fix(code): proxy MCP requests locally to keep OAuth tokens fresh

apps/code/src/main/di/container.ts

@@ -32,6 +32,7 @@ import { LinearIntegrationService } from "../services/linear-integration/service
 import { LlmGatewayService } from "../services/llm-gateway/service";
 import { McpAppsService } from "../services/mcp-apps/service";
 import { McpCallbackService } from "../services/mcp-callback/service";
+import { McpProxyService } from "../services/mcp-proxy/service";
 import { NotificationService } from "../services/notification/service";
 import { OAuthService } from "../services/oauth/service";
 import { PosthogPluginService } from "../services/posthog-plugin/service";
@@ -66,6 +67,7 @@ container.bind(MAIN_TOKENS.AgentAuthAdapter).to(AgentAuthAdapter);
 container.bind(MAIN_TOKENS.AgentService).to(AgentService);
 container.bind(MAIN_TOKENS.AuthService).to(AuthService);
 container.bind(MAIN_TOKENS.AuthProxyService).to(AuthProxyService);
+container.bind(MAIN_TOKENS.McpProxyService).to(McpProxyService);
 container.bind(MAIN_TOKENS.ArchiveService).to(ArchiveService);
 container.bind(MAIN_TOKENS.SuspensionService).to(SuspensionService);
 container.bind(MAIN_TOKENS.AppLifecycleService).to(AppLifecycleService);

apps/code/src/main/di/tokens.ts

@@ -23,6 +23,7 @@ export const MAIN_TOKENS = Object.freeze({
   AgentService: Symbol.for("Main.AgentService"),
   AuthService: Symbol.for("Main.AuthService"),
   AuthProxyService: Symbol.for("Main.AuthProxyService"),
+  McpProxyService: Symbol.for("Main.McpProxyService"),
   ArchiveService: Symbol.for("Main.ArchiveService"),
   SuspensionService: Symbol.for("Main.SuspensionService"),
   AppLifecycleService: Symbol.for("Main.AppLifecycleService"),

apps/code/src/main/menu.ts

@@ -10,6 +10,7 @@ import {
 } from "electron";
 import { container } from "./di/container";
 import { MAIN_TOKENS } from "./di/tokens";
+import type { AuthService } from "./services/auth/service";
 import type { McpAppsService } from "./services/mcp-apps/service";
 import type { UIService } from "./services/ui/service";
 import type { UpdatesService } from "./services/updates/service";
@@ -132,6 +133,28 @@ function buildFileMenu(): MenuItemConstructorOptions {
                 .invalidateToken();
             },
           },
+          {
+            label: "Force refresh of OAuth token",
+            click: () => {
+              container
+                .get<AuthService>(MAIN_TOKENS.AuthService)
+                .refreshAccessToken()
+                .then(() => {
+                  dialog.showMessageBox({
+                    type: "info",
+                    title: "OAuth Token Refreshed",
+                    message: "Access token refreshed successfully.",
+                  });
+                })
+                .catch((err: Error) => {
+                  dialog.showMessageBox({
+                    type: "error",
+                    title: "OAuth Token Refresh Failed",
+                    message: err.message,
+                  });
+                });
+            },
+          },
           {
             label: "Refresh MCP Apps discovery",
             click: () => {

apps/code/src/main/services/agent/auth-adapter.test.ts

@@ -50,6 +50,14 @@ function createDependencies() {
     authProxy: {
       start: vi.fn().mockResolvedValue("http://127.0.0.1:9999"),
     },
+    mcpProxy: {
+      start: vi.fn().mockResolvedValue(undefined),
+      register: vi
+        .fn()
+        .mockImplementation(
+          (id: string) => `http://127.0.0.1:9998/${encodeURIComponent(id)}`,
+        ),
+    },
   };
 }
 
@@ -68,27 +76,29 @@ describe("AgentAuthAdapter", () => {
     adapter = new AgentAuthAdapter(
       deps.authService as never,
       deps.authProxy as never,
+      deps.mcpProxy as never,
     );
   });
 
   afterEach(() => {
     vi.restoreAllMocks();
   });
 
-  it("builds the default PostHog MCP server", async () => {
+  it("builds the default PostHog MCP server routed through the local proxy", async () => {
     const servers = await adapter.buildMcpServers(baseCredentials);
 
+    expect(deps.mcpProxy.register).toHaveBeenCalledWith(
+      "posthog",
+      "https://mcp.posthog.com/mcp",
+    );
     expect(servers).toEqual(
       expect.arrayContaining([
         expect.objectContaining({
           name: "posthog",
           type: "http",
-          url: "https://mcp.posthog.com/mcp",
-          headers: expect.arrayContaining([
-            {
-              name: "Authorization",
-              value: "Bearer test-access-token",
-            },
+          url: "http://127.0.0.1:9998/posthog",
+          headers: expect.not.arrayContaining([
+            expect.objectContaining({ name: "Authorization" }),
           ]),
         }),
       ]),
@@ -152,14 +162,16 @@ describe("AgentAuthAdapter", () => {
 
     const servers = await adapter.buildMcpServers(baseCredentials);
 
+    expect(deps.mcpProxy.register).toHaveBeenCalledWith(
+      "installation-inst-2",
+      "https://proxy.posthog.com/inst-2/",
+    );
     expect(servers).toEqual(
       expect.arrayContaining([
         expect.objectContaining({
           name: "secure-server",
-          url: "https://proxy.posthog.com/inst-2/",
-          headers: [
-            { name: "Authorization", value: "Bearer test-access-token" },
-          ],
+          url: "http://127.0.0.1:9998/installation-inst-2",
+          headers: [],
         }),
       ]),
     );

apps/code/src/main/services/agent/auth-adapter.ts

@@ -5,6 +5,7 @@ import { MAIN_TOKENS } from "../../di/tokens";
 import { logger } from "../../utils/logger";
 import type { AuthService } from "../auth/service";
 import type { AuthProxyService } from "../auth-proxy/service";
+import type { McpProxyService } from "../mcp-proxy/service";
 import type { Credentials } from "./schemas";
 
 const log = logger.scope("agent-auth-adapter");
@@ -37,6 +38,8 @@ export class AgentAuthAdapter {
     private readonly authService: AuthService,
     @inject(MAIN_TOKENS.AuthProxyService)
     private readonly authProxy: AuthProxyService,
+    @inject(MAIN_TOKENS.McpProxyService)
+    private readonly mcpProxy: McpProxyService,
   ) {}
 
   createPosthogConfig(credentials: Credentials): AgentPosthogConfig {
@@ -51,14 +54,19 @@ export class AgentAuthAdapter {
   async buildMcpServers(credentials: Credentials): Promise<AcpMcpServer[]> {
     const servers: AcpMcpServer[] = [];
     const mcpUrl = this.getPostHogMcpUrl(credentials.apiHost);
-    const token = await this.getValidToken();
+    // Warm the token so authenticatedFetch() has something cached, but do not
+    // bake it into the MCP config — the proxy injects a fresh one on every
+    // forwarded request.
+    await this.getValidToken();
+
+    await this.mcpProxy.start();
+    const proxiedPosthogUrl = this.mcpProxy.register("posthog", mcpUrl);
 
     servers.push({
       name: "posthog",
       type: "http",
-      url: mcpUrl,
+      url: proxiedPosthogUrl,
       headers: [
-        { name: "Authorization", value: `Bearer ${token}` },
         {
           name: "x-posthog-project-id",
           value: String(credentials.projectId),
@@ -72,23 +80,28 @@ export class AgentAuthAdapter {
     for (const installation of installations) {
       if (installation.url === mcpUrl) continue;
 
+      const name =
+        installation.name || installation.display_name || installation.url;
+
       if (installation.auth_type === "none") {
         servers.push({
-          name:
-            installation.name || installation.display_name || installation.url,
+          name,
           type: "http",
           url: installation.url,
           headers: [],
         });
         continue;
       }
 
+      const proxiedUrl = this.mcpProxy.register(
+        `installation-${installation.id}`,
+        installation.proxy_url,
+      );
       servers.push({
-        name:
-          installation.name || installation.display_name || installation.url,
+        name,
         type: "http",
-        url: installation.proxy_url,
-        headers: [{ name: "Authorization", value: `Bearer ${token}` }],
+        url: proxiedUrl,
+        headers: [],
       });
     }