safire 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f9d11ee8ab8db74c9b225f12835caaf092616a0044372252617783b6187e3043
-  data.tar.gz: 8d73cdb90ed9d4ca7ec1e028bfe3e68464c7284f73e2d101a084be346e9b0085
+  metadata.gz: e2907e363c56d115aedcc6b5bb0aa55a1780757a7a9fc8dfc3f8853262c4c926
+  data.tar.gz: 2cf29245a45cb4ad067418a1a23ad2c3bcddac91c3bb672a0b2b6901391af761
 SHA512:
-  metadata.gz: bf3cd169be16cb9598f2de3f572d0efeeb6c0ed98826b0690588c684e15c2a95afc6cf340d35a53c0f6d9eebc11c59dafdcdd02e71b0ddb8fbf629071644d90b
-  data.tar.gz: 6beaec7923441fb46d8fc4cc193ffff16354bb60fb62f141a3a36131e22f275df3d4ddfa31dd5548eebb6ad3a8872cd952c4cc4ab9dc31968b9eb644b0d097be
+  metadata.gz: 814cf46717388979bd1a5e7a3666a30fcd1cdc19fd6eb4f71e30a0916d91993104bdf94566736390e3ec39f320eef1ec1bd1621afcacfc8c89b9de376522d038
+  data.tar.gz: 15dbfb7e5927ebbf91ae9aad6e2658f7f4cc9e42a6e0282267844c063e4693651a6c7348b6e71f24dfc5d75d525b5b0a3a0339e3888d9410c6c15babbbdf8944

data/.claude/skills/release-safire/SKILL.md

@@ -0,0 +1,151 @@
+---
+name: release-safire
+description: Run the full Safire gem release workflow
+argument-hint: Optional target version (e.g. 0.3.0); omit to auto-determine from CHANGELOG
+---
+
+# Safire Release Workflow
+
+You are guiding the user through a complete Safire gem release. Follow each phase in order. **Never modify files or run commands without explicit user approval.** All commits must use `-s` (Signed-off-by) and one-line subjects.
+
+## Context
+
+Before proceeding, gather context by reading these files directly (do not shell out):
+- Read `lib/safire/version.rb` to determine the current version
+- Read `CHANGELOG.md` to find the `## [Unreleased]` section and its entries
+- Run `git branch --show-current` to confirm the current branch
+- Run `git status --short` to check for any uncommitted changes
+
+---
+
+## Phase 1: Determine Target Version
+
+Target version argument: $ARGUMENTS
+
+If `$ARGUMENTS` is blank, analyze the [Unreleased] CHANGELOG section and recommend a version bump:
+- **PATCH** (X.Y.Z+1): bug fixes only
+- **MINOR** (X.Y+1.0): new backward-compatible features
+- **MAJOR** (X+1.0.0): breaking changes
+
+Present your recommendation with reasoning. Ask the user to confirm or provide a different version before proceeding.
+
+---
+
+## Phase 2: Pre-Release Checks
+
+Present this checklist and ask the user to approve running all checks before proceeding:
+
+1. `bundle exec rspec` — all tests must pass
+2. `bundle exec rubocop` — zero offenses
+3. `bundle exec bundler-audit check --update` — no known vulnerabilities
+4. `cd docs && bundle exec jekyll build` — docs must build clean
+
+Run each check sequentially and report results. If any check fails, stop and clearly describe what needs to be fixed. Do not proceed to Phase 3 until all checks pass.
+
+---
+
+## Phase 3: Create Release Branch
+
+Ask the user to approve creating the release branch, then run:
+
+```
+git checkout main
+git pull origin main
+git checkout -b release-X.Y.Z
+```
+
+Replace `X.Y.Z` with the confirmed target version.
+
+---
+
+## Phase 4: Update CHANGELOG.md (docs commit)
+
+Show the user the exact diff you will make:
+- Rename `## [Unreleased]` → `## [X.Y.Z] - YYYY-MM-DD` (use today's date)
+- Add a fresh empty `## [Unreleased]` section above the new versioned entry
+
+Wait for approval, then edit `CHANGELOG.md`.
+
+After editing, ask the user to approve this commit:
+```
+git add CHANGELOG.md
+git commit -s -m "Update CHANGELOG for vX.Y.Z"
+```
+
+Stage `CHANGELOG.md` only — no other files.
+
+---
+
+## Phase 5: Bump Version and Update Gemfile.lock (release commit)
+
+Show the user the exact change to `lib/safire/version.rb`:
+```ruby
+VERSION = 'X.Y.Z'.freeze
+```
+
+Wait for approval, then edit the file and run `bundle install` to regenerate `Gemfile.lock`.
+
+Ask the user to approve this commit:
+```
+git add lib/safire/version.rb Gemfile.lock
+git commit -s -m "Bump version to X.Y.Z"
+```
+
+Stage `lib/safire/version.rb` and `Gemfile.lock` only — no other files.
+
+---
+
+## Phase 6: Local Gem Verification
+
+Ask the user to approve running local verification (no files will be committed):
+
+```bash
+gem build safire.gemspec
+gem install ./safire-X.Y.Z.gem
+ruby -e "require 'safire'; puts Safire::VERSION"
+rm safire-X.Y.Z.gem
+```
+
+The `ruby -e` line must print `X.Y.Z`. If it does not, stop and report the issue. Never commit the `.gem` file.
+
+---
+
+## Phase 7: Push Release Branch
+
+Ask the user to approve:
+```
+git push -u origin release-X.Y.Z
+```
+
+---
+
+## Phase 8: Open Release PR
+
+Show the proposed PR and ask for approval before running `gh pr create`:
+
+- **Title:** `Release vX.Y.Z`
+- **Body:** the full CHANGELOG entry for this version (the `## [X.Y.Z] - YYYY-MM-DD` block)
+
+---
+
+## Phase 9: Post-Merge Instructions
+
+After the PR is created, tell the user the remaining manual steps:
+
+1. **Merge the PR** once CI passes and it is approved.
+2. **Create a GitHub Release** after merge:
+   - Tag: `vX.Y.Z` on `main`
+   - Title: `Safire vX.Y.Z`
+   - Notes: the CHANGELOG entry for this version
+3. **Publishing is automated** — `.github/workflows/publish-gem.yml` triggers on release creation.
+4. **Verify** once published: `gem info safire -r`
+
+---
+
+## Rules (never violate)
+
+- All commits use `-s`; subjects are one-line only
+- Two-commit structure on the release branch: docs commit (CHANGELOG) then release commit (version.rb + Gemfile.lock)
+- Never commit a `.gem` file
+- Separate doc changes from code changes into distinct commits
+- Always get explicit user approval before modifying files or running commands

data/CHANGELOG.md

@@ -7,13 +7,84 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.0] - 2026-04-15
+
+### Added
+
+- `Safire::Client#register_client` implements the OAuth 2.0 Dynamic Client Registration
+  Protocol (RFC 7591): POSTs client metadata to the server's registration endpoint and
+  returns the response as a Hash containing at minimum a `client_id`
+  - Endpoint is resolved from SMART discovery (`registration_endpoint` field) when not
+    supplied explicitly via the `registration_endpoint:` keyword argument; HTTPS is
+    enforced on the endpoint regardless of source
+  - Supports an optional initial access token via the `authorization:` keyword argument
+    (full `Authorization` header value including token type prefix)
+  - Raises `Safire::Errors::DiscoveryError` when no registration endpoint is available,
+    `Safire::Errors::RegistrationError` on server error or a 2xx response missing
+    `client_id`, and `Safire::Errors::NetworkError` on transport failure
+- `Safire::Errors::RegistrationError` — new error class for Dynamic Client Registration
+  failures; inherits from `Safire::Errors::OAuthError` with `status`, `error_code`,
+  `error_description`, and `received_fields` attributes
+- `Safire::Errors::OAuthError` — new shared base class for `RegistrationError`,
+  `TokenError`, and `AuthError`; provides `status`, `error_code`, and
+  `error_description` attributes and can be used as a single rescue point for any
+  server-side OAuth protocol error
+
+### Changed
+
+- `client_id` is now optional at `ClientConfig` and `Protocols::Smart` initialization;
+  all authorization flows (`authorization_url`, `request_access_token`, `refresh_token`,
+  `request_backend_token`) validate its presence at call time and raise
+  `Safire::Errors::ConfigurationError` if it is absent
+- `Protocols::Smart#token_endpoint` now raises `Safire::Errors::DiscoveryError` when
+  the discovery response does not include a `token_endpoint` field, rather than silently
+  passing `nil` to the HTTP client
+
+## [0.2.0] - 2026-04-04
+
+### Added
+
+- SMART Backend Services Authorization flow (`client_credentials` grant) via
+  `Safire::Client#request_backend_token` and `Safire::Protocols::Smart#request_backend_token`:
+  - Authenticates exclusively via a signed JWT assertion (RS384 or ES384); no redirect,
+    PKCE, or user interaction required
+  - Scope defaults to `["system/*.rs"]` when none is configured or provided
+  - `private_key` and `kid` can be overridden per call
+- `token_response_valid?` now accepts a `flow:` keyword argument (`:app_launch` default):
+  when `flow: :backend_services`, also validates `expires_in` presence (required per
+  SMART Backend Services spec)
+- `token_response_valid?` accepts both `"Bearer"` (SMART App Launch spec) and `"bearer"`
+  (SMART Backend Services) as valid `token_type` values; the non-compliance warning
+  now references the expected value for the active flow
+- `SmartMetadata#supports_backend_services?` returns `true` when the server advertises the
+  `client_credentials` grant type and supports `private_key_jwt` authentication
+  (i.e. `grant_types_supported` includes `"client_credentials"` and
+  `supports_asymmetric_auth?` is `true`)
+
+### Changed
+
+- Corrected spec name throughout: "SMART on FHIR" → "SMART App Launch" per the
+  [SMART App Launch IG](https://hl7.org/fhir/smart-app-launch/); Backend Services is
+  presented as a feature within the spec, not a separate spec
+- `redirect_uri` and `authorization_endpoint` are now optional in `Safire::Protocols::Smart`;
+  both are validated only when `authorization_url` is called (app launch flow)
+- `redirect_uri` is now optional in `Safire::ClientConfig` to support backend services
+  clients that operate without a redirect URI; the field is still validated when provided
+
+### Fixed
+
+- YARD API docs nav links broken after in-page navigation: relative hrefs from the nav
+  iframe were resolved against the parent window URL (which changes on each navigation)
+  instead of the iframe base; `bin/docs` now patches the generated `full_list.js` to
+  resolve links to absolute URLs before messaging the parent
+
 ## [0.1.0] - 2026-03-25
 
 ### Added
 
 - `Safire::Client` facade with `protocol:` (`:smart`) and `client_type:`
   (`:public`, `:confidential_symmetric`, `:confidential_asymmetric`) keywords
-- SMART on FHIR App Launch 2.2.0 support via `Safire::Protocols::Smart`:
+- SMART App Launch 2.2.0 support via `Safire::Protocols::Smart`:
   - Server metadata discovery from `/.well-known/smart-configuration`
   - Authorization URL builder for GET and POST-based authorization
     (`authorize-post` capability)

data/Gemfile

@@ -20,6 +20,7 @@ group :development do
 end
 
 group :test do
+  gem 'dotenv', '~> 3.0'
   gem 'simplecov', require: false
   gem 'simplecov-cobertura', require: false
   gem 'webmock', '~> 3.18'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    safire (0.1.0)
+    safire (0.3.0)
       activesupport (~> 8.0.0)
       addressable (~> 2.8)
       faraday (~> 2.14)
@@ -47,6 +47,7 @@ GEM
       reline (>= 0.3.8)
     diff-lcs (1.6.2)
     docile (1.4.1)
+    dotenv (3.2.0)
     drb (2.2.3)
     erb (5.0.3)
     faraday (2.14.1)
@@ -65,7 +66,7 @@ GEM
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.19.2)
+    json (2.19.3)
     jwt (2.10.2)
       base64
     language_server-protocol (3.17.0.5)
@@ -77,7 +78,7 @@ GEM
     net-http (0.9.1)
       uri (>= 0.11.1)
     parallel (1.27.0)
-    parser (3.3.10.2)
+    parser (3.3.11.1)
       ast (~> 2.4.1)
       racc
     pp (0.6.3)
@@ -117,11 +118,11 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.6)
-    rubocop (1.86.0)
+    rubocop (1.86.1)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
-      parallel (~> 1.10)
+      parallel (>= 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
@@ -147,7 +148,7 @@ GEM
     simplecov_json_formatter (0.1.4)
     stringio (3.1.9)
     thor (1.4.0)
-    timecop (0.9.10)
+    timecop (0.9.11)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (3.2.0)
@@ -158,7 +159,7 @@ GEM
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    yard (0.9.38)
+    yard (0.9.41)
 
 PLATFORMS
   ruby
@@ -167,6 +168,7 @@ PLATFORMS
 DEPENDENCIES
   bundler-audit (~> 0.9)
   debug
+  dotenv (~> 3.0)
   pry
   pry-byebug
   rspec (~> 3.12)

data/README.md

@@ -5,19 +5,21 @@
 [![Coverage](https://codecov.io/gh/vanessuniq/safire/branch/main/graph/badge.svg)](https://codecov.io/gh/vanessuniq/safire)
 [![Documentation](https://img.shields.io/badge/docs-yard-blue.svg)](https://vanessuniq.github.io/safire)
 
-Safire is a lean Ruby library that implements [SMART on FHIR](https://hl7.org/fhir/smart-app-launch/) and [UDAP](https://hl7.org/fhir/us/udap-security/) client protocols for healthcare applications.
+Safire is a Ruby gem implementing the [SMART App Launch 2.2.0](https://hl7.org/fhir/smart-app-launch/) specification and the [UDAP Security](https://hl7.org/fhir/us/udap-security/) protocol for healthcare client applications. It handles OAuth 2.0 authorization against HL7 FHIR servers, covering PKCE, private key JWT assertions, and the Backend Services system-to-system flow, so you can focus on your application rather than protocol plumbing.
 
 ---
 
 ## Features
 
-### SMART on FHIR App Launch (v2.2.0)
+### SMART App Launch (v2.2.0)
 
+- Dynamic Client Registration (RFC 7591): obtain a `client_id` at runtime by POSTing client metadata to the server's registration endpoint
 - Discovery (`/.well-known/smart-configuration`)
 - Public Client (PKCE)
 - Confidential Symmetric Client (`client_secret` + HTTP Basic Auth)
 - Confidential Asymmetric Client (`private_key_jwt` with RS384/ES384)
 - POST-Based Authorization
+- Backend Services (`client_credentials` grant, JWT assertion, no user interaction or PKCE; scope defaults to `system/*.rs`)
 
 ### UDAP
 
@@ -46,10 +48,12 @@ require 'safire'
 
 # Step 1 — Create a client (Hash config or Safire::ClientConfig.new)
 client = Safire::Client.new(
-  base_url:     'https://launch.smarthealthit.org/v/r4/sim/eyJoIjoiMSJ9/fhir',
-  client_id:    'my_client_id',
-  redirect_uri: 'https://myapp.example.com/callback',
-  scopes:       ['openid', 'profile', 'patient/*.read']
+  {
+    base_url:     'https://launch.smarthealthit.org/v/r4/sim/eyJoIjoiMSJ9/fhir',
+    client_id:    'my_client_id',
+    redirect_uri: 'https://myapp.example.com/callback',
+    scopes:       ['openid', 'profile', 'patient/*.read']
+  }
 )
 
 # Step 2 — Discover SMART metadata (lazy — only called when needed)
@@ -98,6 +102,35 @@ client = Safire::Client.new(
 # Authorization and token exchange are identical — Safire builds the JWT assertion automatically
 ```
 
+### Backend Services (system-to-system)
+
+No user interaction, redirect URI, or PKCE required — the client authenticates entirely via a signed JWT assertion:
+
+```ruby
+client = Safire::Client.new(
+  {
+    base_url:    'https://fhir.example.com',
+    client_id:   'my_backend_client',
+    private_key: OpenSSL::PKey::RSA.new(File.read('private_key.pem')),
+    kid:         'my-key-id-123',
+    scopes:      ['system/Patient.rs', 'system/Observation.rs']
+  }
+)
+
+token_data = client.request_backend_token
+# token_data => { "access_token" => "...", "token_type" => "Bearer", "expires_in" => 300, ... }
+
+# Override scope or credentials per call
+token_data = client.request_backend_token(
+  scopes:      ['system/Patient.rs'],
+  private_key: OpenSSL::PKey::RSA.new(File.read('new_key.pem')),
+  kid:         'new-key-id'
+)
+
+# Validate the token response (flow: :backend_services also checks expires_in)
+client.token_response_valid?(token_data, flow: :backend_services)
+```
+
 ---
 
 ## Configuration
@@ -122,7 +155,7 @@ bin/demo
 # Visit http://localhost:4567
 ```
 
-Demonstrates SMART discovery, all authorization flows, and token refresh. See [`examples/sinatra_app/README.md`](examples/sinatra_app/README.md) for details.
+Demonstrates Dynamic Client Registration, SMART discovery, all authorization flows, token refresh, and backend services token requests. See [`examples/sinatra_app/README.md`](examples/sinatra_app/README.md) for details.
 
 ---
 

data/ROADMAP.md

@@ -1,6 +1,6 @@
 # Safire Roadmap
 
-## Current Release — v0.0.1
+## Current Release — v0.2.0
 
 Safire is in early development (pre-release). The API is functional but not yet stable — breaking changes may occur before v1.0.0. Published to [RubyGems](https://rubygems.org/gems/safire).
 
@@ -10,7 +10,7 @@ Feedback, bug reports, and pull requests are welcome via the [issue tracker](htt
 
 ## Implemented Features
 
-### SMART on FHIR App Launch (v2.2.0)
+### SMART App Launch (v2.2.0)
 
 - **Discovery** — lazy fetch of `/.well-known/smart-configuration`; metadata cached per client instance
 - **Public Client** — PKCE-only authorization code flow (RS256/ES256)
@@ -19,16 +19,13 @@ Feedback, bug reports, and pull requests are welcome via the [issue tracker](htt
 - **POST-Based Authorization** — form-encoded authorization requests
 - **JWT Assertion Builder** — signed JWT assertions with configurable `kid` and expiry
 - **PKCE** — automatic code verifier and challenge generation
+- **Backend Services** — `client_credentials` grant for system-to-system flows; JWT assertion (RS384/ES384); no user interaction, redirect, or PKCE required; scope defaults to `system/*.rs` when not configured
+- **Dynamic Client Registration** — runtime client registration per [RFC 7591](https://www.rfc-editor.org/rfc/rfc7591); endpoint discovered from SMART metadata or supplied explicitly; supports initial access token
 
 ---
 
 ## Planned Features
 
-### SMART on FHIR
-
-- **Backend Services** — `client_credentials` grant for system-to-system flows (no user interaction)
-- **Dynamic Client Registration** — programmatic client registration per [RFC 7591](https://www.rfc-editor.org/rfc/rfc7591)
-
 ### UDAP Security
 
 - **UDAP Discovery** — `/.well-known/udap` metadata fetch and validation

data/docs/Gemfile.lock

@@ -4,7 +4,7 @@ GEM
     addressable (2.8.8)
       public_suffix (>= 2.0.2, < 8.0)
     base64 (0.3.0)
-    bigdecimal (4.0.1)
+    bigdecimal (4.1.1)
     colorator (1.1.0)
     concurrent-ruby (1.3.6)
     csv (3.3.5)
@@ -140,7 +140,7 @@ DEPENDENCIES
 CHECKSUMS
   addressable (2.8.8) sha256=7c13b8f9536cf6364c03b9d417c19986019e28f7c00ac8132da4eb0fe393b057
   base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
-  bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
+  bigdecimal (4.1.1) sha256=1c09efab961da45203c8316b0cdaec0ff391dfadb952dd459584b63ebf8054ca
   colorator (1.1.0) sha256=e2f85daf57af47d740db2a32191d1bdfb0f6503a0dfbc8327d0c9154d5ddfc38
   concurrent-ruby (1.3.6) sha256=6b56837e1e7e5292f9864f34b69c5a2cbc75c0cf5338f1ce9903d10fa762d5ab
   csv (3.3.5) sha256=6e5134ac3383ef728b7f02725d9872934f523cb40b961479f69cf3afa6c8e73f

data/docs/_config.yml

@@ -19,7 +19,10 @@
 # in the templates via {{ site.myvariable }}.
 
 title: Safire Documentation
-description: SMART on FHIR and UDAP implementation library for Ruby
+tagline: Ruby gem for SMART App Launch and UDAP protocols
+description: SMART App Launch and UDAP implementation library for Ruby
+author: Vanessa Fotso
+lang: en-US
 baseurl: /safire
 url: https://vanessuniq.github.io
 

data/docs/adr/ADR-002-facade-and-forwardable.md

@@ -13,7 +13,7 @@ nav_order: 2
 
 ## Context
 
-Safire must support multiple authorization protocols (SMART on FHIR, UDAP) from a single public entry point. There are several ways to structure this:
+Safire must support multiple authorization protocols (SMART App Launch, UDAP) from a single public entry point. There are several ways to structure this:
 
 **Option A — Monolithic `Client`:** implement all protocol logic directly inside `Safire::Client`. Simple at first, but grows unbounded as each protocol adds methods, and makes it impossible to test protocol logic in isolation.
 

data/docs/adr/ADR-003-protocol-vs-client-type.md

@@ -13,7 +13,7 @@ nav_order: 3
 
 ## Context
 
-`Safire::Client` needs to support multiple healthcare authorization protocols (SMART on FHIR, UDAP) and, within SMART, multiple client authentication methods (public, confidential symmetric, confidential asymmetric). There are two ways to model this:
+`Safire::Client` needs to support multiple healthcare authorization protocols (SMART, UDAP) and, within SMART, multiple client authentication methods (public, confidential symmetric, confidential asymmetric). There are two ways to model this:
 
 **Option A — flat enum:** a single parameter enumerating every combination.
 

data/docs/adr/ADR-006-lazy-discovery.md

@@ -13,7 +13,7 @@ nav_order: 6
 
 ## Context
 
-SMART on FHIR clients need the authorization server's endpoints (`authorization_endpoint`, `token_endpoint`) to build authorization URLs and request tokens. These are obtained by fetching `/.well-known/smart-configuration`. There are two approaches:
+SMART clients need the authorization server's endpoints (`authorization_endpoint`, `token_endpoint`) to build authorization URLs and request tokens. These are obtained by fetching `/.well-known/smart-configuration`. There are two approaches:
 
 **Option A — eager discovery:** fetch metadata in `Smart#initialize`.
 

data/docs/adr/ADR-008-warn-return-false-for-compliance-validation.md

@@ -25,7 +25,7 @@ The question is: what should compliance checks do when they find a violation?
 
 **Option B — Warn and return false:** log a warning via `Safire.logger` for each violation found, then return `false`. Never raise.
 
-Option A treats a non-compliant server as an unrecoverable error. In practice, some production FHIR servers have minor token response non-compliance (e.g. `token_type: "bearer"` in lowercase rather than `"Bearer"`) but are otherwise functional. Raising an exception would prevent Safire from working with those servers entirely, with no way for callers to override the decision.
+Option A treats a non-compliant server as an unrecoverable error. In practice, some production FHIR servers have minor token response non-compliance (e.g. returning `token_type: "BEARER"` instead of the spec-required value) but are otherwise functional. Raising an exception would prevent Safire from working with those servers entirely, with no way for callers to override the decision.
 
 Option B lets the caller decide what to do: they can check the return value, observe the warnings in their logs, and choose to proceed or abort. This is consistent with how Ruby standard library methods (e.g. `URI.parse`, `JSON.parse` with `rescue nil`) handle validation — surface the issue, let the caller decide.
 
@@ -38,9 +38,9 @@ There is also a clear boundary: **the caller controls the config** (configuratio
 Compliance validation methods use the **warn + return false** pattern:
 
 ```ruby
-def token_response_valid?(response)
+def token_response_valid?(response, flow: :app_launch)
   # ...
-  Safire.logger.warn("SMART token response non-compliance: token_type is #{...}; expected 'Bearer'")
+  Safire.logger.warn("SMART token response non-compliance: token_type is #{...}; expected 'Bearer' (SMART App Launch spec)")
   false
 end
 
@@ -72,3 +72,4 @@ Configuration validation (`ClientConfig#validate!`, `Smart#validate!`) raises `C
 **Trade-offs:**
 - Callers who do not call `token_response_valid?` get no compliance signal at all — non-compliant responses are silently accepted; this is intentional (opt-in, not opt-out)
 - The distinction between "warn + return false" and "raise" must be maintained consistently — new validation methods should follow the same rule: server behaviour → warn; caller configuration → raise
+- `token_response_valid?` accepts a `flow:` keyword argument (`:app_launch` default, `:backend_services`) that adjusts which fields are required and what the warning messages say. For example, `token_type` must be `"Bearer"` (App Launch spec) or `"bearer"` (Backend Services spec), and `expires_in` is RECOMMENDED for App Launch but REQUIRED for Backend Services. Callers opt in to the stricter backend-services validation by passing `flow: :backend_services`

data/docs/adr/ADR-009-oauth-error-hierarchy.md

@@ -0,0 +1,80 @@
+---
+layout: default
+title: "ADR-009: OAuthError base class and ReceivesFields mixin for protocol error hierarchy"
+parent: Architecture Decision Records
+nav_order: 9
+---
+
+# ADR-009: OAuthError base class and ReceivesFields mixin for protocol error hierarchy
+
+**Status:** Accepted
+
+---
+
+## Context
+
+Three protocol operations can return OAuth2-style error responses: token exchange (`TokenError`), authorization failure (`AuthError`), and dynamic client registration (`RegistrationError`). All three carry the same RFC-defined fields — HTTP `status`, an OAuth2 `error` code, and an `error_description` string — and all three produce structured error messages from those fields.
+
+`TokenError` and `RegistrationError` have a second failure path: the server returns a 2xx response but omits the field the caller requires (`access_token` or `client_id`). In that case the error must report which fields were present in the response, without logging their values, to assist debugging without leaking data.
+
+Without a shared foundation, each error class would duplicate the constructor, the attribute readers, and the message-building logic.
+
+**Option A — Duplicate per class:** each error class independently defines `attr_reader :status, :error_code, :error_description`, its own constructor, and its own `build_message` method.
+
+**Option B — Extract a shared base:** introduce `OAuthError < Error` with a template-method design; each subclass overrides `operation_label` to supply the lead phrase of the error message. Extract a `ReceivesFields` mixin for the structural failure path (`received_fields` attribute + constructor forwarding), included only by the two classes that need it.
+
+---
+
+## Decision
+
+Option B — `OAuthError` as a shared base class with `ReceivesFields` as a private mixin.
+
+```ruby
+class OAuthError < Error
+  attr_reader :status, :error_code, :error_description
+
+  def initialize(status: nil, error_code: nil, error_description: nil)
+    @status = status; @error_code = error_code; @error_description = error_description
+    super(build_message)
+  end
+
+  private
+
+  def operation_label
+    raise NotImplementedError, "#{self.class} must define #operation_label"
+  end
+
+  def build_message
+    parts = [operation_label]
+    parts << "HTTP #{@status}" if @status
+    parts << @error_code       if @error_code
+    parts << @error_description if @error_description
+    parts.join(' — ')
+  end
+end
+
+module ReceivesFields
+  def self.included(base) = base.attr_reader :received_fields
+  def initialize(received_fields: nil, **) = (@received_fields = received_fields; super(**))
+end
+
+class TokenError        < OAuthError; include ReceivesFields; ... end
+class AuthError         < OAuthError; ...                          end
+class RegistrationError < OAuthError; include ReceivesFields; ... end
+```
+
+Each subclass defines only `operation_label` and, when needed, overrides `build_message` for the structural path.
+
+---
+
+## Consequences
+
+**Benefits:**
+- DRY: each concrete error class is a handful of lines; the shared attributes and message format are defined once
+- Consistent error messages across all three operations; callers and log parsers see the same structure
+- `ReceivesFields` is `@api private` — callers interact only with `TokenError` and `RegistrationError`; the mixin is an implementation detail
+- Adding a new OAuth-style error (e.g. for a future introspection endpoint) requires only a new subclass with `operation_label`
+
+**Trade-offs:**
+- The `operation_label` template method raises `NotImplementedError` at runtime if a subclass forgets to define it; a compile-time check is not possible in Ruby
+- `ReceivesFields` modifies the constructor via `super(**)` forwarding, which requires care when the inheritance chain has multiple `initialize` overrides