Align resolveTokenScopeForServer api:// guard with Python implementation

Replace broad startsWith('api://') check with an exact match against
ATG_APP_ID_URI ('api://ea9ffc3e-...'), mirroring the Python utility.py logic.
This allows V2 servers that use api:// audience URIs to get their own
per-server token instead of being silently routed to the shared ATG scope.

Author: biswapm

packages/agents-a365-tooling/src/configuration/ToolingConfiguration.ts

@@ -9,16 +9,17 @@ import { MCPServerConfig } from '../contracts';
 const MCP_PLATFORM_PROD_BASE_URL = 'https://agent365.svc.cloud.microsoft';
 const PROD_MCP_PLATFORM_AUTHENTICATION_SCOPE = 'ea9ffc3e-8a23-4a7d-836d-234d7c7565c1/.default';
 const ATG_APP_ID = 'ea9ffc3e-8a23-4a7d-836d-234d7c7565c1';
+const ATG_APP_ID_URI = `api://${ATG_APP_ID}`;   // "api://ea9ffc3e-8a23-4a7d-836d-234d7c7565c1"
 
 /**
  * Resolve the OAuth scope to request for a given MCP server.
  * V2 servers carry their own audience GUID in the `audience` field; V1 servers (no audience,
- * or audience matching the shared ATG AppId) fall back to the shared ATG scope.
+ * or audience matching the shared ATG AppId or its api:// URI form) fall back to the shared ATG scope.
  */
 export function resolveTokenScopeForServer(server: MCPServerConfig): string {
   if (server.audience &&
       server.audience !== ATG_APP_ID &&
-      !server.audience.startsWith('api://')) {
+      server.audience !== ATG_APP_ID_URI) {
     // V2 server: use explicit scope if provided, otherwise fall back to /.default
     if (server.scope) {
       return `${server.audience}/${server.scope}`;

tests/tooling/configuration/ToolingConfiguration.test.ts

@@ -266,8 +266,14 @@ describe('resolveTokenScopeForServer', () => {
     expect(resolveTokenScopeForServer({ mcpServerName: 'mail', url: 'https://mail.example.com', audience: ATG_APP_ID })).toBe(ATG_SCOPE);
   });
 
-  it('should return ATG scope when audience starts with api:// (not a plain GUID)', () => {
-    expect(resolveTokenScopeForServer({ mcpServerName: 'mail', url: 'https://mail.example.com', audience: 'api://custom-app-id' })).toBe(ATG_SCOPE);
+  it('should return ATG scope when audience is the ATG api:// URI form', () => {
+    const atgAppIdUri = `api://${ATG_APP_ID}`;
+    expect(resolveTokenScopeForServer({ mcpServerName: 'mail', url: 'https://mail.example.com', audience: atgAppIdUri })).toBe(ATG_SCOPE);
+  });
+
+  it('should return per-server scope when audience is a non-ATG api:// URI (V2 server)', () => {
+    const v2AppIdUri = 'api://custom-app-id';
+    expect(resolveTokenScopeForServer({ mcpServerName: 'mail', url: 'https://mail.example.com', audience: v2AppIdUri })).toBe(`${v2AppIdUri}/.default`);
   });
 
   it('should return per-server scope for a V2 GUID audience', () => {