feat(all): implement OAuth pending flows to prevent orphaned installations

Replaced immediate installation creation with two-phase OAuth flow:
- New oauthPendingFlows table stores temporary OAuth state (10-min expiry)
- Authorize endpoint creates flow instead of installation with oauth_pending=true
- Callback endpoint creates installation only after successful OAuth completion
- Cleanup cron job runs every 3 minutes to delete expired flows

Backend changes:
- Add oauthPendingFlows table with indexes for state and expiration
- Update authorize.ts to create flows with flow_id instead of installation_id
- Update callback.ts route from /installations/:installationId/oauth/callback to /oauth/callback/:flowId
- Add CleanupExpiredOAuthPendingFlowsWorker and cron job
- Update response schemas to use flow_id instead of installation_id

Frontend changes:
- Update mcpInstallationService.ts to handle flow_id response
- Update McpServerInstallWizard.vue to use flow_id for completion

Database migration: 0010_young_jimmy_woo.sql

Fixes issue where closing OAuth popup created orphaned installations.
Installations now only exist after successful OAuth authorization.

Author: Lasim

services/backend/api-spec.json

@@ -26096,9 +26096,9 @@
                 "schema": {
                   "type": "object",
                   "properties": {
-                    "installation_id": {
+                    "flow_id": {
                       "type": "string",
-                      "description": "Unique installation ID for the pending OAuth installation"
+                      "description": "Unique flow ID for the pending OAuth flow"
                     },
                     "authorization_url": {
                       "type": "string",
@@ -26116,7 +26116,7 @@
                     }
                   },
                   "required": [
-                    "installation_id",
+                    "flow_id",
                     "authorization_url",
                     "requires_authorization",
                     "expires_at"
@@ -26259,7 +26259,7 @@
         }
       }
     },
-    "/api/teams/{teamId}/mcp/installations/{installationId}/oauth/callback": {
+    "/api/teams/{teamId}/mcp/oauth/callback/{flowId}": {
       "get": {
         "tags": [
           "MCP Installations",
@@ -26311,17 +26311,17 @@
             "in": "path",
             "name": "teamId",
             "required": true,
-            "description": "Team ID that owns the installation"
+            "description": "Team ID"
           },
           {
             "schema": {
               "type": "string",
               "minLength": 1
             },
             "in": "path",
-            "name": "installationId",
+            "name": "flowId",
             "required": true,
-            "description": "Installation ID"
+            "description": "OAuth flow ID"
           }
         ],
         "responses": {

services/backend/api-spec.yaml

@@ -18506,9 +18506,9 @@ paths:
               schema:
                 type: object
                 properties:
-                  installation_id:
+                  flow_id:
                     type: string
-                    description: Unique installation ID for the pending OAuth installation
+                    description: Unique flow ID for the pending OAuth flow
                   authorization_url:
                     type: string
                     format: uri
@@ -18522,7 +18522,7 @@ paths:
                     format: date-time
                     description: ISO 8601 timestamp when the OAuth state expires
                 required:
-                  - installation_id
+                  - flow_id
                   - authorization_url
                   - requires_authorization
                   - expires_at
@@ -18617,7 +18617,7 @@ paths:
                   - success
                   - error
                 description: Internal Server Error
-  /api/teams/{teamId}/mcp/installations/{installationId}/oauth/callback:
+  /api/teams/{teamId}/mcp/oauth/callback/{flowId}:
     get:
       tags:
         - MCP Installations
@@ -18654,14 +18654,14 @@ paths:
           in: path
           name: teamId
           required: true
-          description: Team ID that owns the installation
+          description: Team ID
         - schema:
             type: string
             minLength: 1
           in: path
-          name: installationId
+          name: flowId
           required: true
-          description: Installation ID
+          description: OAuth flow ID
       responses:
         "200":
           description: Default Response

services/backend/drizzle/migrations/0010_young_jimmy_woo.sql

@@ -0,0 +1,27 @@
+CREATE TABLE "oauthPendingFlows" (
+	"id" text PRIMARY KEY NOT NULL,
+	"team_id" text NOT NULL,
+	"server_id" text NOT NULL,
+	"created_by" text NOT NULL,
+	"oauth_state" text NOT NULL,
+	"oauth_code_verifier" text NOT NULL,
+	"oauth_client_id" text NOT NULL,
+	"oauth_client_secret" text,
+	"oauth_provider_id" text,
+	"oauth_token_endpoint" text NOT NULL,
+	"oauth_token_endpoint_auth_method" text NOT NULL,
+	"installation_name" text NOT NULL,
+	"installation_type" text DEFAULT 'global' NOT NULL,
+	"team_config" text,
+	"expires_at" timestamp with time zone NOT NULL,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "oauthPendingFlows" ADD CONSTRAINT "oauthPendingFlows_team_id_teams_id_fk" FOREIGN KEY ("team_id") REFERENCES "public"."teams"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauthPendingFlows" ADD CONSTRAINT "oauthPendingFlows_server_id_mcpServers_id_fk" FOREIGN KEY ("server_id") REFERENCES "public"."mcpServers"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauthPendingFlows" ADD CONSTRAINT "oauthPendingFlows_created_by_authUser_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."authUser"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "oauthPendingFlows" ADD CONSTRAINT "oauthPendingFlows_oauth_provider_id_mcpOauthProviders_id_fk" FOREIGN KEY ("oauth_provider_id") REFERENCES "public"."mcpOauthProviders"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "oauth_pending_flows_state_idx" ON "oauthPendingFlows" USING btree ("oauth_state");--> statement-breakpoint
+CREATE INDEX "oauth_pending_flows_expires_at_idx" ON "oauthPendingFlows" USING btree ("expires_at");--> statement-breakpoint
+CREATE INDEX "oauth_pending_flows_team_server_idx" ON "oauthPendingFlows" USING btree ("team_id","server_id");--> statement-breakpoint
+CREATE INDEX "oauth_pending_flows_created_by_idx" ON "oauthPendingFlows" USING btree ("created_by");