fix(mcp): add TTL to PendingAuth and clear auth mode on all failure paths

Auth mode (pending_auth on a Thread) had no timeout and several code
paths that failed to clear it, causing user messages to be swallowed
indefinitely. This adds defense-in-depth:

- Add created_at + 5-minute TTL to PendingAuth; auto-clear on next
  message if expired (safety net for edge cases like user closing
  browser mid-OAuth)
- Clear auth mode on OAuth callback failure paths (unknown/consumed
  state, expired flow)
- Move clear_auth_mode before configure() match in setup_submit so
  it runs on failure too (addresses Copilot review feedback)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ilblackdragon

src/agent/agent_loop.rs

@@ -838,19 +838,31 @@ impl Agent {
         };
 
         if let Some(pending) = pending_auth {
-            match &submission {
-                Submission::UserInput { content } => {
-                    return self
-                        .process_auth_token(message, &pending, content, session, thread_id)
-                        .await;
+            if pending.is_expired() {
+                // TTL exceeded — clear stale auth and fall through to normal handling
+                tracing::warn!(
+                    extension = %pending.extension_name,
+                    "Auth mode expired after TTL, clearing"
+                );
+                let mut sess = session.lock().await;
+                if let Some(thread) = sess.threads.get_mut(&thread_id) {
+                    thread.pending_auth = None;
                 }
-                _ => {
-                    // Any control submission (interrupt, undo, etc.) cancels auth mode
-                    let mut sess = session.lock().await;
-                    if let Some(thread) = sess.threads.get_mut(&thread_id) {
-                        thread.pending_auth = None;
+            } else {
+                match &submission {
+                    Submission::UserInput { content } => {
+                        return self
+                            .process_auth_token(message, &pending, content, session, thread_id)
+                            .await;
+                    }
+                    _ => {
+                        // Any control submission (interrupt, undo, etc.) cancels auth mode
+                        let mut sess = session.lock().await;
+                        if let Some(thread) = sess.threads.get_mut(&thread_id) {
+                            thread.pending_auth = None;
+                        }
+                        // Fall through to normal handling
                     }
-                    // Fall through to normal handling
                 }
             }
         }

src/agent/session.rs

@@ -12,7 +12,7 @@
 
 use std::collections::{HashMap, HashSet};
 
-use chrono::{DateTime, Utc};
+use chrono::{DateTime, TimeDelta, Utc};
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
@@ -132,6 +132,9 @@ pub enum ThreadState {
 
 /// Pending auth token request.
 ///
+/// Auth mode TTL — matches `OAUTH_FLOW_EXPIRY` (5 minutes).
+const AUTH_MODE_TTL: TimeDelta = TimeDelta::minutes(5);
+
 /// When `tool_auth` returns `awaiting_token`, the thread enters auth mode.
 /// The next user message is intercepted before entering the normal pipeline
 /// (no logging, no turn creation, no history) and routed directly to the
@@ -140,6 +143,16 @@ pub enum ThreadState {
 pub struct PendingAuth {
     /// Extension name to authenticate.
     pub extension_name: String,
+    /// When this auth mode was entered. Used for TTL expiry.
+    #[serde(default = "Utc::now")]
+    pub created_at: DateTime<Utc>,
+}
+
+impl PendingAuth {
+    /// Returns `true` if this auth mode has exceeded the TTL.
+    pub fn is_expired(&self) -> bool {
+        Utc::now() - self.created_at > AUTH_MODE_TTL
+    }
 }
 
 /// Pending tool approval request stored on a thread.
@@ -295,7 +308,10 @@ impl Thread {
     /// Enter auth mode: next user message will be routed directly to
     /// the credential store, bypassing the normal pipeline entirely.
     pub fn enter_auth_mode(&mut self, extension_name: String) {
-        self.pending_auth = Some(PendingAuth { extension_name });
+        self.pending_auth = Some(PendingAuth {
+            extension_name,
+            created_at: Utc::now(),
+        });
         self.updated_at = Utc::now();
     }
 
@@ -684,15 +700,16 @@ mod tests {
 
     #[test]
     fn test_enter_auth_mode() {
+        let before = Utc::now();
         let mut thread = Thread::new(Uuid::new_v4());
         assert!(thread.pending_auth.is_none());
 
         thread.enter_auth_mode("telegram".to_string());
-        assert!(thread.pending_auth.is_some());
-        assert_eq!(
-            thread.pending_auth.as_ref().unwrap().extension_name,
-            "telegram"
-        );
+        assert!(thread.pending_auth.is_some()); // safety: test assertion
+        let pending = thread.pending_auth.as_ref().unwrap(); // safety: checked above
+        assert_eq!(pending.extension_name, "telegram"); // safety: test assertion
+        assert!(pending.created_at >= before); // safety: test assertion
+        assert!(!pending.is_expired()); // safety: test assertion
     }
 
     #[test]
@@ -701,8 +718,10 @@ mod tests {
         thread.enter_auth_mode("notion".to_string());
 
         let pending = thread.take_pending_auth();
-        assert!(pending.is_some());
-        assert_eq!(pending.unwrap().extension_name, "notion");
+        assert!(pending.is_some()); // safety: test assertion
+        let pending = pending.unwrap(); // safety: checked above
+        assert_eq!(pending.extension_name, "notion"); // safety: test assertion
+        assert!(!pending.is_expired()); // safety: test assertion
 
         // Should be cleared after take
         assert!(thread.pending_auth.is_none());
@@ -717,10 +736,26 @@ mod tests {
         let json = serde_json::to_string(&thread).expect("should serialize");
         assert!(json.contains("pending_auth"));
         assert!(json.contains("openai"));
+        assert!(json.contains("created_at")); // safety: test assertion
 
         let restored: Thread = serde_json::from_str(&json).expect("should deserialize");
-        assert!(restored.pending_auth.is_some());
-        assert_eq!(restored.pending_auth.unwrap().extension_name, "openai");
+        assert!(restored.pending_auth.is_some()); // safety: test assertion
+        let pending = restored.pending_auth.unwrap(); // safety: checked above
+        assert_eq!(pending.extension_name, "openai"); // safety: test assertion
+        assert!(!pending.is_expired()); // safety: test assertion
+    }
+
+    #[test]
+    fn test_pending_auth_expiry() {
+        let mut pending = PendingAuth {
+            extension_name: "test".to_string(),
+            created_at: Utc::now(),
+        };
+        assert!(!pending.is_expired()); // safety: test assertion
+
+        // Backdate beyond the TTL
+        pending.created_at = Utc::now() - AUTH_MODE_TTL - TimeDelta::seconds(1);
+        assert!(pending.is_expired()); // safety: test assertion
     }
 
     #[test]

src/channels/web/server.rs

@@ -563,6 +563,7 @@ async fn oauth_callback_handler(
                 lookup_key = %lookup_key,
                 "OAuth callback received with unknown or expired state"
             );
+            clear_auth_mode(&state).await;
             return oauth_error_page("IronClaw");
         }
     };
@@ -581,6 +582,7 @@ async fn oauth_callback_handler(
                 message: "OAuth flow expired. Please try again.".to_string(),
             });
         }
+        clear_auth_mode(&state).await;
         return oauth_error_page(&flow.display_name);
     }
 
@@ -2186,12 +2188,12 @@ async fn extensions_setup_submit_handler(
         "Extension manager not available (secrets store required)".to_string(),
     ))?;
 
+    // Clear auth mode regardless of outcome so the next user message goes
+    // through to the LLM instead of being intercepted as a token.
+    clear_auth_mode(&state).await;
+
     match ext_mgr.configure(&name, &req.secrets).await {
         Ok(result) => {
-            // Clear auth mode so the next user message goes through to the LLM
-            // instead of being intercepted as a token.
-            clear_auth_mode(&state).await;
-
             // Broadcast auth_completed so the chat UI can dismiss any in-progress
             // auth card or setup modal that was triggered by tool_auth/tool_activate.
             state.sse.broadcast(SseEvent::AuthCompleted {