fix: static token rejected by requireBearerAuth (missing expiresAt)

src/vault-mcp/auth/__tests__/oauth-provider.test.ts

@@ -276,6 +276,14 @@ describe("verifyAccessToken", () => {
     expect(result.token).toBe(AUTH_TOKEN)
   })
 
+  it("gives the static token a future expiresAt so requireBearerAuth accepts it", async () => {
+    const result = await oauth.provider.verifyAccessToken!(AUTH_TOKEN)
+    // requireBearerAuth rejects any AuthInfo where expiresAt is not a number,
+    // or is in the past. The static token must carry a future numeric expiry.
+    expect(typeof result.expiresAt).toBe("number")
+    expect(result.expiresAt!).toBeGreaterThan(DateTime.now().toUnixInteger())
+  })
+
   it("returns correct auth info for a valid JWT", async () => {
     const token = signJwt(
       {

src/vault-mcp/auth/oauth-provider.ts

@@ -291,7 +291,16 @@ export const createOAuthProvider = ({
     /** Three-tier verification: static token (fast path for CLI) → revocation check → JWT. */
     async verifyAccessToken(token: string): Promise<AuthInfo> {
       if (safeEqual(token, authToken)) {
-        return { token, clientId: "static", scopes: ["vault"] }
+        // The static token never expires, but the SDK's requireBearerAuth
+        // rejects any AuthInfo without a numeric expiresAt ("Token has no
+        // expiration time"). Hand it a far-future timestamp so the static
+        // token is accepted while remaining effectively perpetual.
+        return {
+          token,
+          clientId: "static",
+          scopes: ["vault"],
+          expiresAt: DateTime.now().plus({ years: 10 }).toUnixInteger(),
+        }
       }
 
       if (isRevoked(token)) {