fix(mcp): release probe session, clean up refresh-lock chain

- detectMcpAuthType now reads the Mcp-Session-Id response header and fires a
  best-effort DELETE to release the streamable-HTTP session the probe just
  allocated. Failures are ignored; servers will time the session out anyway.
- Rewrite the refresh-lock chain to `prev.catch(() => undefined).then(() => fn())`
  so the predecessor's rejection reason is explicitly discarded rather than
  threaded into fn as an ignored argument. Each caller's outcome stays its own.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/lib/mcp/oauth/probe.ts

@@ -42,6 +42,11 @@ export async function detectMcpAuthType(url: string): Promise<McpAuthType> {
       signal: controller.signal,
     })
 
+    const sessionId = res.headers.get('mcp-session-id')
+    if (sessionId) {
+      void closeMcpSession(url, sessionId)
+    }
+
     if (res.status === 401) {
       const params = extractWWWAuthenticateParams(res)
       if (params.resourceMetadataUrl || params.scope || params.error) {
@@ -59,3 +64,25 @@ export async function detectMcpAuthType(url: string): Promise<McpAuthType> {
     clearTimeout(timer)
   }
 }
+
+/**
+ * Best-effort DELETE to release the streamable-HTTP session the probe just
+ * allocated. Failures are ignored — the session will expire on the server side.
+ */
+async function closeMcpSession(url: string, sessionId: string): Promise<void> {
+  try {
+    const controller = new AbortController()
+    const timer = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS)
+    try {
+      await fetch(url, {
+        method: 'DELETE',
+        headers: { 'Mcp-Session-Id': sessionId },
+        signal: controller.signal,
+      })
+    } finally {
+      clearTimeout(timer)
+    }
+  } catch {
+    // Ignore — best-effort cleanup
+  }
+}

apps/sim/lib/mcp/oauth/storage.ts

@@ -232,7 +232,10 @@ const refreshLocks = new Map<string, Promise<unknown>>()
 
 export async function withMcpOauthRefreshLock<T>(rowId: string, fn: () => Promise<T>): Promise<T> {
   const prev = refreshLocks.get(rowId) ?? Promise.resolve()
-  const next = prev.then(fn, fn)
+  // Wait for the predecessor to settle (success or failure), discard its
+  // value/error, then run fn. Each caller awaits its own fn's outcome — errors
+  // do not propagate across callers in the chain.
+  const next = prev.catch(() => undefined).then(() => fn())
   refreshLocks.set(rowId, next)
   const cleanup = () => {
     if (refreshLocks.get(rowId) === next) refreshLocks.delete(rowId)