 login support for the stdio server. Replaces the mandatory PAT with a lazy, auto-refreshing OAuth flow triggered on first tool call. Three coordinated pieces of work:

• [backport] OAuth 2.1 core library — PKCE + device flows (upstream main) #10 — OAuth 2.1 core library (internal/oauth): PKCE + device-code flows, Manager, Prompter interface
• [backport] Wire OAuth 2.1 login into stdio server (upstream main) #11 — Wire OAuth into stdio server: BearerAuthTransport, RunStdioServer middleware, --oauth-* flags
• [backport] OAuth build-time credentials + docs (upstream main) #12 — Build-time credentials + docs: ldflags injection, internal/buildinfo, docs/oauth-login.md, README/server.json updates

Upstream reference

• version: upstream main (post v1.4.0, unreleased)
• commits: github@8ce77e3
• PRs: feat(oauth): add stdio OAuth 2.1 login core library (1/4) github/github-mcp-server#2704, feat(oauth): wire stdio OAuth 2.1 login into the server (2/4) github/github-mcp-server#2710, build(oauth): bake in default OAuth credentials for official releases (3/4) github/github-mcp-server#2711, docs(oauth): stdio OAuth login guide + OAuth-first install config (4/4) github/github-mcp-server#2717

Fork conflict

None. OAuth is an authentication layer entirely separate from the fork's project-management and issue-graph tooling.

Context

The stdio GitHub MCP server previously required users to provision a GitHub personal access token. OAuth 2.1 PKCE login eliminates this friction: official binaries on github.com ship with baked-in credentials, so users just run the server and complete a browser login on first use. GHES and custom-app users bring their own --oauth-client-id.

[gastrodon]

Unified Changelog — upstream main since v1.4.0

See #10 for the full changelog. Summary:

• [backport] OAuth 2.1 stdio login (upstream main) [story] #13 (story): OAuth 2.1 stdio login → sub-issues [backport] OAuth 2.1 core library — PKCE + device flows (upstream main) #10 [backport] Wire OAuth 2.1 login into stdio server (upstream main) #11 [backport] OAuth build-time credentials + docs (upstream main) #12
• [backport] Issue dependency read/write tools (upstream main) #14: Issue dependency read/write tools
• [backport] get_parent method for issue_read (upstream main) #15: get_parent for issue_read
• [backport] Promote issue fields to default, remove legacy issue_write methods (upstream main) #16: Promote issue fields, remove legacy issue_write
• [backport] Remove show_ui parameter, centralize show/defer decision (upstream main) #17: Remove show_ui, centralize show/defer
• [backport] Fix delete:true on issue fields — REST DELETE fallback (upstream main) #18: Fix delete:true on issue fields
• [backport] Bound ui_get pagination to prevent latency spikes (upstream main) #19: Bound ui_get pagination
• [backport] Fix issue_write MCP App form gating for labels/assignees/milestone/type (upstream main) #20: Fix issue_write form gating
• [backport] Validate required params in add_comment_to_pending_review (upstream main) #21: Validate required params in add_comment_to_pending_review

[gastrodon]

No-op. All three sub-issues (#10 #11 #12) are already present in the fork. The full OAuth 2.1 stdio login story — core library, server wiring, build credentials, docs — is implemented. Sub-issues closed as no-ops.