feat(auth): DCR hooks, introspection auth, and prehandler fixes

[getlarge]

Summary

Adds DCR proxy hooks and introspection authentication support for Ory Hydra integration.

⚠️ Dependency: This PR depends on #97 (OIDC Discovery) and should be merged after it.

Changes

1. Skip /oauth/register in auth prehandler

DCR endpoint must be accessible before client has credentials.

2. Add introspectionAuth configuration

Supports bearer (API key), basic (client credentials), or none for token introspection authentication.

tokenValidation: {
  introspectionEndpoint: 'https://ory.example.com/admin/oauth2/introspect',
  introspectionAuth: { type: 'bearer', token: 'api-key' }
}

3. Add dcrHooks for DCR proxy pattern

Enables MCP server to act as a DCR proxy with request/response transformation.

dcrHooks: {
  upstreamEndpoint: 'https://ory.example.com/oauth2/register',
  onResponse: async (response) => {
    // Clean empty fields that break Claude Code's Zod validation
    if (response.client_uri === '') delete response.client_uri;
    return response;
  }
}

Breaking Change

/oauth/register returns 501 unless dcrHooks is configured. This prevents infinite loops when OIDC discovery points back to the MCP server.

Tests

• ✅ All 45 OAuth/token-validator tests pass
• ✅ New tests for introspectionAuth (bearer, basic, none)
• ✅ New tests for dcrHooks (501 without config, proxy with hooks)

Related

• Depends on: feat(auth): OIDC Discovery and redirect_uri support for OAuth compliance #97 (OIDC Discovery)
• Issue: feat(auth): DCR hooks, introspection auth, and prehandler fixes #99

🤖 Generated with Claude Code

[mcollina]

can you rebase?

[getlarge]

Happily.
That’s great to see those PRs being merged, I hope you’ll keep the dynamic going, as another PR to bring OpenTelemetry support will come at the same time. Tonight or tomorrow.
Happy JS days :)