npm - @kya-os/mcp-i-core - Versions diffs - 1.2.3-canary.6 → 1.3.0 - Mend

@kya-os/mcp-i-core 1.2.3-canary.6 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (231) hide show

package/.claude/settings.local.json +9 -0
package/.turbo/turbo-build.log +4 -0
package/.turbo/turbo-test$colon$coverage.log +4514 -0
package/.turbo/turbo-test.log +2973 -0
package/COMPLIANCE_IMPROVEMENT_REPORT.md +483 -0
package/Composer 3.md +615 -0
package/GPT-5.md +1169 -0
package/OPUS-plan.md +352 -0
package/PHASE_3_AND_4.1_SUMMARY.md +585 -0
package/PHASE_3_SUMMARY.md +317 -0
package/PHASE_4.1.3_SUMMARY.md +428 -0
package/PHASE_4.1_COMPLETE.md +525 -0
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +1240 -0
package/SCHEMA_COMPLIANCE_REPORT.md +275 -0
package/TEST_PLAN.md +571 -0
package/coverage/coverage-final.json +57 -0
package/dist/__tests__/utils/mock-providers.d.ts +1 -2
package/dist/__tests__/utils/mock-providers.d.ts.map +1 -1
package/dist/__tests__/utils/mock-providers.js.map +1 -1
package/dist/cache/oauth-config-cache.d.ts +69 -0
package/dist/cache/oauth-config-cache.d.ts.map +1 -0
package/dist/cache/oauth-config-cache.js +76 -0
package/dist/cache/oauth-config-cache.js.map +1 -0
package/dist/identity/idp-token-resolver.d.ts +53 -0
package/dist/identity/idp-token-resolver.d.ts.map +1 -0
package/dist/identity/idp-token-resolver.js +108 -0
package/dist/identity/idp-token-resolver.js.map +1 -0
package/dist/identity/idp-token-storage.interface.d.ts +42 -0
package/dist/identity/idp-token-storage.interface.d.ts.map +1 -0
package/dist/identity/idp-token-storage.interface.js +12 -0
package/dist/identity/idp-token-storage.interface.js.map +1 -0
package/dist/identity/user-did-manager.d.ts +39 -1
package/dist/identity/user-did-manager.d.ts.map +1 -1
package/dist/identity/user-did-manager.js +69 -3
package/dist/identity/user-did-manager.js.map +1 -1
package/dist/index.d.ts +22 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +39 -1
package/dist/index.js.map +1 -1
package/dist/runtime/audit-logger.d.ts +37 -0
package/dist/runtime/audit-logger.d.ts.map +1 -0
package/dist/runtime/audit-logger.js +9 -0
package/dist/runtime/audit-logger.js.map +1 -0
package/dist/runtime/base.d.ts +58 -2
package/dist/runtime/base.d.ts.map +1 -1
package/dist/runtime/base.js +266 -11
package/dist/runtime/base.js.map +1 -1
package/dist/services/access-control.service.d.ts.map +1 -1
package/dist/services/access-control.service.js +200 -35
package/dist/services/access-control.service.js.map +1 -1
package/dist/services/authorization/authorization-registry.d.ts +29 -0
package/dist/services/authorization/authorization-registry.d.ts.map +1 -0
package/dist/services/authorization/authorization-registry.js +57 -0
package/dist/services/authorization/authorization-registry.js.map +1 -0
package/dist/services/authorization/types.d.ts +53 -0
package/dist/services/authorization/types.d.ts.map +1 -0
package/dist/services/authorization/types.js +10 -0
package/dist/services/authorization/types.js.map +1 -0
package/dist/services/batch-delegation.service.d.ts +53 -0
package/dist/services/batch-delegation.service.d.ts.map +1 -0
package/dist/services/batch-delegation.service.js +95 -0
package/dist/services/batch-delegation.service.js.map +1 -0
package/dist/services/oauth-config.service.d.ts +53 -0
package/dist/services/oauth-config.service.d.ts.map +1 -0
package/dist/services/oauth-config.service.js +117 -0
package/dist/services/oauth-config.service.js.map +1 -0
package/dist/services/oauth-provider-registry.d.ts +77 -0
package/dist/services/oauth-provider-registry.d.ts.map +1 -0
package/dist/services/oauth-provider-registry.js +112 -0
package/dist/services/oauth-provider-registry.js.map +1 -0
package/dist/services/oauth-service.d.ts +77 -0
package/dist/services/oauth-service.d.ts.map +1 -0
package/dist/services/oauth-service.js +348 -0
package/dist/services/oauth-service.js.map +1 -0
package/dist/services/oauth-token-retrieval.service.d.ts +49 -0
package/dist/services/oauth-token-retrieval.service.d.ts.map +1 -0
package/dist/services/oauth-token-retrieval.service.js +150 -0
package/dist/services/oauth-token-retrieval.service.js.map +1 -0
package/dist/services/provider-resolver.d.ts +48 -0
package/dist/services/provider-resolver.d.ts.map +1 -0
package/dist/services/provider-resolver.js +120 -0
package/dist/services/provider-resolver.js.map +1 -0
package/dist/services/provider-validator.d.ts +55 -0
package/dist/services/provider-validator.d.ts.map +1 -0
package/dist/services/provider-validator.js +135 -0
package/dist/services/provider-validator.js.map +1 -0
package/dist/services/tool-context-builder.d.ts +57 -0
package/dist/services/tool-context-builder.d.ts.map +1 -0
package/dist/services/tool-context-builder.js +125 -0
package/dist/services/tool-context-builder.js.map +1 -0
package/dist/services/tool-protection.service.d.ts +87 -10
package/dist/services/tool-protection.service.d.ts.map +1 -1
package/dist/services/tool-protection.service.js +282 -112
package/dist/services/tool-protection.service.js.map +1 -1
package/dist/types/oauth-required-error.d.ts +40 -0
package/dist/types/oauth-required-error.d.ts.map +1 -0
package/dist/types/oauth-required-error.js +40 -0
package/dist/types/oauth-required-error.js.map +1 -0
package/dist/utils/did-helpers.d.ts +33 -0
package/dist/utils/did-helpers.d.ts.map +1 -1
package/dist/utils/did-helpers.js +40 -0
package/dist/utils/did-helpers.js.map +1 -1
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/dist/utils/index.js.map +1 -1
package/docs/API_REFERENCE.md +1362 -0
package/docs/COMPLIANCE_MATRIX.md +691 -0
package/docs/STATUSLIST2021_GUIDE.md +696 -0
package/docs/W3C_VC_DELEGATION_GUIDE.md +710 -0
package/package.json +24 -50
package/scripts/audit-compliance.ts +724 -0
package/src/__tests__/cache/tool-protection-cache.test.ts +640 -0
package/src/__tests__/config/provider-runtime-config.test.ts +309 -0
package/src/__tests__/delegation-e2e.test.ts +690 -0
package/src/__tests__/identity/user-did-manager.test.ts +213 -0
package/src/__tests__/index.test.ts +56 -0
package/src/__tests__/integration/full-flow.test.ts +776 -0
package/src/__tests__/integration.test.ts +281 -0
package/src/__tests__/providers/base.test.ts +173 -0
package/src/__tests__/providers/memory.test.ts +319 -0
package/src/__tests__/regression/phase2-regression.test.ts +427 -0
package/src/__tests__/runtime/audit-logger.test.ts +154 -0
package/src/__tests__/runtime/base-extensions.test.ts +593 -0
package/src/__tests__/runtime/base.test.ts +869 -0
package/src/__tests__/runtime/delegation-flow.test.ts +164 -0
package/src/__tests__/runtime/proof-client-did.test.ts +375 -0
package/src/__tests__/runtime/route-interception.test.ts +686 -0
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +908 -0
package/src/__tests__/services/agentshield-integration.test.ts +784 -0
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +487 -0
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +480 -0
package/src/__tests__/services/tool-protection.service.test.ts +1366 -0
package/src/__tests__/utils/mock-providers.ts +340 -0
package/src/cache/oauth-config-cache.d.ts +69 -0
package/src/cache/oauth-config-cache.d.ts.map +1 -0
package/src/cache/oauth-config-cache.js +71 -0
package/src/cache/oauth-config-cache.js.map +1 -0
package/src/cache/oauth-config-cache.ts +123 -0
package/src/cache/tool-protection-cache.ts +171 -0
package/src/compliance/EXAMPLE.md +412 -0
package/src/compliance/__tests__/schema-verifier.test.ts +797 -0
package/src/compliance/index.ts +8 -0
package/src/compliance/schema-registry.ts +460 -0
package/src/compliance/schema-verifier.ts +708 -0
package/src/config/__tests__/remote-config.spec.ts +268 -0
package/src/config/remote-config.ts +174 -0
package/src/config.ts +309 -0
package/src/delegation/__tests__/audience-validator.test.ts +112 -0
package/src/delegation/__tests__/bitstring.test.ts +346 -0
package/src/delegation/__tests__/cascading-revocation.test.ts +628 -0
package/src/delegation/__tests__/delegation-graph.test.ts +584 -0
package/src/delegation/__tests__/utils.test.ts +152 -0
package/src/delegation/__tests__/vc-issuer.test.ts +442 -0
package/src/delegation/__tests__/vc-verifier.test.ts +922 -0
package/src/delegation/audience-validator.ts +52 -0
package/src/delegation/bitstring.ts +278 -0
package/src/delegation/cascading-revocation.ts +370 -0
package/src/delegation/delegation-graph.ts +299 -0
package/src/delegation/index.ts +14 -0
package/src/delegation/statuslist-manager.ts +353 -0
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +366 -0
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +228 -0
package/src/delegation/storage/index.ts +9 -0
package/src/delegation/storage/memory-graph-storage.ts +178 -0
package/src/delegation/storage/memory-statuslist-storage.ts +77 -0
package/src/delegation/utils.ts +42 -0
package/src/delegation/vc-issuer.ts +232 -0
package/src/delegation/vc-verifier.ts +568 -0
package/src/identity/idp-token-resolver.ts +147 -0
package/src/identity/idp-token-storage.interface.ts +59 -0
package/src/identity/user-did-manager.ts +370 -0
package/src/index.ts +260 -0
package/src/providers/base.d.ts +91 -0
package/src/providers/base.d.ts.map +1 -0
package/src/providers/base.js +38 -0
package/src/providers/base.js.map +1 -0
package/src/providers/base.ts +96 -0
package/src/providers/memory.ts +142 -0
package/src/runtime/audit-logger.ts +39 -0
package/src/runtime/base.ts +1329 -0
package/src/services/__tests__/access-control.integration.test.ts +443 -0
package/src/services/__tests__/access-control.proof-response-validation.test.ts +578 -0
package/src/services/__tests__/access-control.service.test.ts +970 -0
package/src/services/__tests__/batch-delegation.service.test.ts +351 -0
package/src/services/__tests__/crypto.service.test.ts +531 -0
package/src/services/__tests__/oauth-provider-registry.test.ts +142 -0
package/src/services/__tests__/proof-verifier.integration.test.ts +485 -0
package/src/services/__tests__/proof-verifier.test.ts +489 -0
package/src/services/__tests__/provider-resolution.integration.test.ts +198 -0
package/src/services/__tests__/provider-resolver.test.ts +217 -0
package/src/services/__tests__/storage.service.test.ts +358 -0
package/src/services/access-control.service.ts +990 -0
package/src/services/authorization/authorization-registry.ts +66 -0
package/src/services/authorization/types.ts +71 -0
package/src/services/batch-delegation.service.ts +137 -0
package/src/services/crypto.service.ts +302 -0
package/src/services/errors.ts +76 -0
package/src/services/index.ts +9 -0
package/src/services/oauth-config.service.d.ts +53 -0
package/src/services/oauth-config.service.d.ts.map +1 -0
package/src/services/oauth-config.service.js +113 -0
package/src/services/oauth-config.service.js.map +1 -0
package/src/services/oauth-config.service.ts +166 -0
package/src/services/oauth-provider-registry.d.ts +57 -0
package/src/services/oauth-provider-registry.d.ts.map +1 -0
package/src/services/oauth-provider-registry.js +73 -0
package/src/services/oauth-provider-registry.js.map +1 -0
package/src/services/oauth-provider-registry.ts +123 -0
package/src/services/oauth-service.ts +510 -0
package/src/services/oauth-token-retrieval.service.ts +245 -0
package/src/services/proof-verifier.ts +478 -0
package/src/services/provider-resolver.d.ts +48 -0
package/src/services/provider-resolver.d.ts.map +1 -0
package/src/services/provider-resolver.js +106 -0
package/src/services/provider-resolver.js.map +1 -0
package/src/services/provider-resolver.ts +144 -0
package/src/services/provider-validator.ts +170 -0
package/src/services/storage.service.ts +566 -0
package/src/services/tool-context-builder.ts +172 -0
package/src/services/tool-protection.service.ts +958 -0
package/src/types/oauth-required-error.ts +63 -0
package/src/types/tool-protection.ts +155 -0
package/src/utils/__tests__/did-helpers.test.ts +101 -0
package/src/utils/base64.ts +148 -0
package/src/utils/cors.ts +83 -0
package/src/utils/did-helpers.ts +150 -0
package/src/utils/index.ts +8 -0
package/src/utils/storage-keys.ts +278 -0
package/tsconfig.json +21 -0
package/vitest.config.ts +56 -0

package/src/services/oauth-service.ts ADDED Viewed

@@ -0,0 +1,510 @@
+/**
+ * OAuth Service
+ *
+ * Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
+ * Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+import type { FetchProvider } from "../providers/base.js";
+import type { OAuthConfigService } from "./oauth-config.service.js";
+import type { IdpTokens, OAuthProvider } from "@kya-os/contracts/config";
+export interface OAuthServiceConfig {
+  /** OAuth config service for fetching provider configurations */
+  configService: OAuthConfigService;
+  /** Fetch provider for making HTTP requests */
+  fetchProvider: FetchProvider;
+  /** AgentShield API URL (for proxy mode) */
+  agentShieldApiUrl: string;
+  /** AgentShield API key (for proxy mode) */
+  agentShieldApiKey: string;
+  /** Project ID for fetching OAuth config */
+  projectId: string;
+  /** Optional logger callback for diagnostics */
+  logger?: (message: string, data?: unknown) => void;
+}
+/**
+ * Service for OAuth token exchange and refresh
+ */
+export class OAuthService {
+  private config: Required<Omit<OAuthServiceConfig, "logger">> & {
+    logger: (message: string, data?: unknown) => void;
+  };
+  constructor(config: OAuthServiceConfig) {
+    this.config = {
+      configService: config.configService,
+      fetchProvider: config.fetchProvider,
+      agentShieldApiUrl: config.agentShieldApiUrl,
+      agentShieldApiKey: config.agentShieldApiKey,
+      projectId: config.projectId,
+      logger: config.logger || (() => {}),
+    };
+  }
+  /**
+   * Exchange authorization code for IDP tokens using PKCE
+   *
+   * For PKCE providers: Exchanges code directly with OAuth provider (no client secret)
+   * For proxy mode: Exchanges code via AgentShield API
+   *
+   * @param provider - OAuth provider name (e.g., "github", "google")
+   * @param code - Authorization code from OAuth callback
+   * @param codeVerifier - PKCE code verifier (optional for non-PKCE providers in proxy mode)
+   * @param redirectUri - Redirect URI used in authorization request
+   * @returns IDP tokens (access_token, refresh_token, expires_at, etc.)
+   */
+  async exchangeToken(
+    provider: string,
+    code: string,
+    codeVerifier?: string,
+    redirectUri?: string
+  ): Promise<IdpTokens> {
+    // Fetch provider config
+    const oauthConfig = await this.config.configService.getOAuthConfig(
+      this.config.projectId
+    );
+    const providerConfig = oauthConfig.providers[provider];
+    if (!providerConfig) {
+      throw new Error(`Provider "${provider}" not configured for project "${this.config.projectId}"`);
+    }
+    // For PKCE providers, require codeVerifier
+    if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
+      if (!codeVerifier) {
+        throw new Error(
+          `Provider "${provider}" requires PKCE code_verifier for token exchange`
+        );
+      }
+      return this.exchangeTokenPKCE(
+        providerConfig,
+        code,
+        codeVerifier,
+        redirectUri || ""
+      );
+    }
+    // For proxy mode, codeVerifier is optional (only included if PKCE is supported)
+    if (providerConfig.proxyMode) {
+      return this.exchangeTokenProxy(
+        providerConfig,
+        code,
+        codeVerifier,
+        redirectUri || ""
+      );
+    }
+    throw new Error(
+      `Provider "${provider}" configuration is invalid: must support PKCE or use proxy mode`
+    );
+  }
+  /**
+   * Exchange token directly with OAuth provider using PKCE
+   */
+  private async exchangeTokenPKCE(
+    providerConfig: OAuthProvider,
+    code: string,
+    codeVerifier: string,
+    redirectUri: string
+  ): Promise<IdpTokens> {
+    this.config.logger("[OAuthService] Exchanging token with PKCE", {
+      provider: providerConfig.authorizationUrl,
+      tokenUrl: providerConfig.tokenUrl,
+    });
+    const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json",
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+        client_id: providerConfig.clientId,
+        code_verifier: codeVerifier,
+      }).toString(),
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => "Unknown error");
+      let errorData: any;
+      try {
+        errorData = JSON.parse(errorText);
+      } catch {
+        errorData = { error: errorText };
+      }
+      const errorMessage =
+        errorData.error_description || errorData.error || errorText;
+      this.config.logger("[OAuthService] Token exchange failed", {
+        status: response.status,
+        error: errorMessage,
+        provider: providerConfig.tokenUrl,
+      });
+      throw new Error(
+        `Token exchange failed: ${errorMessage} (${response.status})`
+      );
+    }
+    const tokens = await response.json() as {
+      access_token: string;
+      refresh_token?: string;
+      expires_in?: number;
+      token_type?: string;
+      scope?: string;
+    };
+    // Validate required fields
+    if (!tokens.access_token) {
+      throw new Error("Token response missing access_token");
+    }
+    // Calculate expiration timestamp
+    const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+    const expiresAt = Date.now() + expiresIn * 1000;
+    const idpTokens: IdpTokens = {
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      expires_in: expiresIn,
+      expires_at: expiresAt,
+      token_type: tokens.token_type || "Bearer",
+      scope: tokens.scope,
+    };
+    this.config.logger("[OAuthService] Token exchange successful", {
+      provider: providerConfig.tokenUrl,
+      expiresAt: new Date(expiresAt).toISOString(),
+      hasRefreshToken: !!idpTokens.refresh_token,
+    });
+    return idpTokens;
+  }
+  /**
+   * Exchange token via AgentShield proxy (for providers that require proxy mode)
+   *
+   * Note: For Phase 3 two-step flow, OAuth tokens are retrieved separately via
+   * OAuthTokenRetrievalService in the callback handler. This method maintains
+   * backward compatibility for direct proxy mode usage.
+   */
+  private async exchangeTokenProxy(
+    providerConfig: OAuthProvider,
+    code: string,
+    codeVerifier?: string,
+    redirectUri?: string
+  ): Promise<IdpTokens> {
+    // Exchange via AgentShield proxy endpoint
+    const proxyUrl = `${this.config.agentShieldApiUrl}/api/v1/oauth/token`;
+    this.config.logger("[OAuthService] Exchanging token via proxy", {
+      proxyUrl,
+      provider: providerConfig.authorizationUrl,
+      hasCodeVerifier: !!codeVerifier,
+      supportsPKCE: providerConfig.supportsPKCE,
+    });
+    // Build request body - only include code_verifier if PKCE is supported and provided
+    const requestBody: Record<string, string> = {
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: redirectUri || "",
+      provider: providerConfig.authorizationUrl,
+      project_id: this.config.projectId,
+    };
+    // Include code_verifier only if provider supports PKCE and verifier is provided
+    if (providerConfig.supportsPKCE && codeVerifier) {
+      requestBody.code_verifier = codeVerifier;
+    }
+    const response = await this.config.fetchProvider.fetch(proxyUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.config.agentShieldApiKey}`,
+      },
+      body: JSON.stringify(requestBody),
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => "Unknown error");
+      let errorData: any;
+      try {
+        errorData = JSON.parse(errorText);
+      } catch {
+        errorData = { error: errorText };
+      }
+      const errorMessage =
+        errorData.error_description || errorData.error || errorText;
+      this.config.logger("[OAuthService] Proxy token exchange failed", {
+        status: response.status,
+        error: errorMessage,
+        proxyUrl,
+      });
+      throw new Error(
+        `Proxy token exchange failed: ${errorMessage} (${response.status})`
+      );
+    }
+    const result = await response.json() as {
+      data?: {
+        access_token: string;
+        refresh_token?: string;
+        expires_in?: number;
+        token_type?: string;
+        scope?: string;
+      };
+      access_token?: string;
+      refresh_token?: string;
+      expires_in?: number;
+      token_type?: string;
+      scope?: string;
+    };
+    const tokens = result.data || result;
+    // Validate required fields
+    if (!tokens.access_token) {
+      throw new Error("Proxy token response missing access_token");
+    }
+    // Calculate expiration timestamp
+    const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+    const expiresAt = Date.now() + expiresIn * 1000;
+    const idpTokens: IdpTokens = {
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      expires_in: expiresIn,
+      expires_at: expiresAt,
+      token_type: tokens.token_type || "Bearer",
+      scope: tokens.scope,
+    };
+    this.config.logger("[OAuthService] Proxy token exchange successful", {
+      proxyUrl,
+      expiresAt: new Date(expiresAt).toISOString(),
+      hasRefreshToken: !!idpTokens.refresh_token,
+    });
+    return idpTokens;
+  }
+  /**
+   * Refresh IDP access token using refresh token
+   *
+   * For PKCE providers: Refreshes directly with OAuth provider
+   * For proxy mode: Refreshes via AgentShield API
+   *
+   * @param provider - OAuth provider name
+   * @param refreshToken - Refresh token from previous token exchange
+   * @returns New IDP tokens or null if refresh failed
+   */
+  async refreshToken(
+    provider: string,
+    refreshToken: string
+  ): Promise<IdpTokens | null> {
+    // Fetch provider config
+    const oauthConfig = await this.config.configService.getOAuthConfig(
+      this.config.projectId
+    );
+    const providerConfig = oauthConfig.providers[provider];
+    if (!providerConfig) {
+      this.config.logger("[OAuthService] Provider not found for refresh", {
+        provider,
+      });
+      return null;
+    }
+    // For PKCE providers, refresh directly with OAuth provider
+    if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
+      return this.refreshTokenPKCE(providerConfig, refreshToken);
+    }
+    // For proxy mode, refresh via AgentShield
+    if (providerConfig.proxyMode) {
+      return this.refreshTokenProxy(providerConfig, refreshToken);
+    }
+    return null;
+  }
+  /**
+   * Refresh token directly with OAuth provider using PKCE
+   */
+  private async refreshTokenPKCE(
+    providerConfig: OAuthProvider,
+    refreshToken: string
+  ): Promise<IdpTokens | null> {
+    this.config.logger("[OAuthService] Refreshing token with PKCE", {
+      provider: providerConfig.tokenUrl,
+    });
+    try {
+      const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          Accept: "application/json",
+        },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+          client_id: providerConfig.clientId,
+        }).toString(),
+      });
+      if (!response.ok) {
+        this.config.logger("[OAuthService] Token refresh failed", {
+          status: response.status,
+          provider: providerConfig.tokenUrl,
+        });
+        return null;
+      }
+      const tokens = await response.json() as {
+        access_token: string;
+        refresh_token?: string;
+        expires_in?: number;
+        token_type?: string;
+        scope?: string;
+      };
+      if (!tokens.access_token) {
+        this.config.logger("[OAuthService] Token refresh response missing access_token");
+        return null;
+      }
+      // Calculate expiration timestamp
+      const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+      const expiresAt = Date.now() + expiresIn * 1000;
+      const idpTokens: IdpTokens = {
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token || refreshToken, // Use new refresh token if provided, otherwise keep old one
+        expires_in: expiresIn,
+        expires_at: expiresAt,
+        token_type: tokens.token_type || "Bearer",
+        scope: tokens.scope,
+      };
+      this.config.logger("[OAuthService] Token refresh successful", {
+        provider: providerConfig.tokenUrl,
+        expiresAt: new Date(expiresAt).toISOString(),
+      });
+      return idpTokens;
+    } catch (error) {
+      this.config.logger("[OAuthService] Token refresh error", {
+        error: error instanceof Error ? error.message : String(error),
+        provider: providerConfig.tokenUrl,
+      });
+      return null;
+    }
+  }
+  /**
+   * Refresh token via AgentShield proxy
+   */
+  private async refreshTokenProxy(
+    providerConfig: OAuthProvider,
+    refreshToken: string
+  ): Promise<IdpTokens | null> {
+    const proxyUrl = `${this.config.agentShieldApiUrl}/api/v1/oauth/token`;
+    this.config.logger("[OAuthService] Refreshing token via proxy", {
+      proxyUrl,
+      provider: providerConfig.authorizationUrl,
+    });
+    try {
+      const response = await this.config.fetchProvider.fetch(proxyUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${this.config.agentShieldApiKey}`,
+        },
+        body: JSON.stringify({
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+          provider: providerConfig.authorizationUrl,
+          project_id: this.config.projectId,
+        }),
+      });
+      if (!response.ok) {
+        this.config.logger("[OAuthService] Proxy token refresh failed", {
+          status: response.status,
+          proxyUrl,
+        });
+        return null;
+      }
+      const result = await response.json() as {
+        data?: {
+          access_token: string;
+          refresh_token?: string;
+          expires_in?: number;
+          token_type?: string;
+          scope?: string;
+        };
+        access_token?: string;
+        refresh_token?: string;
+        expires_in?: number;
+        token_type?: string;
+        scope?: string;
+      };
+      const tokens = result.data || result;
+      if (!tokens.access_token) {
+        this.config.logger("[OAuthService] Proxy token refresh response missing access_token");
+        return null;
+      }
+      // Calculate expiration timestamp
+      const expiresIn = tokens.expires_in || 3600; // Default 1 hour
+      const expiresAt = Date.now() + expiresIn * 1000;
+      const idpTokens: IdpTokens = {
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token || refreshToken,
+        expires_in: expiresIn,
+        expires_at: expiresAt,
+        token_type: tokens.token_type || "Bearer",
+        scope: tokens.scope,
+      };
+      this.config.logger("[OAuthService] Proxy token refresh successful", {
+        proxyUrl,
+        expiresAt: new Date(expiresAt).toISOString(),
+      });
+      return idpTokens;
+    } catch (error) {
+      this.config.logger("[OAuthService] Proxy token refresh error", {
+        error: error instanceof Error ? error.message : String(error),
+        proxyUrl,
+      });
+      return null;
+    }
+  }
+}