[BUG] OAuth login fails: Lambda /sailapps/auth/code returns 400 "Error exchanging code for token"

[electronicBlacksmith]

Describe the bug
OAuth login fails at the code-for-token exchange. The auth Lambda returns 400 Error exchanging code for token after the user clicks Grant Application Access. Reproduces against both sandbox and prod tenants where sailpoint-cli is otherwise valid.

To Reproduce

1. Fresh clone of main (v1.3.0), npm install, npm run build:components, npm run start
2. Create an OAuth environment with a valid tenant URL + API URL
3. Click Login → complete SSO in browser
4. Click "Grant Application Access" on developer.sailpoint.com/sailapps
5. App never authenticates. Browser network tab shows:

POST https://nug87yusrg.execute-api.us-east-1.amazonaws.com/Prod/sailapps/auth/code
Body: {"code":"<fresh code>","state":"<base64 {id,publicKey}>"}

→ HTTP 400  text/plain  "Error exchanging code for token"
   apigw-requestid: duBXPiJAoAMEJjg=  (2026-05-21T14:25:12Z UTC)

Expected
Lambda returns encrypted token; app authenticates.

Ruled out

• Tenant config: direct POST <api>/oauth/token with client_id=sailpoint-cli and a fake code returns invalid_grant: Invalid authorization code. The tenant accepts the client_id, redirect_uri, and PKCE form — only the (deliberately fake) code is rejected. Real tenant config is fine.
• Stale/reused code: failure reproduces with a brand-new code consumed within seconds.
• Network: Lambda endpoint is reachable; TLS verified end-to-end.

Suspected area
Recent OAuth refactor — ee90ba4 (asymmetric key exchange) and f428605 (no longer saving private/public key pair). Possible Lambda-side PKCE verifier lookup or redirect_uri mismatch when calling <api>/oauth/token.

Environment

• App version: 1.3.0 (main @ f2f8691)
• OS: macOS 26.5.0
• Node 24.5.0 / npm 11.5.1 / Electron 36.8.1

[github-actions]

🎉 Thanks for opening your first issue here! Welcome to the community!