fix mcp oauth in docker

[StpMax]

Description

fix mcp oauth in docker

Fixes #issue_number

Type of change

(Please delete options that are not relevant)

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ⚡ New feature (non-breaking change which adds functionality)
• 📢 Breaking change (fix or feature that would cause existing functionality not to work as expected)
• 📄 This change requires a documentation update

Verification Process

To ensure the changes are working as expected:

• Test Location: Specify the URL or path for testing.
• Verification Steps: Outline the steps or queries needed to validate the change. Include any data, configurations, or actions required to reproduce or see the new functionality.

Additional Media:

• I have attached a brief loom video or screenshots showcasing the new functionality or change.

Checklist:

• My code follows the style guidelines(PEP 8) of MindsDB.
• I have appropriately commented on my code, especially in complex areas.
• Necessary documentation updates are either made or tracked in issues.
• Relevant unit and integration tests are updated or added.

[entelligence-ai-pr-reviews]

EntelligenceAI PR Summary

Introduces public_url support for MCP OAuth configuration to ensure valid client-facing endpoint URLs are advertised.

• mindsdb/api/mcp/oauth.py: Updated build_oauth_components to read an optional public_url override and fall back to replacing bind-all addresses (0.0.0.0, ::, or empty string) with 127.0.0.1
• mindsdb/utilities/config.py: Added public_url as a new OAuth config schema field with a default empty string value and environment variable binding via MINDSDB_MCP_OAUTH_PUBLIC_URL

---

Confidence Score: 5/5 - Safe to Merge

Safe to merge — this PR correctly addresses a Docker deployment issue where build_oauth_components would advertise bind-all addresses (0.0.0.0 or ::) as OAuth endpoints, which are invalid for client-facing URLs. The fallback logic to replace non-routable bind addresses with 127.0.0.1 is sound, and the public_url override in the config schema with environment variable binding (MINDSDB_MCP_OAUTH_...) provides the necessary escape hatch for production deployments where the public address differs from the bind address.

Key Findings:

• build_oauth_components in oauth.py now correctly handles the bind-all address edge cases (0.0.0.0, ::, and empty string) that would produce invalid OAuth endpoint URLs in containerized environments, with a sensible fallback to 127.0.0.1.
• The public_url field addition to the OAuth config schema in config.py follows the existing pattern for config fields (default empty string, environment variable binding), making it consistent with the rest of the configuration system.
• No review comments were generated and heuristic analysis found zero issues across all severity levels, indicating the change is minimal, focused, and does not introduce regressions.

Files requiring special attention

• mindsdb/api/mcp/oauth.py
• mindsdb/utilities/config.py