OAuth login flow and token storage for MCP servers.
Note: mcp.shared.auth.OAuthToken is a pydantic model whose default
repr includes the access and refresh token strings verbatim. Never
log one via %r, str(), f-string interpolation, or
logger.exception/exc_info on an exception that wraps one — the
tokens will land in stdout, log files, and error-reporting
pipelines. Pass only structural facts ("refreshed token for
server X") rather than the token itself.
Resolve ${VAR} env-var references in header values.
Construct an OAuthClientProvider for an MCP server.
Find an MCPReauthRequiredError anywhere inside exc's tree.
Walks exceptions (for ExceptionGroup), then __cause__ and
__context__, tracking visited nodes to terminate on cyclic chains.
Drive OAuth login for server_name, persisting tokens on success.
Parsed MCP server config entry.
All keys are optional at the type level because mcpServers entries
are validated shape-first by _validate_server_config rather than by
the type system. This TypedDict documents the accepted shape for
readers and static checkers — validate the fields at use sites before
relying on them.
File-backed TokenStorage under ~/.deepagents/mcp-tokens/.
Raised when an MCP server needs interactive re-authentication.
