llm: extract shared OIDC config, move business logic to pkg/llm, add E2E tests (#5049)

* llm: extract shared OIDC config, move business logic to pkg/llm, add E2E tests

Three follow-up cleanups from the #5029 review (#5048):

1. Extract shared OIDC config type into pkg/oidc.ClientConfig. Both
   config.RegistryOAuthConfig and llm.OIDCConfig are now type aliases for
   this type, so field additions and validation changes apply to both
   authentication flows without drift.

2. Move business logic from the CLI layer into pkg/llm per the cli-commands
   convention. The config-set mutation/validation branch, the config-show
   text formatter, and the cached-token deletion logic all live in pkg/llm
   now. The CLI commands are thin wrappers that parse flags and delegate.

3. Add E2E tests for thv llm config set/show/reset, covering happy-path
   round-trips, HTTPS enforcement, incremental configuration, the
   not-configured message, and post-reset state.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* llm: fix errcheck lint failures in Show method

Show now returns an error and uses a writef closure to propagate the
first write failure rather than ignoring io.Writer errors. The CLI
caller is updated to return the error directly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* llm: skip token deletion for providers that can't list or delete

Providers like the environment provider are read-only and cannot hold
cached tokens, so calling ListSecrets on them would always produce a
spurious warning during thv llm config reset. Check CanList/CanDelete
capabilities first and treat non-capable providers as a no-op.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* llm: add unit tests for SetFields, DeleteCachedTokens, and Show

Covers the business logic introduced in manage.go:
- SetFields: field mutation, partial vs full validation branching,
  invalid-value rejection
- DeleteCachedTokens: capability no-ops (no CanList/CanDelete),
  empty-scope no-op, scoped deletion, error propagation
- Show: not-configured message, required-field output, conditional
  audience line, configured-tools section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* test(e2e): configure environment secrets provider in llm config tests

Mirrors the pattern from cli_secrets_scoped_test.go to ensure the test
suite never opens the user's real keychain or 1Password. The environment
provider is non-interactive and read-only, so DeleteCachedTokens is a
no-op, keeping the tests fully hermetic.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: taskbot <taskbot@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

cmd/thv/app/llm.go

@@ -69,14 +69,7 @@ func newConfigCommand() *cobra.Command {
 }
 
 func newConfigSetCommand() *cobra.Command {
-	var (
-		gatewayURL   string
-		issuer       string
-		clientID     string
-		audience     string
-		proxyPort    int
-		callbackPort int
-	)
+	var opts llm.SetOptions
 
 	cmd := &cobra.Command{
 		Use:   "set",
@@ -91,43 +84,17 @@ Example:
 		Args: cobra.NoArgs,
 		RunE: func(_ *cobra.Command, _ []string) error {
 			return config.UpdateConfig(func(c *config.Config) error {
-				if gatewayURL != "" {
-					c.LLM.GatewayURL = gatewayURL
-				}
-				if issuer != "" {
-					c.LLM.OIDC.Issuer = issuer
-				}
-				if clientID != "" {
-					c.LLM.OIDC.ClientID = clientID
-				}
-				if audience != "" {
-					c.LLM.OIDC.Audience = audience
-				}
-				if proxyPort != 0 {
-					c.LLM.Proxy.ListenPort = proxyPort
-				}
-				if callbackPort != 0 {
-					c.LLM.OIDC.CallbackPort = callbackPort
-				}
-				// Always validate format/range for any fields that were set,
-				// so invalid values (e.g. http:// URL, out-of-range port) are
-				// rejected immediately rather than silently persisted.
-				// Full validation (required-field checks) only runs once the
-				// mandatory trio is present, allowing incremental configuration.
-				if !c.LLM.IsConfigured() {
-					return c.LLM.ValidatePartial()
-				}
-				return c.LLM.Validate()
+				return c.LLM.SetFields(opts)
 			})
 		},
 	}
 
-	cmd.Flags().StringVar(&gatewayURL, "gateway-url", "", "LLM gateway base URL (must use HTTPS)")
-	cmd.Flags().StringVar(&issuer, "issuer", "", "OIDC issuer URL")
-	cmd.Flags().StringVar(&clientID, "client-id", "", "OIDC client ID")
-	cmd.Flags().StringVar(&audience, "audience", "", "OIDC audience (optional)")
-	cmd.Flags().IntVar(&proxyPort, "proxy-port", 0, "Localhost proxy listen port (default 14000)")
-	cmd.Flags().IntVar(&callbackPort, "callback-port", 0, "OIDC callback port (default: ephemeral)")
+	cmd.Flags().StringVar(&opts.GatewayURL, "gateway-url", "", "LLM gateway base URL (must use HTTPS)")
+	cmd.Flags().StringVar(&opts.Issuer, "issuer", "", "OIDC issuer URL")
+	cmd.Flags().StringVar(&opts.ClientID, "client-id", "", "OIDC client ID")
+	cmd.Flags().StringVar(&opts.Audience, "audience", "", "OIDC audience (optional)")
+	cmd.Flags().IntVar(&opts.ProxyPort, "proxy-port", 0, "Localhost proxy listen port (default 14000)")
+	cmd.Flags().IntVar(&opts.CallbackPort, "callback-port", 0, "OIDC callback port (default: ephemeral)")
 
 	return cmd
 }
@@ -153,27 +120,7 @@ func newConfigShowCommand() *cobra.Command {
 				return nil
 			}
 
-			if !llmCfg.IsConfigured() {
-				fmt.Println("LLM gateway is not configured. Run \"thv llm config set\" to configure it.")
-				return nil
-			}
-
-			fmt.Printf("Gateway URL:   %s\n", llmCfg.GatewayURL)
-			fmt.Printf("OIDC Issuer:   %s\n", llmCfg.OIDC.Issuer)
-			fmt.Printf("OIDC Client:   %s\n", llmCfg.OIDC.ClientID)
-			if llmCfg.OIDC.Audience != "" {
-				fmt.Printf("Audience:      %s\n", llmCfg.OIDC.Audience)
-			}
-			fmt.Printf("Proxy Port:    %d\n", llmCfg.EffectiveProxyPort())
-			fmt.Printf("Scopes:        %v\n", llmCfg.OIDC.EffectiveScopes())
-			if len(llmCfg.ConfiguredTools) > 0 {
-				fmt.Println("Configured tools:")
-				for _, t := range llmCfg.ConfiguredTools {
-					fmt.Printf("  - %s (%s)  %s\n", t.Tool, t.Mode, t.ConfigPath)
-				}
-			}
-
-			return nil
+			return llmCfg.Show(os.Stdout)
 		},
 	}
 
@@ -191,8 +138,11 @@ tokens from the secrets provider.`,
 		Args: cobra.NoArgs,
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			// Delete cached tokens from the secrets provider first.
-			if err := deleteLLMSecrets(cmd.Context()); err != nil {
+			provider, err := secrets.GetSystemSecretsProvider()
+			if err != nil {
 				// Non-fatal: log and continue so the config is still cleared.
+				fmt.Fprintf(os.Stderr, "Warning: could not get secrets provider: %v\n", err)
+			} else if err := llm.DeleteCachedTokens(cmd.Context(), provider); err != nil {
 				fmt.Fprintf(os.Stderr, "Warning: could not remove cached LLM tokens: %v\n", err)
 			}
 
@@ -241,27 +191,6 @@ func runLLMToken(ctx context.Context) error {
 	return nil
 }
 
-// deleteLLMSecrets removes all secrets stored under the LLM scope.
-func deleteLLMSecrets(ctx context.Context) error {
-	provider, err := secrets.GetSystemSecretsProvider()
-	if err != nil {
-		return fmt.Errorf("failed to get secrets provider: %w", err)
-	}
-	scoped := pkgsecrets.NewScopedProvider(provider, pkgsecrets.ScopeLLM)
-	descs, err := scoped.ListSecrets(ctx)
-	if err != nil {
-		return err
-	}
-	if len(descs) == 0 {
-		return nil
-	}
-	names := make([]string, len(descs))
-	for i, d := range descs {
-		names[i] = d.Key
-	}
-	return scoped.DeleteSecrets(ctx, names)
-}
-
 // ── setup / teardown stubs ────────────────────────────────────────────────────
 
 func newLLMSetupCommand() *cobra.Command {

pkg/config/config.go

@@ -21,6 +21,7 @@ import (
 	"github.com/stacklok/toolhive/pkg/container/templates"
 	"github.com/stacklok/toolhive/pkg/llm"
 	"github.com/stacklok/toolhive/pkg/lockfile"
+	"github.com/stacklok/toolhive/pkg/oidc"
 	"github.com/stacklok/toolhive/pkg/secrets"
 )
 
@@ -65,17 +66,10 @@ type RegistryAuth struct {
 
 // RegistryOAuthConfig holds OAuth/OIDC configuration for registry authentication.
 // PKCE (S256) is always enforced per OAuth 2.1 requirements for public clients.
-type RegistryOAuthConfig struct {
-	Issuer       string   `yaml:"issuer"`
-	ClientID     string   `yaml:"client_id"`
-	Scopes       []string `yaml:"scopes,omitempty"`
-	Audience     string   `yaml:"audience,omitempty"`
-	CallbackPort int      `yaml:"callback_port,omitempty"`
-
-	// Cached token references for session restoration across CLI invocations.
-	CachedRefreshTokenRef string    `yaml:"cached_refresh_token_ref,omitempty"`
-	CachedTokenExpiry     time.Time `yaml:"cached_token_expiry,omitempty"`
-}
+//
+// This is a type alias for oidc.ClientConfig so that registry and LLM gateway
+// authentication always share the same field set and validation logic.
+type RegistryOAuthConfig = oidc.ClientConfig
 
 // Secrets contains the settings for secrets management.
 type Secrets struct {

pkg/llm/config.go

@@ -6,20 +6,22 @@ package llm
 import (
 	"errors"
 	"fmt"
-	"strings"
-	"time"
 
 	"github.com/stacklok/toolhive/pkg/networking"
+	pkgoidc "github.com/stacklok/toolhive/pkg/oidc"
 )
 
 const (
 	// DefaultProxyListenPort is the default port the localhost proxy listens on.
 	DefaultProxyListenPort = 14000
-
-	// DefaultOIDCScopes are the default OAuth scopes requested during login.
-	DefaultOIDCScopes = "openid offline_access"
 )
 
+// OIDCConfig is a type alias for oidc.ClientConfig, holding OIDC provider
+// settings and cached token state for the LLM gateway. Using a type alias
+// ensures this type stays in sync with pkg/config.RegistryOAuthConfig, which
+// is also an alias for the same underlying type.
+type OIDCConfig = pkgoidc.ClientConfig
+
 // Config holds all LLM gateway settings persisted under the llm: key in
 // ToolHive's config.yaml.
 type Config struct {
@@ -29,25 +31,6 @@ type Config struct {
 	ConfiguredTools []ToolConfig `yaml:"configured_tools,omitempty"  json:"configured_tools,omitempty"`
 }
 
-// OIDCConfig holds OIDC provider settings and cached token state for the LLM
-// gateway. Cached fields follow the same pattern as RegistryOAuthConfig in
-// pkg/config/config.go — token values are never stored here, only references
-// and expiry metadata.
-type OIDCConfig struct {
-	Issuer       string   `yaml:"issuer,omitempty"        json:"issuer,omitempty"`
-	ClientID     string   `yaml:"client_id,omitempty"     json:"client_id,omitempty"`
-	Scopes       []string `yaml:"scopes,omitempty"        json:"scopes,omitempty"`
-	Audience     string   `yaml:"audience,omitempty"      json:"audience,omitempty"`
-	CallbackPort int      `yaml:"callback_port,omitempty" json:"callback_port,omitempty"`
-
-	// CachedRefreshTokenRef is the secrets-provider key under which the refresh
-	// token is stored (never the token value itself).
-	CachedRefreshTokenRef string `yaml:"cached_refresh_token_ref,omitempty" json:"cached_refresh_token_ref,omitempty"`
-	// CachedTokenExpiry is the expiry of the most recently cached access token,
-	// used to surface helpful messages when the token is about to expire.
-	CachedTokenExpiry time.Time `yaml:"cached_token_expiry,omitempty" json:"cached_token_expiry,omitempty"`
-}
-
 // ProxyConfig holds configuration for the localhost reverse proxy.
 type ProxyConfig struct {
 	ListenPort int `yaml:"listen_port,omitempty" json:"listen_port,omitempty"`
@@ -132,12 +115,3 @@ func (c *Config) EffectiveProxyPort() int {
 	}
 	return DefaultProxyListenPort
 }
-
-// EffectiveScopes returns the configured OIDC scopes, or the default scopes
-// (openid, offline_access) if none are set.
-func (c *OIDCConfig) EffectiveScopes() []string {
-	if len(c.Scopes) > 0 {
-		return c.Scopes
-	}
-	return strings.Fields(DefaultOIDCScopes)
-}

pkg/llm/manage.go

@@ -0,0 +1,111 @@
+// SPDX-FileCopyrightText: Copyright 2026 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package llm
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	pkgsecrets "github.com/stacklok/toolhive/pkg/secrets"
+)
+
+// SetFields applies the non-zero fields from the provided options to the
+// config and validates the result. If the mandatory trio (gateway_url,
+// oidc.issuer, oidc.client_id) is present after the update, full validation
+// runs; otherwise only format/range validation runs to catch bad values early
+// while still allowing incremental configuration.
+func (c *Config) SetFields(opts SetOptions) error {
+	if opts.GatewayURL != "" {
+		c.GatewayURL = opts.GatewayURL
+	}
+	if opts.Issuer != "" {
+		c.OIDC.Issuer = opts.Issuer
+	}
+	if opts.ClientID != "" {
+		c.OIDC.ClientID = opts.ClientID
+	}
+	if opts.Audience != "" {
+		c.OIDC.Audience = opts.Audience
+	}
+	if opts.ProxyPort != 0 {
+		c.Proxy.ListenPort = opts.ProxyPort
+	}
+	if opts.CallbackPort != 0 {
+		c.OIDC.CallbackPort = opts.CallbackPort
+	}
+
+	if !c.IsConfigured() {
+		return c.ValidatePartial()
+	}
+	return c.Validate()
+}
+
+// SetOptions carries the flag values for the "config set" command.
+// Zero values are treated as "not provided" and leave the existing config
+// field unchanged.
+type SetOptions struct {
+	GatewayURL   string
+	Issuer       string
+	ClientID     string
+	Audience     string
+	ProxyPort    int
+	CallbackPort int
+}
+
+// DeleteCachedTokens removes all cached OIDC tokens stored under the LLM
+// scope via the provided secrets provider. It is a no-op if the provider does
+// not support listing or deletion (e.g. the environment provider), since such
+// providers cannot hold cached tokens.
+func DeleteCachedTokens(ctx context.Context, provider pkgsecrets.Provider) error {
+	scoped := pkgsecrets.NewScopedProvider(provider, pkgsecrets.ScopeLLM)
+	caps := scoped.Capabilities()
+	if !caps.CanList || !caps.CanDelete {
+		return nil
+	}
+	descs, err := scoped.ListSecrets(ctx)
+	if err != nil {
+		return err
+	}
+	if len(descs) == 0 {
+		return nil
+	}
+	names := make([]string, len(descs))
+	for i, d := range descs {
+		names[i] = d.Key
+	}
+	return scoped.DeleteSecrets(ctx, names)
+}
+
+// Show writes a human-readable representation of the config to w.
+// If the config is not yet configured it prints a hint to run "config set".
+func (c *Config) Show(w io.Writer) error {
+	if !c.IsConfigured() {
+		_, err := fmt.Fprintln(w, "LLM gateway is not configured. Run \"thv llm config set\" to configure it.")
+		return err
+	}
+
+	var err error
+	writef := func(format string, args ...any) {
+		if err == nil {
+			_, err = fmt.Fprintf(w, format, args...)
+		}
+	}
+
+	writef("Gateway URL:   %s\n", c.GatewayURL)
+	writef("OIDC Issuer:   %s\n", c.OIDC.Issuer)
+	writef("OIDC Client:   %s\n", c.OIDC.ClientID)
+	if c.OIDC.Audience != "" {
+		writef("Audience:      %s\n", c.OIDC.Audience)
+	}
+	writef("Proxy Port:    %d\n", c.EffectiveProxyPort())
+	writef("Scopes:        %v\n", c.OIDC.EffectiveScopes())
+	if len(c.ConfiguredTools) > 0 {
+		writef("Configured tools:\n")
+		for _, t := range c.ConfiguredTools {
+			writef("  - %s (%s)  %s\n", t.Tool, t.Mode, t.ConfigPath)
+		}
+	}
+	return err
+}