fix: handle slow_down in GitHub device-flow token polling

[friendlygeorge]

Summary

Treat slow_down as a retriable error in the GitHub device-flow token polling loop, per RFC 8628 §3.5.

Problem

When GitHub's device-flow token endpoint returns slow_down, the publisher exits with a fatal error:

Error: login failed: error polling for token: token request failed: slow_down

The login session is unrecoverable — the user must re-run the command and hope to authorize before any slow_down is emitted again.

Root Cause

In pollForToken, only authorization_pending is treated as retriable. slow_down falls into the catch-all error branch and aborts:

if tokenResp.Error == "authorization_pending" {
    time.Sleep(time.Duration(interval) * time.Second)
    continue
}
if tokenResp.Error != "" {
    return "", fmt.Errorf("token request failed: %s", tokenResp.Error)
}

Fix

Treat slow_down the same as authorization_pending but with the required interval increase (+5 seconds):

if tokenResp.Error == "authorization_pending" || tokenResp.Error == "slow_down" {
    if tokenResp.Error == "slow_down" {
        interval += 5
    }
    time.Sleep(time.Duration(interval) * time.Second)
    continue
}

Testing

The existing test infrastructure doesn't directly test pollForToken (unexported method, external test package). The fix is minimal (4 lines changed) and follows the exact pattern specified in RFC 8628 §3.5. Can verify manually:

1. Run mcp-publisher login github
2. Open the device URL but delay authorization past the initial polling window
3. Observe that instead of failing, the publisher retries with increased intervals

Related

• Closes mcp-publisher: device-flow login treats GitHub slow_down as fatal instead of backing off #1289
• Related to metrics: stop counting client-cancelled requests as server errors #1255 (metrics-side fix for cancelled requests)

[friendlygeorge]

Hi! This PR has been open for 5 days. Just checking if there's anything I can do to help move it forward — happy to address any review feedback or make adjustments.

The fix handles the slow_down response per RFC 8628 §3.5, which is the standard retry mechanism for device-flow token polling. Without it, users get an unrecoverable error when GitHub throttles the polling interval.

[friendlygeorge]

Hi — just a gentle ping. CI is green (Build/Lint + Tests passing). This fixes #1289 — the fatal error that kills device-flow login sessions. Happy to make any adjustments if the approach needs tweaking.

[friendlygeorge]

Hi — gentle ping. CI is green (Build/Lint + Tests passing). This treats slow_down as retriable per RFC 8628 §3.5 — prevents unrecoverable login failures when GitHub rate-limits device-flow polling. Happy to iterate if needed.

[friendlygeorge]

Hi — gentle ping. CI is green (Build/Lint + Tests passing). Per RFC 8628 section 3.5, slow_down should be treated as retriable in device-flow polling — currently it causes an unrecoverable fatal error. Happy to iterate if the implementation needs changes.