Fix TTL zero-value guard and document CIMD+baseline scope interaction

- Change cache_fallback_ttl validation from < 0 to <= 0 in
  CIMDRunConfig.Validate(). A zero TTL would expire every cache entry
  immediately, causing an outbound CIMD fetch on every authorize request.
- Add note to baselineClientScopes CRD field comment that when
  cimd.enabled is true, baseline scopes are also unioned into
  CIMD-resolved clients, including third-party ones.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: amirejaz

cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go

@@ -293,6 +293,9 @@ type EmbeddedAuthServerConfig struct {
 	// "openid" and "offline_access"). Adding a privileged scope here — e.g.
 	// "admin:read" — would grant it to every DCR-registered client, including
 	// public clients like Claude Code, Cursor, and VS Code.
+	// When cimd.enabled is true, these baseline scopes are also unioned into
+	// the scope set of every CIMD-resolved client, including third-party clients
+	// dynamically resolved from arbitrary HTTPS URLs.
 	// +kubebuilder:validation:MaxItems=10
 	// +kubebuilder:validation:items:MinLength=1
 	// +kubebuilder:validation:items:Pattern=`^[\x21\x23-\x5B\x5D-\x7E]+$`

pkg/authserver/config.go

@@ -157,8 +157,8 @@ func (c *CIMDRunConfig) Validate() error {
 		if err != nil {
 			return fmt.Errorf("cache_fallback_ttl: %w", err)
 		}
-		if d < 0 {
-			return fmt.Errorf("cache_fallback_ttl must be non-negative when CIMD is enabled, got %s", c.CacheFallbackTTL)
+		if d <= 0 {
+			return fmt.Errorf("cache_fallback_ttl must be positive when CIMD is enabled, got %s", c.CacheFallbackTTL)
 		}
 	}
 	return nil