Enhancement: Passive Scope Downgrade Detection via Bridge Telemetry #78

@sangalo20

Description

The current Connection-Level Health Worker in the nexus-broker can reliably detect when a user entirely revokes access (i.e., the refresh token is rejected with invalid_grant). However, detecting partial scope revocation (e.g., a user revokes calendar.read but keeps profile) is inherently difficult due to limitations in the OAuth2 specification.

Because the Broker is domain-agnostic, it does not know which provider API endpoints correspond to which scopes, meaning it cannot actively "test" individual scopes.

Proposed Solution

To solve this, we must rely on passive monitoring rather than active polling:

  1. The nexus-bridge handles all active traffic from Agents.
  2. If an Agent attempts to use a specific scope that has been revoked, the provider's API will typically return a 403 Forbidden (or sometimes a 401).
  3. The nexus-bridge should be enhanced to catch these authorization errors and report them back to the nexus-broker via an internal telemetry endpoint.
  4. The Broker can then mark the connection as degraded and log exactly which scopes are failing, allowing the frontend to prompt the user to re-authenticate and re-grant the missing permissions.

Context

Documented as Technical Debt during the implementation of the Provider and Connection-Level Health Checks architecture.
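As an added illustration of the four steps under Proposed Solution (example code, not part of the nexus project): the bridge-side classification of provider responses and the broker-side aggregation that marks a connection degraded per failing scope. ScopeFailure, BrokerHealthWorker, the failure threshold and the sample traffic are assumptions; the RFC 6750 bearer error codes are used to keep an expired token (invalid_token) from being mistaken for a revoked scope.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ScopeFailure:
    """Telemetry event the bridge would post to the broker (hypothetical schema)."""
    connection_id: str
    scope: str
    status: int
    reason: str

def classify_response(connection_id, scope, status, headers):
    """Bridge side. A 403, or error="insufficient_scope" in the WWW-Authenticate
    challenge (RFC 6750), indicates a missing grant. A 401 with error="invalid_token"
    is a whole-token problem that belongs to the refresh path, so it is not reported."""
    m = re.search(r'error="([^"]+)"', headers.get("WWW-Authenticate", ""))
    code = m.group(1) if m else None
    if code != "invalid_token" and (status == 403 or code == "insufficient_scope"):
        return ScopeFailure(connection_id, scope, status, code or "forbidden")
    return None

class BrokerHealthWorker:
    """Broker side: aggregate bridge telemetry per connection."""
    def __init__(self, threshold=2):
        self.threshold = threshold  # repeats before a scope is treated as revoked
        self.failures = {}          # connection_id -> {scope: failure count}

    def ingest(self, event):
        scopes = self.failures.setdefault(event.connection_id, {})
        scopes[event.scope] = scopes.get(event.scope, 0) + 1

    def status(self, connection_id):
        scopes = self.failures.get(connection_id, {})
        failing = sorted(s for s, n in scopes.items() if n >= self.threshold)
        return ("degraded", failing) if failing else ("healthy", [])

# Constructed sample traffic on connection "c1": calendar.read revoked, profile kept.
SAMPLE = [
    ("c1", "calendar.read", 403, {}),
    ("c1", "profile", 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}),
    ("c1", "calendar.read", 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope"'}),
]

def run_sample(events=SAMPLE):
    worker = BrokerHealthWorker()
    for conn_id, scope, status, headers in events:
        failure = classify_response(conn_id, scope, status, headers)
        if failure:
            worker.ingest(failure)
    return worker.status("c1")
```

The threshold guards against a single transient 403 (for example a provider-side rate limit) downgrading a connection; a real deployment would also clear a scope's counter after a successful call on that scope.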

Metadata

Labels: enhancement (New feature or request)