@vellumai/credential-executor 0.4.55 → 0.4.56

package/src/grants/rpc-handlers.ts

@@ -36,29 +36,29 @@ import type { RpcMethodHandler } from "../server.js";
 
 /**
  * Project a CES internal PersistentGrant into the wire-format
- * PersistentGrantRecord. The internal store uses a simpler schema;
- * the wire format includes additional status/lifecycle fields.
- *
- * Since the persistent store does not track lifecycle states (expiry,
- * revocation, consumption), all persisted grants are considered "active".
+ * PersistentGrantRecord. Maps real fields from the persistent store
+ * schema into the wire contract.
  */
-function projectGrant(
-  grant: PersistentGrant,
-  sessionId: string,
-): PersistentGrantRecord {
+function projectGrant(grant: PersistentGrant): PersistentGrantRecord {
   return {
     grantId: grant.id,
-    sessionId,
+    sessionId: grant.sessionId,
     credentialHandle: grant.scope,
-    proposalType: grant.tool as "http" | "command",
+    proposalType:
+      grant.tool === "http" || grant.tool === "command"
+        ? grant.tool
+        : "command",
     proposalHash: grant.id,
     allowedPurposes: [grant.pattern],
-    status: "active",
+    status: grant.revokedAt != null ? "revoked" : "active",
     grantedBy: "user",
     createdAt: new Date(grant.createdAt).toISOString(),
     expiresAt: null,
     consumedAt: null,
-    revokedAt: null,
+    revokedAt:
+      grant.revokedAt != null
+        ? new Date(grant.revokedAt).toISOString()
+        : null,
   };
 }
 
@@ -94,30 +94,52 @@ export function createRecordGrantHandler(
       return { success: true };
     }
 
-    // Build a PersistentGrant from the decision.
     const proposal = decision.proposal;
     const now = Date.now();
     const grantId = decision.proposalHash;
 
-    const persistentGrant: PersistentGrant = {
-      id: grantId,
-      tool: proposal.type,
-      pattern:
-        proposal.type === "http"
-          ? `${proposal.method} ${proposal.url}`
-          : proposal.command,
-      scope: proposal.credentialHandle,
-      createdAt: now,
-    };
-
-    // Persist the grant.
-    deps.persistentGrantStore.add(persistentGrant);
+    // Determine the grant type. When omitted (backwards compat), default
+    // to `always_allow` so existing callers that don't send `grantType`
+    // continue to create persistent grants.
+    const grantType = decision.grantType ?? "always_allow";
+
+    // Only `always_allow` creates a persistent grant. All other approved
+    // decisions create only a temporary grant — this prevents allow_once,
+    // allow_10m, and allow_conversation from becoming effectively permanent.
+    if (grantType === "always_allow") {
+      let pattern: string;
+      if (proposal.type === "http") {
+        // Use the templated allowedUrlPatterns (e.g. "https://api.example.com/repos/{:uuid}/pulls")
+        // so the persistent grant covers future requests with different IDs but the same URL structure.
+        // Falls back to the exact URL only if allowedUrlPatterns is missing.
+        const urlPattern = proposal.allowedUrlPatterns?.[0] ?? proposal.url;
+        pattern = `${proposal.method} ${urlPattern}`;
+      } else {
+        pattern = proposal.allowedCommandPatterns?.[0] ?? proposal.command;
+      }
+      const persistentGrant: PersistentGrant = {
+        id: grantId,
+        tool: proposal.type,
+        pattern,
+        scope: proposal.credentialHandle,
+        createdAt: now,
+        sessionId,
+      };
+      deps.persistentGrantStore.add(persistentGrant);
+    }
 
-    // Also record a temporary grant so the caller can use it immediately.
-    // Map TTL to the appropriate temporary grant kind.
-    if (decision.ttl === "PT10M") {
+    // Record a temporary grant so the caller can use it immediately.
+    // For `always_allow`, an `allow_once` temp grant bridges the gap until
+    // the next policy check hits the persistent store.
+    if (grantType === "allow_10m") {
       deps.temporaryGrantStore.add("allow_10m", decision.proposalHash);
+    } else if (grantType === "allow_conversation") {
+      deps.temporaryGrantStore.add("allow_conversation", decision.proposalHash, {
+        conversationId: request.conversationId ?? sessionId,
+      });
     } else {
+      // allow_once and always_allow both get a single-use temp grant
+      // for immediate retry.
       deps.temporaryGrantStore.add("allow_once", decision.proposalHash);
     }
 
@@ -158,23 +180,23 @@ export function createRecordGrantHandler(
 
 export interface ListGrantsHandlerDeps {
   persistentGrantStore: PersistentGrantStore;
-  /** Default session ID for grants that don't track session. */
-  sessionId: string;
 }
 
 /**
  * Create an RPC handler for the `list_grants` method.
  *
- * Lists all persistent grants, optionally filtered by session ID,
- * credential handle, or status. Returns wire-format PersistentGrantRecords
- * that never include raw secret material.
+ * Lists all persistent grants (including revoked, for audit trail),
+ * optionally filtered by session ID, credential handle, or status.
+ * Returns wire-format PersistentGrantRecords that never include raw
+ * secret material.
  */
 export function createListGrantsHandler(
   deps: ListGrantsHandlerDeps,
 ): RpcMethodHandler<ListGrants, ListGrantsResponse> {
   return (request) => {
-    const allGrants = deps.persistentGrantStore.getAll();
-    const projected = allGrants.map((g) => projectGrant(g, deps.sessionId));
+    // Include revoked grants in the listing for audit visibility.
+    const allGrants = deps.persistentGrantStore.getAllIncludingRevoked();
+    const projected = allGrants.map((g) => projectGrant(g));
 
     let filtered = projected;
 
@@ -207,22 +229,24 @@ export interface RevokeGrantHandlerDeps {
 /**
  * Create an RPC handler for the `revoke_grant` method.
  *
- * Removes a grant from the persistent store by its stable ID. Returns
- * success/failure. The reason field is logged but not persisted (the
- * persistent store does not track revocation metadata).
+ * Marks a grant as revoked in the persistent store by its stable ID,
+ * preserving the record for audit trail. Returns success/failure.
  */
 export function createRevokeGrantHandler(
   deps: RevokeGrantHandlerDeps,
 ): RpcMethodHandler<RevokeGrant, RevokeGrantResponse> {
   return (request) => {
-    const removed = deps.persistentGrantStore.remove(request.grantId);
+    const revoked = deps.persistentGrantStore.markRevoked(
+      request.grantId,
+      request.reason,
+    );
 
-    if (!removed) {
+    if (!revoked) {
       return {
         success: false,
         error: {
           code: "GRANT_NOT_FOUND",
-          message: `No grant found with ID "${request.grantId}"`,
+          message: `No grant found with ID "${request.grantId}" (or already revoked)`,
         },
       };
     }

package/src/grants/temporary-store.ts

@@ -1,7 +1,7 @@
 /**
  * CES in-memory temporary grant store.
  *
- * Manages grants for `allow_once`, `allow_10m`, and `allow_thread` decisions.
+ * Manages grants for `allow_once`, `allow_10m`, and `allow_conversation` decisions.
  * All state is in-memory — temporary grants never survive a process restart,
  * which is the desired behaviour for ephemeral approvals.
  *
@@ -9,26 +9,26 @@
  * - `allow_once`: Keyed by proposal hash. Consumed (deleted) on first use.
  * - `allow_10m`: Keyed by proposal hash. Checked for expiry on every read;
  *   expired entries are lazily purged.
- * - `allow_thread`: Keyed by proposal hash + conversation ID. Scoped to a
- *   single conversation thread.
+ * - `allow_conversation`: Keyed by proposal hash + conversation ID. Scoped to a
+ *   single conversation.
  */
 
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
 
-export type TemporaryGrantKind = "allow_once" | "allow_10m" | "allow_thread";
+export type TemporaryGrantKind = "allow_once" | "allow_10m" | "allow_conversation";
 
 export interface TemporaryGrant {
   /** The kind of temporary grant. */
   kind: TemporaryGrantKind;
   /** Canonical proposal hash identifying the operation being granted. */
   proposalHash: string;
-  /** Conversation ID — required for `allow_thread`, ignored otherwise. */
+  /** Conversation ID — required for `allow_conversation`, ignored otherwise. */
   conversationId?: string;
   /** When the grant was created (epoch ms). */
   createdAt: number;
-  /** When the grant expires (epoch ms). Only set for `allow_10m`. */
+  /** When the grant expires (epoch ms). Set for `allow_10m`; optionally set for `allow_once`. */
   expiresAt?: number;
 }
 
@@ -43,20 +43,20 @@ const DEFAULT_TIMED_DURATION_MS = 10 * 60 * 1000;
  * Compute the storage key for a temporary grant.
  *
  * - `allow_once` / `allow_10m`: keyed by proposal hash alone.
- * - `allow_thread`: keyed by proposal hash + conversation ID.
+ * - `allow_conversation`: keyed by proposal hash + conversation ID.
  */
 function storageKey(
   kind: TemporaryGrantKind,
   proposalHash: string,
   conversationId?: string,
 ): string {
-  if (kind === "allow_thread") {
+  if (kind === "allow_conversation") {
     if (!conversationId) {
       throw new Error(
-        "allow_thread grants require a conversationId",
+        "allow_conversation grants require a conversationId",
       );
     }
-    return `thread:${conversationId}:${proposalHash}`;
+    return `conversation:${conversationId}:${proposalHash}`;
   }
   return `${kind}:${proposalHash}`;
 }
@@ -76,7 +76,7 @@ export class TemporaryGrantStore {
    *
    * @param kind - The type of temporary grant.
    * @param proposalHash - Canonical hash of the operation proposal.
-   * @param options - Additional options (conversationId for thread grants,
+   * @param options - Additional options (conversationId for conversation grants,
    *   custom duration for timed grants).
    */
   add(
@@ -102,6 +102,8 @@ export class TemporaryGrantStore {
     if (kind === "allow_10m") {
       grant.expiresAt =
         Date.now() + (options?.durationMs ?? DEFAULT_TIMED_DURATION_MS);
+    } else if (kind === "allow_once" && options?.durationMs !== undefined) {
+      grant.expiresAt = Date.now() + options.durationMs;
     }
 
     this.store.set(key, grant);
@@ -113,7 +115,7 @@ export class TemporaryGrantStore {
    * - `allow_once`: Returns `true` and **consumes** the grant (deletes it).
    * - `allow_10m`: Returns `true` only if the grant has not expired.
    *   Expired grants are lazily purged.
-   * - `allow_thread`: Returns `true` only if a grant exists for the given
+   * - `allow_conversation`: Returns `true` only if a grant exists for the given
    *   proposal hash scoped to the specified conversation ID.
    *
    * Returns `false` if no matching grant exists.
@@ -128,6 +130,11 @@ export class TemporaryGrantStore {
     if (!grant) return false;
 
     if (grant.kind === "allow_once") {
+      // Check TTL if set
+      if (grant.expiresAt !== undefined && Date.now() >= grant.expiresAt) {
+        this.store.delete(key);
+        return false;
+      }
       // Consume on first use
       this.store.delete(key);
       return true;
@@ -142,7 +149,7 @@ export class TemporaryGrantStore {
       return true;
     }
 
-    // allow_thread — no expiry, just existence check
+    // allow_conversation — no expiry, just existence check
     return true;
   }
 
@@ -150,7 +157,7 @@ export class TemporaryGrantStore {
    * Check whether any kind of active temporary grant exists for the given
    * proposal hash and optional conversation ID.
    *
-   * Checks `allow_once`, `allow_10m`, and `allow_thread` in order.
+   * Checks `allow_once`, `allow_10m`, and `allow_conversation` in order.
    * Returns the kind of the matched grant, or `undefined` if none match.
    *
    * Note: If an `allow_once` grant matches, it is consumed.
@@ -165,9 +172,9 @@ export class TemporaryGrantStore {
     // Check allow_10m
     if (this.check("allow_10m", proposalHash)) return "allow_10m";
 
-    // Check allow_thread (requires conversationId)
-    if (conversationId && this.check("allow_thread", proposalHash, conversationId)) {
-      return "allow_thread";
+    // Check allow_conversation (requires conversationId)
+    if (conversationId && this.check("allow_conversation", proposalHash, conversationId)) {
+      return "allow_conversation";
     }
 
     return undefined;
@@ -190,11 +197,11 @@ export class TemporaryGrantStore {
   /**
    * Remove all temporary grants for a given conversation ID.
    *
-   * Useful when a conversation/thread ends. Only removes `allow_thread`
+   * Useful when a conversation ends. Only removes `allow_conversation`
    * grants scoped to that conversation.
    */
   clearConversation(conversationId: string): void {
-    const prefix = `thread:${conversationId}:`;
+    const prefix = `conversation:${conversationId}:`;
     for (const key of this.store.keys()) {
       if (key.startsWith(prefix)) {
         this.store.delete(key);

package/src/http/executor.ts

@@ -28,18 +28,22 @@ import type {
   MakeAuthenticatedRequestResponse,
 } from "@vellumai/ces-contracts";
 import { HandleType, parseHandle, hashProposal } from "@vellumai/ces-contracts";
+import type { InjectionTemplate } from "@vellumai/credential-storage";
 
 import { evaluateHttpPolicy, type PolicyResult } from "./policy.js";
 import { filterHttpResponse, type RawHttpResponse } from "./response-filter.js";
 import { generateHttpAuditSummary } from "./audit.js";
 
+import type { AuditStore } from "../audit/store.js";
 import type { PersistentGrantStore } from "../grants/persistent-store.js";
 import type { TemporaryGrantStore } from "../grants/temporary-store.js";
 
 import type { LocalMaterialiser, MaterialisedCredential } from "../materializers/local.js";
 import { materializeManagedToken, type ManagedMaterializerOptions } from "../materializers/managed-platform.js";
 import { resolveLocalSubject, type LocalSubjectResolverDeps } from "../subjects/local.js";
+import { checkCredentialPolicy } from "../subjects/policy.js";
 import { resolveManagedSubject, type ManagedSubjectResolverOptions } from "../subjects/managed.js";
+import type { SessionIdRef } from "../server.js";
 
 // ---------------------------------------------------------------------------
 // Auth injection constants
@@ -75,8 +79,10 @@ export interface HttpExecutorDeps {
   managedSubjectOptions?: ManagedSubjectResolverOptions;
   /** Options for managed token materialisation (null if managed mode is unavailable). */
   managedMaterializerOptions?: ManagedMaterializerOptions;
-  /** Session ID for audit records. */
-  sessionId: string;
+  /** Audit store for persisting token-free audit records. */
+  auditStore: AuditStore;
+  /** Mutable reference to the session ID for audit records. Updated to the handshake session ID once the RPC handshake completes. */
+  sessionId: SessionIdRef;
   /** Optional custom fetch implementation (for testing). */
   fetch?: typeof globalThis.fetch;
   /** Optional logger. */
@@ -135,6 +141,7 @@ export async function executeAuthenticatedHttpRequest(
       headers: request.headers,
       purpose: request.purpose,
       grantId: request.grantId,
+      conversationId: request.conversationId,
     },
     deps.persistentGrantStore,
     deps.temporaryGrantStore,
@@ -178,13 +185,15 @@ export async function executeAuthenticatedHttpRequest(
     const audit = generateHttpAuditSummary({
       credentialHandle: request.credentialHandle,
       grantId,
-      sessionId: deps.sessionId,
+      sessionId: deps.sessionId.current,
       method: request.method,
       url: request.url,
       success: false,
       errorMessage: materialiseResult.error,
     });
 
+    try { deps.auditStore.append(audit); } catch { /* audit persistence must not block execution */ }
+
     return {
       success: false,
       error: {
@@ -198,7 +207,8 @@ export async function executeAuthenticatedHttpRequest(
   const { credential, secrets } = materialiseResult;
 
   // 4. Build the outbound request with injected auth
-  const outboundHeaders = buildOutboundHeaders(
+  const authenticated = buildAuthenticatedRequest(
+    request.url,
     request.headers ?? {},
     credential,
   );
@@ -208,12 +218,14 @@ export async function executeAuthenticatedHttpRequest(
   try {
     rawResponse = await performHttpRequest(
       request.method,
-      request.url,
-      outboundHeaders,
+      authenticated.url,
+      authenticated.headers,
       request.body,
       policyResult,
       request.credentialHandle,
       deps,
+      credential,
+      request.headers ?? {},
     );
   } catch (err) {
     const errorMessage = err instanceof Error ? err.message : String(err);
@@ -223,13 +235,15 @@ export async function executeAuthenticatedHttpRequest(
     const audit = generateHttpAuditSummary({
       credentialHandle: request.credentialHandle,
       grantId,
-      sessionId: deps.sessionId,
+      sessionId: deps.sessionId.current,
       method: request.method,
       url: request.url,
       success: false,
       errorMessage: safeError,
     });
 
+    try { deps.auditStore.append(audit); } catch { /* audit persistence must not block execution */ }
+
     return {
       success: false,
       error: {
@@ -243,17 +257,19 @@ export async function executeAuthenticatedHttpRequest(
   // 6. Filter the response through the sanitisation pipeline
   const filtered = filterHttpResponse(rawResponse, secrets);
 
-  // 7. Generate audit summary
+  // 7. Generate and persist audit summary
   const audit = generateHttpAuditSummary({
     credentialHandle: request.credentialHandle,
     grantId,
-    sessionId: deps.sessionId,
+    sessionId: deps.sessionId.current,
     method: request.method,
     url: request.url,
     success: true,
     statusCode: rawResponse.statusCode,
   });
 
+  try { deps.auditStore.append(audit); } catch { /* audit persistence must not block execution */ }
+
   logger.log(
     `[ces-http] ${request.method} ${request.url} -> ${rawResponse.statusCode} (grant=${grantId})`,
   );
@@ -299,6 +315,19 @@ async function materialiseCredential(
         return { ok: false, error: subjectResult.error };
       }
 
+      // Enforce credential-level policies for local static handles.
+      // OAuth connections don't carry allowedTools/allowedDomains in the
+      // same way, so policy checks are skipped for OAuth.
+      if (subjectResult.subject.type === HandleType.LocalStatic) {
+        const policyCheck = checkCredentialPolicy(
+          subjectResult.subject.metadata,
+          "make_authenticated_request",
+        );
+        if (!policyCheck.ok) {
+          return { ok: false, error: policyCheck.error! };
+        }
+      }
+
       // Materialise through the local materialiser
       const matResult = await deps.localMaterialiser.materialise(subjectResult.subject);
       if (!matResult.ok) {
@@ -358,18 +387,36 @@ async function materialiseCredential(
 }
 
 // ---------------------------------------------------------------------------
-// Auth header injection
+// Auth injection
 // ---------------------------------------------------------------------------
 
 /**
- * Build the outbound request headers by:
+ * Result of building an authenticated request — may contain a modified URL
+ * (e.g. when the credential is injected as a query parameter).
+ */
+interface AuthenticatedRequest {
+  headers: Record<string, string>;
+  url: string;
+}
+
+/**
+ * Build the outbound request by:
  * 1. Stripping any caller-supplied auth headers (defense-in-depth).
- * 2. Injecting the credential as an Authorization header.
+ * 2. Injecting the credential using the appropriate strategy.
+ *
+ * For `local_static` handles, the credential's `injectionTemplates` are
+ * checked for a template matching the target URL's hostname. If found,
+ * the template controls how the credential is injected (header name,
+ * value prefix, or query parameter). If no matching template exists,
+ * falls back to `Authorization: Bearer <value>`.
+ *
+ * OAuth handles always use `Authorization: Bearer <value>`.
  */
-function buildOutboundHeaders(
+function buildAuthenticatedRequest(
+  url: string,
   callerHeaders: Record<string, string>,
   credential: MaterialisedCredential,
-): Record<string, string> {
+): AuthenticatedRequest {
   const headers: Record<string, string> = {};
 
   // Copy caller headers, stripping any auth headers
@@ -379,14 +426,28 @@ function buildOutboundHeaders(
     }
   }
 
+  let finalUrl = url;
+
   // Inject credential based on handle type
   switch (credential.handleType) {
-    case HandleType.LocalStatic:
-      // Static secrets are injected as Bearer tokens by default.
-      // The subject metadata could specify a different injection strategy
-      // in the future, but for now Bearer is the safe default.
-      headers["Authorization"] = `Bearer ${credential.value}`;
+    case HandleType.LocalStatic: {
+      // Check for a matching injection template
+      const template = findMatchingTemplate(url, credential.injectionTemplates);
+      if (template) {
+        if (template.injectionType === "header") {
+          const headerName = template.headerName ?? "Authorization";
+          const prefix = template.valuePrefix ?? "";
+          headers[headerName] = `${prefix}${credential.value}`;
+        } else if (template.injectionType === "query") {
+          const paramName = template.queryParamName ?? "api_key";
+          finalUrl = appendQueryParam(url, paramName, credential.value);
+        }
+      } else {
+        // No matching template — fall back to Bearer auth
+        headers["Authorization"] = `Bearer ${credential.value}`;
+      }
       break;
+    }
 
     case HandleType.LocalOAuth:
     case HandleType.PlatformOAuth:
@@ -401,7 +462,62 @@ function buildOutboundHeaders(
       break;
   }
 
-  return headers;
+  return { headers, url: finalUrl };
+}
+
+/**
+ * Find the first injection template whose `hostPattern` matches the
+ * target URL's hostname. Returns undefined if no template matches or
+ * no templates are defined.
+ */
+function findMatchingTemplate(
+  url: string,
+  templates: InjectionTemplate[] | undefined,
+): InjectionTemplate | undefined {
+  if (!templates || templates.length === 0) return undefined;
+
+  let hostname: string;
+  try {
+    hostname = new URL(url).hostname;
+  } catch {
+    return undefined;
+  }
+
+  return templates.find((t) => matchHostPattern(t.hostPattern, hostname));
+}
+
+/**
+ * Simple glob-style host pattern matching.
+ *
+ * Supports:
+ * - Exact match: `"api.fal.ai"` matches `"api.fal.ai"`
+ * - Leading wildcard: `"*.fal.ai"` matches `"api.fal.ai"`, `"queue.fal.ai"`
+ * - Bare wildcard: `"*"` matches everything
+ */
+function matchHostPattern(pattern: string, hostname: string): boolean {
+  const lPattern = pattern.toLowerCase();
+  const lHostname = hostname.toLowerCase();
+  if (lPattern === "*") return true;
+  if (lPattern.startsWith("*.")) {
+    const suffix = lPattern.slice(1); // e.g. ".fal.ai"
+    return lHostname.endsWith(suffix) || lHostname === lPattern.slice(2);
+  }
+  return lPattern === lHostname;
+}
+
+/**
+ * Append a query parameter to a URL, preserving existing query params.
+ */
+function appendQueryParam(url: string, name: string, value: string): string {
+  try {
+    const parsed = new URL(url);
+    parsed.searchParams.set(name, value);
+    return parsed.toString();
+  } catch {
+    // If URL parsing fails, fall back to naive append
+    const separator = url.includes("?") ? "&" : "?";
+    return `${url}${separator}${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
+  }
 }
 
 // ---------------------------------------------------------------------------
@@ -420,9 +536,17 @@ async function performHttpRequest(
   originalPolicy: PolicyResult & { allowed: true },
   credentialHandle: string,
   deps: HttpExecutorDeps,
+  credential?: MaterialisedCredential,
+  callerHeaders?: Record<string, string>,
 ): Promise<RawHttpResponse> {
   const fetchFn = deps.fetch ?? globalThis.fetch;
 
+  // Preserve the original caller headers (before auth injection) so that
+  // redirect re-authentication starts from a clean slate on each hop.
+  // This prevents previously injected auth headers from being treated as
+  // caller headers and leaking credentials across redirect hops.
+  const originalCallerHeaders = callerHeaders ?? headers;
+
   let currentUrl = url;
   let currentMethod = method;
   let currentHeaders = headers;
@@ -466,14 +590,21 @@ async function performHttpRequest(
       // Resolve the redirect URL (may be relative)
       const redirectUrl = new URL(locationHeader, currentUrl).toString();
 
+      // Determine the method that will actually be used on the next hop.
+      // 303 converts any method to GET (per RFC 9110 §15.4.4); other
+      // redirect statuses preserve the method.
+      const nextMethod = response.status === 303 ? "GET" : currentMethod;
+
       // Enforce grant policy on the redirect target — the redirect must
-      // independently satisfy the same credential handle's grant policy.
+      // independently satisfy the same credential handle's grant policy
+      // using the method we will actually send.
+      // Sanitise purpose string to avoid leaking query-injected secrets.
       const redirectPolicy = evaluateHttpPolicy(
         {
           credentialHandle,
-          method: currentMethod,
+          method: nextMethod,
           url: redirectUrl,
-          purpose: `redirect from ${currentUrl}`,
+          purpose: `redirect from ${sanitiseUrl(currentUrl)}`,
         },
         deps.persistentGrantStore,
         deps.temporaryGrantStore,
@@ -485,13 +616,27 @@ async function performHttpRequest(
         );
       }
 
-      // For 303 redirects, convert to GET
+      // Apply the method/body changes for 303 redirects
       if (response.status === 303) {
         currentMethod = "GET";
         currentBody = undefined;
       }
 
-      currentUrl = redirectUrl;
+      // Re-apply auth injection for the redirect URL starting from the
+      // original caller headers — not currentHeaders which already contain
+      // auth injected on the previous hop. This prevents credential leakage
+      // across multi-redirect flows.
+      if (credential) {
+        const reAuthenticated = buildAuthenticatedRequest(
+          redirectUrl,
+          originalCallerHeaders,
+          credential,
+        );
+        currentUrl = reAuthenticated.url;
+        currentHeaders = reAuthenticated.headers;
+      } else {
+        currentUrl = redirectUrl;
+      }
       continue;
     }