@zereight/mcp-gitlab 2.1.4 → 2.1.6

package/build/test/stateless/callback-proxy.test.js

@@ -0,0 +1,393 @@
+/**
+ * Cross-pod integration tests for the callback-proxy flow in stateless mode.
+ *
+ * Verifies that /authorize, /callback, and /token can all land on different
+ * provider instances sharing only OAUTH_STATELESS_SECRET, reproducing the
+ * exact HPA scenario that breaks today's _pendingAuth / _storedTokens
+ * BoundedLRUMaps.
+ *
+ * GitLab's /oauth/token endpoint is stubbed via a fetch monkey-patch so the
+ * tests run offline.
+ */
+import assert from "node:assert/strict";
+import { randomBytes, createHash } from "node:crypto";
+import { after, afterEach, beforeEach, describe, test } from "node:test";
+import { createGitLabOAuthProvider } from "../../oauth-proxy.js";
+import { loadKeyMaterialFromEnv, looksLikeStatelessState, looksLikeStatelessStoredTokensCode, mintPendingAuthState, mintStoredTokensCode, openPendingAuthState, openStoredTokensCode, } from "../../stateless/index.js";
+// ---------------------------------------------------------------------------
+// Fixtures
+// ---------------------------------------------------------------------------
+const GITLAB_BASE = "https://gitlab.example.com";
+const CALLBACK_URL = "https://mcp.example.com/callback";
+const CLIENT_REDIRECT = "https://client.example.com/cb";
+function secret() {
+    return randomBytes(32).toString("base64url");
+}
+function loadMaterial(current, previous) {
+    const env = {
+        OAUTH_STATELESS_SECRET: current,
+    };
+    if (previous)
+        env.OAUTH_STATELESS_SECRET_PREVIOUS = previous;
+    const m = loadKeyMaterialFromEnv(true, env);
+    assert.ok(m);
+    return m;
+}
+function makeProvider(material, { callbackProxy = true } = {}) {
+    return createGitLabOAuthProvider(GITLAB_BASE, "real-gitlab-app-id", "Test Server", false, undefined, callbackProxy, callbackProxy ? CALLBACK_URL : "", material
+        ? {
+            material,
+            clientTtlSeconds: 86400,
+            pendingTtlSeconds: 600,
+            storedTtlSeconds: 600,
+        }
+        : null);
+}
+function installFetchStub(response) {
+    const origFetch = globalThis.fetch;
+    const calls = [];
+    // Use the typed global fetch signature so TS is happy.
+    globalThis.fetch = (async (input, init) => {
+        const url = typeof input === "string" ? input : input.toString();
+        const bodyText = typeof init?.body === "string" ? init.body : "";
+        const body = {};
+        new URLSearchParams(bodyText).forEach((v, k) => (body[k] = v));
+        calls.push({ url, body });
+        return new Response(JSON.stringify({
+            access_token: response.access_token,
+            refresh_token: response.refresh_token ?? "r-token",
+            token_type: response.token_type ?? "Bearer",
+            expires_in: response.expires_in ?? 7200,
+        }), {
+            status: 200,
+            headers: { "content-type": "application/json" },
+        });
+    });
+    return {
+        restore: () => {
+            globalThis.fetch = origFetch;
+        },
+        calls,
+    };
+}
+function makeFakeRes() {
+    const res = {
+        statusCode: 200,
+        body: null,
+        redirectedTo: null,
+        status(code) {
+            this.statusCode = code;
+            return this;
+        },
+        send(text) {
+            this.body = text;
+            return this;
+        },
+        redirect(url) {
+            this.statusCode = 302;
+            this.redirectedTo = url;
+            return this;
+        },
+    };
+    return res;
+}
+function fakeReq(query) {
+    return { query };
+}
+function makeAuthorizeRes() {
+    const r = {
+        redirectedTo: null,
+        redirect(url) {
+            r.redirectedTo = url;
+        },
+    };
+    return r;
+}
+// ---------------------------------------------------------------------------
+// Unit-level tests for the mint/open helpers
+// ---------------------------------------------------------------------------
+describe("mintPendingAuthState / openPendingAuthState", () => {
+    test("roundtrip across pods", () => {
+        const s = secret();
+        const podA = loadMaterial(s);
+        const podB = loadMaterial(s);
+        const state = mintPendingAuthState(podA, {
+            clientId: "v1.cid.xyz",
+            clientRedirectUri: CLIENT_REDIRECT,
+            clientState: "client-state-123",
+            clientCodeChallenge: "challenge-abc",
+            proxyCodeVerifier: "proxy-verifier-def",
+        });
+        assert.ok(looksLikeStatelessState(state));
+        const opened = openPendingAuthState(podB, state, 600);
+        assert.ok(opened);
+        assert.equal(opened.cid, "v1.cid.xyz");
+        assert.equal(opened.cru, CLIENT_REDIRECT);
+        assert.equal(opened.cs, "client-state-123");
+        assert.equal(opened.ccc, "challenge-abc");
+        assert.equal(opened.pcv, "proxy-verifier-def");
+    });
+    test("tampered state rejected", () => {
+        const m = loadMaterial(secret());
+        const state = mintPendingAuthState(m, {
+            clientId: "a",
+            clientRedirectUri: "b",
+            clientCodeChallenge: "c",
+            proxyCodeVerifier: "d",
+        });
+        const parts = state.split(".");
+        const blob = Buffer.from(parts[2], "base64url");
+        blob[Math.floor(blob.length / 2)] ^= 0xff;
+        parts[2] = blob.toString("base64url");
+        const bad = parts.join(".");
+        assert.equal(openPendingAuthState(m, bad, 600), null);
+    });
+    test("expired state rejected", () => {
+        const m = loadMaterial(secret());
+        const past = Math.floor(Date.now() / 1000) - 3600;
+        const state = mintPendingAuthState(m, {
+            clientId: "a",
+            clientRedirectUri: "b",
+            clientCodeChallenge: "c",
+            proxyCodeVerifier: "d",
+            now: () => past,
+        });
+        assert.equal(openPendingAuthState(m, state, 60), null);
+    });
+    test("omitted clientState roundtrips", () => {
+        const m = loadMaterial(secret());
+        const state = mintPendingAuthState(m, {
+            clientId: "a",
+            clientRedirectUri: "b",
+            clientCodeChallenge: "c",
+            proxyCodeVerifier: "d",
+        });
+        const opened = openPendingAuthState(m, state, 600);
+        assert.ok(opened);
+        assert.equal(opened.cs, undefined);
+    });
+});
+describe("mintStoredTokensCode / openStoredTokensCode", () => {
+    test("roundtrip across pods", () => {
+        const s = secret();
+        const podA = loadMaterial(s);
+        const podB = loadMaterial(s);
+        const tokens = {
+            access_token: "gitlab-access-token-value",
+            refresh_token: "gitlab-refresh-token-value",
+            token_type: "Bearer",
+            expires_in: 7200,
+        };
+        const code = mintStoredTokensCode(podA, {
+            tokens,
+            clientId: "v1.cid.xyz",
+            clientRedirectUri: CLIENT_REDIRECT,
+            clientCodeChallenge: "challenge",
+        });
+        assert.ok(looksLikeStatelessStoredTokensCode(code));
+        const opened = openStoredTokensCode(podB, code, 600);
+        assert.ok(opened);
+        assert.equal(opened.t.access_token, tokens.access_token);
+        assert.equal(opened.t.refresh_token, tokens.refresh_token);
+        assert.equal(opened.cid, "v1.cid.xyz");
+    });
+});
+// ---------------------------------------------------------------------------
+// Cross-pod provider integration: /authorize on A → /callback on B → /token on C
+// ---------------------------------------------------------------------------
+describe("callback-proxy cross-pod flow (stateless)", () => {
+    let stub;
+    beforeEach(() => {
+        stub = installFetchStub({ access_token: "gl-access-123" });
+    });
+    afterEach(() => {
+        stub.restore();
+    });
+    test("authorize(A) → callback(B) → exchangeAuthorizationCode(C) all work", async () => {
+        const sharedSecret = secret();
+        const podA = makeProvider(loadMaterial(sharedSecret));
+        const podB = makeProvider(loadMaterial(sharedSecret));
+        const podC = makeProvider(loadMaterial(sharedSecret));
+        // Step 1: register client on podA (signed client_id → every pod can read it)
+        const registered = await podA.clientsStore.registerClient({
+            redirect_uris: [CLIENT_REDIRECT],
+            token_endpoint_auth_method: "none",
+        });
+        // Step 2: authorize on podA — captures the redirect URL to GitLab
+        const clientCodeVerifier = randomBytes(32).toString("base64url");
+        const clientCodeChallenge = createHash("sha256")
+            .update(clientCodeVerifier)
+            .digest("base64url");
+        const authorizeRes = makeAuthorizeRes();
+        await podA.authorize(registered, {
+            state: "client-state-xyz",
+            scopes: ["api"],
+            redirectUri: CLIENT_REDIRECT,
+            codeChallenge: clientCodeChallenge,
+        }, authorizeRes);
+        assert.ok(authorizeRes.redirectedTo, "authorize should redirect");
+        const gitlabUrl = new URL(authorizeRes.redirectedTo);
+        assert.equal(gitlabUrl.origin + gitlabUrl.pathname, `${GITLAB_BASE}/oauth/authorize`);
+        const proxyState = gitlabUrl.searchParams.get("state");
+        assert.ok(proxyState, "proxy state present");
+        assert.ok(looksLikeStatelessState(proxyState), "state should be sealed in stateless mode");
+        // Step 3: GitLab redirects to our /callback — on a DIFFERENT pod (B).
+        // No state shared; only OAUTH_STATELESS_SECRET is shared.
+        const cbReq = fakeReq({ code: "gitlab-auth-code-abc", state: proxyState });
+        const cbRes = makeFakeRes();
+        await podB.handleCallback(cbReq, cbRes);
+        assert.equal(cbRes.statusCode, 302, "callback should redirect to client");
+        assert.ok(cbRes.redirectedTo);
+        const clientCallbackUrl = new URL(cbRes.redirectedTo);
+        assert.equal(clientCallbackUrl.origin + clientCallbackUrl.pathname, CLIENT_REDIRECT);
+        assert.equal(clientCallbackUrl.searchParams.get("state"), "client-state-xyz");
+        const proxyCode = clientCallbackUrl.searchParams.get("code");
+        assert.ok(proxyCode);
+        assert.ok(looksLikeStatelessStoredTokensCode(proxyCode), "proxy code should be sealed in stateless mode");
+        // Verify the GitLab token exchange happened with the correct verifier.
+        assert.equal(stub.calls.length, 1);
+        assert.equal(stub.calls[0].url, `${GITLAB_BASE}/oauth/token`);
+        assert.equal(stub.calls[0].body.code, "gitlab-auth-code-abc");
+        assert.equal(stub.calls[0].body.redirect_uri, CALLBACK_URL);
+        assert.ok(stub.calls[0].body.code_verifier, "proxy code_verifier in token call");
+        // Step 4: MCP client redeems the proxy code on a THIRD pod (C).
+        const podCClient = await podC.clientsStore.getClient(registered.client_id);
+        assert.ok(podCClient);
+        const tokens = await podC.exchangeAuthorizationCode(podCClient, proxyCode, clientCodeVerifier, CLIENT_REDIRECT);
+        assert.equal(tokens.access_token, "gl-access-123");
+    });
+    test("exchangeAuthorizationCode rejects wrong PKCE verifier", async () => {
+        const s = secret();
+        const pod = makeProvider(loadMaterial(s));
+        const registered = await pod.clientsStore.registerClient({
+            redirect_uris: [CLIENT_REDIRECT],
+            token_endpoint_auth_method: "none",
+        });
+        const correctVerifier = randomBytes(32).toString("base64url");
+        const correctChallenge = createHash("sha256")
+            .update(correctVerifier)
+            .digest("base64url");
+        const authorizeRes = makeAuthorizeRes();
+        await pod.authorize(registered, {
+            state: "s",
+            scopes: ["api"],
+            redirectUri: CLIENT_REDIRECT,
+            codeChallenge: correctChallenge,
+        }, authorizeRes);
+        const proxyState = new URL(authorizeRes.redirectedTo).searchParams.get("state");
+        const cbRes = makeFakeRes();
+        await pod.handleCallback(fakeReq({ code: "gitlab-code", state: proxyState }), cbRes);
+        const proxyCode = new URL(cbRes.redirectedTo).searchParams.get("code");
+        // Redeem with wrong code_verifier
+        const wrongVerifier = randomBytes(32).toString("base64url");
+        await assert.rejects(() => pod.exchangeAuthorizationCode(registered, proxyCode, wrongVerifier, CLIENT_REDIRECT), /PKCE verification failed/);
+    });
+    test("exchangeAuthorizationCode rejects wrong client_id", async () => {
+        const s = secret();
+        const pod = makeProvider(loadMaterial(s));
+        const r1 = await pod.clientsStore.registerClient({
+            redirect_uris: [CLIENT_REDIRECT],
+            token_endpoint_auth_method: "none",
+        });
+        const r2 = await pod.clientsStore.registerClient({
+            redirect_uris: [CLIENT_REDIRECT],
+            token_endpoint_auth_method: "none",
+        });
+        const verifier = randomBytes(32).toString("base64url");
+        const challenge = createHash("sha256").update(verifier).digest("base64url");
+        const aRes = makeAuthorizeRes();
+        await pod.authorize(r1, {
+            state: "s",
+            scopes: ["api"],
+            redirectUri: CLIENT_REDIRECT,
+            codeChallenge: challenge,
+        }, aRes);
+        const proxyState = new URL(aRes.redirectedTo).searchParams.get("state");
+        const cbRes = makeFakeRes();
+        await pod.handleCallback(fakeReq({ code: "g", state: proxyState }), cbRes);
+        const proxyCode = new URL(cbRes.redirectedTo).searchParams.get("code");
+        // Try to redeem as r2 (different client_id)
+        await assert.rejects(() => pod.exchangeAuthorizationCode(r2, proxyCode, verifier, CLIENT_REDIRECT), /Invalid client for authorization code/);
+    });
+    test("exchangeAuthorizationCode rejects wrong redirect_uri", async () => {
+        const s = secret();
+        const pod = makeProvider(loadMaterial(s));
+        const registered = await pod.clientsStore.registerClient({
+            redirect_uris: [CLIENT_REDIRECT],
+            token_endpoint_auth_method: "none",
+        });
+        const verifier = randomBytes(32).toString("base64url");
+        const challenge = createHash("sha256").update(verifier).digest("base64url");
+        const aRes = makeAuthorizeRes();
+        await pod.authorize(registered, {
+            state: "s",
+            scopes: ["api"],
+            redirectUri: CLIENT_REDIRECT,
+            codeChallenge: challenge,
+        }, aRes);
+        const proxyState = new URL(aRes.redirectedTo).searchParams.get("state");
+        const cbRes = makeFakeRes();
+        await pod.handleCallback(fakeReq({ code: "g", state: proxyState }), cbRes);
+        const proxyCode = new URL(cbRes.redirectedTo).searchParams.get("code");
+        await assert.rejects(() => pod.exchangeAuthorizationCode(registered, proxyCode, verifier, "https://attacker.example/cb"), /Invalid redirect_uri for authorization code/);
+    });
+    test("stale state rejected at /callback", async () => {
+        const s = secret();
+        const pod = makeProvider(loadMaterial(s));
+        // Bogus state that wasn't minted by this provider (or wasn't minted at all)
+        const cbRes = makeFakeRes();
+        await pod.handleCallback(fakeReq({ code: "g", state: "v1.ps.totally-bogus" }), cbRes);
+        assert.equal(cbRes.statusCode, 400);
+        assert.match(cbRes.body ?? "", /Unknown or expired state/i);
+    });
+    test("legacy non-stateless provider still works (no regression)", async () => {
+        const pod = makeProvider(null);
+        const registered = await pod.clientsStore.registerClient({
+            redirect_uris: [CLIENT_REDIRECT],
+            token_endpoint_auth_method: "none",
+        });
+        const verifier = randomBytes(32).toString("base64url");
+        const challenge = createHash("sha256").update(verifier).digest("base64url");
+        const aRes = makeAuthorizeRes();
+        await pod.authorize(registered, {
+            state: "s",
+            scopes: ["api"],
+            redirectUri: CLIENT_REDIRECT,
+            codeChallenge: challenge,
+        }, aRes);
+        const legacyState = new URL(aRes.redirectedTo).searchParams.get("state");
+        assert.ok(!looksLikeStatelessState(legacyState), "legacy state is a UUID, not sealed");
+        const cbRes = makeFakeRes();
+        await pod.handleCallback(fakeReq({ code: "g", state: legacyState }), cbRes);
+        assert.equal(cbRes.statusCode, 302);
+        const proxyCode = new URL(cbRes.redirectedTo).searchParams.get("code");
+        assert.ok(!looksLikeStatelessStoredTokensCode(proxyCode), "legacy code is a UUID");
+        const tokens = await pod.exchangeAuthorizationCode(registered, proxyCode, verifier, CLIENT_REDIRECT);
+        assert.equal(tokens.access_token, "gl-access-123");
+    });
+    test("different secret on pod B rejects the sealed state", async () => {
+        const podA = makeProvider(loadMaterial(secret()));
+        const podB = makeProvider(loadMaterial(secret())); // different secret
+        const registered = await podA.clientsStore.registerClient({
+            redirect_uris: [CLIENT_REDIRECT],
+            token_endpoint_auth_method: "none",
+        });
+        const verifier = randomBytes(32).toString("base64url");
+        const challenge = createHash("sha256").update(verifier).digest("base64url");
+        const aRes = makeAuthorizeRes();
+        await podA.authorize(registered, {
+            state: "s",
+            scopes: ["api"],
+            redirectUri: CLIENT_REDIRECT,
+            codeChallenge: challenge,
+        }, aRes);
+        const proxyState = new URL(aRes.redirectedTo).searchParams.get("state");
+        const cbRes = makeFakeRes();
+        await podB.handleCallback(fakeReq({ code: "g", state: proxyState }), cbRes);
+        assert.equal(cbRes.statusCode, 400);
+        assert.match(cbRes.body ?? "", /Unknown or expired state/i);
+    });
+});
+after(() => {
+    // no global resources
+});

package/build/test/stateless/client-id.test.js

@@ -0,0 +1,176 @@
+/**
+ * Integration tests for the stateless `client_id` DCR path.
+ *
+ * The key cross-pod claim is that two GitLabOAuthServerProvider instances,
+ * sharing only OAUTH_STATELESS_SECRET, can successfully issue a client_id on
+ * one and validate it on the other — matching the scenario where a Kubernetes
+ * load balancer routes POST /register to pod A and GET /authorize to pod B.
+ */
+import assert from "node:assert/strict";
+import { randomBytes } from "node:crypto";
+import { describe, test } from "node:test";
+import { createGitLabOAuthProvider } from "../../oauth-proxy.js";
+import { mintClientId, openClientId, looksLikeStatelessClientId, } from "../../stateless/client-id.js";
+import { loadKeyMaterialFromEnv } from "../../stateless/index.js";
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function secret() {
+    return randomBytes(32).toString("base64url");
+}
+function loadMaterial(current, previous) {
+    const env = {
+        OAUTH_STATELESS_SECRET: current,
+    };
+    if (previous)
+        env.OAUTH_STATELESS_SECRET_PREVIOUS = previous;
+    const m = loadKeyMaterialFromEnv(true, env);
+    assert.ok(m, "expected material to load");
+    return m;
+}
+function makeProvider(material, { callbackProxy = false } = {}) {
+    return createGitLabOAuthProvider("https://gitlab.example.com", "real-gitlab-app-id", "GitLab MCP Server (test)", false, // readOnly
+    undefined, // customScopes
+    callbackProxy, callbackProxy ? "https://mcp.example.com/callback" : "", material
+        ? {
+            material,
+            clientTtlSeconds: 86400,
+            pendingTtlSeconds: 600,
+            storedTtlSeconds: 600,
+        }
+        : null);
+}
+// ---------------------------------------------------------------------------
+// mint / open helpers (direct)
+// ---------------------------------------------------------------------------
+describe("mintClientId / openClientId", () => {
+    test("roundtrips redirect_uris", () => {
+        const m = loadMaterial(secret());
+        const cid = mintClientId(m, {
+            redirectUris: ["https://client.example.com/cb"],
+            grantTypes: ["authorization_code"],
+            clientName: "Test Client",
+        });
+        assert.ok(looksLikeStatelessClientId(cid));
+        const p = openClientId(m, cid, 86400);
+        assert.ok(p);
+        assert.deepEqual(p.ruris, ["https://client.example.com/cb"]);
+        assert.deepEqual(p.gt, ["authorization_code"]);
+        assert.equal(p.cn, "Test Client");
+    });
+    test("openClientId returns null on signature error", () => {
+        const m1 = loadMaterial(secret());
+        const m2 = loadMaterial(secret()); // different secret entirely
+        const cid = mintClientId(m1, {
+            redirectUris: ["https://client.example.com/cb"],
+        });
+        assert.equal(openClientId(m2, cid, 86400), null);
+    });
+    test("openClientId returns null when expired", () => {
+        const m = loadMaterial(secret());
+        // Mint at t-3600
+        const past = Math.floor(Date.now() / 1000) - 3600;
+        const cid = mintClientId(m, {
+            redirectUris: ["https://client.example.com/cb"],
+            now: () => past,
+        });
+        // TTL = 60s ⇒ expired
+        assert.equal(openClientId(m, cid, 60), null);
+    });
+    test("rotation: cid minted under previous secret still opens", () => {
+        const s1 = secret();
+        const s2 = secret();
+        const mOld = loadMaterial(s1);
+        const cid = mintClientId(mOld, {
+            redirectUris: ["https://client.example.com/cb"],
+        });
+        // Operator rotated: new is current, old is previous.
+        const mRotated = loadMaterial(s2, s1);
+        assert.ok(openClientId(mRotated, cid, 86400));
+    });
+});
+// ---------------------------------------------------------------------------
+// clientsStore end-to-end across two provider instances (cross-pod)
+// ---------------------------------------------------------------------------
+describe("clientsStore cross-pod (stateless)", () => {
+    test("register on pod A ⇒ getClient succeeds on pod B", async () => {
+        const sharedSecret = secret();
+        const podA = makeProvider(loadMaterial(sharedSecret));
+        const podB = makeProvider(loadMaterial(sharedSecret));
+        // Register on A
+        const registered = await podA.clientsStore.registerClient({
+            redirect_uris: ["https://client.example.com/cb"],
+            token_endpoint_auth_method: "none",
+        });
+        assert.ok(looksLikeStatelessClientId(registered.client_id));
+        assert.deepEqual(registered.redirect_uris, ["https://client.example.com/cb"]);
+        // Lookup on B — no shared memory, only shared secret
+        const looked = await podB.clientsStore.getClient(registered.client_id);
+        assert.ok(looked, "B should resolve the signed client_id");
+        assert.equal(looked.client_id, registered.client_id);
+        assert.deepEqual(looked.redirect_uris, ["https://client.example.com/cb"]);
+        // token_endpoint_auth_method defaults to "none" for DCR
+        assert.equal(looked.token_endpoint_auth_method, "none");
+    });
+    test("getClient on pod B with different secret rejects the client_id", async () => {
+        const podA = makeProvider(loadMaterial(secret()));
+        const podB = makeProvider(loadMaterial(secret())); // different secret
+        const registered = await podA.clientsStore.registerClient({
+            redirect_uris: ["https://client.example.com/cb"],
+            token_endpoint_auth_method: "none",
+        });
+        const looked = await podB.clientsStore.getClient(registered.client_id);
+        assert.equal(looked, undefined);
+    });
+    test("non-stateless provider falls back to legacy cache path", async () => {
+        // Simulating a pod with stateless mode OFF — it should keep working
+        // against its own in-memory cache.
+        const provider = makeProvider(null);
+        const registered = await provider.clientsStore.registerClient({
+            redirect_uris: ["https://client.example.com/cb"],
+            token_endpoint_auth_method: "none",
+        });
+        // Legacy mode uses UUID client_ids, not stateless v1.cid.*
+        assert.ok(!looksLikeStatelessClientId(registered.client_id));
+        const looked = await provider.clientsStore.getClient(registered.client_id);
+        assert.ok(looked);
+        assert.deepEqual(looked.redirect_uris, ["https://client.example.com/cb"]);
+    });
+    test("legacy client_id is unchanged in stateless mode (e.g. pre-existing GitLab app uid)", async () => {
+        // A caller that passes a non-stateless client_id should receive the
+        // legacy stub so unrelated flows (like token exchange with a pre-registered
+        // GitLab app) continue to work.
+        const provider = makeProvider(loadMaterial(secret()));
+        const looked = await provider.clientsStore.getClient("legacy-app-id");
+        assert.ok(looked);
+        assert.equal(looked.client_id, "legacy-app-id");
+        // Stub has empty redirect_uris — the caller's code path must tolerate this.
+        assert.deepEqual(looked.redirect_uris, []);
+    });
+    test("rotation: client_id minted on pod-old verifies on pod-rotated", async () => {
+        const s1 = secret();
+        const s2 = secret();
+        const podOld = makeProvider(loadMaterial(s1));
+        const podRotated = makeProvider(loadMaterial(s2, s1));
+        const registered = await podOld.clientsStore.registerClient({
+            redirect_uris: ["https://client.example.com/cb"],
+            token_endpoint_auth_method: "none",
+        });
+        const looked = await podRotated.clientsStore.getClient(registered.client_id);
+        assert.ok(looked);
+        assert.deepEqual(looked.redirect_uris, ["https://client.example.com/cb"]);
+    });
+    test("long redirect_uri list roundtrips", async () => {
+        const sharedSecret = secret();
+        const podA = makeProvider(loadMaterial(sharedSecret));
+        const podB = makeProvider(loadMaterial(sharedSecret));
+        const ruris = Array.from({ length: 5 }, (_, i) => `https://client.example.com/cb-${i}`);
+        const registered = await podA.clientsStore.registerClient({
+            redirect_uris: ruris,
+            token_endpoint_auth_method: "none",
+        });
+        const looked = await podB.clientsStore.getClient(registered.client_id);
+        assert.ok(looked);
+        assert.deepEqual(looked.redirect_uris, ruris);
+    });
+});