feat(mcp-sidecar): implement RSA-OAEP token exchange for dynamic token refresh

Replace the static AMBIENT_TOKEN injection with the same RSA-OAEP
token exchange protocol the runner uses, so the MCP sidecar can
fetch and periodically refresh its own API token from the CP token
server.

- Add tokenexchange package: RSA-OAEP encrypt session ID, fetch
  token from CP /token endpoint with retry/backoff, background
  refresh every 5 minutes
- Make client.Client thread-safe (sync.RWMutex) with SetToken()
  for hot-swapping tokens on refresh
- Refactor mention.Resolver to use TokenFunc instead of static
  string so it always reads the current token
- Inject SESSION_ID into MCP sidecar env in buildMCPSidecar()
- Default MCP_API_SERVER_URL to AMBIENT_API_SERVER_URL so the
  sidecar inherits the correct API endpoint automatically
- Remove hardcoded MCP_API_SERVER_URL from mpp-openshift overlay
- Add unit tests for tokenexchange, client, and mention packages

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: Ambient Code Bot

components/ambient-cli/cmd/acpctl/session/send.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
 	"os/signal"
 	"strings"
@@ -56,6 +57,19 @@ func runSend(cmd *cobra.Command, args []string) error {
 	ctx, cancel := context.WithTimeout(cmd.Context(), cfg.GetRequestTimeout())
 	defer cancel()
 
+	streamCtx, streamCancel := signal.NotifyContext(cmd.Context(), os.Interrupt)
+	defer streamCancel()
+
+	var stream io.ReadCloser
+	if sendFollow {
+		s, err := client.Sessions().StreamEvents(streamCtx, sessionID)
+		if err != nil {
+			return fmt.Errorf("stream events: %w", err)
+		}
+		stream = s
+		defer stream.Close()
+	}
+
 	msg, err := client.Sessions().PushMessage(ctx, sessionID, payload)
 	if err != nil {
 		return fmt.Errorf("send message: %w", err)
@@ -67,15 +81,6 @@ func runSend(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 
-	streamCtx, streamCancel := signal.NotifyContext(cmd.Context(), os.Interrupt)
-	defer streamCancel()
-
-	stream, err := client.Sessions().StreamEvents(streamCtx, sessionID)
-	if err != nil {
-		return fmt.Errorf("stream events: %w", err)
-	}
-	defer stream.Close()
-
 	out := cmd.OutOrStdout()
 	scanner := bufio.NewScanner(stream)
 	var reasoningBuf strings.Builder

components/ambient-control-plane/internal/config/config.go

@@ -70,13 +70,17 @@ func Load() (*ControlPlaneConfig, error) {
 		VertexSecretNamespace: envOrDefault("VERTEX_SECRET_NAMESPACE", "ambient-code"),
 		RunnerImageNamespace:  os.Getenv("RUNNER_IMAGE_NAMESPACE"),
 		MCPImage:              os.Getenv("MCP_IMAGE"),
-		MCPAPIServerURL:       envOrDefault("MCP_API_SERVER_URL", "http://ambient-api-server.ambient-code.svc:8000"),
+		MCPAPIServerURL:       envOrDefault("MCP_API_SERVER_URL", ""),
 		RunnerLogLevel:        envOrDefault("RUNNER_LOG_LEVEL", "info"),
 		ProjectKubeTokenFile: os.Getenv("PROJECT_KUBE_TOKEN_FILE"),
 		CPTokenListenAddr:    envOrDefault("CP_TOKEN_LISTEN_ADDR", ":8080"),
 		CPTokenURL:           os.Getenv("CP_TOKEN_URL"),
 	}
 
+	if cfg.MCPAPIServerURL == "" {
+		cfg.MCPAPIServerURL = cfg.APIServerURL
+	}
+
 	if cfg.APIToken == "" && (cfg.OIDCClientID == "" || cfg.OIDCClientSecret == "") {
 		return nil, fmt.Errorf("either AMBIENT_API_TOKEN or both OIDC_CLIENT_ID and OIDC_CLIENT_SECRET must be set; set AMBIENT_API_TOKEN for k8s SA token auth or OIDC_CLIENT_ID+OIDC_CLIENT_SECRET for OIDC")
 	}

components/ambient-control-plane/internal/reconciler/kube_reconciler.go

@@ -441,12 +441,7 @@ func (r *SimpleKubeReconciler) ensurePod(ctx context.Context, namespace string,
 	}
 
 	if useMCPSidecar {
-		ambientToken, err := r.factory.Token(ctx)
-		if err != nil {
-			r.logger.Warn().Err(err).Str("session_id", session.ID).Msg("failed to fetch token for MCP sidecar; sidecar will start without AMBIENT_TOKEN")
-			ambientToken = ""
-		}
-		containers = append(containers, r.buildMCPSidecar(ambientToken))
+		containers = append(containers, r.buildMCPSidecar(session.ID))
 		r.logger.Info().Str("session_id", session.ID).Msg("MCP sidecar enabled for session")
 	}
 
@@ -816,7 +811,7 @@ func boolToStr(b bool) string {
 	return "false"
 }
 
-func (r *SimpleKubeReconciler) buildMCPSidecar(ambientToken string) interface{} {
+func (r *SimpleKubeReconciler) buildMCPSidecar(sessionID string) interface{} {
 	mcpImage := r.cfg.MCPImage
 	imagePullPolicy := "Always"
 	if strings.HasPrefix(mcpImage, "localhost/") {
@@ -828,9 +823,7 @@ func (r *SimpleKubeReconciler) buildMCPSidecar(ambientToken string) interface{}
 		envVar("AMBIENT_API_URL", r.cfg.MCPAPIServerURL),
 		envVar("AMBIENT_CP_TOKEN_URL", r.cfg.CPTokenURL),
 		envVar("AMBIENT_CP_TOKEN_PUBLIC_KEY", r.cfg.CPTokenPublicKey),
-	}
-	if ambientToken != "" {
-		env = append(env, envVar("AMBIENT_TOKEN", ambientToken))
+		envVar("SESSION_ID", sessionID),
 	}
 	return map[string]interface{}{
 		"name":            "ambient-mcp",

components/ambient-mcp/client/client.go

@@ -9,12 +9,14 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"sync"
 	"time"
 )
 
 type Client struct {
 	httpClient *http.Client
 	baseURL    string
+	mu         sync.RWMutex
 	token      string
 }
 
@@ -27,7 +29,18 @@ func New(baseURL, token string) *Client {
 }
 
 func (c *Client) BaseURL() string { return c.baseURL }
-func (c *Client) Token() string   { return c.token }
+
+func (c *Client) Token() string {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	return c.token
+}
+
+func (c *Client) SetToken(token string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.token = token
+}
 
 func (c *Client) do(ctx context.Context, method, path string, body []byte, result interface{}, expectedStatuses ...int) error {
 	reqURL := c.baseURL + "/api/ambient/v1" + path
@@ -42,7 +55,7 @@ func (c *Client) do(ctx context.Context, method, path string, body []byte, resul
 	if body != nil {
 		req.Header.Set("Content-Type", "application/json")
 	}
-	req.Header.Set("Authorization", "Bearer "+c.token)
+	req.Header.Set("Authorization", "Bearer "+c.Token())
 	req.Header.Set("Accept", "application/json")
 
 	resp, err := c.httpClient.Do(req)

components/ambient-mcp/client/client_test.go

@@ -0,0 +1,133 @@
+package client
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"testing"
+)
+
+func TestNew(t *testing.T) {
+	c := New("http://localhost:8080/", "my-token")
+	if c.BaseURL() != "http://localhost:8080" {
+		t.Errorf("BaseURL() = %q, want trailing slash stripped", c.BaseURL())
+	}
+	if c.Token() != "my-token" {
+		t.Errorf("Token() = %q, want %q", c.Token(), "my-token")
+	}
+}
+
+func TestSetToken(t *testing.T) {
+	c := New("http://localhost:8080", "initial")
+	c.SetToken("refreshed")
+	if c.Token() != "refreshed" {
+		t.Errorf("Token() after SetToken = %q, want %q", c.Token(), "refreshed")
+	}
+}
+
+func TestSetToken_ConcurrentAccess(t *testing.T) {
+	c := New("http://localhost:8080", "initial")
+	var wg sync.WaitGroup
+
+	for i := range 100 {
+		wg.Add(2)
+		go func(n int) {
+			defer wg.Done()
+			c.SetToken("token-" + string(rune('A'+n%26)))
+		}(i)
+		go func() {
+			defer wg.Done()
+			_ = c.Token()
+		}()
+	}
+	wg.Wait()
+
+	got := c.Token()
+	if got == "" {
+		t.Error("Token() is empty after concurrent access")
+	}
+}
+
+func TestGet_SendsBearerToken(t *testing.T) {
+	var receivedAuth string
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAuth = r.Header.Get("Authorization")
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
+	}))
+	defer srv.Close()
+
+	c := New(srv.URL, "test-bearer")
+	var result map[string]string
+	err := c.Get(context.Background(), "/healthz", &result)
+	if err != nil {
+		t.Fatalf("Get: %v", err)
+	}
+	if receivedAuth != "Bearer test-bearer" {
+		t.Errorf("Authorization = %q, want %q", receivedAuth, "Bearer test-bearer")
+	}
+}
+
+func TestGet_UsesRefreshedToken(t *testing.T) {
+	var receivedAuth string
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAuth = r.Header.Get("Authorization")
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
+	}))
+	defer srv.Close()
+
+	c := New(srv.URL, "old-token")
+	c.SetToken("new-token")
+
+	var result map[string]string
+	err := c.Get(context.Background(), "/healthz", &result)
+	if err != nil {
+		t.Fatalf("Get: %v", err)
+	}
+	if receivedAuth != "Bearer new-token" {
+		t.Errorf("Authorization = %q, want %q", receivedAuth, "Bearer new-token")
+	}
+}
+
+func TestGet_UnexpectedStatus(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "not found", http.StatusNotFound)
+	}))
+	defer srv.Close()
+
+	c := New(srv.URL, "token")
+	err := c.Get(context.Background(), "/missing", nil)
+	if err == nil {
+		t.Fatal("expected error for 404 response")
+	}
+}
+
+func TestPost_SendsBody(t *testing.T) {
+	var receivedBody map[string]string
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		json.NewDecoder(r.Body).Decode(&receivedBody)
+		if r.Header.Get("Content-Type") != "application/json" {
+			t.Errorf("Content-Type = %q, want application/json", r.Header.Get("Content-Type"))
+		}
+		w.WriteHeader(http.StatusCreated)
+		json.NewEncoder(w).Encode(map[string]string{"id": "123"})
+	}))
+	defer srv.Close()
+
+	c := New(srv.URL, "token")
+	body := map[string]string{"name": "test"}
+	var result map[string]string
+	err := c.Post(context.Background(), "/items", body, &result, http.StatusCreated)
+	if err != nil {
+		t.Fatalf("Post: %v", err)
+	}
+	if receivedBody["name"] != "test" {
+		t.Errorf("received body name = %q, want %q", receivedBody["name"], "test")
+	}
+	if result["id"] != "123" {
+		t.Errorf("result id = %q, want %q", result["id"], "123")
+	}
+}

components/ambient-mcp/main.go

@@ -8,6 +8,7 @@ import (
 	"github.com/mark3labs/mcp-go/server"
 
 	"github.com/ambient-code/platform/components/ambient-mcp/client"
+	"github.com/ambient-code/platform/components/ambient-mcp/tokenexchange"
 )
 
 func main() {
@@ -16,18 +17,50 @@ func main() {
 		apiURL = "http://localhost:8080"
 	}
 
-	token := os.Getenv("AMBIENT_TOKEN")
-	if token == "" {
-		fmt.Fprintln(os.Stderr, "AMBIENT_TOKEN is required")
-		os.Exit(1)
-	}
-
 	transport := os.Getenv("MCP_TRANSPORT")
 	if transport == "" {
 		transport = "stdio"
 	}
 
+	cpTokenURL := os.Getenv("AMBIENT_CP_TOKEN_URL")
+	cpPublicKey := os.Getenv("AMBIENT_CP_TOKEN_PUBLIC_KEY")
+	sessionID := os.Getenv("SESSION_ID")
+
+	var token string
+	var exchanger *tokenexchange.Exchanger
+
+	if cpTokenURL != "" && cpPublicKey != "" && sessionID != "" {
+		var err error
+		exchanger, err = tokenexchange.New(cpTokenURL, cpPublicKey, sessionID)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "token exchange init failed: %v\n", err)
+			os.Exit(1)
+		}
+		token, err = exchanger.FetchToken()
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "initial token fetch failed: %v\n", err)
+			os.Exit(1)
+		}
+		fmt.Fprintln(os.Stderr, "bootstrapped token via CP token exchange")
+	} else {
+		token = os.Getenv("AMBIENT_TOKEN")
+		if token == "" {
+			fmt.Fprintln(os.Stderr, "AMBIENT_TOKEN is required when CP token exchange env vars are not set")
+			os.Exit(1)
+		}
+		fmt.Fprintln(os.Stderr, "using static AMBIENT_TOKEN (no CP token exchange)")
+	}
+
 	c := client.New(apiURL, token)
+
+	if exchanger != nil {
+		exchanger.OnRefresh(func(freshToken string) {
+			c.SetToken(freshToken)
+		})
+		exchanger.StartBackgroundRefresh()
+		defer exchanger.Stop()
+	}
+
 	s := newServer(c, transport)
 
 	switch transport {

components/ambient-mcp/mention/resolve.go

@@ -18,16 +18,18 @@ type Doer interface {
 	Do(req *http.Request) (*http.Response, error)
 }
 
+type TokenFunc func() string
+
 type Resolver struct {
 	baseURL string
-	token   string
+	tokenFn TokenFunc
 	http    *http.Client
 }
 
-func NewResolver(baseURL, token string) *Resolver {
+func NewResolver(baseURL string, tokenFn TokenFunc) *Resolver {
 	return &Resolver{
 		baseURL: strings.TrimSuffix(baseURL, "/"),
-		token:   token,
+		tokenFn: tokenFn,
 		http:    &http.Client{},
 	}
 }
@@ -43,7 +45,7 @@ func (r *Resolver) Resolve(ctx context.Context, projectID, identifier string) (s
 	if uuidPattern.MatchString(strings.ToLower(identifier)) {
 		path := r.baseURL + "/api/ambient/v1/projects/" + url.PathEscape(projectID) + "/agents/" + url.PathEscape(identifier)
 		req, _ := http.NewRequestWithContext(ctx, http.MethodGet, path, nil)
-		req.Header.Set("Authorization", "Bearer "+r.token)
+		req.Header.Set("Authorization", "Bearer "+r.tokenFn())
 		resp, err := r.http.Do(req)
 		if err != nil {
 			return "", fmt.Errorf("lookup agent by ID: %w", err)
@@ -66,7 +68,7 @@ func (r *Resolver) Resolve(ctx context.Context, projectID, identifier string) (s
 
 	path := r.baseURL + "/api/ambient/v1/projects/" + url.PathEscape(projectID) + "/agents?search=name='" + url.QueryEscape(identifier) + "'"
 	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, path, nil)
-	req.Header.Set("Authorization", "Bearer "+r.token)
+	req.Header.Set("Authorization", "Bearer "+r.tokenFn())
 	resp, err := r.http.Do(req)
 	if err != nil {
 		return "", fmt.Errorf("search agent by name: %w", err)