Defensive cap on remembered rejection messages (see MCPOAuthCallbackService.rejectedCallbacks).
Sized well above any realistic single-user burst (e.g. workspace-trust toggle with all OAuth
servers autostarting); hitting it only degrades a late browser callback's message to the generic
"Unknown or expired OAuth state". Shared across frontends; multi-tenant deployments should run
one backend per user.
Defensive cap on remembered rejection messages (see MCPOAuthCallbackService.rejectedCallbacks). Sized well above any realistic single-user burst (e.g. workspace-trust toggle with all OAuth servers autostarting); hitting it only degrades a late browser callback's message to the generic "Unknown or expired OAuth state". Shared across frontends; multi-tenant deployments should run one backend per user.