hermes - MCP OAuth fails with Supabase: token exchange requires client_secret [2 pull requests]



Fix Action

Fixed


Bug Description

Supabase hosted MCP OAuth can complete browser consent but fail during the authorization-code token exchange with:

Token exchange failed (422): {"message":"Required parameter: client_secret"}

In practice, the browser authorization page can appear repeatedly after clicking Approve because the callback succeeds but token exchange fails.

Steps to Reproduce

  1. Configure Supabase hosted MCP with OAuth, for example:

    mcp_servers:
      supabase:
        url: https://mcp.supabase.com/mcp?project_ref=<project_ref>&features=docs%2Caccount%2Cdatabase%2Cdebugging%2Cdevelopment%2Cfunctions%2Cbranching%2Cstorage
        auth: oauth
        enabled: true

  2. Run:

    hermes mcp login supabase

  3. Approve the Supabase authorization request in the browser.

Expected Behavior

Hermes should exchange the authorization code for tokens, persist the OAuth token cache, and allow:

hermes mcp test supabase

to connect and discover Supabase MCP tools.

Actual Behavior

The OAuth flow may fail during code-to-token exchange with:

Required parameter: client_secret

or repeatedly reopen/show the Supabase authorization page.

Root Cause

Supabase MCP dynamic client registration may return a client_secret while omitting token_endpoint_auth_method. The MCP SDK treats the missing method as public-client auth (none), so token exchange omits client_secret. Supabase rejects that exchange because it registered/returned a confidential client.

During a clean reinstall reproduction, Supabase's token endpoint also returned a successful token response with HTTP 201 Created; Hermes/MCP SDK code paths that require exactly 200 can incorrectly treat that successful response as a failure.

Related Prior Art

Other MCP clients/platforms have hit the same class of Supabase hosted MCP DCR behavior:

Proposed Fix

  • If DCR/stored client info contains client_secret and token_endpoint_auth_method is missing/none, coerce it to client_secret_post before token exchange and refresh.
  • Persist that corrected method in Hermes' OAuth client cache.
  • Accept any 2xx token/refresh response as success, not only exactly 200.
  • Avoid including token response bodies in token-exchange error messages.

Local Verification

With the fix applied locally:

hermes mcp test supabase
✓ Connected
✓ Tools discovered: 23

A smoke test using Supabase MCP execute_sql also succeeded for create/insert/select/delete/drop of a temporary table, and final list_tables returned an empty database again.
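
The three behaviours listed under Proposed Fix, sketched as an added example (not code from Hermes, the MCP SDK, or the linked pull requests). All function names, the exception class and the sample registration data are hypothetical; only the OAuth field names come from the issue and the OAuth specifications.

```python
import json

class TokenExchangeError(Exception):
    """Raised on a non-2xx token response; never carries the response body."""

def normalize_client_auth(client_info: dict) -> dict:
    """Return a copy of DCR/stored client info with a usable auth method."""
    info = dict(client_info)
    method = info.get("token_endpoint_auth_method")
    # A returned client_secret means the server registered a confidential
    # client, even if it omitted the method or the cache recorded "none".
    if info.get("client_secret") and method in (None, "", "none"):
        info["token_endpoint_auth_method"] = "client_secret_post"
    return info  # the caller persists this corrected copy in its client cache

def build_token_request(client_info, code, redirect_uri, code_verifier) -> dict:
    """Form fields for the authorization-code token exchange."""
    info = normalize_client_auth(client_info)
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "client_id": info["client_id"],
    }
    # Only client_secret_post sends the secret in the form body.
    if info.get("token_endpoint_auth_method") == "client_secret_post":
        form["client_secret"] = info["client_secret"]
    return form

def parse_token_response(status: int, body: str) -> dict:
    """Accept any 2xx as success; report failures by status code only."""
    if not 200 <= status < 300:
        # The body is deliberately left out: a misclassified success body
        # holds tokens, and exception text tends to end up in logs.
        raise TokenExchangeError(f"Token exchange failed (HTTP {status})")
    return json.loads(body)

# Constructed sample registration response (not captured from Supabase):
# a secret is present but token_endpoint_auth_method is missing.
DCR_RESPONSE = {"client_id": "example-client", "client_secret": "example-secret"}
```

The same normalization applies to the refresh-token request, which uses the stored client info in the same way.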
