chore(auth): remove deprecated OAuth MCP provider plugin and backing tables#4847

Merged: waleedlatif1 merged 1 commit into staging from waleedlatif1/remove-oidc-provider-plugin on Jun 2, 2026

Conversation

@waleedlatif1 (Collaborator) commented Jun 2, 2026

Summary

  • Remove the deprecated better-auth `oidc-provider` plugin (was emitting a deprecation warning) — it only ever powered OAuth for Copilot MCP, which is already deprecated (410)
  • Remove the `jwt` plugin + `jwks` table too: both were added in the same PR as the OAuth provider (`useJWTPlugin: true`) and have no other consumer (realtime sockets use `oneTimeToken`, and nothing reads the JWKS endpoint)
  • Delete the now-dead OAuth-authorization-server surfaces: CIMD client resolution, the `/oauth/consent` UI, the `authorize-params` route, `.well-known` discovery routes, and the unused `oauth-token` validator
  • Drop `https://claude.ai` / `https://claude.com` from better-auth `trustedOrigins` (added for the Claude→Sim MCP connect flow)
  • Remove the dead `/api/auth/jwks` + `/.well-known/` CORS rule from the proxy
  • Drop the 4 backing tables via migration `0223_lowly_shocker`: `oauth_application`, `oauth_access_token`, `oauth_consent`, `jwks`
  • Lower the api-validation route baseline 762 → 761

Kept intact: all integration OAuth (`genericOAuth`), `oneTimeToken`, `admin`, `organization`, `sso`, `stripe`, the MCP client OAuth (`lib/mcp/oauth`), and the separate Copilot-MCP 410 tombstones.

Type of Change

  • Chore / maintenance (dead-code + deprecated-plugin removal)

Testing

Tested manually — `bunx biome check` clean across all changed files; `bun run check:api-validation` and `:strict` both pass (761 routes); migration regenerated cleanly against the staging schema snapshot (single file, 4 `DROP TABLE`).

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

vercel Bot commented Jun 2, 2026

The latest updates on your projects.

Project: docs | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 2, 2026 5:32pm

cursor Bot commented Jun 2, 2026

PR Summary

Medium Risk
Touches core auth configuration and irreversibly drops OAuth-provider tables via CASCADE; scope is limited to an already-deprecated Copilot MCP path, with integration OAuth unchanged.

Overview
Removes the deprecated Sim-as-OAuth-authorization-server stack that only supported Copilot MCP (already deprecated). better-auth no longer loads the oidcProvider or jwt plugins; CIMD resolution on authorize/token is gone, along with Claude origins in trustedOrigins.

Deleted surfaces: /oauth/consent UI, GET /api/auth/oauth2/authorize-params, .well-known OAuth discovery routes, lib/auth/cimd.ts, lib/mcp/oauth-discovery.ts, and validateOAuthAccessToken. The oauthAuthorizeParams API contract is removed from oauth-connections.ts.

Proxy/tests: CORS no longer special-cases /api/auth/jwks or /.well-known/ (tests updated).

DB: Migration 0223_lowly_shocker drops jwks, oauth_application, oauth_access_token, and oauth_consent with CASCADE.

Unchanged: Integration OAuth via genericOAuth, workflow credential OAuth, MCP client OAuth under lib/mcp/oauth, and other auth plugins.

Reviewed by Cursor Bugbot for commit 9b834bf.

greptile-apps Bot (Contributor) commented Jun 2, 2026

Greptile Summary

This PR removes the deprecated oidcProvider and jwt better-auth plugins along with all associated infrastructure: the OAuth consent UI, authorization-server discovery routes, CIMD client resolution, JWKS endpoint, and the 4 backing database tables (oauth_application, oauth_access_token, oauth_consent, jwks). The change is scoped to the now-dead Copilot MCP OAuth flow; integration OAuth, oneTimeToken, SSO, and the MCP client OAuth library are all left intact.

  • Deletes 9 source files and removes ~350 lines of auth plugin configuration, API routes, and contract types; drops 4 tables via migration 0223_lowly_shocker using DROP TABLE … CASCADE.
  • Removes https://claude.ai / https://claude.com from trustedOrigins and the JWKS/.well-known CORS rule from the proxy, and lowers the API-validation route baseline from 762 → 761.

Confidence Score: 4/5

Safe to merge — this is a well-scoped dead-code removal with one minor leftover in the proxy that has no functional impact.

The removal is thorough and consistent across all layers: auth plugins, routes, contracts, schema, migration, and mocks. The only missed cleanup is the isMcpOauthDiscoveryEndpoint exemption in proxy.ts that still references the now-deleted /.well-known/ paths; since those routes 404 regardless, it has no effect in practice. The migration correctly drops all four tables with CASCADE and the dependency ordering is valid.

apps/sim/proxy.ts — the isMcpOauthDiscoveryEndpoint variable was not removed alongside the CORS rule cleanup.

Important Files Changed

  • apps/sim/proxy.ts: CORS rule for JWKS/well-known correctly removed, but the isMcpOauthDiscoveryEndpoint security-filter exemption that references the now-deleted /.well-known/ paths was not cleaned up — dead code remains.
  • apps/sim/lib/auth/auth.ts: Removes jwt/oidcProvider plugins, CIMD hook, and claude.ai/claude.com trusted origins — clean deletion with no loose references left.
  • packages/db/migrations/0223_lowly_shocker.sql: Drops all 4 backing tables with CASCADE in the correct dependency order; straightforward and safe.
  • packages/db/schema.ts: Removes oauthApplication, oauthAccessToken, oauthConsent, and jwks table definitions — consistent with migration and no remaining references.
  • apps/sim/lib/auth/cimd.ts: Deleted entirely; all consumers in auth.ts were also removed in this PR.
  • apps/sim/lib/mcp/oauth-discovery.ts: Deleted entirely; only consumers were the removed /.well-known/ route handlers.
  • apps/sim/proxy.test.ts: Removes JWKS/well-known CORS policy tests consistently with the proxy change; no remaining stale test cases.
  • apps/sim/lib/api/contracts/oauth-connections.ts: Removes oauthAuthorizeParamsContract, its schemas, and the OAuthAuthorizeParamsResponse export type — cleanly scoped to the deleted route.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph REMOVED["Removed (this PR)"]
        A["/.well-known/oauth-authorization-server"] --> D["oauth-discovery.ts"]
        B["/.well-known/oauth-protected-resource"] --> D
        C["/oauth/consent page"] --> E["oidcProvider plugin"]
        F["/api/auth/oauth2/authorize-params"] --> G["cimd.ts"]
        E --> H["jwt plugin"]
        H --> I[("jwks table")]
        E --> J[("oauth_application table")]
        E --> K[("oauth_access_token table")]
        E --> L[("oauth_consent table")]
        G --> J
    end

    subgraph KEPT["Kept intact"]
        M["genericOAuth integrations"]
        N["oneTimeToken plugin"]
        O["SSO / organization / admin"]
        P["/api/mcp/copilot/.well-known/..."]
        Q["lib/mcp/oauth (client)"]
        R["/api/mcp/copilot 410 tombstone"]
    end

    style REMOVED fill:#fee2e2,stroke:#ef4444
    style KEPT fill:#dcfce7,stroke:#22c55e

Comments Outside Diff (1)

  1. apps/sim/proxy.ts, lines 197-204

    P2 The isMcpOauthDiscoveryEndpoint variable still exempts /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource from suspicious-UA blocking, but those routes were deleted by this PR. Requests to these paths now return 404 from Next.js regardless, so the exemption is harmless but is dead code that should be removed alongside the CORS rule cleanup.


Reviews (1): Last reviewed commit: "chore(auth): remove deprecated OAuth MCP..."

@waleedlatif1 waleedlatif1 merged commit 3f3efc9 into staging Jun 2, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/remove-oidc-provider-plugin branch June 2, 2026 17:46