fix(admin): preserve OAuth client_secret when editing gateways and A2A agents

When editing a gateway or A2A agent via the admin UI, the client_secret
field was set to empty string in the edit form (unlike all other secret
fields which use the masked placeholder). The backend then received an
empty value and silently dropped the client_secret key from oauth_config,
causing the existing encrypted secret to be lost on save.

This fix applies two layers of defense:

Backend (admin.py):
- Gateway and A2A agent edit handlers now send the masked placeholder
  value when client_secret is empty/masked, so the service layer's
  protect_oauth_config_for_storage() preserves the existing encrypted
  secret from the database.

Frontend (gateways.js, a2aAgents.js, servers.js):
- Edit forms now show MASKED_AUTH_VALUE when a client_secret exists,
  consistent with how bearer tokens, passwords, and other secrets are
  handled in the UI.

Signed-off-by: Olivier Gintrand <olivier.gintrand@forterro.com>

Author: Olivier Gintrand

mcpgateway/admin.py

@@ -12394,10 +12394,13 @@ async def admin_edit_gateway(
                     oauth_config["redirect_uri"] = oauth_redirect_uri
                 if oauth_client_id:
                     oauth_config["client_id"] = oauth_client_id
-                if oauth_client_secret:
-                    # Encrypt the client secret
+                if oauth_client_secret and oauth_client_secret != settings.masked_auth_value:
+                    # Encrypt the new client secret
                     encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = await encryption.encrypt_secret_async(oauth_client_secret)
+                elif oauth_client_id:
+                    # client_id present but secret left blank or masked — preserve existing secret
+                    oauth_config["client_secret"] = settings.masked_auth_value
 
                 # Add username and password for password grant type
                 if oauth_username:
@@ -15719,10 +15722,13 @@ async def admin_edit_a2a_agent(
                     oauth_config["redirect_uri"] = oauth_redirect_uri
                 if oauth_client_id:
                     oauth_config["client_id"] = oauth_client_id
-                if oauth_client_secret:
-                    # Encrypt the client secret
+                if oauth_client_secret and oauth_client_secret != settings.masked_auth_value:
+                    # Encrypt the new client secret
                     encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = await encryption.encrypt_secret_async(oauth_client_secret)
+                elif oauth_client_id:
+                    # client_id present but secret left blank or masked — preserve existing secret
+                    oauth_config["client_secret"] = settings.masked_auth_value
 
                 # Add username and password for password grant type
                 if oauth_username:

mcpgateway/admin_ui/a2aAgents.js

@@ -513,7 +513,7 @@ export const editA2AAgent = async function (agentId) {
             oauthClientIdField.value = config.client_id || "";
           }
           if (oauthClientSecretField) {
-            oauthClientSecretField.value = ""; // Don't populate secret for security
+            oauthClientSecretField.value = config.client_secret ? MASKED_AUTH_VALUE : "";
           }
           if (oauthTokenUrlField) {
             oauthTokenUrlField.value = config.token_url || "";

mcpgateway/admin_ui/gateways.js

@@ -510,7 +510,7 @@ export const editGateway = async function (gatewayId) {
             oauthClientIdField.value = config.client_id || "";
           }
           if (oauthClientSecretField) {
-            oauthClientSecretField.value = ""; // Don't populate secret for security
+            oauthClientSecretField.value = config.client_secret ? MASKED_AUTH_VALUE : "";
           }
           if (oauthTokenUrlField) {
             oauthTokenUrlField.value = config.token_url || "";

mcpgateway/admin_ui/servers.js

@@ -1,5 +1,6 @@
 import { AppState } from "./appState.js";
 import { getCatalogUrl } from "./configExport.js";
+import { MASKED_AUTH_VALUE } from "./constants.js";
 import { toggleViewPublic } from "./filters.js";
 import { initGatewaySelect } from "./gateways.js";
 import { openModal } from "./modals.js";
@@ -857,6 +858,16 @@ export const editServer = async function (serverId) {
       if (oauthTokenEndpointField) {
         oauthTokenEndpointField.value = server.oauthConfig.token_endpoint || "";
       }
+
+      // Extract client_id for DCR bypass (pre-registered client)
+      const oauthClientIdField = safeGetElement("edit-server-oauth-client-id");
+      if (oauthClientIdField) {
+        oauthClientIdField.value = server.oauthConfig.client_id || "";
+      }
+      const oauthClientSecretField = safeGetElement("edit-server-oauth-client-secret");
+      if (oauthClientSecretField) {
+        oauthClientSecretField.value = server.oauthConfig.client_secret ? MASKED_AUTH_VALUE : "";
+      }
     } else {
       // Clear OAuth config fields when no config exists
       if (oauthAuthServerField) oauthAuthServerField.value = "";