feat: add mcpOAuthTokenStorage support across all SDKs

[MackinnonBuck]

Motivation

The runtime now accepts mcpOAuthTokenStorage on session.create and session.resume requests to control whether MCP OAuth tokens use the OS keychain or an in-memory store. SDK consumers need this property exposed so they can opt into safe multitenant behavior where tokens are isolated per session.

Part of https://github.com/github/copilot-agent-runtime/issues/7151

Approach

Adds mcpOAuthTokenStorage to the session config types and wires it through to the JSON-RPC request payload in all five language SDKs. The SDK default is "in-memory" (not "persistent") -- this intentionally differs from the runtime default to ensure multitenant consumers get isolation by default.

Per-SDK details:

• Node.js -- property on SessionConfig interface with "persistent" | "in-memory" union type; added to ResumeSessionConfig Pick type; applied with ?? "in-memory" in both payload builders
• Python -- Literal["persistent", "in-memory"] field in both TypedDicts; keyword-only parameter with docstring in both client methods; applied with or "in-memory"
• Go -- MCPOAuthTokenStorage string on public config structs and internal wire request structs (follows Go initialism convention, consistent with MCPServers); default applied in client wiring with empty-string check
• .NET -- McpOAuthTokenStorageMode enum using [JsonConverter(typeof(JsonStringEnumConverter<T>))] + [JsonStringEnumMemberName] (matching established pattern); property on both config classes with copy constructors; wire records and pass-through updated; added to [JsonSerializable] context
• Rust -- Option<String> field with #[serde(skip_serializing_if)]; builder methods; Default / new set Some("in-memory"); Debug impls updated

Tests

• Rust: Default and builder composition assertions in existing type tests
• .NET: McpOAuthTokenStorage added to SessionConfig_Clone_CopiesAllProperties test
• Go: Wire serialization tests for both createSessionRequest and resumeSessionRequest (verifies correct JSON key and omitempty behavior)

Notes for reviewers

• The property is always sent on the wire (never omitted when defaulted), so the runtime always receives an explicit value from the SDK.

[Copilot]

Pull request overview

This PR exposes a new session configuration option, mcpOAuthTokenStorage, across all SDKs so callers can choose whether MCP OAuth tokens are stored persistently (OS keychain) or isolated in-memory per session, defaulting to "in-memory" for safer multitenant usage.

Changes:

• Adds mcpOAuthTokenStorage to session create/resume config types in Rust, Python, Node.js, Go, and .NET.
• Wires the value through to the JSON-RPC payload builders in each SDK, defaulting to "in-memory" when not provided.
• Extends Go/.NET/Rust tests to cover defaulting, cloning, and JSON key serialization.

Show a summary per file

File	Description
rust/src/types.rs	Adds mcp_oauth_token_storage fields + builders + defaults for create/resume configs and extends Rust type tests.
python/copilot/session.py	Extends SessionConfig / ResumeSessionConfig TypedDicts with mcp_oauth_token_storage Literal type.
python/copilot/client.py	Adds mcp_oauth_token_storage parameters to create_session/resume_session and always sends mcpOAuthTokenStorage with default.
nodejs/src/types.ts	Adds mcpOAuthTokenStorage to SessionConfig and includes it in ResumeSessionConfig Pick.
nodejs/src/client.ts	Always sends mcpOAuthTokenStorage on create/resume payloads, defaulting to "in-memory".
go/types.go	Adds MCPOAuthTokenStorage to public configs and wire request structs (JSON key mcpOAuthTokenStorage).
go/client.go	Defaults MCPOAuthTokenStorage to "in-memory" when unset, for both create and resume requests.
go/client_test.go	Adds serialization tests for mcpOAuthTokenStorage JSON key presence/omission behavior.
dotnet/test/Unit/CloneTests.cs	Ensures McpOAuthTokenStorage is copied by SessionConfig clone/copy constructor test.
dotnet/src/Types.cs	Introduces McpOAuthTokenStorageMode enum and adds config properties for create/resume configs.
dotnet/src/Client.cs	Wires McpOAuthTokenStorage through create/resume request records and serialization context.

Copilot's findings

• Files reviewed: 11/11 changed files
• Comments generated: 2

[github-actions]

Generated by SDK Consistency Review Agent for issue #1326 · ● 968.2K

[github-actions]

Generated by SDK Consistency Review Agent for issue #1326 · ● 5.8M

[github-actions]

Cross-SDK Consistency Review ✅

This PR adds mcpOAuthTokenStorage consistently across all six SDK implementations. Here's a summary of the cross-SDK alignment:

SDK	Config type	Default applied	Wire field
Node.js	SessionConfigBase.mcpOAuthTokenStorage?: "persistent" | "in-memory"	"in-memory" in configDefaultsForMode() for "empty" mode	mcpOAuthTokenStorage
Python	mcp_oauth_token_storage: Literal["persistent", "in-memory"] | None	"in-memory" via _mcp_oauth_token_storage_default() for "empty" mode	mcpOAuthTokenStorage
Go	MCPOAuthTokenStorage string on config structs	"in-memory" with empty-string check in client wiring for empty mode	mcpOAuthTokenStorage
.NET	McpOAuthTokenStorageMode enum with [JsonStringEnumMemberName]	McpOAuthTokenStorageMode.InMemory via ??= in ApplyConfigDefaultsForMode()	mcpOAuthTokenStorage
Rust	Option<String> field with serde skip	Some("in-memory") in Default/new	mcpOAuthTokenStorage
Java	String mcpOAuthTokenStorage on SessionConfig/ResumeSessionConfig	"in-memory" applied in CopilotClient when getMcpOAuthTokenStorage() == null in empty mode	mcpOAuthTokenStorage

All SDKs:

• Expose the property on both create and resume config types
• Apply the same "in-memory" default for empty mode (SDK default intentionally differs from runtime default for safe multitenant behavior)
• Pass the value through to the wire payload
• Include tests covering the default and explicit override cases

No cross-SDK inconsistencies found. 🎉

Generated by SDK Consistency Review Agent for issue #1326 · ● 4.5M · ◷