fix(mcp): clear OAuth token when deleting MCP server

[404-Page-Found]

What this PR does

Before this PR: When an MCP server was deleted, the OAuth token stored in ~/.cherrystudio/config/mcp/oauth/ was not cleared. This caused the server to bypass the OAuth authorization flow when re-installed.

After this PR: When an MCP server is deleted, the removeServer() method now clears the OAuth token file by computing the MD5 hash of the server's baseUrl and calling JsonFileStorage.clear().

Fixes #14047

Why we need it and why it was done in this way

The bug prevents users from re-authenticating with an MCP server that uses OAuth. When the token expires or needs to be refreshed, users had to manually delete the OAuth file from ~/.cherrystudio/config/mcp/oauth/.

The following tradeoffs were made:

• Simple fix within existing code structure - no new services or patterns needed
• Reuses existing JsonFileStorage.clear() method which already handles file deletion gracefully

The following alternatives were considered:

• Adding OAuth cleanup to the global "Clear Cache" action - but this would clear all OAuth tokens, not just the deleted server's
• Creating a dedicated cleanup method - unnecessary since JsonFileStorage.clear() already exists

Breaking changes

None - this is a bug fix that only affects the deletion flow.

Special notes for your reviewer

The fix adds OAuth token cleanup in the removeServer() method. The implementation:

1. Checks if server.baseUrl exists (not all MCP servers have a baseUrl)
2. Computes MD5 hash of the baseUrl to match the storage filename format
3. Uses existing JsonFileStorage.clear() which handles non-existent files gracefully (catches ENOENT)

Checklist

This checklist is not enforcing, but it's a reminder of items that could be relevant to every PR.
Approvers are expected to review this list.

• PR: The PR description is expressive enough and will help future contributors
• Code: Write code that humans can understand and Keep it simple
• Refactor: You have left the code cleaner than you found it (Boy Scout Rule)
• Upgrade: Impact of this change on upgrade flows was considered and addressed if required
• Documentation: A user-guide update was considered and is present (link) or not required. Check this only when the PR introduces or changes a user-facing feature or behavior.
• Self-review: I have reviewed my own code (e.g., via /gh-pr-review, gh pr diff, or GitHub UI) before requesting review from others

Release note

fix(mcp): clear OAuth token when deleting MCP server - when an MCP server using OAuth is deleted, its cached token is now properly cleared, allowing fresh re-authentication on reinstall

[kangfenmao]

test

[kangfenmao]

Clean and focused fix. Reuses existing JsonFileStorage.clear() nicely. One minor consistency suggestion — see inline comment.

[kangfenmao]

[B3] Minor inconsistency in MD5 hash computation

In the original OAuth creation flow (lines 323–326), when server.baseUrl is undefined, the code falls back to an empty string:

serverUrlHash: crypto.createHash('md5').update(server.baseUrl || '').digest('hex')

Here, the if (server.baseUrl) guard means cleanup is skipped when baseUrl is undefined or an empty string — but the creation flow would still generate a hash (from '') and create an OAuth file in that case.

In practice, a server without a baseUrl is unlikely to reach the OAuth flow, so this won't cause real issues. Still, for consistency, consider extracting the hash computation into a shared helper to avoid duplicated logic:

private getServerUrlHash(server: MCPServer): string {
  return crypto.createHash('md5').update(server.baseUrl || '').digest('hex')
}