npm - @lobu/gateway - Versions diffs - 2.8.0 → 3.0.6 - Mend

@lobu/gateway 2.8.0 → 3.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/package.json +2 -2
package/src/__tests__/agent-config-routes.test.ts +254 -0
package/src/__tests__/agent-history-routes.test.ts +72 -0
package/src/__tests__/agent-routes.test.ts +68 -0
package/src/__tests__/agent-schedules-routes.test.ts +59 -0
package/src/__tests__/agent-settings-store.test.ts +323 -0
package/src/__tests__/chat-instance-manager-slack.test.ts +204 -0
package/src/__tests__/chat-response-bridge.test.ts +131 -0
package/src/__tests__/config-memory-plugins.test.ts +92 -0
package/src/__tests__/config-request-store.test.ts +127 -0
package/src/__tests__/connection-routes.test.ts +144 -0
package/src/__tests__/core-services-store-selection.test.ts +92 -0
package/src/__tests__/docker-deployment.test.ts +1211 -0
package/src/__tests__/embedded-deployment.test.ts +342 -0
package/src/__tests__/grant-store.test.ts +148 -0
package/src/__tests__/http-proxy.test.ts +281 -0
package/src/__tests__/instruction-service.test.ts +37 -0
package/src/__tests__/link-buttons.test.ts +112 -0
package/src/__tests__/lobu.test.ts +32 -0
package/src/__tests__/mcp-config-service.test.ts +347 -0
package/src/__tests__/mcp-proxy.test.ts +696 -0
package/src/__tests__/message-handler-bridge.test.ts +17 -0
package/src/__tests__/model-selection.test.ts +172 -0
package/src/__tests__/oauth-templates.test.ts +39 -0
package/src/__tests__/platform-adapter-slack-send.test.ts +114 -0
package/src/__tests__/platform-helpers-model-resolution.test.ts +253 -0
package/src/__tests__/provider-inheritance.test.ts +212 -0
package/src/__tests__/routes/cli-auth.test.ts +337 -0
package/src/__tests__/routes/interactions.test.ts +121 -0
package/src/__tests__/secret-proxy.test.ts +85 -0
package/src/__tests__/session-manager.test.ts +572 -0
package/src/__tests__/setup.ts +133 -0
package/src/__tests__/skill-and-mcp-registry.test.ts +203 -0
package/src/__tests__/slack-routes.test.ts +161 -0
package/src/__tests__/system-config-resolver.test.ts +75 -0
package/src/__tests__/system-message-limiter.test.ts +89 -0
package/src/__tests__/system-skills-service.test.ts +362 -0
package/src/__tests__/transcription-service.test.ts +222 -0
package/src/__tests__/utils/rate-limiter.test.ts +102 -0
package/src/__tests__/worker-connection-manager.test.ts +497 -0
package/src/__tests__/worker-job-router.test.ts +722 -0
package/src/api/index.ts +1 -0
package/src/api/platform.ts +292 -0
package/src/api/response-renderer.ts +157 -0
package/src/auth/agent-metadata-store.ts +168 -0
package/src/auth/api-auth-middleware.ts +69 -0
package/src/auth/api-key-provider-module.ts +213 -0
package/src/auth/base-provider-module.ts +201 -0
package/src/auth/chatgpt/chatgpt-oauth-module.ts +185 -0
package/src/auth/chatgpt/device-code-client.ts +218 -0
package/src/auth/chatgpt/index.ts +1 -0
package/src/auth/claude/oauth-module.ts +280 -0
package/src/auth/cli/token-service.ts +249 -0
package/src/auth/external/client.ts +560 -0
package/src/auth/external/device-code-client.ts +225 -0
package/src/auth/mcp/config-service.ts +392 -0
package/src/auth/mcp/proxy.ts +1088 -0
package/src/auth/mcp/string-substitution.ts +17 -0
package/src/auth/mcp/tool-cache.ts +90 -0
package/src/auth/oauth/base-client.ts +267 -0
package/src/auth/oauth/client.ts +153 -0
package/src/auth/oauth/credentials.ts +7 -0
package/src/auth/oauth/providers.ts +69 -0
package/src/auth/oauth/state-store.ts +150 -0
package/src/auth/oauth-templates.ts +179 -0
package/src/auth/provider-catalog.ts +220 -0
package/src/auth/provider-model-options.ts +41 -0
package/src/auth/settings/agent-settings-store.ts +565 -0
package/src/auth/settings/auth-profiles-manager.ts +216 -0
package/src/auth/settings/index.ts +12 -0
package/src/auth/settings/model-preference-store.ts +52 -0
package/src/auth/settings/model-selection.ts +135 -0
package/src/auth/settings/resolved-settings-view.ts +298 -0
package/src/auth/settings/template-utils.ts +44 -0
package/src/auth/settings/token-service.ts +88 -0
package/src/auth/system-env-store.ts +98 -0
package/src/auth/user-agents-store.ts +68 -0
package/src/channels/binding-service.ts +214 -0
package/src/channels/index.ts +4 -0
package/src/cli/gateway.ts +1304 -0
package/src/cli/index.ts +74 -0
package/src/commands/built-in-commands.ts +80 -0
package/src/commands/command-dispatcher.ts +94 -0
package/src/commands/command-reply-adapters.ts +27 -0
package/src/config/file-loader.ts +618 -0
package/src/config/index.ts +588 -0
package/src/config/network-allowlist.ts +71 -0
package/src/connections/chat-instance-manager.ts +1284 -0
package/src/connections/chat-response-bridge.ts +618 -0
package/src/connections/index.ts +7 -0
package/src/connections/interaction-bridge.ts +831 -0
package/src/connections/message-handler-bridge.ts +415 -0
package/src/connections/platform-auth-methods.ts +15 -0
package/src/connections/types.ts +84 -0
package/src/gateway/connection-manager.ts +291 -0
package/src/gateway/index.ts +700 -0
package/src/gateway/job-router.ts +201 -0
package/src/gateway-main.ts +200 -0
package/src/index.ts +41 -0
package/src/infrastructure/queue/index.ts +12 -0
package/src/infrastructure/queue/queue-producer.ts +148 -0
package/src/infrastructure/queue/redis-queue.ts +361 -0
package/src/infrastructure/queue/types.ts +133 -0
package/src/infrastructure/redis/system-message-limiter.ts +94 -0
package/src/interactions/config-request-store.ts +198 -0
package/src/interactions.ts +363 -0
package/src/lobu.ts +311 -0
package/src/metrics/prometheus.ts +159 -0
package/src/modules/module-system.ts +179 -0
package/src/orchestration/base-deployment-manager.ts +900 -0
package/src/orchestration/deployment-utils.ts +98 -0
package/src/orchestration/impl/docker-deployment.ts +620 -0
package/src/orchestration/impl/embedded-deployment.ts +268 -0
package/src/orchestration/impl/index.ts +8 -0
package/src/orchestration/impl/k8s/deployment.ts +1061 -0
package/src/orchestration/impl/k8s/helpers.ts +610 -0
package/src/orchestration/impl/k8s/index.ts +1 -0
package/src/orchestration/index.ts +333 -0
package/src/orchestration/message-consumer.ts +584 -0
package/src/orchestration/scheduled-wakeup.ts +704 -0
package/src/permissions/approval-policy.ts +36 -0
package/src/permissions/grant-store.ts +219 -0
package/src/platform/file-handler.ts +66 -0
package/src/platform/link-buttons.ts +57 -0
package/src/platform/renderer-utils.ts +44 -0
package/src/platform/response-renderer.ts +84 -0
package/src/platform/unified-thread-consumer.ts +187 -0
package/src/platform.ts +318 -0
package/src/proxy/http-proxy.ts +752 -0
package/src/proxy/proxy-manager.ts +81 -0
package/src/proxy/secret-proxy.ts +402 -0
package/src/proxy/token-refresh-job.ts +143 -0
package/src/routes/internal/audio.ts +141 -0
package/src/routes/internal/device-auth.ts +566 -0
package/src/routes/internal/files.ts +226 -0
package/src/routes/internal/history.ts +69 -0
package/src/routes/internal/images.ts +127 -0
package/src/routes/internal/interactions.ts +84 -0
package/src/routes/internal/middleware.ts +23 -0
package/src/routes/internal/schedule.ts +226 -0
package/src/routes/internal/types.ts +22 -0
package/src/routes/openapi-auto.ts +239 -0
package/src/routes/public/agent-access.ts +23 -0
package/src/routes/public/agent-config.ts +675 -0
package/src/routes/public/agent-history.ts +422 -0
package/src/routes/public/agent-schedules.ts +296 -0
package/src/routes/public/agent.ts +1086 -0
package/src/routes/public/agents.ts +373 -0
package/src/routes/public/channels.ts +191 -0
package/src/routes/public/cli-auth.ts +883 -0
package/src/routes/public/connections.ts +574 -0
package/src/routes/public/landing.ts +16 -0
package/src/routes/public/oauth.ts +147 -0
package/src/routes/public/settings-auth.ts +104 -0
package/src/routes/public/slack.ts +173 -0
package/src/routes/shared/agent-ownership.ts +101 -0
package/src/routes/shared/token-verifier.ts +34 -0
package/src/services/core-services.ts +1053 -0
package/src/services/image-generation-service.ts +257 -0
package/src/services/instruction-service.ts +318 -0
package/src/services/mcp-registry.ts +94 -0
package/src/services/platform-helpers.ts +287 -0
package/src/services/session-manager.ts +262 -0
package/src/services/settings-resolver.ts +74 -0
package/src/services/system-config-resolver.ts +90 -0
package/src/services/system-skills-service.ts +229 -0
package/src/services/transcription-service.ts +684 -0
package/src/session.ts +110 -0
package/src/spaces/index.ts +1 -0
package/src/spaces/space-resolver.ts +17 -0
package/src/stores/in-memory-agent-store.ts +403 -0
package/src/stores/redis-agent-store.ts +279 -0
package/src/utils/public-url.ts +44 -0
package/src/utils/rate-limiter.ts +94 -0
package/tsconfig.json +33 -0

package/src/auth/external/client.ts ADDED Viewed

@@ -0,0 +1,560 @@
+import { randomBytes } from "node:crypto";
+import { createLogger } from "@lobu/core";
+import { OAuthClient } from "../oauth/client";
+import type { OAuthCredentials } from "../oauth/credentials";
+import type { OAuthProviderConfig } from "../oauth/providers";
+import {
+  DEVICE_CODE_GRANT_TYPE,
+  type DeviceAuthorizationStartResult,
+  GenericDeviceCodeClient,
+} from "./device-code-client";
+const logger = createLogger("external-auth-client");
+const EXTERNAL_AUTH_CACHE_KEY = "external:auth:client:v3";
+const DISCOVERY_CACHE_TTL_MS = 5 * 60 * 1000;
+const DEFAULT_SCOPE = "profile:read";
+export interface ExternalAuthConfig {
+  issuerUrl: string;
+  clientId?: string;
+  clientSecret?: string;
+  authorizeUrl?: string;
+  tokenUrl?: string;
+  userinfoUrl?: string;
+  deviceAuthorizationUrl?: string;
+  redirectUri: string;
+  /** Additional redirect URIs to register (e.g. PUBLIC_GATEWAY_URL alongside localhost) */
+  additionalRedirectUris?: string[];
+  scope?: string;
+  cacheStore?: {
+    get: (key: string) => Promise<string | null>;
+    set: (key: string, value: string, ttlSeconds: number) => Promise<void>;
+  };
+}
+interface WellKnownMetadata {
+  issuer?: string;
+  authorization_endpoint?: string;
+  token_endpoint?: string;
+  registration_endpoint?: string;
+  userinfo_endpoint?: string;
+  device_authorization_endpoint?: string;
+  token_endpoint_auth_methods_supported?: string[];
+  grant_types_supported?: string[];
+}
+interface UserInfoResponse {
+  sub: string;
+  email: string;
+  name?: string;
+}
+interface DynamicClientCredentials {
+  client_id: string;
+  client_secret?: string;
+  token_endpoint_auth_method?:
+    | "none"
+    | "client_secret_post"
+    | "client_secret_basic";
+  client_secret_expires_at?: number;
+  grant_types?: string[];
+}
+interface ResolvedExternalAuthConfig {
+  clientId: string;
+  clientSecret?: string;
+  authUrl?: string;
+  tokenUrl?: string;
+  userinfoUrl?: string;
+  deviceAuthorizationUrl?: string;
+  grantTypesSupported: string[];
+  tokenEndpointAuthMethod:
+    | "none"
+    | "client_secret_post"
+    | "client_secret_basic";
+}
+export interface ExternalAuthCapabilities {
+  browser: boolean;
+  device: boolean;
+}
+export type ExternalDeviceAuthorizationPollResult =
+  | {
+      status: "pending";
+      interval?: number;
+    }
+  | {
+      status: "error";
+      error: string;
+      errorCode?: string;
+    }
+  | {
+      status: "complete";
+      credentials: OAuthCredentials;
+      user?: UserInfoResponse;
+    };
+export class ExternalAuthClient {
+  private discoveryCache: {
+    metadata: WellKnownMetadata | null;
+    resolvedAt: number;
+  } | null = null;
+  constructor(private readonly config: ExternalAuthConfig) {}
+  generateCodeVerifier(): string {
+    return randomBytes(32).toString("base64url");
+  }
+  async buildAuthUrl(
+    state: string,
+    codeVerifier: string,
+    redirectUri?: string
+  ): Promise<string> {
+    const resolved = await this.resolveConfig();
+    if (!resolved.authUrl || !resolved.tokenUrl) {
+      throw new Error(
+        "External auth: authorization and token URLs are required for browser login"
+      );
+    }
+    return this.buildOAuthClient(resolved).buildAuthUrl(
+      state,
+      codeVerifier,
+      redirectUri
+    );
+  }
+  async exchangeCodeForToken(
+    code: string,
+    codeVerifier: string,
+    redirectUri?: string
+  ): Promise<OAuthCredentials> {
+    const resolved = await this.resolveConfig();
+    if (!resolved.authUrl || !resolved.tokenUrl) {
+      throw new Error(
+        "External auth: authorization and token URLs are required for browser login"
+      );
+    }
+    return this.buildOAuthClient(resolved).exchangeCodeForToken(
+      code,
+      codeVerifier,
+      redirectUri
+    );
+  }
+  async fetchUserInfo(accessToken: string): Promise<UserInfoResponse> {
+    const resolved = await this.resolveConfig();
+    if (!resolved.userinfoUrl) {
+      throw new Error(
+        "External auth: userinfo endpoint not available (expose it via OIDC discovery)"
+      );
+    }
+    const response = await fetch(resolved.userinfoUrl, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json",
+      },
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(
+        `Failed to fetch user info: ${response.status} ${errorText}`
+      );
+    }
+    const data = (await response.json()) as UserInfoResponse;
+    logger.info("Fetched external auth user info", {
+      sub: data.sub,
+      email: data.email,
+    });
+    return data;
+  }
+  async getCapabilities(): Promise<ExternalAuthCapabilities> {
+    const resolved = await this.resolveConfig();
+    return {
+      browser: !!(resolved.authUrl && resolved.tokenUrl),
+      device: !!(resolved.deviceAuthorizationUrl && resolved.tokenUrl),
+    };
+  }
+  async startDeviceAuthorization(): Promise<DeviceAuthorizationStartResult> {
+    const resolved = await this.resolveConfig();
+    if (!resolved.deviceAuthorizationUrl || !resolved.tokenUrl) {
+      throw new Error("External auth: device authorization is not supported");
+    }
+    try {
+      return await this.buildDeviceCodeClient(resolved).requestDeviceCode();
+    } catch (error) {
+      if (
+        this.config.clientId &&
+        error instanceof Error &&
+        error.message.includes("invalid_client")
+      ) {
+        logger.warn(
+          "Static external auth client was rejected for device flow, retrying with dynamic registration"
+        );
+        const dynamicResolved = await this.resolveConfig({
+          forceDynamicClient: true,
+        });
+        return this.buildDeviceCodeClient(dynamicResolved).requestDeviceCode();
+      }
+      throw error;
+    }
+  }
+  async pollDeviceAuthorization(
+    deviceAuthId: string,
+    intervalSeconds?: number
+  ): Promise<ExternalDeviceAuthorizationPollResult> {
+    const resolved = await this.resolveConfig();
+    if (!resolved.deviceAuthorizationUrl || !resolved.tokenUrl) {
+      throw new Error("External auth: device authorization is not supported");
+    }
+    const result = await this.buildDeviceCodeClient(resolved).pollForToken(
+      deviceAuthId,
+      intervalSeconds
+    );
+    if (result.status !== "complete") {
+      return result;
+    }
+    const user = resolved.userinfoUrl
+      ? await this.fetchUserInfo(result.credentials.accessToken)
+      : undefined;
+    return {
+      ...result,
+      user,
+    };
+  }
+  static isConfigured(): boolean {
+    return !!process.env.MEMORY_URL;
+  }
+  static fromEnv(
+    publicGatewayUrl: string,
+    cacheStore?: ExternalAuthConfig["cacheStore"]
+  ): ExternalAuthClient | null {
+    const authMcpUrl = process.env.MEMORY_URL;
+    if (!authMcpUrl) return null;
+    const issuerUrl = authMcpUrl.replace(/\/+$/, "");
+    const callbackPath = "/connect/oauth/callback";
+    // Register redirect URIs for both the configured public URL and localhost
+    // so OAuth works regardless of how the user accesses the gateway
+    const redirectUri = `${publicGatewayUrl}${callbackPath}`;
+    const additionalRedirectUris = [
+      `http://localhost:8080${callbackPath}`,
+    ].filter((uri) => uri !== redirectUri);
+    return new ExternalAuthClient({
+      issuerUrl,
+      redirectUri,
+      additionalRedirectUris,
+      scope: DEFAULT_SCOPE,
+      cacheStore,
+    });
+  }
+  private async resolveConfig(options?: {
+    forceDynamicClient?: boolean;
+  }): Promise<ResolvedExternalAuthConfig> {
+    const metadata = await this.discoverMetadata();
+    const dynamicCredentials = await this.getDynamicClientCredentials(
+      metadata,
+      {
+        forceRegistration: options?.forceDynamicClient,
+      }
+    );
+    const clientId = dynamicCredentials?.client_id || this.config.clientId;
+    const clientSecret =
+      dynamicCredentials?.client_secret || this.config.clientSecret;
+    if (!clientId) {
+      throw new Error(
+        "External auth: client registration failed and no static client ID is configured"
+      );
+    }
+    const authMethods = metadata?.token_endpoint_auth_methods_supported;
+    const tokenEndpointAuthMethod =
+      dynamicCredentials?.token_endpoint_auth_method ||
+      this.selectTokenEndpointAuthMethod(authMethods, clientSecret);
+    return {
+      clientId,
+      clientSecret,
+      authUrl: this.config.authorizeUrl || metadata?.authorization_endpoint,
+      tokenUrl: this.config.tokenUrl || metadata?.token_endpoint,
+      userinfoUrl: this.config.userinfoUrl || metadata?.userinfo_endpoint,
+      deviceAuthorizationUrl:
+        this.config.deviceAuthorizationUrl ||
+        metadata?.device_authorization_endpoint,
+      grantTypesSupported: metadata?.grant_types_supported || [],
+      tokenEndpointAuthMethod,
+    };
+  }
+  private buildOAuthClient(resolved: ResolvedExternalAuthConfig): OAuthClient {
+    const providerConfig: OAuthProviderConfig = {
+      id: "external-auth",
+      name: "External Auth",
+      clientId: resolved.clientId,
+      clientSecret: resolved.clientSecret,
+      authUrl: resolved.authUrl!,
+      tokenUrl: resolved.tokenUrl!,
+      redirectUri: this.config.redirectUri,
+      scope: this.config.scope || DEFAULT_SCOPE,
+      usePKCE: true,
+      responseType: "code",
+      grantType: "authorization_code",
+      tokenEndpointAuthMethod: resolved.tokenEndpointAuthMethod,
+      requireRefreshToken: false,
+    };
+    return new OAuthClient(providerConfig);
+  }
+  private buildDeviceCodeClient(
+    resolved: ResolvedExternalAuthConfig
+  ): GenericDeviceCodeClient {
+    return new GenericDeviceCodeClient({
+      clientId: resolved.clientId,
+      clientSecret: resolved.clientSecret,
+      tokenUrl: resolved.tokenUrl!,
+      deviceAuthorizationUrl: resolved.deviceAuthorizationUrl!,
+      scope: this.config.scope || DEFAULT_SCOPE,
+      tokenEndpointAuthMethod: resolved.tokenEndpointAuthMethod,
+    });
+  }
+  private async discoverMetadata(): Promise<WellKnownMetadata | null> {
+    if (
+      this.discoveryCache &&
+      Date.now() - this.discoveryCache.resolvedAt < DISCOVERY_CACHE_TTL_MS
+    ) {
+      return this.discoveryCache.metadata;
+    }
+    const discoveryUrls = this.getDiscoveryUrls();
+    for (const wellKnownUrl of discoveryUrls) {
+      try {
+        logger.info(`Discovering external auth endpoints from ${wellKnownUrl}`);
+        const response = await fetch(wellKnownUrl);
+        if (!response.ok) {
+          logger.warn(
+            `Failed to fetch external auth metadata from ${wellKnownUrl}: ${response.status}`
+          );
+          continue;
+        }
+        const metadata = (await response.json()) as WellKnownMetadata;
+        logger.info("Discovered external auth endpoints", {
+          discoveryUrl: wellKnownUrl,
+          authUrl: this.config.authorizeUrl || metadata.authorization_endpoint,
+          tokenUrl: this.config.tokenUrl || metadata.token_endpoint,
+          userinfoUrl:
+            this.config.userinfoUrl || metadata.userinfo_endpoint || null,
+          deviceAuthorizationUrl:
+            this.config.deviceAuthorizationUrl ||
+            metadata.device_authorization_endpoint ||
+            null,
+          registrationEndpoint: metadata.registration_endpoint || null,
+        });
+        this.discoveryCache = { metadata, resolvedAt: Date.now() };
+        return metadata;
+      } catch (error) {
+        logger.warn("Failed to discover external auth endpoints", {
+          discoveryUrl: wellKnownUrl,
+          error,
+        });
+      }
+    }
+    this.discoveryCache = { metadata: null, resolvedAt: Date.now() };
+    return null;
+  }
+  private getDiscoveryUrls(): string[] {
+    const trimmedIssuerUrl = this.config.issuerUrl.replace(/\/+$/, "");
+    const candidates = [`${trimmedIssuerUrl}/.well-known/openid-configuration`];
+    try {
+      const origin = new URL(trimmedIssuerUrl).origin;
+      const rootDiscoveryUrl = `${origin}/.well-known/openid-configuration`;
+      if (!candidates.includes(rootDiscoveryUrl)) {
+        candidates.push(rootDiscoveryUrl);
+      }
+    } catch {
+      // Ignore invalid issuer URLs here; fetch will surface the real error.
+    }
+    return candidates;
+  }
+  private async getDynamicClientCredentials(
+    metadata: WellKnownMetadata | null,
+    options?: { forceRegistration?: boolean }
+  ): Promise<DynamicClientCredentials | null> {
+    if (!options?.forceRegistration) {
+      const cached = await this.getCachedClientCredentials();
+      if (cached) {
+        return cached;
+      }
+    }
+    if (!metadata?.registration_endpoint) {
+      return null;
+    }
+    if (!options?.forceRegistration && this.config.clientId) {
+      return null;
+    }
+    try {
+      const requestedAuthMethod = this.selectTokenEndpointAuthMethod(
+        metadata.token_endpoint_auth_methods_supported,
+        undefined
+      );
+      const supportsDeviceGrant =
+        !!metadata.device_authorization_endpoint ||
+        metadata.grant_types_supported?.includes(DEVICE_CODE_GRANT_TYPE);
+      logger.info("Registering external auth client dynamically", {
+        registrationEndpoint: metadata.registration_endpoint,
+        requestedAuthMethod,
+        supportsDeviceGrant,
+      });
+      const response = await fetch(metadata.registration_endpoint, {
+        method: "POST",
+        headers: {
+          Accept: "application/json",
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          client_name: "Lobu CLI and Settings",
+          redirect_uris: [
+            this.config.redirectUri,
+            ...(this.config.additionalRedirectUris || []),
+          ].filter((v, i, a) => a.indexOf(v) === i),
+          grant_types: supportsDeviceGrant
+            ? ["authorization_code", "refresh_token", DEVICE_CODE_GRANT_TYPE]
+            : ["authorization_code", "refresh_token"],
+          response_types: ["code"],
+          token_endpoint_auth_method: requestedAuthMethod,
+        }),
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        logger.warn("External auth client registration failed", {
+          status: response.status,
+          errorText,
+        });
+        return null;
+      }
+      const credentials = (await response.json()) as DynamicClientCredentials;
+      await this.cacheClientCredentials(credentials);
+      logger.info("External auth client registered", {
+        clientId: credentials.client_id,
+        tokenEndpointAuthMethod:
+          credentials.token_endpoint_auth_method || requestedAuthMethod,
+      });
+      return credentials;
+    } catch (error) {
+      logger.warn("External auth client registration failed", { error });
+      return null;
+    }
+  }
+  private async getCachedClientCredentials(): Promise<DynamicClientCredentials | null> {
+    if (!this.config.cacheStore) {
+      return null;
+    }
+    try {
+      const raw = await this.config.cacheStore.get(EXTERNAL_AUTH_CACHE_KEY);
+      if (!raw) {
+        return null;
+      }
+      return JSON.parse(raw) as DynamicClientCredentials;
+    } catch (error) {
+      logger.warn("Failed to load cached external auth client", { error });
+      return null;
+    }
+  }
+  private async cacheClientCredentials(
+    credentials: DynamicClientCredentials
+  ): Promise<void> {
+    if (!this.config.cacheStore) {
+      return;
+    }
+    const ttlSeconds =
+      credentials.client_secret_expires_at &&
+      credentials.client_secret_expires_at > 0
+        ? Math.max(
+            60,
+            Math.floor(credentials.client_secret_expires_at - Date.now() / 1000)
+          )
+        : 7 * 24 * 60 * 60;
+    try {
+      await this.config.cacheStore.set(
+        EXTERNAL_AUTH_CACHE_KEY,
+        JSON.stringify(credentials),
+        ttlSeconds
+      );
+    } catch (error) {
+      logger.warn("Failed to cache external auth client", { error });
+    }
+  }
+  private selectTokenEndpointAuthMethod(
+    supportedMethods: string[] | undefined,
+    clientSecret?: string
+  ): "none" | "client_secret_post" | "client_secret_basic" {
+    const methods = new Set(supportedMethods || []);
+    if (!clientSecret) {
+      if (methods.size === 0 || methods.has("none")) {
+        return "none";
+      }
+      if (methods.has("client_secret_post")) {
+        return "client_secret_post";
+      }
+      if (methods.has("client_secret_basic")) {
+        return "client_secret_basic";
+      }
+      return "none";
+    }
+    if (methods.has("client_secret_post")) {
+      return "client_secret_post";
+    }
+    if (methods.has("client_secret_basic")) {
+      return "client_secret_basic";
+    }
+    if (methods.has("none")) {
+      return "none";
+    }
+    return "client_secret_post";
+  }
+}