Add RegisterHandlers and wire embedded AS routes on vMCP mux

[jhrozek]

Summary

• The vMCP server needs to host both RFC 9728 protected resource metadata and embedded authorization server (AS) OAuth/OIDC endpoints on the same HTTP mux. The previous /.well-known/ catch-all registration would conflict with AS discovery routes.
• Replace /.well-known/ catch-all with explicit /.well-known/oauth-protected-resource path registrations so the AS can own its own /.well-known/ endpoints without conflicts.
• Add RegisterHandlers method on EmbeddedAuthServer that registers /.well-known/openid-configuration, /.well-known/oauth-authorization-server, /.well-known/jwks.json, and /oauth/ routes.
• Add AuthServer field to vmcpserver.Config with nil-guarded route registration in the mux setup.

Fixes #4141

Type of change

• New feature

Test plan

• Linting (task lint-fix)
• Unit tests (task test)

Changes

File	Change
pkg/authserver/runner/embeddedauthserver.go	Add RegisterHandlers(mux) method
pkg/vmcp/server/server.go	Add AuthServer field, explicit .well-known/ paths, Mode B route registration

Special notes for reviewers

This is part of a stacked PR series for the embedded auth server feature. This PR adds only the server-side wiring points. The construction of the EmbeddedAuthServer and config loading come in later PRs:

• scaffolding-3: upstream_inject strategy types + cross-cutting validation
• scaffolding-4: operator reconciler condition for AuthServerConfig
• scaffolding-5: converter + CLI auth server config loading

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 70.58824% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.74%. Comparing base (4838bb4) to head (0bd1c80).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/vmcp/server/server.go	50.00%	2 Missing and 1 partial ⚠️
pkg/authserver/runner/embeddedauthserver.go	90.00%	0 Missing and 1 partial ⚠️
pkg/runner/runner.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4348      +/-   ##
==========================================
- Coverage   68.86%   68.74%   -0.13%     
==========================================
  Files         479      479              
  Lines       48505    48530      +25     
==========================================
- Hits        33404    33362      -42     
+ Misses      12347    12328      -19     
- Partials     2754     2840      +86     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jerm-dro]

question: @jhrozek — AuthInfoHandler and AuthServer are semantically coupled: when an embedded AS is present, the protected resource metadata should advertise that AS's endpoints. Currently they're set independently on Config, which means nothing prevents them from diverging (e.g., AuthInfoHandler pointing to a different AS than the embedded one, or AuthServer being set without any protected resource metadata).

As scaffolding PRs 3-5 land, the auth surface on Config will be four fields: AuthMiddleware, AuthzMiddleware, AuthInfoHandler, and AuthServer. Do you plan to group these into an AuthConfig struct (or have AuthServer produce the AuthInfoHandler itself)? That would:

1. Make the invariant explicit — embedded AS implies its own protected resource metadata
2. Reduce the auth-related field sprawl on server.Config, which is already at 15+ fields (see vMCP anti-pattern Bump golangci/golangci-lint-action from 2f856675483cb8b9378ee77ee0beb67955aca9d7 to 4696ba8babb6127d732c3c6dde519db15edab9ea #3, god object)
3. Let the mux setup in Handler() delegate to a single authConfig.RegisterRoutes(mux) instead of two independent nil checks

Not blocking — just want to understand the plan before the follow-up PRs land.

[jhrozek]

question: @jhrozek — AuthInfoHandler and AuthServer are semantically coupled: when an embedded AS is present, the protected resource metadata should advertise that AS's endpoints. Currently they're set independently on Config, which means nothing prevents them from diverging (e.g., AuthInfoHandler pointing to a different AS than the embedded one, or AuthServer being set without any protected resource metadata).

As scaffolding PRs 3-5 land, the auth surface on Config will be four fields: AuthMiddleware, AuthzMiddleware, AuthInfoHandler, and AuthServer. Do you plan to group these into an AuthConfig struct (or have AuthServer produce the AuthInfoHandler itself)? That would:

yes, I'd like to land a couple of more PRs but I do have a refactoring planned as the last one. Let me push it up in pauses betweeen review iterations as a draft so you can review.