fix(mcp wizard): break Step 1 ⇄ Step 4 loop + correct Step 2 banner for anon

Three bugs the MS Docs install path surfaced:

1. **Step 1 ⇄ Step 4 dead loop** (the worst — admin couldn't ever
   reach Step 2/3 to override). `goNext` short-circuited Step 1 to
   Step 4 whenever the probe said `anonymous_ok`, AND `goBack` from
   Step 4 jumped to Step 1. So Back → Next → Back → Next bounced
   between 1 and 4 forever. Fix: move the anonymous shortcut from
   `goNext` (recurring traversal rule) to step-source's
   `runProbeAndNext` (one-shot probe-completion decision). `goBack`
   from Step 4 with anonymous now lands on Step 2 — the symmetric
   place to actually adjust the shape.

2. **Step 2 ProbeSummary lied for anonymous probes**. The fallback
   branch assumed "no OAuth metadata ⇒ recommend static token" and
   rendered "Reachable — auth required, no OAuth metadata" with the
   probe's "Connected — 3 tools available" detail underneath, which
   is internally contradictory. Added an `if (probe.anonymous_ok)`
   branch upfront so admins navigating back to Step 2 see "Reachable
   — public service" with the matching "Anonymous — no credential
   forwarded" recommendation.

3. **i18n**: `anonymousRec` was missing from probeSummary; added in
   en + zh. Renamed `anonymousTitle` from "Reachable — anonymous"
   to "Reachable — public service" / "可达 — 公开服务" so the
   Step 2 banner reads cleanly.

Also added `goToStep` prop to StepSource so the probe handler can
hop directly to Step 4 without going through `onNext`'s
sequential-traversal contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: fylorn

web/src/components/mcp/wizard/server-wizard.tsx

@@ -59,15 +59,14 @@ export function ServerWizardPage() {
 
   const goNext = () => {
     const cur = wiz.state.step;
-    // Anonymous shortcut: skip Step 2 and Step 3 if Step 1 detected
-    // a public server. Admin can still go back and pick a non-anon
-    // shape to override.
-    if (cur === 1 && wiz.state.probe?.anonymous_ok && wiz.state.auth_shape === 'anonymous') {
-      wiz.goToStep(4);
-      return;
-    }
+    // Step 2 → Step 4 when admin chose anonymous (Step 3 is meaningless
+    // — no credential to own). Step 1 used to short-circuit here too,
+    // but that created a back→next loop: "Back" from Step 4 lands on
+    // Step 1, then "Next" auto-skipped to Step 4 again, blocking the
+    // admin from ever reaching Step 2. The anonymous shortcut from
+    // Step 1 now lives inside `step-source.tsx`'s probe handler and
+    // fires exactly once on probe completion, not on every traversal.
     if (cur === 2 && wiz.state.auth_shape === 'anonymous') {
-      // No credential to own when there's no auth.
       wiz.patch({ credential_owner: 'per_user', shared_pending: null });
       wiz.goToStep(4);
       return;
@@ -79,9 +78,12 @@ export function ServerWizardPage() {
 
   const goBack = () => {
     const cur = wiz.state.step;
-    // Mirror the skip logic in reverse.
+    // From Step 4, mirror the forward anonymous shortcut: jump back
+    // to Step 2 (where the admin can change the shape away from
+    // anonymous). Going back to Step 1 would force a re-probe and
+    // re-trigger the auto-skip, which is the loop we just fixed.
     if (cur === 4 && wiz.state.auth_shape === 'anonymous') {
-      wiz.goToStep(1);
+      wiz.goToStep(2);
       return;
     }
     if (cur > 1) {
@@ -219,6 +221,7 @@ export function ServerWizardPage() {
             patch={wiz.patch}
             patchOAuth={wiz.patchOAuth}
             onNext={goNext}
+            goToStep={wiz.goToStep}
             onCancel={cancel}
             templateLoading={wiz.templateLoading}
           />

web/src/components/mcp/wizard/step-auth-shape.tsx

@@ -216,17 +216,17 @@ export function StepAuthShape({ state, patch, patchOAuth, onNext, onBack }: Prop
 
 /**
  * Summary banner — surfaces the Step 1 probe verdict and the resulting
- * recommendation so the auto-pick isn't a black box. Three branches:
+ * recommendation so the auto-pick isn't a black box. Four branches:
  *
+ *   - `anonymous_ok` ⇒ success; public service, "Anonymous" is the
+ *     correct pick. (Reachable when the admin navigates back to
+ *     Step 2 after the probe shortcutted them to Step 4.)
  *   - `auth_required` + OAuth metadata + DCR succeeded ⇒ green; we
  *     pre-filled everything (issuer, client_id, client_secret).
  *   - `auth_required` + OAuth metadata + no DCR ⇒ amber; admin needs
  *     to register the upstream OAuth app and paste Client ID back.
  *   - `auth_required` + no OAuth metadata ⇒ neutral; static token
  *     is the recommendation.
- *
- * Anonymous-OK probes never reach Step 2 (the wizard shell skips
- * straight to Step 4), so we don't render that case here.
  */
 function ProbeSummary({
   url,
@@ -245,7 +245,12 @@ function ProbeSummary({
   let detail: string;
   let recommendation: string;
 
-  if (oauthProbe?.issuer && oauthProbe.client_id) {
+  if (probe.anonymous_ok) {
+    tone = 'success';
+    title = t('mcpServers.wizard.probeSummary.anonymousTitle');
+    detail = probe.message;
+    recommendation = t('mcpServers.wizard.probeSummary.anonymousRec');
+  } else if (oauthProbe?.issuer && oauthProbe.client_id) {
     tone = 'success';
     title = t('mcpServers.wizard.probeSummary.oauthDcrTitle');
     detail = t('mcpServers.wizard.probeSummary.oauthDcrDetail', {

web/src/components/mcp/wizard/step-source.tsx

@@ -13,6 +13,11 @@ interface Props {
   patch: (partial: Partial<WizardState>) => void;
   patchOAuth: (partial: Partial<WizardState['oauth']>) => void;
   onNext: () => void;
+  /** Direct jump used by the anonymous-OK probe shortcut to land on
+   *  Step 4. We can't call `onNext` because it intentionally always
+   *  goes to Step 2 — the auto-skip is a one-shot probe-completion
+   *  decision, not a recurring traversal rule. */
+  goToStep: (step: 1 | 2 | 3 | 4) => void;
   onCancel: () => void;
   /** True while the `?template=<slug>` prefill fetch is in flight. */
   templateLoading?: boolean;
@@ -37,6 +42,7 @@ export function StepSource({
   patch,
   patchOAuth,
   onNext,
+  goToStep,
   onCancel,
   templateLoading,
 }: Props) {
@@ -151,6 +157,16 @@ export function StepSource({
         setError(probe.message);
         return;
       }
+      // Anonymous shortcut: probe passed without credentials → no
+      // auth shape to pick, no credential owner to choose. Jump to
+      // Step 4 (confirm) directly. This skip is INTENTIONALLY a
+      // one-shot probe-completion decision, not a permanent traversal
+      // rule — once the admin lands on Step 4 they can `Back` through
+      // every step normally to adjust shape / credentials.
+      if (probe.anonymous_ok) {
+        goToStep(4);
+        return;
+      }
       onNext();
     } catch (err) {
       setError(err instanceof Error ? err.message : 'Probe failed');

web/src/i18n/en.json

@@ -686,8 +686,9 @@
         "oauthManualRec": "OAuth 2.0 (manual app registration required).",
         "staticTitle": "Reachable — auth required, no OAuth metadata",
         "staticRec": "Static token (PAT / API key) — pick the header shape and continue.",
-        "anonymousTitle": "Reachable — anonymous",
-        "anonymousDetail": "Anonymous tools/list returned {{count}} tool(s) without any credential. Auth shape and credential ownership steps were skipped."
+        "anonymousTitle": "Reachable — public service",
+        "anonymousDetail": "Anonymous tools/list returned {{count}} tool(s) without any credential. Auth shape and credential ownership steps were skipped.",
+        "anonymousRec": "Anonymous — no credential is forwarded. Continue to confirm."
       }
     },
     "credentialOwner": {

web/src/i18n/zh.json

@@ -686,8 +686,9 @@
         "oauthManualRec": "OAuth 2.0（需在上游手动注册应用）。",
         "staticTitle": "可达 — 需要认证，未发现 OAuth 元数据",
         "staticRec": "静态 token（PAT / API key）— 选择 header 形态后继续。",
-        "anonymousTitle": "可达 — 匿名服务",
-        "anonymousDetail": "匿名 tools/list 返回 {{count}} 个工具，无需凭据。已自动跳过「认证形态」和「凭据归属」两步。"
+        "anonymousTitle": "可达 — 公开服务",
+        "anonymousDetail": "匿名 tools/list 返回 {{count}} 个工具，无需凭据。已自动跳过「认证形态」和「凭据归属」两步。",
+        "anonymousRec": "匿名 — 不转发任何凭据。点「下一步」继续到确认。"
       }
     },
     "credentialOwner": {