Problem
The ConnectionHealthWorker can detect full revocation (refresh token rejected) but cannot detect partial scope revocation — e.g., a user revokes calendar.read but keeps profile. The broker is domain-agnostic and cannot actively test individual scopes.
Proposed Solution
Implement passive telemetry in nexus-bridge:
- The
nexus-bridge intercepts all outbound API calls from agents.
- When a provider returns
403 Forbidden, the bridge captures the failing scope/endpoint context.
- The bridge reports this to the broker via an internal telemetry endpoint (e.g.
POST /internal/telemetry/scope-failure).
- The broker marks the connection as
degraded and records which scopes are failing.
- The frontend can then surface a targeted re-auth prompt for the specific missing scopes.
Impact
- Connections degraded by partial revocation currently appear
healthy to the worker
- Agents silently fail on 403s with no feedback to the user
References
docs/healthchecks.md §7 Technical Debtnexus-broker/internal/service/connection_health.go
Problem
The
ConnectionHealthWorkercan detect full revocation (refresh token rejected) but cannot detect partial scope revocation — e.g., a user revokescalendar.readbut keepsprofile. The broker is domain-agnostic and cannot actively test individual scopes.Proposed Solution
Implement passive telemetry in
nexus-bridge:nexus-bridgeintercepts all outbound API calls from agents.403 Forbidden, the bridge captures the failing scope/endpoint context.POST /internal/telemetry/scope-failure).degradedand records which scopes are failing.Impact
healthyto the workerReferences
docs/healthchecks.md§7 Technical Debtnexus-broker/internal/service/connection_health.go