Clean up DCR entries on OAuth revoke using profile-aware logic

Export CleanupOrphanedDCREntries so it can be called from the revoke
command. After revoking tokens, the CLI now checks whether the server
is still in any profile before deleting its DCR entry. This replaces
the catalog-based IsRemoteOAuthServer check which missed community
servers without oauth.providers metadata.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jchangx

cmd/docker-mcp/oauth/revoke.go

@@ -4,9 +4,10 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/docker/mcp-gateway/pkg/catalog"
+	"github.com/docker/mcp-gateway/pkg/db"
 	"github.com/docker/mcp-gateway/pkg/desktop"
 	pkgoauth "github.com/docker/mcp-gateway/pkg/oauth"
+	"github.com/docker/mcp-gateway/pkg/workingset"
 )
 
 func Revoke(ctx context.Context, app string) error {
@@ -25,28 +26,21 @@ func Revoke(ctx context.Context, app string) error {
 func revokeDesktopMode(ctx context.Context, app string) error {
 	client := desktop.NewAuthClient()
 
-	// Get catalog to check if this is a remote OAuth server
-	catalogData, err := catalog.GetWithOptions(ctx, true, nil)
-	if err != nil {
-		return fmt.Errorf("failed to get catalog: %w", err)
-	}
-
-	server, found := catalogData.Servers[app]
-	isRemoteOAuth := found && server.IsRemoteOAuthServer()
-
 	// Revoke tokens
 	if err := client.DeleteOAuthApp(ctx, app); err != nil {
 		return fmt.Errorf("failed to revoke OAuth access: %w", err)
 	}
 
-	// For remote OAuth servers, also delete DCR client
-	if isRemoteOAuth {
-		if err := client.DeleteDCRClient(ctx, app); err != nil {
-			return fmt.Errorf("failed to remove DCR client: %w", err)
-		}
+	fmt.Printf("OAuth access revoked for %s\n", app)
+
+	// Clean up DCR entry if the server is not in any profile.
+	// If the server is still in a profile, keep the DCR entry so it
+	// remains visible in the OAuth UI for re-authorization.
+	dao, err := db.New()
+	if err == nil {
+		workingset.CleanupOrphanedDCREntries(ctx, dao, []string{app})
 	}
 
-	fmt.Printf("OAuth access revoked for %s\n", app)
 	return nil
 }
 

pkg/workingset/server.go

@@ -95,17 +95,18 @@ func RemoveServers(ctx context.Context, dao db.DAO, id string, serverNames []str
 		namesToRemove[name] = true
 	}
 
-	originalCount := len(workingSet.Servers)
+	removedNames := make([]string, 0)
 	filtered := make([]Server, 0, len(workingSet.Servers))
 	for _, server := range workingSet.Servers {
 		// TODO: Remove when Snapshot is required
-		if server.Snapshot == nil || !namesToRemove[server.Snapshot.Server.Name] {
+		if server.Snapshot != nil && namesToRemove[server.Snapshot.Server.Name] {
+			removedNames = append(removedNames, server.Snapshot.Server.Name)
+		} else {
 			filtered = append(filtered, server)
 		}
 	}
 
-	removedCount := originalCount - len(filtered)
-	if removedCount == 0 {
+	if len(removedNames) == 0 {
 		return fmt.Errorf("no matching servers found to remove")
 	}
 
@@ -120,10 +121,10 @@ func RemoveServers(ctx context.Context, dao db.DAO, id string, serverNames []str
 		return fmt.Errorf("failed to update profile: %w", err)
 	}
 
-	fmt.Printf("Removed %d server(s) from profile %s\n", removedCount, id)
+	fmt.Printf("Removed %d server(s) from profile %s\n", len(removedNames), id)
 
 	// Clean up DCR entries for removed servers not in any other profile
-	cleanupOrphanedDCREntries(ctx, dao, serverNames)
+	CleanupOrphanedDCREntries(ctx, dao, removedNames)
 
 	return nil
 }
@@ -136,9 +137,9 @@ type dcrClient interface {
 	DeleteDCRClient(ctx context.Context, app string) error
 }
 
-// cleanupOrphanedDCREntries removes DCR entries for servers that no longer
+// CleanupOrphanedDCREntries removes DCR entries for servers that no longer
 // exist in any profile. This prevents stale OAuth entries from accumulating.
-func cleanupOrphanedDCREntries(ctx context.Context, dao db.DAO, serverNames []string) {
+func CleanupOrphanedDCREntries(ctx context.Context, dao db.DAO, serverNames []string) {
 	if oauth.IsCEMode() {
 		return
 	}