Add SDK MCP OAuth host token handlers

[roji]

Summary

• Add SDK-facing MCP OAuth host-token callbacks across Node, Python, Go, .NET, Java, and Rust.
• Add generated RPC/event surfaces for session.mcp.oauth.handlePendingRequest, mcp.oauth_required, and mcp.oauth_completed.
• Register mcp.oauth_required interest only when the high-level MCP auth callback is configured.
• Add Node E2E coverage with a fake OAuth-protected HTTP MCP server fixture. Will add similar OAuth E2E coverage for the other languages when the runtime support lands.

Notes

• Draft while the corresponding runtime work lands: github/copilot-agent-runtime#10195.
• The new Node MCP OAuth E2E uses the normal SDK construction-time path and requires the updated runtime behavior/package.

Validation

• Node targeted MCP auth unit tests passed.
• Node typecheck passed.
• Prettier check passed.
• Node MCP OAuth E2E passes against the sibling runtime branch; with the current packaged runtime it does not connect the OAuth test server yet.
• Earlier validation in this session covered .NET build, Rust targeted tests, Python compile, and Node build/unit tests; Go/Java full validation were blocked locally by missing toolchains.

[github-actions]

Cross-SDK Consistency Review

Feature coverage: ✅ All six SDKs covered

The MCP OAuth host-token callback is implemented across Node.js, Python, Go, .NET, Java, and Rust in this PR. The feature is broadly consistent, with the API shaped appropriately for each language's idioms.

---

🐛 Bug found — Rust SessionConfig::fmt (inline comment above)

mcp_auth_handler is registered twice in the Debug impl for SessionConfig (rust/src/types.rs, lines 1466–1469 duplicate 1462–1465). The second block should be deleted.

---

Minor design variation worth noting (not blocking)

requestId exposure to the handler callback differs across SDKs:

SDK	requestId accessible to handler?
Node.js	✅ in McpAuthRequest.requestId
Python	✅ in McpAuthRequest["requestId"]
Go	✅ in MCPAuthRequest.RequestID
Java	✅ in McpAuthRequest.requestId()
Rust	✅ as separate request_id: RequestId parameter
.NET	❌ not exposed in McpAuthContext

requestId is internal routing data that users typically don't need. The .NET McpAuthContext design (hiding it) is arguably cleaner, but if there's ever a need for host-side correlation of concurrent OAuth requests, the .NET handler would be unable to distinguish them. This may be fine by design — just worth a deliberate call.

---

Everything else looks consistent ✅

• Handler registration pattern (opt-in interest registration for mcp.oauth_required) is identical across all 6 SDKs.
• McpAuthResult cancellation semantics are consistent (each language uses its idiomatic pattern: enum in Rust, nullable in .NET, discriminated union in Node/Python, struct in Go, record in Java).
• Both create_session / resume_session paths register interest in all SDKs.
• Error-path fallback to cancellation on handler exceptions is present in all SDKs.

Generated by SDK Consistency Review Agent for issue #1669 · sonnet46 2.1M · ◷

[github-actions]

Generated by SDK Consistency Review Agent for issue #1669 · sonnet46 2.1M

[github-actions]

Duplicate Debug field — Rust SessionConfig

The mcp_auth_handler field is emitted twice in the Debug implementation (lines 1462–1465 and 1466–1469 are identical). The second block should be removed; otherwise debug/trace output will contain duplicate keys and DebugStruct::finish() may behave unexpectedly with some formatters.

// Remove this duplicate block (lines 1466-1469):
.field(
    "mcp_auth_handler",
    &self.mcp_auth_handler.as_ref().map(|_| "<set>"),
)