Background
Combined tracker for five small, mechanical cleanup items deferred from the #1306 review (the v1.5 InspectorClient runtime port). All are direct v1.5 carry-overs that work correctly today but have small consistency or strictness issues worth fixing. Each is independent and the whole set is roughly a single afternoon's work.
Best done after #1307 (the integration-test follow-up) so the OAuth subsystem in particular has real test coverage before any of it gets refactored.

Items

1. Consolidate the three OAuthStorage implementations
core/auth/browser/storage.ts, core/auth/node/storage-node.ts, and core/auth/remote/storage-remote.ts are each ~130 lines and differ only in their constructors. All three delegate to the same createOAuthStore factory. They can collapse into a single class parameterized on storage adapter with zero behavior change.
- OAuthStorage taking an adapter)
- core/mcp/types.ts InspectorClientEnvironment.oauth.storage consumers

2. Re-enable erasableSyntaxOnly in tsconfig.app.json
#1306 disabled erasableSyntaxOnly: true because the ported v1.5 code uses TS parameter properties (constructor(private foo: T)) in seven places. Convert them and flip the flag back on.
Sites (from #1306 review):
- core/auth/providers.ts:55
- core/auth/providers.ts:110
- core/auth/state-machine.ts:260
- core/mcp/oauthManager.ts:48
- core/mcp/inspectorClient.ts:179
- core/mcp/messageTrackingTransport.ts:27
- core/mcp/remote/remoteClientTransport.ts:115
- erasableSyntaxOnly: false override + TODO comment in clients/web/tsconfig.app.json

3. Switch console.error → this.logger.error in inspectorClient.ts
The rest of the file uses this.logger; two sites use console.error directly.
- core/mcp/inspectorClient.ts:1965 (roots/list_changed notification failure)
- console.* sites and convert them too

4. Standardize local ID generation on crypto.randomUUID()
Five sites build entry IDs from ${Date.now()}-${Math.random()}. These are local-only identifiers (never sent to the server), so there's no security concern, but crypto.randomUUID() is already used by other paths (fetchTracking, task) and would be more consistent.
- core/mcp/samplingCreateMessage.ts:38
- core/mcp/elicitationCreateMessage.ts:39
- core/mcp/inspectorClient.ts:312
- core/mcp/inspectorClient.ts:323
- core/mcp/inspectorClient.ts:332

5. Pin the hono Context generic at new Hono<Env>() and drop the streamSSE cast
core/mcp/remote/node/server.ts:458 has streamSSE(c as unknown as Parameters<typeof streamSSE>[0], …) to work around a hono generic mismatch. The clean fix is to pin the Context generic when the Hono app is created so the cast becomes unnecessary.
- Env type for the remote server's hono app
- new Hono<Env>()
- streamSSE call site

Acceptance criteria
- npm run validate + npm run test:storybook both pass
- vite.config.ts / tsconfig.app.json / inspector source removed

Out of scope
- BaseOAuthClientProvider typed-dispatcher refactor (feat(core): port v1.5 InspectorClient + transports + auth subsystem (#1302) #1306 item 6). Architectural — wait until OAuth has real test coverage from Run v1.5-ported integration tests under a node-env vitest project (#1302 follow-up) #1307.
- core/mcp/version.ts to replace the hardcoded corePackageJson constant (#1306 item 10). Tracked separately when v2 replaces main.
- vite.config.ts alias list (#1306 item 8). Better handled as part of #1307's vitest-project restructure.
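
For items 1 and 2, a sketch of the shape a consolidated storage class could take, written with an explicit field instead of a parameter property. This is an added example, not the project's code: StorageAdapter, UnifiedOAuthStorage, memoryAdapter and the token/state types are hypothetical, the adapter is synchronous for brevity, and the real createOAuthStore factory is not shown.

```typescript
// Hypothetical names throughout; not the project's real OAuthStorage or createOAuthStore.
interface StorageAdapter {
  read(): string | null; // raw JSON blob, or null when nothing is stored
  write(blob: string): void;
}
interface OAuthTokens { access_token: string; refresh_token?: string }
type ServerState = { tokens?: OAuthTokens; codeVerifier?: string };
type StateByServer = Record<string, ServerState>;

class UnifiedOAuthStorage {
  // Explicit field + assignment instead of `constructor(private adapter: ...)`,
  // so the class compiles with erasableSyntaxOnly: true.
  private readonly adapter: StorageAdapter;
  constructor(adapter: StorageAdapter) {
    this.adapter = adapter;
  }
  private load(): StateByServer {
    const raw = this.adapter.read();
    // Null-prototype map: a server URL such as "__proto__" stays a plain key.
    return Object.assign(Object.create(null), raw ? JSON.parse(raw) : {});
  }
  saveTokens(serverUrl: string, tokens: OAuthTokens): void {
    const all = this.load();
    all[serverUrl] = { ...all[serverUrl], tokens }; // keep other per-server state
    this.adapter.write(JSON.stringify(all));
  }
  getTokens(serverUrl: string): OAuthTokens | undefined {
    return this.load()[serverUrl]?.tokens;
  }
  clear(serverUrl: string): void {
    const all = this.load();
    delete all[serverUrl];
    this.adapter.write(JSON.stringify(all));
  }
}

// Constructed in-memory adapter standing in for sessionStorage, a file, or a remote API.
function memoryAdapter(): StorageAdapter {
  let blob: string | null = null;
  return { read: () => blob, write: (b: string) => { blob = b; } };
}

// The environment picks the adapter; the storage class is the same everywhere.
function demo(): { a: string | undefined; b: string | undefined; afterClear: boolean } {
  const store = new UnifiedOAuthStorage(memoryAdapter());
  store.saveTokens("https://a.example/mcp", { access_token: "tok-a" });
  store.saveTokens("https://b.example/mcp", { access_token: "tok-b" });
  const a = store.getTokens("https://a.example/mcp")?.access_token;
  store.clear("https://a.example/mcp");
  const b = store.getTokens("https://b.example/mcp")?.access_token;
  return { a, b, afterClear: store.getTokens("https://a.example/mcp") === undefined };
}
```

Clearing one server's entry leaves the other server's tokens in place, which is the behaviour worth pinning in a test before the three existing classes are merged.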