fix(mcp): preserve custom headers for OAuth servers; atomic PATCH + token clear

- client.ts: pass requestInit.headers for OAuth servers too. Previously OAuth
  authType set requestInit to undefined, dropping all custom headers including
  SIM_VIA_HEADER for cross-call loop prevention. The SDK's authProvider adds
  Authorization on top, so user/system headers must still flow through.
- servers/[id]/route.ts: wrap server UPDATE and stale OAuth-token DELETE in a
  single transaction. Previously the update committed before the token clear,
  so a token-clear failure would leave new credentials with stale tokens.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/mcp/servers/[id]/route.ts

@@ -115,29 +115,6 @@ export const PATCH = withRouteHandler(
           finalUpdateData.authType = 'oauth'
         }
 
-        const [updatedServer] = await db
-          .update(mcpServers)
-          .set({
-            ...finalUpdateData,
-            updatedAt: new Date(),
-          })
-          .where(
-            and(
-              eq(mcpServers.id, serverId),
-              eq(mcpServers.workspaceId, workspaceId),
-              isNull(mcpServers.deletedAt)
-            )
-          )
-          .returning()
-
-        if (!updatedServer) {
-          return createMcpErrorResponse(
-            new Error('Server not found or access denied'),
-            'Server not found',
-            404
-          )
-        }
-
         const urlChanged = body.url !== undefined && currentServer?.url !== body.url
         const clientIdChanged =
           body.oauthClientId !== undefined &&
@@ -155,9 +132,42 @@ export const PATCH = withRouteHandler(
           }
         }
         const oauthCredsChanged = clientIdChanged || clientSecretChanged
+        const shouldClearOauth = urlChanged || oauthCredsChanged
+
+        const updatedServer = await db.transaction(async (tx) => {
+          const [updated] = await tx
+            .update(mcpServers)
+            .set({
+              ...finalUpdateData,
+              updatedAt: new Date(),
+            })
+            .where(
+              and(
+                eq(mcpServers.id, serverId),
+                eq(mcpServers.workspaceId, workspaceId),
+                isNull(mcpServers.deletedAt)
+              )
+            )
+            .returning()
+
+          if (!updated) return null
+
+          if (shouldClearOauth) {
+            await tx.delete(mcpServerOauth).where(eq(mcpServerOauth.mcpServerId, serverId))
+          }
+
+          return updated
+        })
+
+        if (!updatedServer) {
+          return createMcpErrorResponse(
+            new Error('Server not found or access denied'),
+            'Server not found',
+            404
+          )
+        }
 
-        if (urlChanged || oauthCredsChanged) {
-          await db.delete(mcpServerOauth).where(eq(mcpServerOauth.mcpServerId, serverId))
+        if (shouldClearOauth) {
           logger.info(
             `[${requestId}] Cleared OAuth credentials for server ${serverId} due to ${urlChanged ? 'URL' : 'OAuth credential'} change`
           )

apps/sim/lib/mcp/client.ts

@@ -93,11 +93,9 @@ export class McpClient {
     const useOauth = this.config.authType === 'oauth' && this.authProvider != null
     this.transport = new StreamableHTTPClientTransport(new URL(this.config.url), {
       authProvider: useOauth ? this.authProvider : undefined,
-      requestInit: useOauth
-        ? undefined
-        : {
-            headers: this.config.headers,
-          },
+      requestInit: {
+        headers: this.config.headers,
+      },
     })
 
     this.client = new Client(