OAuth tokens lost on version update due to version-specific storage directory #200

@BenNewman100

Problem

When using npx mcp-remote@latest, OAuth tokens are lost every time the package updates to a new version, forcing users to re-authenticate via browser on each update.

Root Cause

In src/lib/mcp-auth-config.ts, the config directory includes the package version:

export function getConfigDir(): string {
  const baseConfigDir = process.env.MCP_REMOTE_CONFIG_DIR ||
    path.join(os.homedir(), '.mcp-auth')
  return path.join(baseConfigDir, `mcp-remote-${MCP_REMOTE_VERSION}`)
}

This creates separate directories for each version:

~/.mcp-auth/
├── mcp-remote-0.1.29/
│   ├── {hash}_tokens.json      ← tokens from old version
│   ├── {hash}_client_info.json
│   └── ...
├── mcp-remote-0.1.31/
│   ├── {hash}_client_info.json  ← new version starts fresh
│   ├── {hash}_code_verifier.txt
│   └── {hash}_lock.json         ← no tokens.json!

When mcp-remote updates (which happens frequently with @latest), the new version can't see the old version's tokens.

Reproduction Steps

  1. Configure an MCP client to use npx mcp-remote@latest https://some-server/sse
  2. Authenticate via browser when prompted
  3. Verify tokens are saved in ~/.mcp-auth/mcp-remote-{version}/
  4. Wait for a new mcp-remote version to be published (or manually clear npm cache)
  5. Restart the MCP client
  6. Observe: prompted to authenticate again because new version directory has no tokens

Expected Behavior

Tokens should persist across mcp-remote version updates. Re-authentication should only be required when tokens expire or are revoked.

Suggested Fixes

Option A: Remove version from path (simple)

export function getConfigDir(): string {
  return process.env.MCP_REMOTE_CONFIG_DIR ||
    path.join(os.homedir(), '.mcp-auth', 'mcp-remote')
}

Option B: Add migration logic (better UX)
On startup, check for tokens in old version directories and migrate them to the new location.

Workaround

Users can set MCP_REMOTE_CONFIG_DIR to bypass version-specific storage:

{
  "command": "npx",
  "args": ["-y", "mcp-remote@latest", "https://example.com/sse"],
  "env": {
    "MCP_REMOTE_CONFIG_DIR": "/path/to/.mcp-auth/mcp-remote"
  }
}

This workaround should probably be documented in the README for users of @latest.

Environment

  • mcp-remote versions affected: all (by design)
  • OS: Windows 11 (likely affects all platforms)
  • MCP Client: Claude Code CLI
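
Option B above, sketched as an added example (not code from mcp-remote or from the issue author). The helper name `migrateLegacyTokens` is hypothetical, the unversioned target directory is the one from Option A, and copying `{hash}_client_info.json` together with `{hash}_tokens.json` is an assumption that stored tokens are only usable with the client registration they were issued to.

```typescript
import * as fs from 'node:fs'
import * as path from 'node:path'

// Hypothetical helper (not mcp-remote code). Names follow the layout in the issue.
const VERSIONED = /^mcp-remote-(\d+)\.(\d+)\.(\d+)$/
const TOKENS = '_tokens.json'
const CLIENT = '_client_info.json'

// Numeric compare so that 0.1.29 sorts above 0.1.9.
function cmpVersion(a: RegExpExecArray, b: RegExpExecArray): number {
  for (let i = 1; i <= 3; i++) {
    const d = Number(a[i]) - Number(b[i])
    if (d !== 0) return d
  }
  return 0
}

// Returns the server hashes whose tokens were copied into targetDir.
export function migrateLegacyTokens(baseDir: string, targetDir: string): string[] {
  fs.mkdirSync(targetDir, { recursive: true, mode: 0o700 })
  const legacy = fs.readdirSync(baseDir)
    .map((name) => ({ name, ver: VERSIONED.exec(name) }))
    // lstat does not follow symlinks, so a linked directory is ignored
    .filter((d) => d.ver !== null && fs.lstatSync(path.join(baseDir, d.name)).isDirectory())
    .sort((a, b) => cmpVersion(b.ver!, a.ver!)) // newest version first
  const migrated: string[] = []
  for (const dir of legacy) {
    const src = path.join(baseDir, dir.name)
    for (const file of fs.readdirSync(src)) {
      if (!file.endsWith(TOKENS)) continue
      const hash = file.slice(0, -TOKENS.length)
      // Never replace tokens already present (current login or a newer version)
      if (fs.existsSync(path.join(targetDir, file))) continue
      if (!fs.lstatSync(path.join(src, file)).isFile()) continue
      for (const suffix of [TOKENS, CLIENT]) {
        const from = path.join(src, hash + suffix)
        const to = path.join(targetDir, hash + suffix)
        if (!fs.lstatSync(from, { throwIfNoEntry: false })?.isFile()) continue
        // Both files come from the same version directory so they stay paired.
        // 'wx' refuses to write through an existing path; 0o600 is owner-only on POSIX.
        fs.rmSync(to, { force: true })
        fs.writeFileSync(to, fs.readFileSync(from), { mode: 0o600, flag: 'wx' })
      }
      migrated.push(hash)
    }
  }
  return migrated
}
```

The old version directories are left in place, so copies of the tokens remain on disk until they are removed separately.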
