When an HttpError occurs in Google Tasks tools, the error handler now checks
the HTTP status code before suggesting re-authentication. Re-auth messages are
only shown for 401 (Unauthorized) and 403 (Forbidden) errors.
This prevents misleading re-authentication suggestions for non-auth errors like
400 (Bad Request) with malformed arguments, allowing the LLM to focus on the
actual root cause instead of being misdirected by incorrect auth guidance.
The fix applies to both CLI mode (stdio legacy oauth) and MCP mode (OAuth 2.1).
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
When `create_oauth_flow()` is called without an explicit `code_verifier`
(i.e. during the initial auth flow in `start_auth_flow()`), the function
never sets `autogenerate_code_verifier=True` on the Flow constructor.
oauthlib 3.2+ automatically adds `code_challenge` to the authorization
URL at the session level, so Google expects a matching `code_verifier`
during the token exchange. However, since `Flow.code_verifier` remains
`None`, that `None` gets stored in the session store and later passed
back during the callback — causing Google to reject the token exchange
with `(invalid_grant) Missing code verifier`.
The fix adds `autogenerate_code_verifier=True` in the else branch so
the Flow object generates and exposes a proper PKCE code verifier that
gets stored and reused during the callback token exchange.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Detect checklist items in Google Docs API responses and render them as
- [ ] (unchecked) and - [x] (checked) in markdown, so LLMs understand
checkbox state instead of writing literal [x] or DONE text.
Closes#516
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The _wrap_well_known_endpoint function assumed all route endpoints are regular
request handlers (async def handler(request) -> Response). However, the MCP
SDK's cors_middleware wraps handlers with CORSMiddleware, which is an ASGI app
expecting (scope, receive, send). When the wrapper called
`await endpoint(request)` on a CORSMiddleware instance, it passed only 1
argument instead of the required 3 ASGI args.
The fix detects whether the endpoint is a regular handler function or an ASGI
app (using the same inspect check as Starlette's Route constructor), and uses
the appropriate calling convention:
- Regular handlers: called as `await endpoint(request)` (existing behavior)
- ASGI apps: invoked via the ASGI interface `await endpoint(scope, receive, send)`
with response capture to apply cache-busting headers
https://claude.ai/code/session_011S5zFTWRfKBJBUEanrhvQg
