npm - @kya-os/mcp-i-core - Versions diffs - 1.3.12 → 1.3.14 - Mend

@kya-os/mcp-i-core 1.3.12 → 1.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (254) hide show

package/dist/config/remote-config.js +9 -12
package/dist/runtime/base.js +11 -0
package/dist/services/access-control.service.js +5 -0
package/dist/services/tool-protection.service.js +17 -8
package/package.json +2 -2
package/.turbo/turbo-build.log +0 -4
package/.turbo/turbo-test$colon$coverage.log +0 -4586
package/.turbo/turbo-test.log +0 -3169
package/COMPLIANCE_IMPROVEMENT_REPORT.md +0 -483
package/Composer 3.md +0 -615
package/GPT-5.md +0 -1169
package/OPUS-plan.md +0 -352
package/PHASE_3_AND_4.1_SUMMARY.md +0 -585
package/PHASE_3_SUMMARY.md +0 -317
package/PHASE_4.1.3_SUMMARY.md +0 -428
package/PHASE_4.1_COMPLETE.md +0 -525
package/PHASE_4_USER_DID_IDENTITY_LINKING_PLAN.md +0 -1240
package/SCHEMA_COMPLIANCE_REPORT.md +0 -275
package/TEST_PLAN.md +0 -571
package/coverage/coverage-final.json +0 -60
package/dist/cache/oauth-config-cache.d.ts.map +0 -1
package/dist/cache/oauth-config-cache.js.map +0 -1
package/dist/cache/tool-protection-cache.d.ts.map +0 -1
package/dist/cache/tool-protection-cache.js.map +0 -1
package/dist/compliance/index.d.ts.map +0 -1
package/dist/compliance/index.js.map +0 -1
package/dist/compliance/schema-registry.d.ts.map +0 -1
package/dist/compliance/schema-registry.js.map +0 -1
package/dist/compliance/schema-verifier.d.ts.map +0 -1
package/dist/compliance/schema-verifier.js.map +0 -1
package/dist/config/remote-config.d.ts.map +0 -1
package/dist/config/remote-config.js.map +0 -1
package/dist/config.d.ts.map +0 -1
package/dist/config.js.map +0 -1
package/dist/delegation/audience-validator.d.ts.map +0 -1
package/dist/delegation/audience-validator.js.map +0 -1
package/dist/delegation/bitstring.d.ts.map +0 -1
package/dist/delegation/bitstring.js.map +0 -1
package/dist/delegation/cascading-revocation.d.ts.map +0 -1
package/dist/delegation/cascading-revocation.js.map +0 -1
package/dist/delegation/delegation-graph.d.ts.map +0 -1
package/dist/delegation/delegation-graph.js.map +0 -1
package/dist/delegation/did-key-resolver.d.ts.map +0 -1
package/dist/delegation/did-key-resolver.js.map +0 -1
package/dist/delegation/index.d.ts.map +0 -1
package/dist/delegation/index.js.map +0 -1
package/dist/delegation/statuslist-manager.d.ts.map +0 -1
package/dist/delegation/statuslist-manager.js.map +0 -1
package/dist/delegation/storage/index.d.ts.map +0 -1
package/dist/delegation/storage/index.js.map +0 -1
package/dist/delegation/storage/memory-graph-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-graph-storage.js.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.d.ts.map +0 -1
package/dist/delegation/storage/memory-statuslist-storage.js.map +0 -1
package/dist/delegation/utils.d.ts.map +0 -1
package/dist/delegation/utils.js.map +0 -1
package/dist/delegation/vc-issuer.d.ts.map +0 -1
package/dist/delegation/vc-issuer.js.map +0 -1
package/dist/delegation/vc-verifier.d.ts.map +0 -1
package/dist/delegation/vc-verifier.js.map +0 -1
package/dist/identity/idp-token-resolver.d.ts.map +0 -1
package/dist/identity/idp-token-resolver.js.map +0 -1
package/dist/identity/idp-token-storage.interface.d.ts.map +0 -1
package/dist/identity/idp-token-storage.interface.js.map +0 -1
package/dist/identity/user-did-manager.d.ts.map +0 -1
package/dist/identity/user-did-manager.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers/base.d.ts.map +0 -1
package/dist/providers/base.js.map +0 -1
package/dist/providers/memory.d.ts.map +0 -1
package/dist/providers/memory.js.map +0 -1
package/dist/runtime/audit-logger.d.ts.map +0 -1
package/dist/runtime/audit-logger.js.map +0 -1
package/dist/runtime/base.d.ts.map +0 -1
package/dist/runtime/base.js.map +0 -1
package/dist/services/access-control.service.d.ts.map +0 -1
package/dist/services/access-control.service.js.map +0 -1
package/dist/services/authorization/authorization-registry.d.ts.map +0 -1
package/dist/services/authorization/authorization-registry.js.map +0 -1
package/dist/services/authorization/types.d.ts.map +0 -1
package/dist/services/authorization/types.js.map +0 -1
package/dist/services/batch-delegation.service.d.ts.map +0 -1
package/dist/services/batch-delegation.service.js.map +0 -1
package/dist/services/crypto.service.d.ts.map +0 -1
package/dist/services/crypto.service.js.map +0 -1
package/dist/services/errors.d.ts.map +0 -1
package/dist/services/errors.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js.map +0 -1
package/dist/services/oauth-config.service.d.ts.map +0 -1
package/dist/services/oauth-config.service.js.map +0 -1
package/dist/services/oauth-provider-registry.d.ts.map +0 -1
package/dist/services/oauth-provider-registry.js.map +0 -1
package/dist/services/oauth-service.d.ts.map +0 -1
package/dist/services/oauth-service.js.map +0 -1
package/dist/services/oauth-token-retrieval.service.d.ts.map +0 -1
package/dist/services/oauth-token-retrieval.service.js.map +0 -1
package/dist/services/proof-verifier.d.ts.map +0 -1
package/dist/services/proof-verifier.js.map +0 -1
package/dist/services/provider-resolver.d.ts.map +0 -1
package/dist/services/provider-resolver.js.map +0 -1
package/dist/services/provider-validator.d.ts.map +0 -1
package/dist/services/provider-validator.js.map +0 -1
package/dist/services/session-registration.service.d.ts.map +0 -1
package/dist/services/session-registration.service.js.map +0 -1
package/dist/services/storage.service.d.ts.map +0 -1
package/dist/services/storage.service.js.map +0 -1
package/dist/services/tool-context-builder.d.ts.map +0 -1
package/dist/services/tool-context-builder.js.map +0 -1
package/dist/services/tool-protection.service.d.ts.map +0 -1
package/dist/services/tool-protection.service.js.map +0 -1
package/dist/types/oauth-required-error.d.ts.map +0 -1
package/dist/types/oauth-required-error.js.map +0 -1
package/dist/types/tool-protection.d.ts.map +0 -1
package/dist/types/tool-protection.js.map +0 -1
package/dist/utils/base58.d.ts.map +0 -1
package/dist/utils/base58.js.map +0 -1
package/dist/utils/base64.d.ts.map +0 -1
package/dist/utils/base64.js.map +0 -1
package/dist/utils/cors.d.ts.map +0 -1
package/dist/utils/cors.js.map +0 -1
package/dist/utils/did-helpers.d.ts.map +0 -1
package/dist/utils/did-helpers.js.map +0 -1
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/index.js.map +0 -1
package/dist/utils/storage-keys.d.ts.map +0 -1
package/dist/utils/storage-keys.js.map +0 -1
package/docs/API_REFERENCE.md +0 -1362
package/docs/COMPLIANCE_MATRIX.md +0 -691
package/docs/STATUSLIST2021_GUIDE.md +0 -696
package/docs/W3C_VC_DELEGATION_GUIDE.md +0 -710
package/src/__tests__/cache/tool-protection-cache.test.ts +0 -640
package/src/__tests__/config/provider-runtime-config.test.ts +0 -309
package/src/__tests__/delegation-e2e.test.ts +0 -690
package/src/__tests__/identity/user-did-manager.test.ts +0 -232
package/src/__tests__/index.test.ts +0 -56
package/src/__tests__/integration/full-flow.test.ts +0 -789
package/src/__tests__/integration.test.ts +0 -281
package/src/__tests__/providers/base.test.ts +0 -173
package/src/__tests__/providers/memory.test.ts +0 -319
package/src/__tests__/regression/phase2-regression.test.ts +0 -429
package/src/__tests__/runtime/audit-logger.test.ts +0 -154
package/src/__tests__/runtime/base-extensions.test.ts +0 -595
package/src/__tests__/runtime/base.test.ts +0 -869
package/src/__tests__/runtime/delegation-flow.test.ts +0 -164
package/src/__tests__/runtime/proof-client-did.test.ts +0 -376
package/src/__tests__/runtime/route-interception.test.ts +0 -686
package/src/__tests__/runtime/tool-protection-enforcement.test.ts +0 -908
package/src/__tests__/services/agentshield-integration.test.ts +0 -791
package/src/__tests__/services/cache-busting.test.ts +0 -125
package/src/__tests__/services/oauth-service-pkce.test.ts +0 -556
package/src/__tests__/services/provider-resolver-edge-cases.test.ts +0 -591
package/src/__tests__/services/tool-protection-merged-config.test.ts +0 -485
package/src/__tests__/services/tool-protection-oauth-provider.test.ts +0 -480
package/src/__tests__/services/tool-protection.service.test.ts +0 -1373
package/src/__tests__/utils/mock-providers.ts +0 -340
package/src/cache/oauth-config-cache.d.ts +0 -69
package/src/cache/oauth-config-cache.d.ts.map +0 -1
package/src/cache/oauth-config-cache.js.map +0 -1
package/src/cache/oauth-config-cache.ts +0 -123
package/src/cache/tool-protection-cache.ts +0 -171
package/src/compliance/EXAMPLE.md +0 -412
package/src/compliance/__tests__/schema-verifier.test.ts +0 -797
package/src/compliance/index.ts +0 -8
package/src/compliance/schema-registry.ts +0 -460
package/src/compliance/schema-verifier.ts +0 -708
package/src/config/__tests__/merged-config.spec.ts +0 -445
package/src/config/__tests__/remote-config.spec.ts +0 -268
package/src/config/remote-config.ts +0 -264
package/src/config.ts +0 -312
package/src/delegation/__tests__/audience-validator.test.ts +0 -112
package/src/delegation/__tests__/bitstring.test.ts +0 -346
package/src/delegation/__tests__/cascading-revocation.test.ts +0 -628
package/src/delegation/__tests__/delegation-graph.test.ts +0 -584
package/src/delegation/__tests__/did-key-resolver.test.ts +0 -265
package/src/delegation/__tests__/utils.test.ts +0 -152
package/src/delegation/__tests__/vc-issuer.test.ts +0 -442
package/src/delegation/__tests__/vc-verifier.test.ts +0 -922
package/src/delegation/audience-validator.ts +0 -52
package/src/delegation/bitstring.ts +0 -278
package/src/delegation/cascading-revocation.ts +0 -370
package/src/delegation/delegation-graph.ts +0 -299
package/src/delegation/did-key-resolver.ts +0 -179
package/src/delegation/index.ts +0 -14
package/src/delegation/statuslist-manager.ts +0 -353
package/src/delegation/storage/__tests__/memory-graph-storage.test.ts +0 -366
package/src/delegation/storage/__tests__/memory-statuslist-storage.test.ts +0 -228
package/src/delegation/storage/index.ts +0 -9
package/src/delegation/storage/memory-graph-storage.ts +0 -178
package/src/delegation/storage/memory-statuslist-storage.ts +0 -77
package/src/delegation/utils.ts +0 -221
package/src/delegation/vc-issuer.ts +0 -232
package/src/delegation/vc-verifier.ts +0 -568
package/src/identity/idp-token-resolver.ts +0 -181
package/src/identity/idp-token-storage.interface.ts +0 -94
package/src/identity/user-did-manager.ts +0 -526
package/src/index.ts +0 -310
package/src/providers/base.d.ts +0 -91
package/src/providers/base.d.ts.map +0 -1
package/src/providers/base.js.map +0 -1
package/src/providers/base.ts +0 -96
package/src/providers/memory.ts +0 -142
package/src/runtime/audit-logger.ts +0 -39
package/src/runtime/base.ts +0 -1392
package/src/services/__tests__/access-control.integration.test.ts +0 -443
package/src/services/__tests__/access-control.proof-response-validation.test.ts +0 -578
package/src/services/__tests__/access-control.service.test.ts +0 -970
package/src/services/__tests__/batch-delegation.service.test.ts +0 -351
package/src/services/__tests__/crypto.service.test.ts +0 -531
package/src/services/__tests__/oauth-provider-registry.test.ts +0 -142
package/src/services/__tests__/proof-verifier.integration.test.ts +0 -485
package/src/services/__tests__/proof-verifier.test.ts +0 -489
package/src/services/__tests__/provider-resolution.integration.test.ts +0 -202
package/src/services/__tests__/provider-resolver.test.ts +0 -213
package/src/services/__tests__/storage.service.test.ts +0 -358
package/src/services/access-control.service.ts +0 -990
package/src/services/authorization/authorization-registry.ts +0 -66
package/src/services/authorization/types.ts +0 -71
package/src/services/batch-delegation.service.ts +0 -137
package/src/services/crypto.service.ts +0 -302
package/src/services/errors.ts +0 -76
package/src/services/index.ts +0 -18
package/src/services/oauth-config.service.d.ts +0 -53
package/src/services/oauth-config.service.d.ts.map +0 -1
package/src/services/oauth-config.service.js.map +0 -1
package/src/services/oauth-config.service.ts +0 -192
package/src/services/oauth-provider-registry.d.ts +0 -57
package/src/services/oauth-provider-registry.d.ts.map +0 -1
package/src/services/oauth-provider-registry.js.map +0 -1
package/src/services/oauth-provider-registry.ts +0 -141
package/src/services/oauth-service.ts +0 -544
package/src/services/oauth-token-retrieval.service.ts +0 -245
package/src/services/proof-verifier.ts +0 -478
package/src/services/provider-resolver.d.ts +0 -48
package/src/services/provider-resolver.d.ts.map +0 -1
package/src/services/provider-resolver.js.map +0 -1
package/src/services/provider-resolver.ts +0 -146
package/src/services/provider-validator.ts +0 -170
package/src/services/session-registration.service.ts +0 -251
package/src/services/storage.service.ts +0 -566
package/src/services/tool-context-builder.ts +0 -237
package/src/services/tool-protection.service.ts +0 -1070
package/src/types/oauth-required-error.ts +0 -63
package/src/types/tool-protection.ts +0 -155
package/src/utils/__tests__/did-helpers.test.ts +0 -156
package/src/utils/base58.ts +0 -109
package/src/utils/base64.ts +0 -148
package/src/utils/cors.ts +0 -83
package/src/utils/did-helpers.ts +0 -210
package/src/utils/index.ts +0 -8
package/src/utils/storage-keys.ts +0 -278
package/tsconfig.json +0 -21
package/vitest.config.ts +0 -56

package/src/services/oauth-service.ts DELETED Viewed

@@ -1,544 +0,0 @@
-/**
- * OAuth Service
- *
- * Handles OAuth token exchange and refresh using PKCE (Proof Key for Code Exchange).
- * Supports both direct PKCE exchange with OAuth providers and proxy mode via AgentShield.
- *
- * @package @kya-os/mcp-i-core
- */
-import type { FetchProvider } from "../providers/base.js";
-import type { OAuthConfigService } from "./oauth-config.service.js";
-import type { IdpTokens, OAuthProvider } from "@kya-os/contracts/config";
-export interface OAuthServiceConfig {
-  /** OAuth config service for fetching provider configurations */
-  configService: OAuthConfigService;
-  /** Fetch provider for making HTTP requests */
-  fetchProvider: FetchProvider;
-  /** AgentShield API URL (for proxy mode) */
-  agentShieldApiUrl: string;
-  /** AgentShield API key (for proxy mode) */
-  agentShieldApiKey: string;
-  /** Project ID for fetching OAuth config */
-  projectId: string;
-  /** Optional logger callback for diagnostics */
-  logger?: (message: string, data?: unknown) => void;
-}
-/**
- * Service for OAuth token exchange and refresh
- */
-export class OAuthService {
-  private config: Required<Omit<OAuthServiceConfig, "logger">> & {
-    logger: (message: string, data?: unknown) => void;
-  };
-  constructor(config: OAuthServiceConfig) {
-    this.config = {
-      configService: config.configService,
-      fetchProvider: config.fetchProvider,
-      agentShieldApiUrl: config.agentShieldApiUrl,
-      agentShieldApiKey: config.agentShieldApiKey,
-      projectId: config.projectId,
-      logger: config.logger || (() => {}),
-    };
-  }
-  /**
-   * Exchange authorization code for IDP tokens using PKCE
-   *
-   * For PKCE providers: Exchanges code directly with OAuth provider (no client secret)
-   * For proxy mode: Exchanges code via AgentShield API
-   *
-   * @param provider - OAuth provider name (e.g., "github", "google")
-   * @param code - Authorization code from OAuth callback
-   * @param codeVerifier - PKCE code verifier (optional for non-PKCE providers in proxy mode)
-   * @param redirectUri - Redirect URI used in authorization request
-   * @returns IDP tokens (access_token, refresh_token, expires_at, etc.)
-   */
-  async exchangeToken(
-    provider: string,
-    code: string,
-    codeVerifier?: string,
-    redirectUri?: string
-  ): Promise<IdpTokens> {
-    // Fetch provider config
-    const oauthConfig = await this.config.configService.getOAuthConfig(
-      this.config.projectId
-    );
-    const providerConfig = oauthConfig.providers[provider];
-    if (!providerConfig) {
-      throw new Error(`Provider "${provider}" not configured for project "${this.config.projectId}"`);
-    }
-    // For PKCE providers, require codeVerifier
-    if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
-      if (!codeVerifier) {
-        throw new Error(
-          `Provider "${provider}" requires PKCE code_verifier for token exchange`
-        );
-      }
-      return this.exchangeTokenPKCE(
-        providerConfig,
-        code,
-        codeVerifier,
-        redirectUri || ""
-      );
-    }
-    // For proxy mode, codeVerifier is optional (only included if PKCE is supported)
-    if (providerConfig.proxyMode) {
-      return this.exchangeTokenProxy(
-        providerConfig,
-        code,
-        codeVerifier,
-        redirectUri || ""
-      );
-    }
-    throw new Error(
-      `Provider "${provider}" configuration is invalid: must support PKCE or use proxy mode`
-    );
-  }
-  /**
-   * Exchange token directly with OAuth provider using PKCE
-   */
-  private async exchangeTokenPKCE(
-    providerConfig: OAuthProvider,
-    code: string,
-    codeVerifier: string,
-    redirectUri: string
-  ): Promise<IdpTokens> {
-    this.config.logger("[OAuthService] Exchanging token with PKCE", {
-      provider: providerConfig.authorizationUrl,
-      tokenUrl: providerConfig.tokenUrl,
-      hasClientSecret: !!providerConfig.clientSecret,
-    });
-    // Build token exchange parameters
-    // Note: GitHub OAuth Apps require client_secret even with PKCE
-    // (GitHub Apps can use PKCE without client_secret, but OAuth Apps cannot)
-    const params: Record<string, string> = {
-      grant_type: "authorization_code",
-      code,
-      redirect_uri: redirectUri,
-      client_id: providerConfig.clientId,
-      code_verifier: codeVerifier,
-    };
-    // Include client_secret if provider has one configured
-    // This is required for GitHub OAuth Apps and other providers that need it
-    if (providerConfig.clientSecret) {
-      params.client_secret = providerConfig.clientSecret;
-    }
-    const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json",
-      },
-      body: new URLSearchParams(params).toString(),
-    });
-    if (!response.ok) {
-      const errorText = await response.text().catch(() => "Unknown error");
-      let errorData: any;
-      try {
-        errorData = JSON.parse(errorText);
-      } catch {
-        errorData = { error: errorText };
-      }
-      const errorMessage =
-        errorData.error_description || errorData.error || errorText;
-      this.config.logger("[OAuthService] Token exchange failed", {
-        status: response.status,
-        error: errorMessage,
-        provider: providerConfig.tokenUrl,
-      });
-      throw new Error(
-        `Token exchange failed: ${errorMessage} (${response.status})`
-      );
-    }
-    const tokens = await response.json() as {
-      access_token?: string;
-      refresh_token?: string;
-      expires_in?: number;
-      token_type?: string;
-      scope?: string;
-      // GitHub returns errors with 200 status!
-      error?: string;
-      error_description?: string;
-      error_uri?: string;
-    };
-    // GitHub returns errors with 200 status - check for error field first
-    if (tokens.error) {
-      this.config.logger("[OAuthService] Token exchange returned error (200 status)", {
-        error: tokens.error,
-        errorDescription: tokens.error_description,
-        errorUri: tokens.error_uri,
-        provider: providerConfig.tokenUrl,
-        responseKeys: Object.keys(tokens),
-      });
-      throw new Error(
-        `Token exchange failed: ${tokens.error_description || tokens.error}`
-      );
-    }
-    // Validate required fields
-    if (!tokens.access_token) {
-      this.config.logger("[OAuthService] Token response missing access_token", {
-        responseKeys: Object.keys(tokens),
-        provider: providerConfig.tokenUrl,
-      });
-      throw new Error("Token response missing access_token");
-    }
-    // Calculate expiration timestamp
-    const expiresIn = tokens.expires_in || 3600; // Default 1 hour
-    const expiresAt = Date.now() + expiresIn * 1000;
-    const idpTokens: IdpTokens = {
-      access_token: tokens.access_token,
-      refresh_token: tokens.refresh_token,
-      expires_in: expiresIn,
-      expires_at: expiresAt,
-      token_type: tokens.token_type || "Bearer",
-      scope: tokens.scope,
-    };
-    this.config.logger("[OAuthService] Token exchange successful", {
-      provider: providerConfig.tokenUrl,
-      expiresAt: new Date(expiresAt).toISOString(),
-      hasRefreshToken: !!idpTokens.refresh_token,
-    });
-    return idpTokens;
-  }
-  /**
-   * Exchange token via AgentShield proxy (for providers that require proxy mode)
-   *
-   * Note: For Phase 3 two-step flow, OAuth tokens are retrieved separately via
-   * OAuthTokenRetrievalService in the callback handler. This method maintains
-   * backward compatibility for direct proxy mode usage.
-   */
-  private async exchangeTokenProxy(
-    providerConfig: OAuthProvider,
-    code: string,
-    codeVerifier?: string,
-    redirectUri?: string
-  ): Promise<IdpTokens> {
-    // Exchange via AgentShield proxy endpoint
-    const proxyUrl = `${this.config.agentShieldApiUrl}/api/v1/oauth/token`;
-    this.config.logger("[OAuthService] Exchanging token via proxy", {
-      proxyUrl,
-      provider: providerConfig.authorizationUrl,
-      hasCodeVerifier: !!codeVerifier,
-      supportsPKCE: providerConfig.supportsPKCE,
-    });
-    // Build request body - only include code_verifier if PKCE is supported and provided
-    const requestBody: Record<string, string> = {
-      grant_type: "authorization_code",
-      code,
-      redirect_uri: redirectUri || "",
-      provider: providerConfig.authorizationUrl,
-      project_id: this.config.projectId,
-    };
-    // Include code_verifier only if provider supports PKCE and verifier is provided
-    if (providerConfig.supportsPKCE && codeVerifier) {
-      requestBody.code_verifier = codeVerifier;
-    }
-    const response = await this.config.fetchProvider.fetch(proxyUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${this.config.agentShieldApiKey}`,
-      },
-      body: JSON.stringify(requestBody),
-    });
-    if (!response.ok) {
-      const errorText = await response.text().catch(() => "Unknown error");
-      let errorData: any;
-      try {
-        errorData = JSON.parse(errorText);
-      } catch {
-        errorData = { error: errorText };
-      }
-      const errorMessage =
-        errorData.error_description || errorData.error || errorText;
-      this.config.logger("[OAuthService] Proxy token exchange failed", {
-        status: response.status,
-        error: errorMessage,
-        proxyUrl,
-      });
-      throw new Error(
-        `Proxy token exchange failed: ${errorMessage} (${response.status})`
-      );
-    }
-    const result = await response.json() as {
-      data?: {
-        access_token: string;
-        refresh_token?: string;
-        expires_in?: number;
-        token_type?: string;
-        scope?: string;
-      };
-      access_token?: string;
-      refresh_token?: string;
-      expires_in?: number;
-      token_type?: string;
-      scope?: string;
-    };
-    const tokens = result.data || result;
-    // Validate required fields
-    if (!tokens.access_token) {
-      throw new Error("Proxy token response missing access_token");
-    }
-    // Calculate expiration timestamp
-    const expiresIn = tokens.expires_in || 3600; // Default 1 hour
-    const expiresAt = Date.now() + expiresIn * 1000;
-    const idpTokens: IdpTokens = {
-      access_token: tokens.access_token,
-      refresh_token: tokens.refresh_token,
-      expires_in: expiresIn,
-      expires_at: expiresAt,
-      token_type: tokens.token_type || "Bearer",
-      scope: tokens.scope,
-    };
-    this.config.logger("[OAuthService] Proxy token exchange successful", {
-      proxyUrl,
-      expiresAt: new Date(expiresAt).toISOString(),
-      hasRefreshToken: !!idpTokens.refresh_token,
-    });
-    return idpTokens;
-  }
-  /**
-   * Refresh IDP access token using refresh token
-   *
-   * For PKCE providers: Refreshes directly with OAuth provider
-   * For proxy mode: Refreshes via AgentShield API
-   *
-   * @param provider - OAuth provider name
-   * @param refreshToken - Refresh token from previous token exchange
-   * @returns New IDP tokens or null if refresh failed
-   */
-  async refreshToken(
-    provider: string,
-    refreshToken: string
-  ): Promise<IdpTokens | null> {
-    // Fetch provider config
-    const oauthConfig = await this.config.configService.getOAuthConfig(
-      this.config.projectId
-    );
-    const providerConfig = oauthConfig.providers[provider];
-    if (!providerConfig) {
-      this.config.logger("[OAuthService] Provider not found for refresh", {
-        provider,
-      });
-      return null;
-    }
-    // For PKCE providers, refresh directly with OAuth provider
-    if (providerConfig.supportsPKCE && !providerConfig.proxyMode) {
-      return this.refreshTokenPKCE(providerConfig, refreshToken);
-    }
-    // For proxy mode, refresh via AgentShield
-    if (providerConfig.proxyMode) {
-      return this.refreshTokenProxy(providerConfig, refreshToken);
-    }
-    return null;
-  }
-  /**
-   * Refresh token directly with OAuth provider using PKCE
-   */
-  private async refreshTokenPKCE(
-    providerConfig: OAuthProvider,
-    refreshToken: string
-  ): Promise<IdpTokens | null> {
-    this.config.logger("[OAuthService] Refreshing token with PKCE", {
-      provider: providerConfig.tokenUrl,
-    });
-    try {
-      const response = await this.config.fetchProvider.fetch(providerConfig.tokenUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded",
-          Accept: "application/json",
-        },
-        body: new URLSearchParams({
-          grant_type: "refresh_token",
-          refresh_token: refreshToken,
-          client_id: providerConfig.clientId,
-        }).toString(),
-      });
-      if (!response.ok) {
-        this.config.logger("[OAuthService] Token refresh failed", {
-          status: response.status,
-          provider: providerConfig.tokenUrl,
-        });
-        return null;
-      }
-      const tokens = await response.json() as {
-        access_token: string;
-        refresh_token?: string;
-        expires_in?: number;
-        token_type?: string;
-        scope?: string;
-      };
-      if (!tokens.access_token) {
-        this.config.logger("[OAuthService] Token refresh response missing access_token");
-        return null;
-      }
-      // Calculate expiration timestamp
-      const expiresIn = tokens.expires_in || 3600; // Default 1 hour
-      const expiresAt = Date.now() + expiresIn * 1000;
-      const idpTokens: IdpTokens = {
-        access_token: tokens.access_token,
-        refresh_token: tokens.refresh_token || refreshToken, // Use new refresh token if provided, otherwise keep old one
-        expires_in: expiresIn,
-        expires_at: expiresAt,
-        token_type: tokens.token_type || "Bearer",
-        scope: tokens.scope,
-      };
-      this.config.logger("[OAuthService] Token refresh successful", {
-        provider: providerConfig.tokenUrl,
-        expiresAt: new Date(expiresAt).toISOString(),
-      });
-      return idpTokens;
-    } catch (error) {
-      this.config.logger("[OAuthService] Token refresh error", {
-        error: error instanceof Error ? error.message : String(error),
-        provider: providerConfig.tokenUrl,
-      });
-      return null;
-    }
-  }
-  /**
-   * Refresh token via AgentShield proxy
-   */
-  private async refreshTokenProxy(
-    providerConfig: OAuthProvider,
-    refreshToken: string
-  ): Promise<IdpTokens | null> {
-    const proxyUrl = `${this.config.agentShieldApiUrl}/api/v1/oauth/token`;
-    this.config.logger("[OAuthService] Refreshing token via proxy", {
-      proxyUrl,
-      provider: providerConfig.authorizationUrl,
-    });
-    try {
-      const response = await this.config.fetchProvider.fetch(proxyUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Authorization: `Bearer ${this.config.agentShieldApiKey}`,
-        },
-        body: JSON.stringify({
-          grant_type: "refresh_token",
-          refresh_token: refreshToken,
-          provider: providerConfig.authorizationUrl,
-          project_id: this.config.projectId,
-        }),
-      });
-      if (!response.ok) {
-        this.config.logger("[OAuthService] Proxy token refresh failed", {
-          status: response.status,
-          proxyUrl,
-        });
-        return null;
-      }
-      const result = await response.json() as {
-        data?: {
-          access_token: string;
-          refresh_token?: string;
-          expires_in?: number;
-          token_type?: string;
-          scope?: string;
-        };
-        access_token?: string;
-        refresh_token?: string;
-        expires_in?: number;
-        token_type?: string;
-        scope?: string;
-      };
-      const tokens = result.data || result;
-      if (!tokens.access_token) {
-        this.config.logger("[OAuthService] Proxy token refresh response missing access_token");
-        return null;
-      }
-      // Calculate expiration timestamp
-      const expiresIn = tokens.expires_in || 3600; // Default 1 hour
-      const expiresAt = Date.now() + expiresIn * 1000;
-      const idpTokens: IdpTokens = {
-        access_token: tokens.access_token,
-        refresh_token: tokens.refresh_token || refreshToken,
-        expires_in: expiresIn,
-        expires_at: expiresAt,
-        token_type: tokens.token_type || "Bearer",
-        scope: tokens.scope,
-      };
-      this.config.logger("[OAuthService] Proxy token refresh successful", {
-        proxyUrl,
-        expiresAt: new Date(expiresAt).toISOString(),
-      });
-      return idpTokens;
-    } catch (error) {
-      this.config.logger("[OAuthService] Proxy token refresh error", {
-        error: error instanceof Error ? error.message : String(error),
-        proxyUrl,
-      });
-      return null;
-    }
-  }
-}