Ole-Morten Duesund fee12a2ac0 feat(oauth): /.well-known discovery endpoints (forgejo-mcp-broker-b2o) ... Adds RFC 8414 (oauth-authorization-server) and RFC 9728 (oauth- protected-resource) metadata documents. Both URLs are derived from cfg.Issuer at construction time, never from inbound request headers. Test TestDiscovery_IssuerIgnoresHostHeader explicitly probes this — a malicious Host: evil.example.com value must not leak into the published metadata. Defense against the OAuth metadata-spoofing class starts at the discovery layer. Capabilities published reflect the actual OAuth surface: - response_types_supported = ["code"] - grant_types_supported = ["authorization_code", "refresh_token"] - code_challenge_methods_supported = ["S256"] (PKCE only, no plain) - token_endpoint_auth_methods_supported = ["none"] (PKCE-only public clients) Protected-resource metadata advertises /mcp as the resource; phase 5 will mount the gated MCP endpoint there. Closes forgejo-mcp-broker-b2o. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-04-27 17:08:12 +02:00
..
bridge	test(bridge): integration test against real forgejo-mcp (forgejo-mcp-broker-xot)	2026-04-27 16:28:32 +02:00
buildinfo	feat: bootstrap Go project layout (forgejo-mcp-broker-n84)	2026-04-24 16:54:27 +02:00
config	feat(config): flag + env parsing with validation (forgejo-mcp-broker-9nq)	2026-04-24 17:10:18 +02:00
forgejo	feat(forgejo): upstream OAuth client (forgejo-mcp-broker-b9i)	2026-04-27 13:31:19 +02:00
httpserver	feat(httpserver,log): /healthz, graceful shutdown, slog constructor	2026-04-24 17:26:32 +02:00
log	feat(httpserver,log): /healthz, graceful shutdown, slog constructor	2026-04-24 17:26:32 +02:00
oauth	feat(oauth): /.well-known discovery endpoints (forgejo-mcp-broker-b2o)	2026-04-27 17:08:12 +02:00
store	feat(store): OAuth tables migration (forgejo-mcp-broker-cpb)	2026-04-27 13:28:12 +02:00
supervisor	test(supervisor): stress tests for FD/goroutine/zombie leaks (forgejo-mcp-broker-31t)	2026-04-27 16:04:34 +02:00