Persist DCR client credentials for OAuth session restoration

[flfeurmou-indeed]

Summary

Extend OAuth token persistence to also store Dynamic Client Registration (DCR) client credentials. This enables workloads that use DCR (like Datadog and Glean) to restore OAuth sessions across restarts without requiring a new browser-based authentication flow.

This PR builds on #3382 which added refresh token persistence, addressing the remaining issue where DCR servers still required re-authentication because the dynamically registered client_id (and client_secret where applicable) were lost on restart.

Problem

Remote MCP servers that use Dynamic Client Registration (e.g., Datadog, Glean) would lose their OAuth sessions after workload restarts because:

1. The refresh token was being persisted (feat(auth): persist OAuth tokens across workload restarts #3382 fix)
2. But the DCR-issued client_id was not persisted
3. Without the original client_id, the token refresh request fails with "Client ID is required" or similar errors

Solution

Store DCR client credentials in the secret manager alongside refresh tokens:

• CachedClientIDRef: Reference to the stored client ID
• CachedClientSecretRef: Reference to the stored client secret (when issued)

For PKCE flows (like Datadog), only the client_id is persisted since no client_secret is issued.

Changes

• Add CachedClientIDRef and CachedClientSecretRef fields to remote.Config
• Add HasCachedClientCredentials() and ClearCachedClientCredentials() helper methods
• Add TokenTypeOAuthClientID to secrets for secure storage
• Expose ClientID and ClientSecret in OAuthFlowResult from discovery
• Add ClientCredentialsPersister type for DCR credential persistence
• Update handler to restore and persist DCR credentials
• Update runner to wire up the client credentials persister
• Regenerate swagger documentation
• Add unit tests for new functionality

Testing

• All existing tests pass
• New unit tests added for HasCachedClientCredentials and ClearCachedClientCredentials
• Manually tested with Datadog MCP (PKCE flow) - sessions survive restarts

Related

Closes #3335

[codecov]

Codecov Report

❌ Patch coverage is 8.33333% with 55 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.64%. Comparing base (a7962a6) to head (4351e7e).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/auth/remote/handler.go	0.00%	27 Missing ⚠️
pkg/runner/runner.go	0.00%	26 Missing ⚠️
pkg/auth/discovery/discovery.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3418      +/-   ##
==========================================
- Coverage   64.79%   64.64%   -0.15%     
==========================================
  Files         381      381              
  Lines       37149    37207      +58     
==========================================
- Hits        24071    24054      -17     
- Misses      11191    11268      +77     
+ Partials     1887     1885       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.