Wire CIMD config through embedded AS and enable storage decorator

[amirejaz]

Summary

Phase 2 PR 3 of CIMD embedded AS support — depends on #5343.

This is the wiring PR. All CIMD logic lives in PRs 1 and 2; this PR threads the configuration through the existing authserver config chain and activates the decorator.

Config chain: RunConfig.CIMD → Config.CIMD* → AuthorizationServerParams → AuthorizationServerConfig → discovery handler

With this PR, operators can enable CIMD by setting:

authServer:
  cimd:
    enabled: true
    cache_max_size: 256       # optional, default 256
    cache_fallback_ttl: 5m    # optional, default 5m

When enabled:

• The embedded AS discovery documents advertise client_id_metadata_document_supported: true on both /.well-known/oauth-authorization-server and /.well-known/openid-configuration
• CIMDStorageDecorator wraps the storage so GetClient intercepts HTTPS client_id values, fetches the metadata document, and caches the result

CIMD is opt-in (disabled by default) to avoid introducing outbound HTTPS fetching in existing deployments without explicit operator action.

Key implementation note

The decorator is applied after runLegacyMigration (which needs the unwrapped *RedisStorage for type assertion) and before createProvider (so fosite holds the decorated storage and HTTPS client_id values are intercepted during GetClient).

Known limitations

• Operator CRD not updated: MCPExternalAuthConfig has no authServer.cimd field yet. Kubernetes operators must configure CIMD via RunConfig YAML directly. CRD support is deferred to a follow-up (tracked with // TODO(cimd) comments in config.go).

Type of change

• New feature (non-breaking, opt-in only)

Test plan

• go test ./pkg/authserver/... — all 13 packages pass
• Config validation: CIMDCacheMaxSize < 1 rejected at boot when enabled
• Defaults applied: 256 entries, 5 min fallback TTL when not specified
• Discovery tests: client_id_metadata_document_supported present/absent based on CIMDEnabled
• resolveCIMDConfig nil-guard tested

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 79.41176% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.77%. Comparing base (2043cf6) to head (1d2c18c).

Files with missing lines	Patch %	Lines
pkg/authserver/server_impl.go	42.85%	3 Missing and 1 partial ⚠️
pkg/authserver/config.go	66.66%	1 Missing and 1 partial ⚠️
pkg/oauthproto/cimd.go	90.90%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5348      +/-   ##
==========================================
- Coverage   68.81%   68.77%   -0.04%     
==========================================
  Files         627      627              
  Lines       63594    63625      +31     
==========================================
- Hits        43762    43759       -3     
- Misses      16583    16612      +29     
- Partials     3249     3254       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.