
feat: add support for OAuth clientCredential and password flows in Respect core#2824

Open
harshit078 wants to merge 22 commits into
Redocly:mainfrom
harshit078:Add-support-for-clientCredential

Conversation

@harshit078

@harshit078 harshit078 commented May 19, 2026

Contributor

What/Why/How?

  • Added the OAuth2 token exchange for x-security schemes with the password and clientCredentials flows.
  • Respect now fetches the access token from tokenUrl and applies Authorization: Bearer to the request, which allows manually obtaining an accessToken

Reference

#2122

Testing

Screenshots (optional)

Check yourself

  • This PR follows the contributing guide
  • All new/updated code is covered by tests
  • Core code changed? - Tested with other Redocly products (internal contributions only)
  • New package installed? - Tested in different environments (browser/node)
  • Documentation update has been considered

Security

  • The security impact of the change has been considered
  • Code follows company security practices and guidelines

Note

High Risk
Changes authentication for Respect runs (outbound token requests, credential handling, and caching) and tightens OAuth2 x-security validation, which can break workflows that relied only on accessToken or incomplete credentials.

Overview
Respect can automatically obtain OAuth2 access tokens for Arazzo x-security when the scheme declares clientCredentials or password flows, instead of requiring a pre-supplied accessToken for those cases.

At request time, resolveXSecurityParameters is now async and, when credentials are present, POSTs to the flow’s tokenUrl (Basic or body client auth, optional scope), caches tokens on TestContext with expiry refresh, masks secrets, and sets Authorization: Bearer. A user-provided accessToken still bypasses exchange (including empty string handling in lint).

Lint and runtime validation for x-security-scheme-required-values / validateXSecurityParameters now require clientId/clientSecret or username/password per declared OAuth2 flow (with rules when both flows exist); implicit-style flows still expect accessToken.

Also adds an AsyncAPI 3 security-defined rule module and updates e2e config error snapshots for new visitor types (ActionParameters, ActionParameter). Minor version bumps in changeset for @redocly/respect-core, @redocly/openapi-core, and @redocly/cli.

Reviewed by Cursor Bugbot for commit a98fd8c. Bugbot is set up for automated code reviews on this repo. Configure here.

@changeset-bot

changeset-bot Bot commented May 19, 2026


🦋 Changeset detected

Latest commit: a98fd8c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name                   Type
@redocly/respect-core  Minor
@redocly/openapi-core  Minor
@redocly/cli           Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@harshit078 harshit078 marked this pull request as ready for review May 26, 2026 09:51
@harshit078 harshit078 requested review from a team as code owners May 26, 2026 09:51
Comment thread packages/respect-core/src/utils/oauth2/exchange-oauth2-token.ts Outdated
Comment thread packages/respect-core/src/utils/oauth2/exchange-oauth2-token.ts
Comment thread packages/core/src/rules/async3/security-defined.ts
Comment thread packages/respect-core/src/utils/oauth2/exchange-oauth2-token.ts

@cursor cursor Bot left a comment



Cursor Bugbot has reviewed your changes and found 1 potential issue.


Reviewed by Cursor Bugbot for commit a98fd8c. Configure here.

Comment thread packages/respect-core/src/utils/oauth2/exchange-oauth2-token.ts
@harshit078

Contributor Author

Hey @DmitryAnansky, can you review the PR please? Thanks!

