fix: remove colon from actorId to prevent OAuth code parse failure

[chitcommit]

OAuth token exchange was broken: actorId used mcp-client:clientId which added a 4th colon to the authorization code. OAuthProvider expects userId:grantId:secret (3 parts). Fixed by using dash separator instead. After deploy, MCP should reconnect via OAuth PKCE.

Summary by CodeRabbit

• Bug Fixes
  • Fixed OAuth authentication identifier formatting for improved system compatibility.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	chittyconnect	54088da	Mar 19 2026, 12:59 AM

[github-actions]

⚠️ Unsigned Commits Detected

This PR contains unsigned commits. ChittyOS requires all commits to be cryptographically signed.

How to fix this:

Option 1: Sign with SSH key (Recommended)

# Configure Git to use SSH signing
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

# Re-sign your commits
git rebase --exec 'git commit --amend --no-edit -S' HEAD~N
git push --force-with-lease

Option 2: Sign with 1Password

1. Enable "Sign Git commits" in 1Password settings
2. Configure Git: git config --global gpg.program /path/to/op-ssh-sign

Option 3: Sign with GPG

git config --global commit.gpgsign true
git config --global user.signingkey YOUR_KEY_ID

📚 1Password SSH Signing Guide

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Warning

Rate limit exceeded

@chitcommit has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 2 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 280acf77-8514-40c5-b7c5-b65ef49d483b

📥 Commits

Reviewing files that changed from the base of the PR and between 44cd306 and 54088da.

📒 Files selected for processing (1)

• src/middleware/oauth-provider.js

📝 Walkthrough

Walkthrough

Modified the userId construction pattern in the OAuth provider from colon-separated to hyphen-separated format and added inline documentation explaining encoding constraints and authorization code derivation.

Changes

Cohort / File(s)	Summary
OAuth Provider userId Pattern src/middleware/oauth-provider.js	Updated userId construction from mcp-client:${clientId} to mcp-client-${clientId} in handleAuthorize flow. Added comments clarifying that userId must not contain colons and documenting how the OAuthProvider encodes authorization codes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Poem

🐰 A colon once lived in a client ID,
But hyphens work better, we all now agreed!
With comments so clear on encoding's delight,
Our OAuth provider now separates right! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description explains the problem and solution clearly but does not follow the required template structure with sections for Summary, Security & Access, Docs, and Validation.	Add sections for Summary (purpose/scope/impacted services), Security & Access checklist, Docs checklist, and Validation checklist to match the repository template.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: removing a colon from actorId to fix OAuth code parsing, which is the primary purpose of this PR.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/oauth-actorId-colon

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Fixes OAuth token exchange failures by ensuring the per-actor userId used during authorization completion does not introduce an extra : delimiter into the provider’s authorization-code encoding format.

Changes:

• Replace the mcp-client:${clientId} actorId format with mcp-client-${clientId} to avoid embedding : in userId.
• Add inline documentation explaining why userId must not contain colons.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/middleware/oauth-provider.js`:
- Line 128: The actorId construction uses oauthReqInfo.clientId directly which
allows colons to break the authorization code format; change construction and
any place that composes the authorization code (the code string built from
userId:grantId:secret) to use an encoded clientId (e.g., base64 or
encodeURIComponent) instead of the raw oauthReqInfo.clientId, update the
decoding/validation path that splits the authorization code (the code validation
logic that expects "userId:grantId:secret") to decode the clientId after
splitting, and ensure all references to actorId and authorization-code
composition/validation (look for oauthReqInfo.clientId, actorId, and the
authorization code split/validate functions) are updated consistently so colons
in client IDs cannot break parsing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: efc75e36-d104-41e9-a0ae-770deaa4a16f

📥 Commits

Reviewing files that changed from the base of the PR and between 238f22b and 44cd306.

📒 Files selected for processing (1)

• src/middleware/oauth-provider.js