
feat(git-token-service): add GitLab token support with OAuth refresh#1070

Open
eshurakov wants to merge 4 commits into main from eshurakov/git-token-service-support-gitlab

Conversation


@eshurakov eshurakov commented Mar 12, 2026

Summary

  • Add getGitLabToken RPC method to cloudflare-git-token-service, enabling callers to retrieve GitLab access tokens the same way they already use getTokenForRepo/getToken for GitHub.
  • New GitLabLookupService queries platform_integrations for active GitLab integrations by user/org ID, joining organization_memberships for org-scoped lookups and kilocode_users to enforce blocked-user checks. Org integrations are prioritized over personal ones.
  • New GitLabTokenService handles token retrieval: PAT tokens are returned directly, OAuth tokens are checked for expiry (with a 5-minute buffer) and automatically refreshed via GitLab's /oauth/token endpoint. Refreshed tokens are written back to platform_integrations.metadata.
  • OAuth client credentials are sourced per-integration from metadata.client_id/client_secret (for self-hosted instances) with fallback to GITLAB_OAUTH_CLIENT_ID/GITLAB_OAUTH_CLIENT_SECRET env vars (for gitlab.com).
  • No KV caching — Hyperdrive queries are fast enough, and caching would risk serving stale tokens after reconnection or refresh.
  • Exports typed result types (GetGitLabTokenParams, GetGitLabTokenResult) for consuming service bindings.
  • Test worker updated with POST /getGitLabToken endpoint for manual testing.

Verification

  • pnpm typecheck — pass (all 28 workspace projects)
  • pnpm --filter cloudflare-git-token-service lint — pass (no errors)

Visual Changes

N/A

Reviewer Notes

  • This PR is scoped to cloudflare-git-token-service only. Consumers (cloud-agent-next, cloudflare-gastown) will integrate via service binding in follow-up PRs.
  • OAuth refresh race condition is accepted: if two workers refresh simultaneously, GitLab rotates the refresh token so the second refresh fails. The first writer wins; callers can retry.
  • GITLAB_OAUTH_CLIENT_ID and GITLAB_OAUTH_CLIENT_SECRET are added as optional env vars in worker-configuration.d.ts. These are only needed as a fallback for gitlab.com integrations where custom credentials aren't stored in the integration metadata. They will need to be added as secrets in wrangler config before production use.
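The token-retrieval flow the summary describes, written out as an added TypeScript example (this is not code from the PR or from cloudflare-git-token-service, and every type, function and class name here is hypothetical): a PAT is returned as-is, an OAuth token is compared against a 5-minute expiry buffer, client credentials come from the integration metadata with a fallback to the GITLAB_OAUTH_CLIENT_ID / GITLAB_OAUTH_CLIENT_SECRET environment variables, and a refresh goes through an injected function that stands in for a POST to GitLab's /oauth/token (the real worker would use fetch). A constructed fake of that endpoint rotates refresh tokens on every use, so the loser of a simultaneous refresh gets an error the caller can retry on, which is the accepted race described in the reviewer notes.

```typescript
// Added example, not the PR's code. All names are hypothetical.

interface IntegrationMetadata {
  token_type: "pat" | "oauth";
  access_token: string;
  refresh_token?: string;   // only for OAuth integrations
  expires_at?: number;      // unix seconds; absent for PATs
  client_id?: string;       // stored for self-hosted instances
  client_secret?: string;
}

interface OAuthEnv {
  GITLAB_OAUTH_CLIENT_ID?: string;      // fallback for gitlab.com
  GITLAB_OAUTH_CLIENT_SECRET?: string;
}

interface RefreshRequest {
  grant_type: "refresh_token";
  refresh_token: string;
  client_id: string;
  client_secret: string;
}

interface RefreshResponse {
  access_token: string;
  refresh_token: string;    // GitLab issues a new one on every refresh
  expires_in: number;       // seconds
}

// Stand-in for a POST to <instance>/oauth/token; null models a rejected grant.
type Refresher = (req: RefreshRequest) => RefreshResponse | null;

const REFRESH_BUFFER_SECONDS = 5 * 60;

// Refresh when the token is expired or expires within the buffer.
function needsRefresh(meta: IntegrationMetadata, nowSeconds: number): boolean {
  if (meta.token_type !== "oauth") return false;     // PATs are never refreshed
  if (meta.expires_at === undefined) return true;    // unknown expiry: refresh to be safe
  return meta.expires_at - nowSeconds <= REFRESH_BUFFER_SECONDS;
}

// Per-integration credentials win; env vars are only the gitlab.com fallback.
function resolveClientCredentials(meta: IntegrationMetadata, env: OAuthEnv) {
  const client_id = meta.client_id ?? env.GITLAB_OAUTH_CLIENT_ID;
  const client_secret = meta.client_secret ?? env.GITLAB_OAUTH_CLIENT_SECRET;
  if (!client_id || !client_secret) {
    throw new Error("no OAuth client credentials in metadata or environment");
  }
  return { client_id, client_secret };
}

interface TokenResult {
  token: string;
  refreshed: boolean;
}

function getGitLabToken(
  meta: IntegrationMetadata,
  env: OAuthEnv,
  refresh: Refresher,
  writeBack: (updated: IntegrationMetadata) => void,  // persists to metadata
  nowSeconds: number,
): TokenResult {
  if (!needsRefresh(meta, nowSeconds)) {
    return { token: meta.access_token, refreshed: false };
  }
  if (!meta.refresh_token) {
    throw new Error("OAuth token expired and no refresh_token stored");
  }
  const creds = resolveClientCredentials(meta, env);
  const res = refresh({ grant_type: "refresh_token", refresh_token: meta.refresh_token, ...creds });
  if (res === null) {
    // A concurrent refresh already consumed (rotated) this refresh token.
    throw new Error("refresh rejected: refresh_token already rotated, caller should retry");
  }
  const updated: IntegrationMetadata = {
    ...meta,
    access_token: res.access_token,
    refresh_token: res.refresh_token,
    expires_at: nowSeconds + res.expires_in,
  };
  writeBack(updated);   // the first writer wins
  return { token: updated.access_token, refreshed: true };
}

// Constructed fake of GitLab's token endpoint with one-time refresh tokens.
class FakeGitLabOAuth {
  private valid = new Set<string>();
  private counter = 0;
  private readonly clientId: string;
  private readonly clientSecret: string;
  constructor(initialRefreshToken: string, clientId: string, clientSecret: string) {
    this.valid.add(initialRefreshToken);
    this.clientId = clientId;
    this.clientSecret = clientSecret;
  }
  refresh: Refresher = (req) => {
    if (req.client_id !== this.clientId || req.client_secret !== this.clientSecret) return null;
    if (!this.valid.delete(req.refresh_token)) return null;   // unknown or already rotated
    this.counter += 1;
    const next = `rt-${this.counter}`;
    this.valid.add(next);
    return { access_token: `at-${this.counter}`, refresh_token: next, expires_in: 7200 };
  };
}
```

The refresher is injected rather than hard-coded so the decision logic can be exercised against the fake above; swapping in a fetch-based implementation changes nothing else. Because the refresh token is rotated on use, the second of two simultaneous refreshes is rejected and surfaces as an error rather than a silently stale token.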


kilo-code-bot bot commented Mar 12, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (6 files)
  • cloudflare-git-token-service/src/gitlab-lookup-service.ts
  • cloudflare-git-token-service/src/gitlab-token-service.ts
  • cloudflare-git-token-service/src/index.ts
  • cloudflare-git-token-service/test/test-worker.ts
  • cloudflare-git-token-service/worker-configuration.d.ts
  • src/app/(app)/gastown/[townId]/TownOverviewPageClient.tsx

Reviewed by gpt-5.4-20260305 · 546,102 tokens
