Part of #167 (hosted multi-user server v1).
What
ProviderClientRecord (OAuth client_id/client_secret) represents the OAuth application registration — it belongs to the server, not the user. Move storage from profile:<identity>:<provider>:client to server:<provider>:client so all users on a hosted instance share the same OAuth app credentials.
See docs/adr/0001-provider-client-record-server-scope.md for the full rationale.
Changes required
utils.py:build_store_key(): add a server-level key variant (e.g. StoreKeyType.SERVER_CLIENT → "server:<provider>:client")AuthService._get_provider_client_credentials(): use server key, ignore self._identityAuthService._save_provider_client_credentials(): use server keyauth/models/connection.py:ProviderClientRecord: remove the profile field- Remove
env:VAR_NAME support from ClientConfig if it exists (confirm it never ships — currently absent from provider.py)
Input flow unchanged
The existing input collection flow (prompting for client_id/client_secret during login) stays exactly as-is. Only the storage key changes.
Migration note
Existing local ProviderClientRecord data stored under profile:<name>:<provider>:client is not migrated automatically. Users on upgraded local deployments must re-enter client credentials once. Document in CHANGELOG.
Part of #167 (hosted multi-user server v1).
What
ProviderClientRecord(OAuthclient_id/client_secret) represents the OAuth application registration — it belongs to the server, not the user. Move storage fromprofile:<identity>:<provider>:clienttoserver:<provider>:clientso all users on a hosted instance share the same OAuth app credentials.See
docs/adr/0001-provider-client-record-server-scope.mdfor the full rationale.Changes required
utils.py:build_store_key(): add a server-level key variant (e.g.StoreKeyType.SERVER_CLIENT→"server:<provider>:client")AuthService._get_provider_client_credentials(): use server key, ignoreself._identityAuthService._save_provider_client_credentials(): use server keyauth/models/connection.py:ProviderClientRecord: remove theprofilefieldenv:VAR_NAMEsupport fromClientConfigif it exists (confirm it never ships — currently absent fromprovider.py)Input flow unchanged
The existing input collection flow (prompting for
client_id/client_secretduring login) stays exactly as-is. Only the storage key changes.Migration note
Existing local
ProviderClientRecorddata stored underprofile:<name>:<provider>:clientis not migrated automatically. Users on upgraded local deployments must re-enter client credentials once. Document in CHANGELOG.