refactor(mcp): cleanup pass — emcn buttons, derived state, OAuth header bug

- Prevent stored Authorization header from overwriting OAuth Bearer in McpClient
- Per-user connection cache keying in connection-manager (token-leak prevention)
- Tighten types in use-mcp-tools and tools/execute (drop `any`)
- Replace raw <button> with emcn Button in mcp settings + form modal
- Modal Cancel: variant='ghost' → 'default' to match design system
- Derive editInitialData and showDeleteDialog from existing state
- Replace refreshingServers Record + chained timer with mutation state
- Trigger MCP OAuth start on create when authType==='oauth' from tool-input
- Invalidate servers/storedTools alongside tools on force-refresh

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/mcp/tools/execute/route.ts

@@ -111,7 +111,8 @@ export const POST = withRouteHandler(
 
         if (tool.inputSchema?.properties) {
           for (const [paramName, paramSchema] of Object.entries(tool.inputSchema.properties)) {
-            const schema = paramSchema as any
+            const schema = hasType(paramSchema) ? paramSchema : null
+            if (!schema) continue
             const value = args[paramName]
 
             if (value === undefined || value === null) {

apps/sim/app/workspace/[workspaceId]/settings/components/mcp/components/mcp-server-form-modal/mcp-server-form-modal.tsx

@@ -700,18 +700,19 @@ export function McpServerFormModal({
                 </div>
               </div>
 
-              <button
+              <Button
                 type='button'
+                variant='ghost'
                 onClick={() => setShowAdvanced((v) => !v)}
-                className='mt-1 flex items-center gap-1 self-start text-[var(--text-secondary)] text-small hover-hover:text-[var(--text-primary)]'
+                className='mt-1 gap-1 self-start px-0 py-0 text-small'
               >
                 {showAdvanced ? (
                   <ChevronDown className='h-[14px] w-[14px]' />
                 ) : (
                   <ChevronRight className='h-[14px] w-[14px]' />
                 )}
                 Advanced settings
-              </button>
+              </Button>
               {showAdvanced && (
                 <div className='flex flex-col gap-2'>
                   <FormField label='OAuth Client ID (optional)'>
@@ -779,7 +780,7 @@ export function McpServerFormModal({
               )}
             </div>
             <div className='flex items-center gap-2'>
-              <Button variant='ghost' onClick={() => onOpenChange(false)}>
+              <Button variant='default' onClick={() => onOpenChange(false)}>
                 Cancel
               </Button>
               {formMode === 'json' ? (

apps/sim/app/workspace/[workspaceId]/settings/components/mcp/mcp.tsx

@@ -129,6 +129,25 @@ function ServerListItem({
   )
 }
 
+function buildEditInitialData(server: McpServer) {
+  const entries: { key: string; value: string }[] = server.headers
+    ? Object.entries(server.headers).map(([key, value]) => ({ key, value }))
+    : []
+  if (entries.length === 0) entries.push({ key: '', value: '' })
+  const last = entries[entries.length - 1]
+  if (last.key !== '' || last.value !== '') entries.push({ key: '', value: '' })
+
+  return {
+    name: server.name || '',
+    transport: (server.transport as McpTransport) || 'streamable-http',
+    url: server.url || '',
+    timeout: 30000,
+    headers: entries,
+    oauthClientId: server.oauthClientId || undefined,
+    hasOauthClientSecret: server.hasOauthClientSecret === true,
+  }
+}
+
 interface MCPProps {
   initialServerId?: string | null
 }
@@ -165,19 +184,7 @@ export function MCP({ initialServerId }: MCPProps) {
   const { data: allowedMcpDomains = null } = useAllowedMcpDomains()
 
   const [showAddModal, setShowAddModal] = useState(false)
-  const [showEditModal, setShowEditModal] = useState(false)
-  const [editInitialData, setEditInitialData] = useState<
-    | {
-        name: string
-        transport: McpTransport
-        url?: string
-        timeout?: number
-        headers?: { key: string; value: string }[]
-        oauthClientId?: string
-        hasOauthClientSecret?: boolean
-      }
-    | undefined
-  >(undefined)
+  const [editingServerId, setEditingServerId] = useState<string | null>(null)
 
   const [searchTerm, setSearchTerm] = useState('')
   const [deletingServers, setDeletingServers] = useState<Set<string>>(() => new Set())
@@ -192,8 +199,8 @@ export function MCP({ initialServerId }: MCPProps) {
     }
   }, [])
 
-  const [showDeleteDialog, setShowDeleteDialog] = useState(false)
   const [serverToDeleteId, setServerToDeleteId] = useState<string | null>(null)
+  const showDeleteDialog = serverToDeleteId !== null
 
   const [selectedServerId, setSelectedServerId] = useState<string | null>(initialServerId ?? null)
 
@@ -238,9 +245,6 @@ export function MCP({ initialServerId }: MCPProps) {
     return () => window.removeEventListener('message', onMessage)
   }, [queryClient, workspaceId])
 
-  const [refreshingServers, setRefreshingServers] = useState<
-    Record<string, { status: 'refreshing' | 'refreshed'; workflowsUpdated?: number }>
-  >({})
   const [expandedTools, setExpandedTools] = useState<Set<string>>(() => new Set())
 
   const startOauthForServer = async (serverId: string) => {
@@ -277,13 +281,11 @@ export function MCP({ initialServerId }: MCPProps) {
 
   const handleRemoveServer = (serverId: string) => {
     setServerToDeleteId(serverId)
-    setShowDeleteDialog(true)
   }
 
   const confirmDeleteServer = async () => {
     if (!serverToDeleteId) return
 
-    setShowDeleteDialog(false)
     const serverId = serverToDeleteId
     setServerToDeleteId(null)
 
@@ -344,7 +346,6 @@ export function MCP({ initialServerId }: MCPProps) {
 
   const handleRefreshServer = async (serverId: string) => {
     try {
-      setRefreshingServers((prev) => ({ ...prev, [serverId]: { status: 'refreshing' } }))
       const result = await refreshServerMutation.mutateAsync({ workspaceId, serverId })
       logger.info(
         `Refreshed MCP server: ${serverId}, workflows updated: ${result.workflowsUpdated}`
@@ -369,50 +370,30 @@ export function MCP({ initialServerId }: MCPProps) {
           logger.warn('Failed to reload workflow subblock values:', reloadError)
         }
       }
-
-      setRefreshingServers((prev) => ({
-        ...prev,
-        [serverId]: { status: 'refreshed', workflowsUpdated: result.workflowsUpdated },
-      }))
-      setTimeout(() => {
-        setRefreshingServers((prev) => {
-          const newState = { ...prev }
-          delete newState[serverId]
-          return newState
-        })
-      }, 3000)
     } catch (error) {
       logger.error('Failed to refresh MCP server:', error)
-      setRefreshingServers((prev) => {
-        const newState = { ...prev }
-        delete newState[serverId]
-        return newState
-      })
     }
   }
 
-  const handleOpenEditModal = (server: McpServer) => {
-    const headers: { key: string; value: string }[] = server.headers
-      ? Object.entries(server.headers).map(([key, value]) => ({ key, value }))
-      : [{ key: '', value: '' }]
-    if (headers.length === 0) headers.push({ key: '', value: '' })
-
-    const lastHeader = headers[headers.length - 1]
-    if (lastHeader.key !== '' || lastHeader.value !== '') {
-      headers.push({ key: '', value: '' })
-    }
-
-    setEditInitialData({
-      name: server.name || '',
-      transport: (server.transport as McpTransport) || 'streamable-http',
-      url: server.url || '',
-      timeout: 30000,
-      headers,
-      oauthClientId: server.oauthClientId || undefined,
-      hasOauthClientSecret: server.hasOauthClientSecret === true,
-    })
-    setShowEditModal(true)
-  }
+  useEffect(() => {
+    if (!refreshServerMutation.isSuccess) return
+    const timeout = window.setTimeout(() => refreshServerMutation.reset(), 3000)
+    return () => window.clearTimeout(timeout)
+    // eslint-disable-next-line react-hooks/exhaustive-deps -- mutation object is unstable; isSuccess flag is the trigger
+  }, [refreshServerMutation.isSuccess])
+
+  const refreshingServerId = refreshServerMutation.isPending
+    ? refreshServerMutation.variables?.serverId
+    : null
+  const refreshedServerId = refreshServerMutation.isSuccess
+    ? refreshServerMutation.variables?.serverId
+    : null
+  const refreshedWorkflowsUpdated = refreshServerMutation.data?.workflowsUpdated
+
+  const editingServer = editingServerId
+    ? (servers.find((s) => s.id === editingServerId) as McpServer | undefined)
+    : undefined
+  const editInitialData = editingServer ? buildEditInitialData(editingServer) : undefined
 
   const selectedServer = (() => {
     if (!selectedServerId) return null
@@ -547,11 +528,12 @@ export function MCP({ initialServerId }: MCPProps) {
                         key={tool.name}
                         className='overflow-hidden rounded-md border bg-[var(--surface-3)]'
                       >
-                        <button
+                        <Button
                           type='button'
+                          variant='ghost'
                           onClick={() => hasParams && toggleToolExpanded(tool.name)}
                           className={cn(
-                            'flex w-full items-start justify-between px-2.5 py-2 text-left',
+                            'flex h-auto w-full items-start justify-between rounded-none px-2.5 py-2 text-left text-sm',
                             hasParams && 'cursor-pointer hover-hover:bg-[var(--surface-4)]'
                           )}
                           disabled={!hasParams}
@@ -593,7 +575,7 @@ export function MCP({ initialServerId }: MCPProps) {
                               )}
                             />
                           )}
-                        </button>
+                        </Button>
 
                         {isExpanded && hasParams && (
                           <div className='border-[var(--border-1)] border-t bg-[var(--surface-2)] px-2.5 py-2'>
@@ -660,25 +642,27 @@ export function MCP({ initialServerId }: MCPProps) {
             <Button
               onClick={() => handleRefreshServer(server.id)}
               variant='default'
-              disabled={!!refreshingServers[server.id]}
+              disabled={refreshingServerId === server.id || refreshedServerId === server.id}
             >
-              {refreshingServers[server.id]?.status === 'refreshing'
+              {refreshingServerId === server.id
                 ? 'Refreshing...'
-                : refreshingServers[server.id]?.status === 'refreshed'
-                  ? refreshingServers[server.id].workflowsUpdated
-                    ? `Synced (${refreshingServers[server.id].workflowsUpdated} workflow${refreshingServers[server.id].workflowsUpdated === 1 ? '' : 's'})`
+                : refreshedServerId === server.id
+                  ? refreshedWorkflowsUpdated
+                    ? `Synced (${refreshedWorkflowsUpdated} workflow${refreshedWorkflowsUpdated === 1 ? '' : 's'})`
                     : 'Refreshed'
                   : 'Refresh Tools'}
             </Button>
-            <Button onClick={() => handleOpenEditModal(server)} variant='default'>
+            <Button onClick={() => setEditingServerId(server.id)} variant='default'>
               Edit
             </Button>
           </div>
         </div>
 
         <McpServerFormModal
-          open={showEditModal}
-          onOpenChange={setShowEditModal}
+          open={editingServerId !== null}
+          onOpenChange={(open) => {
+            if (!open) setEditingServerId(null)
+          }}
           mode='edit'
           initialData={editInitialData}
           onSubmit={async (config) => {
@@ -753,7 +737,7 @@ export function MCP({ initialServerId }: MCPProps) {
                     tools={tools}
                     isDeleting={deletingServers.has(server.id)}
                     isLoadingTools={isLoadingTools}
-                    isRefreshing={refreshingServers[server.id]?.status === 'refreshing'}
+                    isRefreshing={refreshingServerId === server.id}
                     onRemove={() => handleRemoveServer(server.id)}
                     onViewDetails={() => handleViewDetails(server.id)}
                   />
@@ -787,7 +771,12 @@ export function MCP({ initialServerId }: MCPProps) {
         allowedMcpDomains={allowedMcpDomains}
       />
 
-      <Modal open={showDeleteDialog} onOpenChange={setShowDeleteDialog}>
+      <Modal
+        open={showDeleteDialog}
+        onOpenChange={(open) => {
+          if (!open) setServerToDeleteId(null)
+        }}
+      >
         <ModalContent size='sm'>
           <ModalHeader>Delete MCP Server</ModalHeader>
           <ModalBody>
@@ -800,7 +789,7 @@ export function MCP({ initialServerId }: MCPProps) {
             </p>
           </ModalBody>
           <ModalFooter>
-            <Button variant='default' onClick={() => setShowDeleteDialog(false)}>
+            <Button variant='default' onClick={() => setServerToDeleteId(null)}>
               Cancel
             </Button>
             <Button variant='destructive' onClick={confirmDeleteServer}>

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/tool-input.tsx

@@ -64,6 +64,7 @@ import {
   useForceRefreshMcpTools,
   useMcpServers,
   useMcpToolsEvents,
+  useStartMcpOauth,
   useStoredMcpTools,
 } from '@/hooks/queries/mcp'
 import { useWorkflowState, useWorkflows } from '@/hooks/queries/workflows'
@@ -536,6 +537,7 @@ export const ToolInput = memo(function ToolInput({
   useMcpToolsEvents(workspaceId)
   const { navigateToSettings } = useSettingsNavigation()
   const createMcpServer = useCreateMcpServer()
+  const startMcpOauth = useStartMcpOauth()
   const { data: allowedMcpDomains = null } = useAllowedMcpDomains()
   const availableEnvVars = useAvailableEnvVarKeys(workspaceId)
   const mcpDataLoading = mcpLoading || mcpServersLoading
@@ -2135,7 +2137,13 @@ export const ToolInput = memo(function ToolInput({
         onOpenChange={setMcpModalOpen}
         mode='add'
         onSubmit={async (config) => {
-          await createMcpServer.mutateAsync({ workspaceId, config: { ...config, enabled: true } })
+          const result = await createMcpServer.mutateAsync({
+            workspaceId,
+            config: { ...config, enabled: true },
+          })
+          if (result.authType === 'oauth') {
+            await startMcpOauth.mutateAsync({ serverId: result.id, workspaceId })
+          }
         }}
         workspaceId={workspaceId}
         availableEnvVars={availableEnvVars}

apps/sim/hooks/mcp/use-mcp-tools.ts

@@ -5,12 +5,13 @@
  * using TanStack Query for optimal caching and performance
  */
 
-import type React from 'react'
+import type { ComponentType, SVGProps } from 'react'
 import { useCallback, useMemo } from 'react'
 import { createLogger } from '@sim/logger'
 import { useQueryClient } from '@tanstack/react-query'
 import { McpIcon } from '@/components/icons'
 import { createMcpToolId } from '@/lib/mcp/shared'
+import type { McpToolSchema } from '@/lib/mcp/types'
 import { mcpKeys, useMcpToolsQuery } from '@/hooks/queries/mcp'
 
 const logger = createLogger('useMcpTools')
@@ -22,9 +23,9 @@ export interface McpToolForUI {
   serverId: string
   serverName: string
   type: 'mcp'
-  inputSchema: any
+  inputSchema: McpToolSchema
   bgColor: string
-  icon: React.ComponentType<any>
+  icon: ComponentType<SVGProps<SVGSVGElement>>
 }
 
 export interface UseMcpToolsResult {

apps/sim/hooks/queries/mcp.ts

@@ -118,6 +118,8 @@ export function useForceRefreshMcpTools() {
     mutationFn: (workspaceId: string) => fetchMcpTools(workspaceId, true),
     onSettled: (_data, _error, workspaceId) => {
       queryClient.invalidateQueries({ queryKey: mcpKeys.toolsList(workspaceId) })
+      queryClient.invalidateQueries({ queryKey: mcpKeys.serversList(workspaceId) })
+      queryClient.invalidateQueries({ queryKey: mcpKeys.storedToolsList(workspaceId) })
     },
   })
 }

apps/sim/lib/mcp/client.ts

@@ -93,9 +93,7 @@ export class McpClient {
     const useOauth = this.config.authType === 'oauth' && this.authProvider != null
     this.transport = new StreamableHTTPClientTransport(new URL(this.config.url), {
       authProvider: useOauth ? this.authProvider : undefined,
-      requestInit: {
-        headers: this.config.headers,
-      },
+      requestInit: useOauth ? undefined : { headers: this.config.headers },
     })
 
     this.client = new Client(