Agents have no awareness of MCPs that need auth

[msvechla]

Problem

When a remote MCP fails to connect with UnauthorizedError, opencode sets its status to needs_auth and surfaces a toast pointing at the /mcps picker (or the opencode mcp auth shell subcommand). However, the running agent has zero awareness that this MCP exists:

• MCP.tools() filters to status === "connected" clients only, so no tool from a needs_auth MCP reaches the agent's tool list.
• The system prompt does not enumerate configured MCPs.
• The agent therefore cannot reason about the MCP, cannot suggest authentication, and cannot trigger the OAuth flow on the user's behalf.

A user asking "use the mops-integration MCP and list rentals for X" gets a generic "I don't have that tool" response, with no path forward inside the conversation.

Expected behaviour

The agent should know which MCPs are configured-but-unauthenticated and have a way to trigger the OAuth flow when the user asks.

Reproduction

1. Configure a remote MCP with OAuth (e.g. any Keycloak-backed MCP).
2. Clear its tokens (delete tokens from ~/.local/share/opencode/mcp-auth.json for that MCP) and restart opencode.
3. Ask the agent: "use to ".
4. The agent reports it doesn't have any tools matching <name>.

Environment

• opencode 1.14.48 (also reproduces against current dev HEAD).
• Any remote MCP with OAuth that returns UnauthorizedError on connect.

Related

• Remote MCP OAuth: browser never opens for re-authentication after session loss #16893 — Remote MCP OAuth: browser never opens for re-authentication (the in-TUI sibling, addressed in fix(mcp): authenticate on toggle in TUI MCP picker #27704).
• MCP OAuth: opencode mcp auth doesn't refresh token in active sessions #21702 — MCP OAuth: opencode mcp auth doesn't refresh token in active sessions.