agentHost: 9728-style protected resource auth

This commit implement RFC 9728/6750-inspired authentication for the
agent host. This is a working prototype, although before merging this
I'll pull this stuff up to the protocol itself rather than being
extension methods.

src/vs/platform/agentHost/test/node/mockAgent.ts

@@ -5,6 +5,7 @@
 
 import { Emitter } from '../../../../base/common/event.js';
 import { URI } from '../../../../base/common/uri.js';
+import type { IAuthorizationProtectedResourceMetadata } from '../../../../base/common/oauth.js';
 import { AgentSession, type AgentProvider, type IAgent, type IAgentAttachment, type IAgentCreateSessionConfig, type IAgentDescriptor, type IAgentMessageEvent, type IAgentModelInfo, type IAgentProgressEvent, type IAgentSessionMetadata, type IAgentToolCompleteEvent, type IAgentToolStartEvent } from '../../common/agentService.js';
 
 /**
@@ -24,6 +25,7 @@ export class MockAgent implements IAgent {
 	readonly abortSessionCalls: URI[] = [];
 	readonly respondToPermissionCalls: { requestId: string; approved: boolean }[] = [];
 	readonly changeModelCalls: { session: URI; model: string }[] = [];
+	readonly authenticateCalls: { resource: string; token: string }[] = [];
 
 	constructor(readonly id: AgentProvider = 'mock') { }
 
@@ -31,6 +33,13 @@ export class MockAgent implements IAgent {
 		return { provider: this.id, displayName: `Agent ${this.id}`, description: `Test ${this.id} agent`, requiresAuth: this.id === 'copilot' };
 	}
 
+	getProtectedResources(): IAuthorizationProtectedResourceMetadata[] {
+		if (this.id === 'copilot') {
+			return [{ resource: 'https://api.github.com', authorization_servers: ['https://github.com/login/oauth'] }];
+		}
+		return [];
+	}
+
 	async listModels(): Promise<IAgentModelInfo[]> {
 		return [{ provider: this.id, id: `${this.id}-model`, name: `${this.id} Model`, maxContextWindow: 128000, supportsVision: false, supportsReasoningEffort: false }];
 	}
@@ -75,6 +84,11 @@ export class MockAgent implements IAgent {
 		this.setAuthTokenCalls.push(token);
 	}
 
+	async authenticate(resource: string, token: string): Promise<boolean> {
+		this.authenticateCalls.push({ resource, token });
+		return true;
+	}
+
 	async shutdown(): Promise<void> { }
 
 	fireProgress(event: IAgentProgressEvent): void {
@@ -104,6 +118,10 @@ export class ScriptedMockAgent implements IAgent {
 		return { provider: 'mock', displayName: 'Mock Agent', description: 'Scripted test agent', requiresAuth: false };
 	}
 
+	getProtectedResources(): IAuthorizationProtectedResourceMetadata[] {
+		return [];
+	}
+
 	async listModels(): Promise<IAgentModelInfo[]> {
 		return [{ provider: 'mock', id: 'mock-model', name: 'Mock Model', maxContextWindow: 128000, supportsVision: false, supportsReasoningEffort: false }];
 	}
@@ -225,6 +243,10 @@ export class ScriptedMockAgent implements IAgent {
 
 	async setAuthToken(_token: string): Promise<void> { }
 
+	async authenticate(_resource: string, _token: string): Promise<boolean> {
+		return true;
+	}
+
 	async shutdown(): Promise<void> { }
 
 	dispose(): void {

src/vs/platform/agentHost/test/node/protocolServerHandler.test.ts

@@ -75,6 +75,8 @@ class MockSideEffectHandler implements IProtocolSideEffectHandler {
 	handleDisposeSession(_session: string): void { }
 	async handleListSessions(): Promise<ISessionSummary[]> { return []; }
 	handleSetAuthToken(_token: string): void { }
+	handleGetResourceMetadata() { return { resources: [] }; }
+	async handleAuthenticate(_params: { resource: string; token: string }) { return { authenticated: true }; }
 	async handleBrowseDirectory(uri: string): Promise<{ entries: { name: string; type: 'file' | 'directory' }[] }> {
 		this.browsedUris.push(URI.parse(uri));
 		const error = this.browseErrors.get(uri);