MCP client refactor - storage adapter

[mattzcarey]

part one in a long saga. This moves all the mcp storage functions to the client manager, with an interface to try and make it less platform specific.

also cleans up the _connectMcpServersInternal and mcp.connect into..

• mcp.registerServer()
• mcp.connectToServer()

tested with: https://search-mcp.parallel.ai/mcp on https://workers-ai-playground.mattzcarey.workers.dev/

Other fun stuff here:

• reasoning card for playground
• updating to qwen 3 as default

[changeset-bot]

🦋 Changeset detected

Latest commit: 0966d6c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
agents	Minor
hono-agents	Major

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[claude]

Claude Code Review

Architecture Issues

Critical: Race condition in OAuth flow (index.ts:482-487)
The OAuth callback handling fires onServerStateChanged which triggers a broadcast, then establishConnection is called in the background which fires another onServerStateChanged. However, establishConnection can fail after the broadcast, leaving the UI showing stale state. The background connection should complete before broadcasting, or the error state should trigger another broadcast.

Storage timing issue (client.ts:600-602)
clearAuthUrl is called immediately after completeAuthorization, but if establishConnection fails later, the auth_url is already cleared. This breaks reconnection attempts since the system thinks OAuth is complete when it isn't. Consider clearing auth_url only after establishConnection succeeds.

Code Quality

Missing error handling in restoreConnectionsFromStorage (client.ts:223)
Connection restoration catches errors but continues silently. Failed restorations should be tracked so the UI can show which servers need attention.

Inconsistent state machine (client.ts:160-196)
The logic skips servers in various states but doesn't document why. A server in "authenticating" state during restore likely indicates an incomplete OAuth flow that should be cleaned up or retried.

Type safety gap (client-storage.ts:79-85)
AgentMCPClientStorage constructor takes sql with a signature that returns T[], but the SQL operations don't validate that the template strings are actually SQL. Consider a more type-safe SQL builder or at least document the expected usage pattern.

Testing Coverage

The test file (client-manager.test.ts) has grown significantly (+1757 lines) but I cannot verify test quality without seeing the full file. Ensure tests cover:

• The OAuth race condition scenarios
• Failed connection restoration
• Concurrent registerServer/connectToServer calls
• Storage adapter error cases

Minor Issues

• client.ts:166-167: Log message could be more actionable - suggest what user should do
• index.ts:1322: mcp.dispose() called but no check if already disposed
• client-storage.ts:22,26: Return types use Promise<T | undefined> | undefined - this dual async/sync pattern is confusing, pick one

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/agents@652

commit: 0966d6c

[threepointone]

📚 Documentation Sync

I've created a documentation PR to sync these changes to cloudflare-docs:

Docs PR: cloudflare/cloudflare-docs#26535

Documentation Changes

This PR introduces a storage adapter architecture for the MCP client manager. The documentation includes:

1. New Advanced Configuration Guide (advanced-client-api.mdx)

   • Explains the MCPStorageAdapter interface
   • Provides examples for implementing custom storage backends (KV, R2, external databases)
   • Documents the connection restoration process after hibernation
   • Details performance considerations and caching strategies

2. OAuth Security Section (updated oauth-mcp-client.mdx)

   • Documents the security improvement where callback URLs are cleared after successful OAuth
   • Explains state parameter validation
   • Notes on secure token storage

3. API Reference Updates (updated mcp-client-api.mdx)

   • Added link to advanced configuration guide
   • Noted the modular storage adapter architecture

Why These Docs Matter

This refactoring introduces a breaking change in how MCPClientManager is initialized (now requires a storage adapter in options). While the Agent class handles this transparently for most users, advanced users who might want custom storage backends (e.g., storing MCP configs in KV instead of SQL) now have a documented path forward.

The OAuth security improvements are also worth documenting for user awareness.

---

This is an automated sync from the intelligent documentation workflow.

[threepointone]

📚 Documentation sync

Documentation has been updated in cloudflare-docs to reflect these changes:

Docs PR: cloudflare/cloudflare-docs#26535

Changes documented

• New page: mcp-storage.mdx - Explains the storage adapter architecture and security considerations
• Updated: mcp-client-api.mdx - Added security notes about OAuth credential cleanup
• Updated: oauth-mcp-client.mdx - Added security information about automatic credential cleanup

The documentation covers:

• Storage adapter interface for flexible MCP server configuration persistence
• Automatic OAuth credential cleanup after successful authentication (security improvement)
• Connection restoration behavior after Agent hibernation

---

🤖 Auto-generated comment

[threepointone]

Documentation Updated

The documentation for this PR has been updated in cloudflare-docs#26535.

Documentation changes:

• Added new Storage Adapter page documenting the MCPStorageAdapter interface
• Updated MCP Client API reference to reference storage adapter pattern
• Documented breaking change: MCPClientManager now requires storage option
• Included migration guide for direct MCPClientManager usage
• Documented security improvements in OAuth credential handling

Please review the documentation PR when you have a chance.

[threepointone]

📚 Documentation sync completed

The documentation for this PR has been updated in the cloudflare-docs repository.

Documentation PR: cloudflare/cloudflare-docs#26535

Updated documentation:

• MCP Client API Reference - Updated to reflect storage adapter pattern, automatic connection restoration, and OAuth security improvements
• Storage Adapter Guide - New comprehensive guide on the storage adapter pattern and custom storage backends
• MCP Storage Architecture - New documentation explaining internal storage architecture
• OAuth MCP Client Guide - Updated with OAuth security considerations

Key changes documented:

• Storage adapter pattern for decoupling MCP connection management from storage
• Automatic connection restoration after Agent hibernation
• OAuth security improvements (callback URL clearing to prevent replay attacks)
• Custom storage backend implementation guide
• Connection state management and efficient callback routing

The documentation is ready for review alongside this PR.

[deathbyknowledge]

🔥

[threepointone]

paired and reviewd, ping when done and let's land this

[threepointone]

stampung pending a descriptive changeset