Wire persistent DCRCredentialStore into EmbeddedAuthServer

[tgrunnagle]

DRAFT - not ready for review

Summary

• Why: Phase 2 of the DCR story shipped an in-memory stub for the DCRCredentialStore that lived only in the runner package. Restarting (or scaling out to) an authserver dropped every RFC 7591 client registration on the floor and re-registered against the upstream on every boot, which is unworkable for the Datadog-style upstream demo and for any multi-replica deployment. This PR wires the persistent DCRCredentialStore introduced in earlier sub-issues (in-memory + Redis backends) into EmbeddedAuthServer so a Redis-backed authserver reuses already-registered clients across replicas and restarts.
• What:
  • EmbeddedAuthServer.dcrStore is now typed against storage.DCRCredentialStore and is derived from the same storage.Storage value returned by createStorage, so a single storage_type: redis config toggles DCR persistence alongside the rest of authserver state. The storage.Storage interface embeds storage.DCRCredentialStore, promoting the previously-needed runtime type assertion to a compile-time guarantee.
  • The Phase 2 standalone in-memory DCRCredentialStore in pkg/authserver/runner/dcr_store.go is collapsed into a thin storageBackedStore adapter that delegates to storage.DCRCredentialStore and translates DCRResolution <-> DCRCredentials at the boundary. There is now exactly one persistence implementation per backend.
  • The constructor is split into the public NewEmbeddedAuthServer (creates storage) and an unexported newEmbeddedAuthServerWithStorage (owns the cleanup contract). Any error after entry closes the storage backend via a deferred cleanup gated on a named return error, so a crash-looping caller no longer leaks the Redis client connection pool / MemoryStorage cleanup goroutine on every restart.
  • buildPureOAuth2Config remains pure (unchanged signature, no ctx, no I/O); buildUpstreamConfigs is the boundary that consumes the resolver and overlays DCR-resolved credentials onto each upstream.
  • Adds DCRStore() accessor on EmbeddedAuthServer mirroring IDPTokenStorage / UpstreamTokenRefresher, used by integration tests to verify the resolver and the authserver write through the same backend.

This PR also lands the dependency stack that #5185 builds on (the persistent DCRCredentialStore types + memory backend, the Redis backend, the operator CRD surface for DCR, and the runner-side DCR resolver wiring). Each layer was developed and reviewed as a separate commit on this branch; commits are sequenced so each one builds and tests cleanly.

Closes #5185

Type of change

• Bug fix
• New feature
• Refactoring (no behavior change)
• Dependency update
• Documentation
• Other (describe):

Test plan

• Unit tests (task test)
• E2E tests (task test-e2e)
• Linting (task lint-fix)
• Manual testing (describe below)

Notable test coverage added by this PR:

• pkg/authserver/integration_dcr_restart_test.go (new) — TestEmbeddedAuthServer_DCRSurvivesRestart boots an EmbeddedAuthServer against a mock AS, captures the DCR store via the new DCRStore() accessor, closes the server, and asserts the persisted DCR row survives the first server's Close. Lives in package authserver_test to avoid the runner -> authserver import cycle. The full "boot, close, boot again, observe zero /register" scenario across a fresh constructor is documented as a gap (the production Redis path requires Sentinel, which miniredis does not speak); test docstring records the conditions under which it can be closed.
• pkg/authserver/runner/embeddedauthserver_test.go — TestBuildUpstreamConfigs_DCR exercises first-call registration + cache-hit on the second call (zero additional HTTP requests) and asserts the caller's RunConfig.Upstreams slice is never mutated. TestNewEmbeddedAuthServer_ClosesStorageOnError uses a closeTrackingStorage wrapper to verify the deferred-cleanup contract.
• pkg/authserver/storage/memory_test.go, redis_test.go, redis_integration_test.go — coverage for the persistent DCRCredentialStore operations on both backends, including ScopesHash canonicalisation (sort + dedupe + newline join).

API Compatibility

• This PR does not break the v1beta1 API, OR the api-break-allowed label is applied and the migration guidance is described above.

The CRD changes are additive: OAuth2UpstreamConfig.clientId becomes optional with a CEL constraint requiring exactly one of clientId or dcrConfig, and a new dcrConfig field is added. Existing MCPExternalAuthConfig / VirtualMCPServer resources that set clientId continue to validate unchanged.

Does this introduce a user-facing change?

Yes. Operators of OAuth2 upstreams can now configure RFC 7591 Dynamic Client Registration in the operator CRD via dcrConfig (with discoveryUrl or registrationEndpoint, plus optional initialAccessTokenRef, softwareId, softwareStatement) instead of statically configuring clientId + clientSecret. When the authserver is configured with storage_type: redis, DCR registrations persist across restarts and are shared across replicas; in single-replica memory mode, registrations live for the process lifetime as before.

Special notes for reviewers

• This PR is the terminal task in the Phase 3 DCR DAG and pulls along the dependency stack from sub-issues 1 and 2 (persistent DCRCredentialStore types + memory + Redis backends), the operator CRD surface, and the Phase 2 resolver wiring. The size is above the usual 400-line / 10-file limit; each commit is self-contained and the stack reads top-to-bottom in commit order. Reviewers may prefer to walk the per-commit diffs.
• The full "boot, close, boot again, zero /register" cross-constructor restart scenario is not exercised; closing it requires either miniredis-Sentinel emulation or a Docker-based Redis Sentinel cluster in the test harness. The wiring that the second boot would consume — the type of dcrStore being the same storage.DCRCredentialStore that authserver.New writes through — is verified at compile time by storage.Storage embedding storage.DCRCredentialStore and by TestEmbeddedAuthServer_DCRSurvivesRestart asserting the persistence boundary.
• buildPureOAuth2Config was kept intentionally pure (no ctx, no I/O) to preserve the architectural gate established in Authserver DCR integration (Phase 2, Steps 2a-2g) #4978; the wiring change swaps the implementation passed into the resolver, not the call shape.
• No secrets (client_secret, registration_access_token, initial_access_token, refresh tokens) appear as arguments to slog.* calls; the grep assertion from Authserver DCR integration (Phase 2, Steps 2a-2g) #4978 still applies.

[codecov]

Codecov Report

❌ Patch coverage is 92.18750% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.87%. Comparing base (df0ad8f) to head (609e7d3).

Files with missing lines	Patch %	Lines
pkg/authserver/runner/embeddedauthserver.go	88.88%	1 Missing and 1 partial ⚠️
pkg/authserver/server_impl.go	66.66%	1 Missing and 1 partial ⚠️
pkg/authserver/runner/dcr_store.go	97.50%	1 Missing ⚠️

Additional details and impacted files

@@                  Coverage Diff                  @@
##           dcr-3b_issue_5184    #5196      +/-   ##
=====================================================
+ Coverage              67.81%   67.87%   +0.05%     
=====================================================
  Files                    610      610              
  Lines                  62379    62420      +41     
=====================================================
+ Hits                   42302    42366      +64     
+ Misses                 16902    16877      -25     
- Partials                3175     3177       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tgrunnagle]

Multi-Agent Consensus Review

Agents consulted: concurrency, architecture, test-coverage, security, general-quality. Codex unavailable (skipped).

Consensus Summary

#	Finding	Consensus	Severity	Action
F1	Tests leak MemoryStorage cleanupLoop goroutine via newInMemoryDCRResolutionCache	9/10	MEDIUM	Fix
F3	Test names TestInMemoryDCRResolutionCache_* reference deleted type	7/10	MEDIUM	Fix
F4	newInMemoryDCRResolutionCache doc still markets it for production deployments	7/10	MEDIUM	Fix
F5	Restart test name overstates coverage; depends on undocumented MemoryStorage post-Close behavior	9/10	MEDIUM	Fix
F6	Storage interface widening (DCRCredentialStore embed) couples impls to DCR; broadens secret reach	7/10	MEDIUM	Discuss
F7	resolutionToCredentials/credentialsToResolution drop fields with no round-trip test	7/10	MEDIUM	Fix
F8	Deferred-cleanup slog.Warn logs unredacted retErr; can leak upstream response body	7/10	MEDIUM	Fix
F9	newMockUpstreamAS duplicates pkg/authserver/runner.newMockAuthorizationServer	7/10	LOW	Fix
F10	DCRStore() accessor: secret reach + delegation pattern + lifecycle docs	8/10	MEDIUM	Discuss
F11	PR is DRAFT; size over budget; e2e gap not documented	n/a	INFO	Comment

Overall

The wiring change is structurally correct: deferred-cleanup contract via named return retErr works, no double-close path between the deferred close and EmbeddedAuthServer.Close → server.Close → storage.Close, and closeOnce continues to make the caller path idempotent. The architectural gate from #4978 (buildPureOAuth2Config remains pure) is preserved. The closeTrackingStorage test seam is the right shape for verifying the contract — interface seam, not a hook field.

The dominant cluster of findings is comment drift and test-naming drift around the dcrResolutionCache / inMemoryDCRResolutionCache rename (F3, F4) plus a real test-infra goroutine leak that this PR introduces by routing test fixtures through storage.NewMemoryStorage (F1). These are fast to fix.

F6 and F10 are the design-discussion items. Embedding DCRCredentialStore into Storage was a deliberate choice to land a compile-time guarantee, but it widens the secret-bearing surface across every consumer of storage.Storage and every future backend. The new public DCRStore() accessor returns the raw secret-bearing interface and breaks the e.server.* delegation pattern used by sibling getters; if its only consumer is the integration test, a test-only export would be cleaner. Both are worth a deliberate decision rather than a side effect of compile-time-safety convenience.

F5 is the integration test's coverage story: the TestEmbeddedAuthServer_DCRSurvivesRestart name promises a restart, but the assertion is "reading from the same MemoryStorage instance after Close still works," which is an undocumented contract of MemoryStorage. The test docstring honestly acknowledges the cross-boot scenario is deferred — but the test name and the PR's user-visible "survives restart with Redis" promise are not yet in the suite.

Documentation

• dcrResolutionCache interface doc and newInMemoryDCRResolutionCache doc need updates per F4.
• EmbeddedAuthServer.dcrStore field comment + DCRStore() doc need a security note per F10.
• The Storage interface doc should call out the DCR-credential reach if F6's design lands as embedded.

Verification notes

Three findings raised by individual agents were verified against the post-PR file state and dropped as false positives — they cited the deleted (-) lines in the diff as if they were still in the new file. Specifically: (a) one HIGH security finding claimed RedisStorage does not implement DCRCredentialStore — verified false at pkg/authserver/storage/redis.go:2040 on the base branch dcr-3b_issue_5184; (b) two findings about the dcrResolutionCache interface doc retaining "in-memory" / "never expired" claims — verified false; the post-PR file at lines 33-46 contains only the new "thin adapter" framing.

Process notes

• Self-review caveat: the authenticated user is the PR author, so the review event is necessarily COMMENT (GitHub rejects REQUEST_CHANGES on own PRs). The findings would otherwise lean toward REQUEST_CHANGES due to the cluster of MEDIUM consensus items.
• Per .claude/rules/pr-creation.md, this PR exceeds the 400-line / 10-file budget — the author already acknowledged this in the body. Splitting the integration test (217 LOC) into a follow-up would put the wiring change inside budget.

---

Generated with Claude Code

[tgrunnagle]

Re: F11 (PR state / size / e2e gap from the multi-agent review body): noted, no commit. The size-over-budget acknowledgement and the deferred Sentinel-restart e2e are already called out in the PR body, and the PR remains in draft pending the size discussion. The Sentinel-restart gap is now explicitly recorded in the docstring on TestEmbeddedAuthServer_DCRStorePersistsAcrossClose (39dfc62) so a future contributor adding the harness has a single grep target.

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

PR size has been reduced below the XL threshold. Thank you for splitting this up!

[github-actions]

✅ PR size has been reduced below the XL threshold. The size review has been dismissed and this PR can now proceed with normal review. Thank you for splitting this up!