Persist DCR client credentials for OAuth session restoration

[flfeurmou-indeed]

Summary

Extend OAuth token persistence to also store Dynamic Client Registration (DCR) client credentials. This enables workloads that use DCR (like Datadog and Glean) to restore OAuth sessions across restarts without requiring a new browser-based authentication flow.

This PR builds on #3382 which added refresh token persistence, addressing the remaining issue where DCR servers still required re-authentication because the dynamically registered client_id (and client_secret where applicable) were lost on restart.

Problem

Remote MCP servers that use Dynamic Client Registration (e.g., Datadog, Glean) would lose their OAuth sessions after workload restarts because:

1. The refresh token was being persisted (feat(auth): persist OAuth tokens across workload restarts #3382 fix)
2. But the DCR-issued client_id was not persisted
3. Without the original client_id, the token refresh request fails with "Client ID is required" or similar errors

Solution

Store DCR client credentials in the secret manager alongside refresh tokens:

• CachedClientIDRef: Reference to the stored client ID
• CachedClientSecretRef: Reference to the stored client secret (when issued)

For PKCE flows (like Datadog), only the client_id is persisted since no client_secret is issued.

Changes

• Add CachedClientIDRef and CachedClientSecretRef fields to remote.Config
• Add HasCachedClientCredentials() and ClearCachedClientCredentials() helper methods
• Add TokenTypeOAuthClientID to secrets for secure storage
• Expose ClientID and ClientSecret in OAuthFlowResult from discovery
• Add ClientCredentialsPersister type for DCR credential persistence
• Update handler to restore and persist DCR credentials
• Update runner to wire up the client credentials persister
• Regenerate swagger documentation
• Add unit tests for new functionality

Testing

• All existing tests pass
• New unit tests added for HasCachedClientCredentials and ClearCachedClientCredentials
• Manually tested with Datadog MCP (PKCE flow) - sessions survive restarts

Related

Closes #3335

[codecov]

Codecov Report

❌ Patch coverage is 14.58333% with 41 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.83%. Comparing base (a7962a6) to head (0127cb4).
⚠️ Report is 50 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/auth/remote/handler.go	0.00%	23 Missing ⚠️
pkg/runner/runner.go	0.00%	16 Missing ⚠️
pkg/auth/discovery/discovery.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3418      +/-   ##
==========================================
+ Coverage   64.79%   64.83%   +0.03%     
==========================================
  Files         381      396      +15     
  Lines       37149    38559    +1410     
==========================================
+ Hits        24071    24999     +928     
- Misses      11191    11611     +420     
- Partials     1887     1949      +62     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[amirejaz]

we can save clientID as plain text as this is public

[amirejaz]

We need to store additional DCR metadata (such as client_secret_expires_at and registration_access_token) and implement handling for client secret expiration in DCR.

[flfeurmou-indeed]

Addressed the review feedback:

✅ ClientID as plain text: Changed CachedClientIDRef to CachedClientID - now stored directly in config instead of as a secret reference (since it's public information)

✅ Added DCR metadata fields:

• CachedClientSecretExpiresAt - tracks when the client secret expires
• CachedRegistrationAccessTokenRef - for updating/deleting the client registration

⏸️ Expiration handling logic: The fields are in place, but I haven't implemented the actual expiration check and re-registration flow yet. Let me know if that's needed in this PR or if it can be a follow-up.