feat(core): Implement OAuth flows and DefaultTokenManager (#9)

Introduce comprehensive OAuth 2.0 support with Authorization Code + PKCE
and device code flows, along with a complete TokenManager implementation.

- Add `ProviderConfig` for OAuth provider metadata
- Add `ProviderRegistry` with pre-configured GitHub, Spotify, and Google providers
- Store provider endpoints, capabilities (PKCE, device code), and default scopes

- **PKCE Flow** (`oauth::pkce`): Authorization Code + PKCE for web/native apps
  - Generate PKCE code verifier and challenge
  - Build authorization URLs with CSRF state protection
  - Exchange authorization codes for tokens
  - Local callback listener for redirect handling
- **Device Code Flow** (`oauth::device_code`): For headless/limited-input devices
  - Request device and user codes
  - Poll token endpoint with proper error handling
  - Support authorization_pending, slow_down, expired_token errors

- Implement `DefaultTokenManager<S: SecretStore>`
  - Automatic token refresh when expired (5-minute buffer)
  - Store/retrieve access tokens, refresh tokens, expiry, and scopes
  - Client credentials management via SecretStore
  - Rich error reporting (NotFound, Expired, RefreshFailed, etc.)
- Add `TokenScopes` credential type for persisting OAuth scopes

- Add `oauth2` v4.4 for OAuth protocol handling
- Add `reqwest` v0.12 for HTTP client operations
- Add `rand` v0.8 for secure random string generation
- Add `wiremock` v0.6 for integration testing

- Comprehensive integration tests for token refresh scenarios
- Mock OAuth endpoints with wiremock
- Test expiry detection, refresh success/failure, persistence
- Test multi-account support and scope handling

Closes #9

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: Amp AI

Cargo.lock

@@ -41,13 +41,15 @@ keyring = { workspace = true, optional = true }
 # OAuth2
 oauth2 = { workspace = true, optional = true }
 reqwest = { workspace = true, optional = true }
+rand = { version = "0.8", optional = true }
 
 [features]
 default = ["keyring-store"]
 keyring-store = ["dep:keyring"]
-oauth = ["dep:oauth2", "dep:reqwest"]
+oauth = ["dep:oauth2", "dep:reqwest", "dep:rand"]
 full = ["keyring-store", "oauth"]
 
 [dev-dependencies]
 tokio = { workspace = true, features = ["test-util", "macros"] }
 tempfile = "3.13"
+wiremock = "0.6"

sigilforge-core/Cargo.toml

@@ -27,6 +27,15 @@ pub mod resolve;
 pub mod error;
 pub mod account_store;
 
+#[cfg(feature = "oauth")]
+pub mod provider;
+
+#[cfg(feature = "oauth")]
+pub mod token_manager;
+
+#[cfg(feature = "oauth")]
+pub mod oauth;
+
 // Re-export commonly used types at crate root
 pub use model::{
     ServiceId,
@@ -67,3 +76,12 @@ pub use account_store::{
     AccountStore,
     AccountStoreError,
 };
+
+#[cfg(feature = "oauth")]
+pub use provider::{
+    ProviderConfig,
+    ProviderRegistry,
+};
+
+#[cfg(feature = "oauth")]
+pub use token_manager::DefaultTokenManager;

sigilforge-core/src/lib.rs

@@ -165,6 +165,9 @@ pub enum CredentialType {
     /// OAuth client secret (usually at provider level).
     ClientSecret,
 
+    /// OAuth scopes (comma-separated).
+    TokenScopes,
+
     /// Custom credential type.
     Custom(String),
 }
@@ -179,6 +182,7 @@ impl CredentialType {
             Self::ApiKey => "api_key",
             Self::ClientId => "client_id",
             Self::ClientSecret => "client_secret",
+            Self::TokenScopes => "token_scopes",
             Self::Custom(s) => s,
         }
     }