chore(deps): update dependency stacklok/toolhive to v0.26.1 (#2154)

renovate[bot] · github-actions[bot] · web-flow · commit e7d497554559 · 2026-04-30T14:59:14.000+02:00
* chore(deps): update dependency stacklok/toolhive to v0.26.1

* chore: regenerate artifacts after dependency update

---------

Co-authored-by: renovate[bot] &lt;29139614+renovate[bot]@users.noreply.github.com&gt;
Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
diff --git a/common/api/generated/index.ts b/common/api/generated/index.ts
@@ -233,6 +233,7 @@ export type {
   GithubComStacklokToolhivePkgAuthAwsstsConfig,
   GithubComStacklokToolhivePkgAuthAwsstsRoleMapping,
   GithubComStacklokToolhivePkgAuthRemoteConfig,
+  GithubComStacklokToolhivePkgAuthserverDcrUpstreamConfig,
   GithubComStacklokToolhivePkgAuthserverOAuth2UpstreamRunConfig,
   GithubComStacklokToolhivePkgAuthserverOidcUpstreamRunConfig,
   GithubComStacklokToolhivePkgAuthserverRunConfig,
diff --git a/common/api/generated/types.gen.ts b/common/api/generated/types.gen.ts
@@ -398,6 +398,52 @@ export type GithubComStacklokToolhivePkgAuthUpstreamswapConfig = {
   provider_name?: string
 }
 
+/**
+ * DCRConfig enables RFC 7591 Dynamic Client Registration against the
+ * upstream authorization server. When set, the client credentials are
+ * obtained at runtime rather than being pre-provisioned via ClientID /
+ * ClientSecretFile / ClientSecretEnvVar, and ClientID must be left empty.
+ * Mutually exclusive with ClientID.
+ */
+export type GithubComStacklokToolhivePkgAuthserverDcrUpstreamConfig = {
+  /**
+   * DiscoveryURL is the RFC 8414 / OIDC Discovery URL from which the
+   * registration_endpoint is resolved at runtime. Mutually exclusive with
+   * RegistrationEndpoint.
+   */
+  discovery_url?: string
+  /**
+   * InitialAccessTokenEnvVar is the name of an environment variable
+   * containing the RFC 7591 initial access token. Mutually exclusive with
+   * InitialAccessTokenFile.
+   */
+  initial_access_token_env_var?: string
+  /**
+   * InitialAccessTokenFile is the path to a file containing the RFC 7591
+   * initial access token presented to the registration endpoint. Mutually
+   * exclusive with InitialAccessTokenEnvVar. Both may be omitted for open
+   * registration endpoints.
+   */
+  initial_access_token_file?: string
+  /**
+   * RegistrationEndpoint is the RFC 7591 registration endpoint URL used
+   * directly, bypassing discovery. Mutually exclusive with DiscoveryURL.
+   */
+  registration_endpoint?: string
+  /**
+   * SoftwareID is the RFC 7591 "software_id" registration metadata value,
+   * identifying the client software independent of any particular
+   * registration instance.
+   */
+  software_id?: string
+  /**
+   * SoftwareStatement is the RFC 7591 "software_statement" JWT asserting
+   * metadata about the client software, signed by a party the authorization
+   * server trusts.
+   */
+  software_statement?: string
+}
+
 /**
  * OAuth2Config contains OAuth 2.0-specific configuration.
  * Required when Type is "oauth2", must be nil when Type is "oidc".
@@ -417,6 +463,8 @@ export type GithubComStacklokToolhivePkgAuthserverOAuth2UpstreamRunConfig = {
   authorization_endpoint?: string
   /**
    * ClientID is the OAuth 2.0 client identifier registered with the upstream IDP.
+   * Mutually exclusive with DCRConfig: when DCRConfig is set, ClientID is obtained
+   * at runtime via RFC 7591 Dynamic Client Registration and must be left empty.
    */
   client_id?: string
   /**
@@ -429,6 +477,7 @@ export type GithubComStacklokToolhivePkgAuthserverOAuth2UpstreamRunConfig = {
    * Mutually exclusive with ClientSecretEnvVar. Optional for public clients using PKCE.
    */
   client_secret_file?: string
+  dcr_config?: GithubComStacklokToolhivePkgAuthserverDcrUpstreamConfig
   /**
    * RedirectURI is the callback URL where the upstream IDP will redirect after authentication.
    * When not specified, defaults to `{issuer}/oauth/callback`.
diff --git a/common/api/openapi.json b/common/api/openapi.json
@@ -404,6 +404,36 @@
         },
         "type": "object"
       },
+      "github_com_stacklok_toolhive_pkg_authserver.DCRUpstreamConfig": {
+        "description": "DCRConfig enables RFC 7591 Dynamic Client Registration against the\nupstream authorization server. When set, the client credentials are\nobtained at runtime rather than being pre-provisioned via ClientID /\nClientSecretFile / ClientSecretEnvVar, and ClientID must be left empty.\nMutually exclusive with ClientID.",
+        "properties": {
+          "discovery_url": {
+            "description": "DiscoveryURL is the RFC 8414 / OIDC Discovery URL from which the\nregistration_endpoint is resolved at runtime. Mutually exclusive with\nRegistrationEndpoint.",
+            "type": "string"
+          },
+          "initial_access_token_env_var": {
+            "description": "InitialAccessTokenEnvVar is the name of an environment variable\ncontaining the RFC 7591 initial access token. Mutually exclusive with\nInitialAccessTokenFile.",
+            "type": "string"
+          },
+          "initial_access_token_file": {
+            "description": "InitialAccessTokenFile is the path to a file containing the RFC 7591\ninitial access token presented to the registration endpoint. Mutually\nexclusive with InitialAccessTokenEnvVar. Both may be omitted for open\nregistration endpoints.",
+            "type": "string"
+          },
+          "registration_endpoint": {
+            "description": "RegistrationEndpoint is the RFC 7591 registration endpoint URL used\ndirectly, bypassing discovery. Mutually exclusive with DiscoveryURL.",
+            "type": "string"
+          },
+          "software_id": {
+            "description": "SoftwareID is the RFC 7591 \"software_id\" registration metadata value,\nidentifying the client software independent of any particular\nregistration instance.",
+            "type": "string"
+          },
+          "software_statement": {
+            "description": "SoftwareStatement is the RFC 7591 \"software_statement\" JWT asserting\nmetadata about the client software, signed by a party the authorization\nserver trusts.",
+            "type": "string"
+          }
+        },
+        "type": "object"
+      },
       "github_com_stacklok_toolhive_pkg_authserver.OAuth2UpstreamRunConfig": {
         "description": "OAuth2Config contains OAuth 2.0-specific configuration.\nRequired when Type is \"oauth2\", must be nil when Type is \"oidc\".",
         "properties": {
@@ -419,7 +449,7 @@
             "type": "string"
           },
           "client_id": {
-            "description": "ClientID is the OAuth 2.0 client identifier registered with the upstream IDP.",
+            "description": "ClientID is the OAuth 2.0 client identifier registered with the upstream IDP.\nMutually exclusive with DCRConfig: when DCRConfig is set, ClientID is obtained\nat runtime via RFC 7591 Dynamic Client Registration and must be left empty.",
             "type": "string"
           },
           "client_secret_env_var": {
@@ -430,6 +460,9 @@
             "description": "ClientSecretFile is the path to a file containing the OAuth 2.0 client secret.\nMutually exclusive with ClientSecretEnvVar. Optional for public clients using PKCE.",
             "type": "string"
           },
+          "dcr_config": {
+            "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.DCRUpstreamConfig"
+          },
           "redirect_uri": {
             "description": "RedirectURI is the callback URL where the upstream IDP will redirect after authentication.\nWhen not specified, defaults to `{issuer}/oauth/callback`.",
             "type": "string"
diff --git a/utils/constants.ts b/utils/constants.ts
@@ -3,4 +3,4 @@
  * This is managed by Renovate and updated automatically when new versions are released.
  * renovate: datasource=github-releases depName=stacklok/toolhive versioning=semver
  */
-export const TOOLHIVE_VERSION = process.env.THV_VERSION ?? 'v0.26.0'
+export const TOOLHIVE_VERSION = process.env.THV_VERSION ?? 'v0.26.1'
