feat(mcp): rotate refresh tokens for SDK auth

[kunickiaj]

Description

Adds refresh-token support to the SDK OAuth provider adapter.

Key points:

• Adds an in-memory refresh-token grant store with HMAC-at-rest token hashes.
• Issues refresh tokens alongside authorization-code access tokens.
• Implements dual-token rotation for refresh-token grants.
• Accepts one previous refresh token for retry tolerance, while preventing forked chains by invalidating the then-current token on previous-token retry.
• Detects older refresh-token replay, revokes the grant, and cascades access-token revocation.
• Preserves RFC 8707 resource binding across access tokens, refresh grants, refresh rotation, and AuthInfo.resource.
• Rejects access tokens whose bound audience does not match the configured MCP resource URL.

Type of Change

• 🚀 Feature (new functionality)
• 🐛 Bug fix (fixes an issue)
• 📚 Documentation (docs-only change)
• 🔧 Maintenance (refactor, chore, CI, etc.)
• 🧪 Testing (test-only changes)

Testing

• Relevant checks pass locally (pnpm run tsc, pnpm run lint, pnpm run test)
• Added/updated tests for changes
• Manually verified changes work as expected

Validation run:

• pnpm run lint
• pnpm run tsc
• pnpm exec vitest run packages/mcp-server/src/http.test.ts packages/mcp-server/src/oauth.test.ts packages/mcp-server/src/provider.test.ts
• pnpm run test
• CodeReviewer re-review: no blockers

Checklist

• Code follows project style (pnpm run lint passes for touched files)
• Self-review completed
• Documentation updated (if needed)
• No new warnings introduced

Docs are deferred to the final remote MCP OAuth docs/release validation slice.

[kunickiaj]

• feat(mcp): polish OAuth metadata and refresh audits #1144
• feat(mcp): rotate refresh tokens for SDK auth #1143 👈 (View in Graphite)
• feat(mcp): mount SDK auth router on Express #1142
• feat(mcp): add SDK OAuth provider adapter #1141
• chore(mcp): add express deps for SDK auth router migration #1140
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4e26858418

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[kunickiaj]

Merge activity

• May 24, 1:33 AM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 24, 1:41 AM UTC: Graphite rebased this pull request as part of a merge.
• May 24, 1:42 AM UTC: @kunickiaj merged this pull request with Graphite.