Merge pull request #2355 from dgageot/auth

dgageot · web-flow · commit 5b0355b3e511 · 2026-04-09T14:54:58.000+02:00
Store OAuth tokens in OS keychain and add silent refresh token support
diff --git a/go.mod b/go.mod
@@ -7,6 +7,7 @@ require (
 	charm.land/bubbletea/v2 v2.0.2
 	charm.land/glamour/v2 v2.0.0
 	charm.land/lipgloss/v2 v2.0.2
+	github.com/99designs/keyring v1.2.2
 	github.com/JohannesKaufmann/html-to-markdown/v2 v2.5.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/a2aproject/a2a-go v0.3.13
@@ -74,7 +75,13 @@ require (
 )
 
 require (
+	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
+	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
+	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
+	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/junegunn/go-shellwords v0.0.0-20250127100254-2aa3b3277741 // indirect
+	github.com/mtibben/percent v0.2.1 // indirect
 	github.com/pb33f/jsonpath v0.8.2 // indirect
 	github.com/pb33f/ordered-map/v2 v2.3.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -14,6 +14,10 @@ cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdB
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
+github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 h1:/vQbFIOMbk2FiG/kXiLl8BRyzTWDw7gX/Hz7Dd5eDMs=
+github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4/go.mod h1:hN7oaIRCjzsZ2dE+yG5k+rsdt3qcwykqK6HVGcKwsw4=
+github.com/99designs/keyring v1.2.2 h1:pZd3neh/EmUzWONb35LxQfvuY7kiSXAq3HQd97+XBn0=
+github.com/99designs/keyring v1.2.2/go.mod h1:wes/FrByc8j7lFOAGLGSNEg8f/PaI3cgTBqhFkHUrPk=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/JohannesKaufmann/dom v0.2.0 h1:1bragmEb19K8lHAqgFgqCpiPCFEZMTXzOIEjuxkUfLQ=
@@ -175,6 +179,8 @@ github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
 github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -204,6 +210,8 @@ github.com/dop251/goja v0.0.0-20260311135729-065cd970411c h1:OcLmPfx1T1RmZVHHFwW
 github.com/dop251/goja v0.0.0-20260311135729-065cd970411c/go.mod h1:MxLav0peU43GgvwVgNbLAj1s/bSGboKkhuULvq/7hx4=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/dvsekhvalnov/jose2go v1.5.0 h1:3j8ya4Z4kMCwT5nXIKFSV84YS+HdqSSO0VsTQxaLAeM=
+github.com/dvsekhvalnov/jose2go v1.5.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
@@ -239,6 +247,8 @@ github.com/go-sourcemap/sourcemap v2.1.3+incompatible/go.mod h1:F8jJfvm2KbVjc5Nq
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
+github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0=
+github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
@@ -281,6 +291,8 @@ github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aN
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0/go.mod h1:JfhWUomR1baixubs02l85lZYYOm7LV6om4ceouMv45c=
+github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU=
+github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
@@ -361,13 +373,16 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
 github.com/mschoch/smat v0.2.0/go.mod h1:kc9mz7DoBKqDyiRL7VZN8KvXQMWeTaVnttLRXOlotKw=
+github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs=
+github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ibNBTZrns=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A=
 github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/openai/openai-go/v3 v3.30.0 h1:T8VkhqAm6BuvxwpVG+Aw+H4TcYIsbj9nqytjpWcE/aU=
@@ -591,6 +606,7 @@ google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/dnaeon/go-vcr.v4 v4.0.6 h1:PiJkrakkmzc5s7EfBnZOnyiLwi7o7A9fwPzN0X2uwe0=
diff --git a/pkg/tools/mcp/mcp.go b/pkg/tools/mcp/mcp.go
@@ -111,7 +111,7 @@ func NewRemoteToolset(name, urlString, transport string, headers map[string]stri
 	desc := buildRemoteDescription(urlString, transport)
 	return &Toolset{
 		name:        name,
-		mcpClient:   newRemoteClient(urlString, transport, headers, NewInMemoryTokenStore()),
+		mcpClient:   newRemoteClient(urlString, transport, headers, NewKeyringTokenStore()),
 		logID:       urlString,
 		description: desc,
 	}
diff --git a/pkg/tools/mcp/oauth.go b/pkg/tools/mcp/oauth.go
@@ -180,7 +180,8 @@ func (t *oauthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 
 	reqClone := req.Clone(req.Context())
 
-	if token, err := t.tokenStore.GetToken(t.baseURL); err == nil && !token.IsExpired() {
+	// Attach a valid token if available, silently refreshing if expired.
+	if token := t.getValidToken(req.Context()); token != nil {
 		reqClone.Header.Set("Authorization", "Bearer "+token.AccessToken)
 	}
 
@@ -210,6 +211,46 @@ func (t *oauthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	return resp, nil
 }
 
+// getValidToken returns a non-expired token for the server, silently refreshing
+// an expired token when a refresh token is available. Returns nil if no usable
+// token can be obtained.
+func (t *oauthTransport) getValidToken(ctx context.Context) *OAuthToken {
+	token, err := t.tokenStore.GetToken(t.baseURL)
+	if err != nil {
+		return nil
+	}
+
+	if !token.IsExpired() {
+		return token
+	}
+
+	if token.RefreshToken == "" {
+		return nil
+	}
+
+	slog.Debug("Attempting silent token refresh", "url", t.baseURL)
+
+	o := &oauth{metadataClient: &http.Client{Timeout: 5 * time.Second}}
+	metadata, err := o.getAuthorizationServerMetadata(ctx, t.baseURL)
+	if err != nil {
+		slog.Debug("Failed to fetch auth server metadata for refresh", "error", err)
+		return nil
+	}
+
+	newToken, err := RefreshAccessToken(ctx, metadata.TokenEndpoint, token.RefreshToken, "", "")
+	if err != nil {
+		slog.Debug("Token refresh failed, will require interactive auth", "error", err)
+		return nil
+	}
+
+	if err := t.tokenStore.StoreToken(t.baseURL, newToken); err != nil {
+		slog.Warn("Failed to store refreshed token", "error", err)
+	}
+
+	slog.Debug("Token refreshed successfully", "url", t.baseURL)
+	return newToken
+}
+
 // handleOAuthFlow performs the OAuth flow when a 401 response is received
 func (t *oauthTransport) handleOAuthFlow(ctx context.Context, authServer, wwwAuth string) error {
 	if t.managed {
diff --git a/pkg/tools/mcp/oauth_helpers.go b/pkg/tools/mcp/oauth_helpers.go
@@ -159,3 +159,48 @@ func RegisterClient(ctx context.Context, authMetadata *AuthorizationServerMetada
 func GeneratePKCEVerifier() string {
 	return oauth2.GenerateVerifier()
 }
+
+// RefreshAccessToken uses a refresh token to obtain a new access token
+// without user interaction.
+func RefreshAccessToken(ctx context.Context, tokenEndpoint, refreshToken, clientID, clientSecret string) (*OAuthToken, error) {
+	data := url.Values{}
+	data.Set("grant_type", "refresh_token")
+	data.Set("refresh_token", refreshToken)
+	data.Set("client_id", clientID)
+	if clientSecret != "" {
+		data.Set("client_secret", clientSecret)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenEndpoint, strings.NewReader(data.Encode()))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create refresh request: %w", err)
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to refresh token: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("token refresh failed with status %d: %s", resp.StatusCode, string(body))
+	}
+
+	var token OAuthToken
+	if err := json.NewDecoder(resp.Body).Decode(&token); err != nil {
+		return nil, fmt.Errorf("failed to decode refresh response: %w", err)
+	}
+
+	if token.ExpiresIn > 0 {
+		token.ExpiresAt = time.Now().Add(time.Duration(token.ExpiresIn) * time.Second)
+	}
+
+	// Preserve the refresh token if the server didn't issue a new one
+	if token.RefreshToken == "" {
+		token.RefreshToken = refreshToken
+	}
+
+	return &token, nil
+}
diff --git a/pkg/tools/mcp/tokenstore_keyring.go b/pkg/tools/mcp/tokenstore_keyring.go
@@ -0,0 +1,87 @@
+package mcp
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log/slog"
+
+	"github.com/99designs/keyring"
+)
+
+const keyringServiceName = "docker-agent-oauth"
+
+// KeyringTokenStore implements OAuthTokenStore using the OS-native credential store
+// (macOS Keychain, Windows Credential Manager, Linux Secret Service).
+type KeyringTokenStore struct {
+	ring keyring.Keyring
+}
+
+// NewKeyringTokenStore creates a token store backed by the OS keychain.
+// Falls back to InMemoryTokenStore if no keyring backend is available.
+func NewKeyringTokenStore() OAuthTokenStore {
+	ring, err := keyring.Open(keyring.Config{
+		ServiceName:                    keyringServiceName,
+		KeychainTrustApplication:       true,
+		KeychainSynchronizable:         false,
+		KeychainAccessibleWhenUnlocked: true,
+	})
+	if err != nil {
+		slog.Warn("OS keyring not available, falling back to in-memory token store", "error", err)
+		return NewInMemoryTokenStore()
+	}
+
+	// Validate the keyring is actually usable by attempting a get.
+	// Some backends (e.g. file) open successfully but fail on operations.
+	_, err = ring.Get("docker-agent-probe")
+	if err != nil && !errors.Is(err, keyring.ErrKeyNotFound) {
+		slog.Warn("OS keyring not usable, falling back to in-memory token store", "error", err)
+		return NewInMemoryTokenStore()
+	}
+
+	return &KeyringTokenStore{ring: ring}
+}
+
+// keyringKey returns a stable key for a given resource URL.
+func keyringKey(resourceURL string) string {
+	return "oauth:" + resourceURL
+}
+
+func (s *KeyringTokenStore) GetToken(resourceURL string) (*OAuthToken, error) {
+	item, err := s.ring.Get(keyringKey(resourceURL))
+	if err != nil {
+		if errors.Is(err, keyring.ErrKeyNotFound) {
+			return nil, fmt.Errorf("no token found for resource: %s", resourceURL)
+		}
+		return nil, fmt.Errorf("keyring get failed: %w", err)
+	}
+
+	var token OAuthToken
+	if err := json.Unmarshal(item.Data, &token); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal token: %w", err)
+	}
+
+	return &token, nil
+}
+
+func (s *KeyringTokenStore) StoreToken(resourceURL string, token *OAuthToken) error {
+	data, err := json.Marshal(token)
+	if err != nil {
+		return fmt.Errorf("failed to marshal token: %w", err)
+	}
+
+	return s.ring.Set(keyring.Item{
+		Key:         keyringKey(resourceURL),
+		Data:        data,
+		Label:       "Docker Agent OAuth Token",
+		Description: "OAuth token for " + resourceURL,
+	})
+}
+
+func (s *KeyringTokenStore) RemoveToken(resourceURL string) error {
+	err := s.ring.Remove(keyringKey(resourceURL))
+	if err != nil && !errors.Is(err, keyring.ErrKeyNotFound) {
+		return fmt.Errorf("keyring remove failed: %w", err)
+	}
+	return nil
+}
diff --git a/pkg/tools/mcp/tokenstore_keyring_test.go b/pkg/tools/mcp/tokenstore_keyring_test.go
@@ -0,0 +1,90 @@
+package mcp
+
+import (
+	"encoding/json"
+	"testing"
+	"time"
+)
+
+func TestKeyringTokenStore_RoundTrip(t *testing.T) {
+	// Use in-memory fallback for CI environments without a keyring.
+	// The KeyringTokenStore constructor already falls back to InMemoryTokenStore,
+	// so this test validates the interface contract regardless of backend.
+	store := NewKeyringTokenStore()
+
+	resourceURL := "https://example.com/mcp"
+
+	// Initially no token
+	_, err := store.GetToken(resourceURL)
+	if err == nil {
+		t.Fatal("expected error for missing token")
+	}
+
+	// Store a token
+	token := &OAuthToken{
+		AccessToken:  "access-123",
+		TokenType:    "Bearer",
+		RefreshToken: "refresh-456",
+		ExpiresIn:    3600,
+		ExpiresAt:    time.Now().Add(1 * time.Hour),
+	}
+	if err := store.StoreToken(resourceURL, token); err != nil {
+		t.Fatalf("StoreToken failed: %v", err)
+	}
+
+	// Retrieve it
+	got, err := store.GetToken(resourceURL)
+	if err != nil {
+		t.Fatalf("GetToken failed: %v", err)
+	}
+	if got.AccessToken != "access-123" {
+		t.Errorf("AccessToken = %q, want %q", got.AccessToken, "access-123")
+	}
+	if got.RefreshToken != "refresh-456" {
+		t.Errorf("RefreshToken = %q, want %q", got.RefreshToken, "refresh-456")
+	}
+
+	// Remove it
+	if err := store.RemoveToken(resourceURL); err != nil {
+		t.Fatalf("RemoveToken failed: %v", err)
+	}
+
+	_, err = store.GetToken(resourceURL)
+	if err == nil {
+		t.Fatal("expected error after RemoveToken")
+	}
+}
+
+func TestKeyringTokenStore_JSONRoundTrip(t *testing.T) {
+	// Verify that OAuthToken serializes correctly (important for keyring storage)
+	token := &OAuthToken{
+		AccessToken:  "at",
+		TokenType:    "Bearer",
+		RefreshToken: "rt",
+		ExpiresIn:    7200,
+		ExpiresAt:    time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
+		Scope:        "read write",
+	}
+
+	data, err := json.Marshal(token)
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	var got OAuthToken
+	if err := json.Unmarshal(data, &got); err != nil {
+		t.Fatalf("Unmarshal failed: %v", err)
+	}
+
+	if got.AccessToken != token.AccessToken || got.RefreshToken != token.RefreshToken || got.Scope != token.Scope {
+		t.Errorf("JSON round-trip mismatch: got %+v, want %+v", got, token)
+	}
+}
+
+func TestKeyringTokenStore_RemoveNonExistent(t *testing.T) {
+	store := NewKeyringTokenStore()
+	// Should not error when removing a non-existent token
+	if err := store.RemoveToken("https://nonexistent.example.com"); err != nil {
+		t.Fatalf("RemoveToken for non-existent key should not error: %v", err)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ func NewRemoteToolset(name, urlString, transport string, headers map[string]stri`
`111`	`111`	`desc := buildRemoteDescription(urlString, transport)`
`112`	`112`	`return &Toolset{`
`113`	`113`	`name: name,`
`114`		`- mcpClient: newRemoteClient(urlString, transport, headers, NewInMemoryTokenStore()),`
	`114`	`+ mcpClient: newRemoteClient(urlString, transport, headers, NewKeyringTokenStore()),`
`115`	`115`	`logID: urlString,`
`116`	`116`	`description: desc,`
`117`	`117`	`}`