Fix stdio OAuth startup and sandbox flag handling

Author: vladimir-tikhonov-nutrient

benchmarks/core-runtime.mjs

@@ -136,7 +136,7 @@ async function runBenchmark() {
 
 try {
   const totalMs = await runBenchmark()
-  console.log(`METRIC total_ms=${totalMs}`)
+  globalThis.console.log(`METRIC total_ms=${totalMs}`)
 } finally {
   await setSandboxDirectory(null)
   await fs.rm(fixtureRoot, { recursive: true, force: true })

src/auth/nutrient-oauth.ts

@@ -40,6 +40,7 @@ type CachedCredentials = z.infer<typeof CachedCredentialsSchema>
 
 const FETCH_TIMEOUT_MS = 15_000
 const CALLBACK_TIMEOUT_MS = 5 * 60 * 1000
+const pendingTokenRequests = new Map<string, Promise<string>>()
 
 export function getDefaultCredentialsPath(
   env: NodeJS.ProcessEnv = process.env,
@@ -367,7 +368,24 @@ export async function invalidateCachedToken(config: NutrientOAuthConfig): Promis
 export async function getToken(config: NutrientOAuthConfig): Promise<string> {
   const credentialsPath = config.credentialsPath ?? getDefaultCredentialsPath()
 
-  logger.debug('getToken called', { credentialsPath })
+  const pendingRequest = pendingTokenRequests.get(credentialsPath)
+  if (pendingRequest) {
+    logger.debug('Awaiting in-flight token acquisition', { credentialsPath })
+    return pendingRequest
+  }
+
+  const tokenRequest = getTokenUncached(config, credentialsPath).finally(() => {
+    if (pendingTokenRequests.get(credentialsPath) === tokenRequest) {
+      pendingTokenRequests.delete(credentialsPath)
+    }
+  })
+
+  pendingTokenRequests.set(credentialsPath, tokenRequest)
+  return tokenRequest
+}
+
+async function getTokenUncached(config: NutrientOAuthConfig, credentialsPath: string): Promise<string> {
+  logger.debug('Starting token acquisition', { credentialsPath })
 
   // 1. Check cached token
   const cached = await readCachedCredentials(credentialsPath)

src/index.ts

@@ -240,14 +240,6 @@ export async function runServer(environment: Environment): Promise<RunServerResu
 
   const apiClient = createStdioApiClient(environment)
 
-  // Authenticate eagerly before accepting tool calls — in stdio mode there's
-  // no transport-level mechanism to pause while waiting for browser auth
-  if (!environment.nutrientApiKey) {
-    logger.info('No API key set, authenticating via OAuth before accepting connections...')
-    await getToken(buildOAuthConfig(environment))
-    logger.info('OAuth authentication completed')
-  }
-
   const server = createMcpServer({
     sandboxEnabled,
     apiClient,

src/utils/sandbox.ts

@@ -7,40 +7,31 @@
  * @returns The sandbox directory path or undefined if none specified
  */
 export function parseSandboxPath(args: string[], envVar?: string): string | undefined {
-  const argsLength = args.length
-  if (argsLength === 2) {
-    const firstArg = args[0]
-    if (firstArg === '--sandbox') {
-      return args[1]
-    }
-    if (firstArg === '-s') {
-      return args[1]
-    }
-  } else if (argsLength === 0) {
+  if (args.length === 0) {
     return envVar || undefined
   }
 
-  const firstArg = args[0]
-  if (firstArg === '--sandbox' || firstArg === '-s') {
-    if (argsLength > 1) {
-      return args[1]
-    }
-
-    throw new Error('--sandbox flag requires a directory path')
-  }
+  let sandboxPath: string | undefined
 
-  // Check command line arguments first (higher precedence)
-  for (let i = 1; i < argsLength; i++) {
+  for (let i = 0; i < args.length; i++) {
     const arg = args[i]
+
     if (arg === '--sandbox' || arg === '-s') {
-      if (i + 1 < argsLength) {
-        return args[i + 1]
+      if (i + 1 < args.length) {
+        sandboxPath = args[i + 1]
+        i += 1
+        continue
       }
 
       throw new Error('--sandbox flag requires a directory path')
     }
+
+    if (arg.startsWith('-')) {
+      throw new Error(`Unknown CLI flag: ${arg}`)
+    }
+
+    throw new Error(`Unexpected argument: ${arg}`)
   }
 
-  // Fall back to environment variable
-  return envVar || undefined
+  return sandboxPath || envVar || undefined
 }

tests/nutrient-oauth.test.ts

@@ -325,10 +325,29 @@ describe('getToken integration', () => {
       expect(token).toBe('concurrent-new-token')
     }
 
-    // NOTE: Without dedup, each call makes its own refresh request.
-    // This test documents the current behavior. If dedup is added,
-    // change the assertion to: expect(refreshCallCount).toBe(1)
-    expect(refreshCallCount).toBeGreaterThanOrEqual(1)
+    expect(refreshCallCount).toBe(1)
+  })
+
+  it('concurrent calls start the browser flow only once when no credentials exist', async () => {
+    const { getToken } = await import('../src/auth/nutrient-oauth.js')
+    const config = makeConfig({
+      tokenUrl: 'http://localhost:1/token',
+      credentialsPath: join(testDir, 'nonexistent.json'),
+      clientId: 'fresh-client',
+    })
+
+    const openMock = (await import('open')).default as ReturnType<typeof vi.fn>
+    openMock.mockClear()
+
+    const first = getToken(config)
+    const second = getToken(config)
+
+    await vi.waitFor(() => {
+      expect(openMock).toHaveBeenCalledOnce()
+    }, { timeout: 5_000 })
+
+    first.catch(() => {})
+    second.catch(() => {})
   })
 
   it('goes straight to browser flow when no refresh token is cached', async () => {

tests/unit.test.ts

@@ -766,10 +766,19 @@ describe('API Functions', () => {
       expect(() => parseSandboxPath(args, undefined)).toThrow('--sandbox flag requires a directory path')
     })
 
-    it('should handle multiple arguments and find sandbox flag', () => {
-      const args = ['--help', '--sandbox', '/path/to/sandbox', '--verbose']
-      const result = parseSandboxPath(args, undefined)
-      expect(result).toBe('/path/to/sandbox')
+    it('should throw on unknown flags', () => {
+      const args = ['--sandbox-dir', '/path/to/sandbox']
+      expect(() => parseSandboxPath(args, undefined)).toThrow('Unknown CLI flag: --sandbox-dir')
+    })
+
+    it('should throw on unexpected positional arguments', () => {
+      const args = ['/path/to/sandbox']
+      expect(() => parseSandboxPath(args, undefined)).toThrow('Unexpected argument: /path/to/sandbox')
+    })
+
+    it('should throw when known and unknown flags are mixed', () => {
+      const args = ['--sandbox', '/path/to/sandbox', '--verbose']
+      expect(() => parseSandboxPath(args, undefined)).toThrow('Unknown CLI flag: --verbose')
     })
 
     it('should return undefined when empty env var provided', () => {