fix(adapter,gateway): harden token TTL, stdio safety, formatting, error handling

1. nexus-mcp-adapter: Replace dangerous 1-hour token TTL fallback with
   conservative 5-minute default + warning log when expires_at is missing
2. nexus-mcp-adapter: Change all console.log to console.error to prevent
   corrupting MCP StdioServerTransport JSON-RPC channel
3. nexus-gateway: Fix spaces-to-tabs indentation in server.go (gofmt)
4. nexus-gateway: Replace opaque status code forwarding on unexpected
   broker responses with structured 502 broker_unexpected_status error

All tests pass. go vet and go build clean.

Author: sangalo20

nexus-gateway/pkg/server/server.go

@@ -57,10 +57,10 @@ func (s *Server) routes() {
 	s.mux.Handle("/metrics", promhttp.Handler())
 
 	s.mux.Post("/v1/request-connection", s.handler.RequestConnection)
-        s.mux.Get("/v1/check-connection/{connectionID}", s.handler.CheckConnection)
-        s.mux.Get("/v1/resolve", s.handler.ResolveToken)
-        s.mux.Get("/v1/token/{connectionID}", s.handler.GetToken)
-        s.mux.Post("/v1/refresh/{connectionID}", s.handler.RefreshConnection)
+	s.mux.Get("/v1/check-connection/{connectionID}", s.handler.CheckConnection)
+	s.mux.Get("/v1/resolve", s.handler.ResolveToken)
+	s.mux.Get("/v1/token/{connectionID}", s.handler.GetToken)
+	s.mux.Post("/v1/refresh/{connectionID}", s.handler.RefreshConnection)
 	s.mux.Get("/v1/providers", s.handler.GetProviders)
 	s.mux.Get("/v1/providers/metadata", s.handler.GetProviders)
 	s.mux.Post("/v1/providers", s.handler.CreateProvider)

nexus-gateway/pkg/usecase/handler.go

@@ -447,7 +447,8 @@ func (h *Handler) ResolveToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	w.WriteHeader(resp.StatusCode())
+	writeError(w, http.StatusBadGateway, "broker_unexpected_status",
+		fmt.Sprintf("broker returned unexpected status %d", resp.StatusCode()), nil)
 }
 
 func (h *Handler) GetToken(w http.ResponseWriter, r *http.Request) {

nexus-mcp-adapter/src/NexusClient.ts

@@ -17,7 +17,7 @@ export class NexusClient {
    * Currently mocks the response.
    */
   private async fetchTokenFromGateway(workspaceId: string, provider: string): Promise<NexusTokenInfo> {
-    console.log(`[NexusClient] Fetching fresh token from Gateway for workspace: ${workspaceId}, provider: ${provider}`);
+    console.error(`[NexusClient] Fetching fresh token from Gateway for workspace: ${workspaceId}, provider: ${provider}`);
 
     const url = new URL(`${this.gatewayUrl}/v1/resolve`);
     url.searchParams.append('workspace_id', workspaceId);
@@ -63,11 +63,15 @@ export class NexusClient {
     }
 
     // Handle expiration parsing
-    let expiresAt = Date.now() + (1000 * 60 * 60); // Default 1 hour fallback
+    // Conservative 5-minute default — avoids serving stale tokens if the
+    // upstream provider issued a short-lived token (some are 5–15 min).
+    let expiresAt = Date.now() + (1000 * 60 * 5);
     if (data.credentials.expires_at) {
         expiresAt = new Date(data.credentials.expires_at).getTime();
     } else if (data.expires_at) {
-         expiresAt = new Date(data.expires_at).getTime();
+        expiresAt = new Date(data.expires_at).getTime();
+    } else {
+        console.warn(`[NexusClient] No expires_at in token response for workspace: ${workspaceId}, provider: ${provider}. Using conservative 5-minute TTL.`);
     }
 
     return {
@@ -87,7 +91,7 @@ export class NexusClient {
       tokenInfo = await this.fetchTokenFromGateway(workspaceId, provider);
       this.tokenManager.setToken(workspaceId, provider, tokenInfo);
     } else {
-      console.log(`[NexusClient] Using cached token for workspace: ${workspaceId}, provider: ${provider}`);
+      console.error(`[NexusClient] Using cached token for workspace: ${workspaceId}, provider: ${provider}`);
     }
 
     return tokenInfo;
@@ -120,7 +124,7 @@ export class NexusClient {
       };
 
       // 4. Execute the actual fetch request
-      console.log(`[NexusClient Fetcher] Executing proxy fetch to ${input.toString()}`);
+      console.error(`[NexusClient Fetcher] Executing proxy fetch to ${input.toString()}`);
       return globalThis.fetch(input, updatedInit);
     };
   }