From 1bd9658d30134e1f811db366cf5b19d3c86f1c93 Mon Sep 17 00:00:00 2001
From: Quinn Stearns
Date: Tue, 19 May 2026 20:01:45 -0700
Subject: [PATCH] mig: add audience and scope to remote session clients

---
 server/database/schema.sql | 2 ++
 server/internal/database/models.go | 2 ++
 server/internal/remotesessions/repo/models.go | 2 ++
 .../remotesessions/repo/queries.sql.go | 20 ++++++++++++++-----
 ...ce_and_scope_to_remote_session_clients.sql | 2 ++
 server/migrations/atlas.sum | 3 ++-
 6 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 server/migrations/20260520030115_add_audience_and_scope_to_remote_session_clients.sql

diff --git a/server/database/schema.sql b/server/database/schema.sql
index 60ea9c8eb1..c139988c89 100644
--- a/server/database/schema.sql
+++ b/server/database/schema.sql
@@ -864,6 +864,8 @@ CREATE TABLE IF NOT EXISTS remote_session_clients (
 client_id_issued_at timestamptz,
 client_secret_expires_at timestamptz,
 token_endpoint_auth_method TEXT,
+ scope TEXT[],
+ audience TEXT,
 created_at timestamptz NOT NULL DEFAULT clock_timestamp(),
 updated_at timestamptz NOT NULL DEFAULT clock_timestamp(),
diff --git a/server/internal/database/models.go b/server/internal/database/models.go
index 5085340cca..e81be868b7 100644
--- a/server/internal/database/models.go
+++ b/server/internal/database/models.go
@@ -1131,6 +1131,8 @@ type RemoteSessionClient struct {
 ClientIDIssuedAt pgtype.Timestamptz
 ClientSecretExpiresAt pgtype.Timestamptz
 TokenEndpointAuthMethod pgtype.Text
+ Scope []string
+ Audience pgtype.Text
 CreatedAt pgtype.Timestamptz
 UpdatedAt pgtype.Timestamptz
 DeletedAt pgtype.Timestamptz
diff --git a/server/internal/remotesessions/repo/models.go b/server/internal/remotesessions/repo/models.go
index 2989ceaf69..54c889ca82 100644
--- a/server/internal/remotesessions/repo/models.go
+++ b/server/internal/remotesessions/repo/models.go
@@ -36,6 +36,8 @@ type RemoteSessionClient struct {
 ClientIDIssuedAt pgtype.Timestamptz
 ClientSecretExpiresAt pgtype.Timestamptz
 TokenEndpointAuthMethod pgtype.Text
+ Scope []string
+ Audience pgtype.Text
 CreatedAt pgtype.Timestamptz
 UpdatedAt pgtype.Timestamptz
 DeletedAt pgtype.Timestamptz
diff --git a/server/internal/remotesessions/repo/queries.sql.go b/server/internal/remotesessions/repo/queries.sql.go
index 477ec21a00..b7beb6b056 100644
--- a/server/internal/remotesessions/repo/queries.sql.go
+++ b/server/internal/remotesessions/repo/queries.sql.go
@@ -60,7 +60,7 @@ VALUES (
 $7,
 $8
 )
-RETURNING id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, created_at, updated_at, deleted_at, deleted
+RETURNING id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, scope, audience, created_at, updated_at, deleted_at, deleted
 `
 
 type CreateRemoteSessionClientParams struct {
@@ -96,6 +96,8 @@ func (q *Queries) CreateRemoteSessionClient(ctx context.Context, arg CreateRemot
 &i.ClientIDIssuedAt,
 &i.ClientSecretExpiresAt,
 &i.TokenEndpointAuthMethod,
+ &i.Scope,
+ &i.Audience,
 &i.CreatedAt,
 &i.UpdatedAt,
 &i.DeletedAt,
@@ -201,7 +203,7 @@ const deleteRemoteSessionClient = `-- name: DeleteRemoteSessionClient :one
 UPDATE remote_session_clients
 SET deleted_at = clock_timestamp()
 WHERE id = $1 AND project_id = $2 AND deleted IS FALSE
-RETURNING id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, created_at, updated_at, deleted_at, deleted
+RETURNING id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, scope, audience, created_at, updated_at, deleted_at, deleted
 `
 
 type DeleteRemoteSessionClientParams struct {
@@ -222,6 +224,8 @@ func (q *Queries) DeleteRemoteSessionClient(ctx context.Context, arg DeleteRemot
 &i.ClientIDIssuedAt,
 &i.ClientSecretExpiresAt,
 &i.TokenEndpointAuthMethod,
+ &i.Scope,
+ &i.Audience,
 &i.CreatedAt,
 &i.UpdatedAt,
 &i.DeletedAt,
@@ -376,7 +380,7 @@ func (q *Queries) GetRemoteSessionByID(ctx context.Context, arg GetRemoteSession
 }
 
 const getRemoteSessionClientByID = `-- name: GetRemoteSessionClientByID :one
-SELECT id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, created_at, updated_at, deleted_at, deleted
+SELECT id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, scope, audience, created_at, updated_at, deleted_at, deleted
 FROM remote_session_clients
 WHERE id = $1 AND project_id = $2 AND deleted IS FALSE
 `
@@ -399,6 +403,8 @@ func (q *Queries) GetRemoteSessionClientByID(ctx context.Context, arg GetRemoteS
 &i.ClientIDIssuedAt,
 &i.ClientSecretExpiresAt,
 &i.TokenEndpointAuthMethod,
+ &i.Scope,
+ &i.Audience,
 &i.CreatedAt,
 &i.UpdatedAt,
 &i.DeletedAt,
@@ -640,7 +646,7 @@ func (q *Queries) ListConnectedClientIDsForSubject(ctx context.Context, arg List
 }
 
 const listRemoteSessionClientsByProjectID = `-- name: ListRemoteSessionClientsByProjectID :many
-SELECT id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, created_at, updated_at, deleted_at, deleted
+SELECT id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, scope, audience, created_at, updated_at, deleted_at, deleted
 FROM remote_session_clients
 WHERE project_id = $1 AND deleted IS FALSE
@@ -684,6 +690,8 @@ func (q *Queries) ListRemoteSessionClientsByProjectID(ctx context.Context, arg L
 &i.ClientIDIssuedAt,
 &i.ClientSecretExpiresAt,
 &i.TokenEndpointAuthMethod,
+ &i.Scope,
+ &i.Audience,
 &i.CreatedAt,
 &i.UpdatedAt,
 &i.DeletedAt,
@@ -959,7 +967,7 @@ SET
 token_endpoint_auth_method = COALESCE($4, token_endpoint_auth_method),
 updated_at = clock_timestamp()
 WHERE id = $5 AND project_id = $6 AND deleted IS FALSE
-RETURNING id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, created_at, updated_at, deleted_at, deleted
+RETURNING id, project_id, remote_session_issuer_id, user_session_issuer_id, client_id, client_secret_encrypted, client_id_issued_at, client_secret_expires_at, token_endpoint_auth_method, scope, audience, created_at, updated_at, deleted_at, deleted
 `
 
 type UpdateRemoteSessionClientParams struct {
@@ -991,6 +999,8 @@ func (q *Queries) UpdateRemoteSessionClient(ctx context.Context, arg UpdateRemot
 &i.ClientIDIssuedAt,
 &i.ClientSecretExpiresAt,
 &i.TokenEndpointAuthMethod,
+ &i.Scope,
+ &i.Audience,
 &i.CreatedAt,
 &i.UpdatedAt,
 &i.DeletedAt,
diff --git a/server/migrations/20260520030115_add_audience_and_scope_to_remote_session_clients.sql b/server/migrations/20260520030115_add_audience_and_scope_to_remote_session_clients.sql
new file mode 100644
index 0000000000..ab5b30ba47
--- /dev/null
+++ b/server/migrations/20260520030115_add_audience_and_scope_to_remote_session_clients.sql
@@ -0,0 +1,2 @@
+-- Modify "remote_session_clients" table
+ALTER TABLE "remote_session_clients" ADD COLUMN "scope" text[] NULL, ADD COLUMN "audience" text NULL;
diff --git a/server/migrations/atlas.sum b/server/migrations/atlas.sum
index 41b5fea8c9..83d9b76c2f 100644
--- a/server/migrations/atlas.sum
+++ b/server/migrations/atlas.sum
@@ -1,4 +1,4 @@
-h1:LvR2Up6I4Li09LtfI4ElgEr738wykaSHNJMj6Pr1/08=
+h1:yLYZzhrYgdoHXVAQj1cgsFYXcTWrhufBUbgWQFRSD2Q=
 20250502122425_initial-tables.sql h1:Hu3O60/bB4fjZpUay8FzyOjw6vngp087zU+U/wVKn7k=
 20250502130852_initial-indexes.sql h1:oYbnwi9y9PPTqu7uVbSPSALhCY8XF3rv03nDfG4b7mo=
 20250502154250_relax-http-security-fields.sql h1:0+OYIDq7IHmx7CP5BChVwfpF2rOSrRDxnqawXio2EVo=
@@ -183,3 +183,4 @@ h1:LvR2Up6I4Li09LtfI4ElgEr738wykaSHNJMj6Pr1/08=
 20260518114737_add_effect_to_principal_grants.sql h1:J3lR6SeKv0v+S+ecUzf2oHgI2nI5aXCZXKimjxWmLOo=
 20260518145220_age-2366-mcp_servers-user_session_issuer_id.sql h1:sfZwy1S/Axh3pmIYxEW0/ODPqfZ8H4+id0EhWc8LNac=
 20260518213910_add-remote-session-client-token-endpoint-auth-method.sql h1:JuOMsaREjEdVpN5V9su1Gi7al06kmYwZw6LGLyYqq3o=
+20260520030115_add_audience_and_scope_to_remote_session_clients.sql h1:61DiqJmzoI4CR7F8oyNtDzs0hGFtsXliB4LVsHA+b5E=
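Review bot: Both columns added by this migration (and by the matching `schema.sql` hunk) are nullable with no default, and nothing records what NULL means for an OAuth client's `scope` and `audience` — "no restriction" and "no scopes granted" are opposite authorization outcomes, and once scanned into the generated `Scope []string` field, callers that check `len()` will very likely treat NULL and `'{}'` alike. If NULL is meant to be "unrestricted", a comment on the column should say so; if it is meant to be "nothing granted", `ADD COLUMN "scope" text[] NOT NULL DEFAULT '{}'` removes the ambiguity at the source. Separately, no query in this commit writes the new columns — `CreateRemoteSessionClient` still binds only `$1`–`$8` and the `UpdateRemoteSessionClient` SET list still stops at `$4` — so every row reads back NULL until a follow-up adds the write path; that is presumably intentional for a migration-only change, but the commit message could say so.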