🔑 fix: Robust MCP OAuth Detection in Tool-Call Flow (#12418)

* fix(api): add buildOAuthToolCallName utility for MCP OAuth flows

Extract a shared utility that builds the synthetic tool-call name
used during MCP OAuth flows (oauth_mcp_{normalizedServerName}).

Uses startsWith on the raw serverName (not the normalized form) to
guard against double-wrapping, so names that merely normalize to
start with oauth_mcp_ (e.g., oauth@mcp@server) are correctly
prefixed while genuinely pre-wrapped names are left as-is.

Add 8 unit tests covering normal names, pre-wrapped names, _mcp_
substrings, special characters, non-ASCII, and empty string inputs.

* fix(backend): use buildOAuthToolCallName in MCP OAuth flows

Replace inline tool-call name construction in both reconnectServer
(MCP.js) and createOAuthEmitter (ToolService.js) with the shared
buildOAuthToolCallName utility. Remove unused normalizeServerName
import from ToolService.js. Fix import ordering in both files.

This ensures the oauth_mcp_ prefix is consistently applied so the
client correctly identifies MCP OAuth flows and binds the CSRF
cookie to the right server.

* fix(client): robust MCP OAuth detection and split handling in ToolCall

- Fix split() destructuring to preserve tail segments for server names
  containing _mcp_ (e.g., foo_mcp_bar no longer truncated to foo).
- Add auth URL redirect_uri fallback: when the tool-call name lacks
  the _mcp_ delimiter, parse redirect_uri for the MCP callback path.
  Set function_name to the extracted server name so progress text
  shows the server, not the raw tool-call ID.
- Display server name instead of literal "oauth" as function_name,
  gated on auth presence to avoid misidentifying real tools named
  "oauth".
- Consolidate three independent new URL(auth) parses into a single
  parsedAuthUrl useMemo shared across detection, actionId, and
  authDomain hooks.
- Replace any type on ProgressText test mock with structural type.
- Add 8 tests covering delimiter detection, multi-segment names,
  function_name display, redirect_uri fallback, normalized _mcp_
  server names, and non-MCP action auth exclusion.

* chore: fix import order in utils.test.ts

* fix(client): drop auth gate on OAuth displayName so completed flows show server name

The createOAuthEnd handler re-emits the toolCall delta without auth,
so auth is cleared on the client after OAuth completes. Gating
displayName on `func === 'oauth' && auth` caused completed OAuth
steps to render "Completed oauth" instead of "Completed my-server".

Remove the `&& auth` gate — within the MCP delimiter branch the
func="oauth" check alone is sufficient. Also remove `auth` from the
useMemo dep array since only `parsedAuthUrl` is referenced. Update
the test to assert correct post-completion display.

api/server/services/MCP.js

@@ -14,6 +14,7 @@ const {
   normalizeJsonSchema,
   GenerationJobManager,
   resolveJsonSchemaRefs,
+  buildOAuthToolCallName,
 } = require('@librechat/api');
 const { Time, CacheKeys, Constants, isAssistantsEndpoint } = require('librechat-data-provider');
 const {
@@ -271,7 +272,7 @@ async function reconnectServer({
   const stepId = 'step_oauth_login_' + serverName;
   const toolCall = {
     id: flowId,
-    name: serverName,
+    name: buildOAuthToolCallName(serverName),
     type: 'tool_call_chunk',
   };