v2.8.0

[2.8.0] - 2026-05-25

Added

• Added per-server OAuth redirectUri, clientName, and clientUri overrides for pre-registered callbacks and dynamic client metadata.

Fixed

• Avoided OAuth callback port exhaustion by starting the callback server lazily and using OS-assigned ports for dynamic OAuth flows.
• Re-register dynamic OAuth clients before browser auth when cached redirect URI metadata is missing or no longer matches the active callback URI.

v2.7.0

[2.7.0] - 2026-05-22

Added

• Added TUI call rendering for MCP proxy and direct tool inputs. Thanks @dmmulroy for PR #102.

Fixed

• Hardened OAuth credential storage paths against server-name path traversal without rejecting valid configured server names.
• Rejected unsafe regex-mode MCP search patterns before executing them.

v2.6.1

[2.6.1] - 2026-05-13

Added

• Added /mcp logout <server> to clear stored OAuth credentials and disconnect the server. Thanks @mattzcarey for PR #96.

Fixed

• Cancel pending OAuth callbacks when logging out of an MCP server.

v2.6.0

[2.6.0] - 2026-05-10

Added

• Added a no-argument /mcp-auth OAuth picker and in-panel auth shortcut for OAuth-capable MCP servers.
• Added compact collapsed rendering for MCP proxy and direct-tool result rows while keeping full tool results available when expanded.

Changed

• Migrated Pi runtime dependencies and imports from deprecated @mariozechner/* packages to @earendil-works/* packages.

Fixed

• Re-register dynamic OAuth clients during fresh auth when cached DCR client info exists without tokens, avoiding dead authorization URLs after server-side client invalidation.
• Kept OAuth tokens, dynamic client info, PKCE verifiers, and OAuth state bound to the server URL so stale credentials cannot be reused after a server URL changes.
• Kept the /mcp-auth OAuth picker search focused on OAuth server rows and prevented hidden panel shortcuts from unexpectedly launching auth.
• Kept long MCP error results expanded in compact tool result rendering.

v2.5.4

Changed

• Ignored npm lockfiles and removed checked-in package-lock.json files.

Fixed

• Resolved ${VAR} and $env:VAR placeholders in HTTP bearer tokens.
• Honored MCP sampling modelPreferences.hints before falling back to the current/default model.

v2.5.3

Added

• Added environment variable and ~ expansion for stdio server cwd values.

v2.5.2

Fixed

• Respected PI_CODING_AGENT_DIR for Pi-owned MCP config and state files, including metadata cache, npx cache, onboarding state, OAuth credentials, and pi-mcp-adapter init writes.

v2.5.1

Fixed

• Changed OAuth browser callbacks to http://localhost:<port>/callback for pre-registered clients such as Slack MCP. Thanks @shenal for PR #53.

v2.5.0

Added

• Added MCP sampling/createMessage support with conservative human approval by default and opt-in settings.samplingAutoApprove for non-interactive flows.
• Added configured Vitest coverage for OAuth provider authorization fallback behavior.
• Added test:oauth-provider for running the root OAuth provider node test with the required TypeScript loader.

Fixed

• Applied settings.authRequiredMessage to proxy and direct-tool auth-required paths, including non-UI autoAuth failures.
• Fixed /mcp-auth <server> reporting success for expired stored OAuth tokens without forcing the SDK refresh/re-auth flow.
• Kept mcp search focused on MCP tools and added a direct-call hint when native Pi tools are accidentally routed through the proxy.

v2.4.2

Fixed

• Migrated extension tool schemas from @sinclair/typebox to typebox 1.x so packaged installs follow Pi's current extension runtime contract.

Changed

• Replaced the legacy @sinclair/typebox runtime dependency with typebox.