Extract DCR resolver into pkg/auth/dcr

Sub-issue 4a of #5145. Creates the shared pkg/auth/dcr package and
migrates the embedded authserver to consume it. The CLI flow
migration (pkg/auth/discovery::PerformOAuthFlow) is left to
sub-issue 4b (#5219) so this slice stays under the project's
PR-size limit.

Files moved (renamed via git mv so the diff shows as renames, not
deletions + additions):

  pkg/authserver/runner/dcr.go              -> pkg/auth/dcr/resolver.go
  pkg/authserver/runner/dcr_store.go        -> pkg/auth/dcr/store.go
  pkg/authserver/runner/dcr_test.go         -> pkg/auth/dcr/resolver_test.go
  pkg/authserver/runner/dcr_store_test.go   -> pkg/auth/dcr/store_test.go
  pkg/authserver/runner/dcr_testhelpers_test.go -> pkg/auth/dcr/testhelpers_test.go

Public API surface (renamed from runner-package internals because
they now cross a package boundary):

  Resolution            (was DCRResolution)
  Key                   (was DCRKey, alias to storage.DCRKey unchanged)
  CredentialStore       (was the package-private dcrResolutionCache)
  ResolveCredentials    (was resolveDCRCredentials)
  NeedsDCR              (was needsDCR)
  ConsumeResolution     (was consumeResolution)
  ApplyResolutionToOAuth2Config (was applyResolutionToOAuth2Config)
  LogStepError          (was logDCRStepError)
  NewInMemoryStore      (new convenience constructor wrapping
                         storage.NewMemoryStorage; mirrors the pattern
                         the per-test newMemoryDCRStore helpers use)
  NewStorageBackedStore (was the package-private newStorageBackedStore)
  SanitizeErrorForLog   (was sanitizeErrorForLog; promoted to
                         exported because the deferred-cleanup log
                         path in pkg/authserver/runner needs it)

Names follow the pkg/auth/dcr.* form so the linter's stuttering
check (revive: dcr.DCRResolution would stutter) passes and the
surface reads as ordinary package API.

resolveSecret was duplicated into the dcr package because
pkg/auth/dcr must stay profile-agnostic and cannot reach back into
pkg/authserver/runner. The duplication is intentional and called
out in a comment; future consolidation can move it into a shared
helper if a third caller appears. A parallel TestResolveSecret /
TestResolveSecretWithEnvVar suite in pkg/auth/dcr/secret_test.go
mirrors the runner-package twin's observable contract so any
future drift between the two copies fails CI on at least one side.

Review-feedback bits applied alongside the move:

- Package doc comment in pkg/auth/dcr/resolver.go now documents the
  process-global singleflight in a Concurrency section, and labels
  the profile-agnostic framing as a target state for sub-issue 4b
  rather than as a description of the current API shape (the
  package's public API still takes embedded-authserver types).
- dcrFlight var doc gains a cross-consumer caveat naming the
  "third consumer with colliding redirect URI" failure mode.
- Flight-key construction extracted into flightKeyOf(Key) string so
  the canonical key shape is inspectable rather than buried in a
  string-concatenation literal.
- endpointsFromMetadata gains a defensive nil check; the function's
  doc comment names the oauthproto contract being defended.
- newMemoryDCRStore test helper is duplicated across the two
  packages because Go test helpers cannot be shared without
  exporting them; the duplication is documented at both sites.

Acceptance criteria status (#5145):

  AC#1 (pkg/auth/dcr exists, exports a stateful resolver, consumed
       by both call sites): partially met — package exists and is
       consumed by EmbeddedAuthServer. CLI flow migration is
       sub-issue 4b (#5219).
  AC#2 (stateless RFC 7591 helpers in pkg/oauthproto): met
       (already satisfied before this PR).
  AC#3 (no direct oauthproto.RegisterClientDynamically calls
       outside pkg/auth/dcr): not yet met — pkg/auth/discovery
       still calls it. Resolved by sub-issue 4b (#5219).
  AC#4 (review-property behaviours apply to CLI flow): not yet
       met — same dependency on 4b (#5219).

Closes #5220.

Verified via task lint-fix (0 issues), task license-check (clean),
and go test -count=1 -race ./pkg/auth/dcr/... ./pkg/authserver/...
(all pass).

Author: tgrunnagle

pkg/authserver/runner/dcr.go pkg/auth/dcr/resolver.gopkg/authserver/runner/dcr.go renamed to pkg/auth/dcr/resolver.go

@@ -0,0 +1,118 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package dcr
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestResolveSecret pins the dcr-package copy of resolveSecret to the same
+// observable contract as the parallel runner-package copy
+// (pkg/authserver/runner/embeddedauthserver_test.go::TestResolveSecret*).
+// Two physically-distinct copies of this helper exist by design (the dcr
+// package must not reach back into pkg/authserver/runner per its
+// profile-agnostic charter); this test guards against silent drift between
+// them. If a future bug fix lands on one copy without being mirrored to the
+// other, this test or its runner-package twin will fail.
+//
+// Cases that take t.Setenv() are kept out of the parallel sub-suite because
+// t.Setenv requires a non-parallel test scope.
+func TestResolveSecret(t *testing.T) {
+	t.Parallel()
+
+	tmpDir := t.TempDir()
+	secretFile := filepath.Join(tmpDir, "secret")
+	require.NoError(t, os.WriteFile(secretFile, []byte("  secret-value  \n"), 0o600))
+
+	cases := []struct {
+		name        string
+		file        string
+		envVar      string
+		want        string
+		wantErr     bool
+		wantErrSubs []string
+	}{
+		{
+			name: "neither file nor env var set returns empty string and no error",
+			file: "", envVar: "",
+			want: "",
+		},
+		{
+			name: "file content is read and surrounding whitespace trimmed",
+			file: secretFile, envVar: "",
+			want: "secret-value",
+		},
+		{
+			name: "missing file returns wrapped read error",
+			file: "/nonexistent/file", envVar: "",
+			wantErr: true, wantErrSubs: []string{"failed to read secret file"},
+		},
+		{
+			name: "env var name is set but env var is empty returns explanatory error",
+			// Use a unique env var name that won't be set in the environment.
+			file: "", envVar: "TEST_SECRET_NOT_SET_DCR_PKG_12345",
+			wantErr: true, wantErrSubs: []string{"environment variable", "is not set"},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			got, err := resolveSecret(tc.file, tc.envVar)
+			if tc.wantErr {
+				require.Error(t, err)
+				for _, sub := range tc.wantErrSubs {
+					assert.Contains(t, err.Error(), sub)
+				}
+				assert.Empty(t, got)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tc.want, got)
+		})
+	}
+}
+
+// TestResolveSecretWithEnvVar covers the env-var paths separately because
+// t.Setenv requires a non-parallel test scope. Mirrors the runner-package
+// twin (TestResolveSecretWithEnvVar in embeddedauthserver_test.go).
+func TestResolveSecretWithEnvVar(t *testing.T) {
+	tmpDir := t.TempDir()
+	secretFile := filepath.Join(tmpDir, "secret")
+	require.NoError(t, os.WriteFile(secretFile, []byte("secret-from-file"), 0o600))
+
+	t.Run("file takes precedence over env var when both are set", func(t *testing.T) {
+		envVar := "TEST_SECRET_FILE_PRECEDENCE_DCR_PKG"
+		t.Setenv(envVar, "secret-from-env")
+
+		got, err := resolveSecret(secretFile, envVar)
+		require.NoError(t, err)
+		assert.Equal(t, "secret-from-file", got)
+	})
+
+	t.Run("env var is read when file is empty", func(t *testing.T) {
+		envVar := "TEST_SECRET_ENV_ONLY_DCR_PKG"
+		t.Setenv(envVar, "secret-from-env")
+
+		got, err := resolveSecret("", envVar)
+		require.NoError(t, err)
+		assert.Equal(t, "secret-from-env", got)
+	})
+
+	t.Run("missing file does not silently fall back to env var", func(t *testing.T) {
+		envVar := "TEST_SECRET_NO_FALLBACK_DCR_PKG"
+		t.Setenv(envVar, "secret-from-env")
+
+		got, err := resolveSecret("/nonexistent/file", envVar)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to read secret file")
+		assert.Empty(t, got)
+	})
+}

pkg/authserver/runner/dcr_test.go pkg/auth/dcr/resolver_test.gopkg/authserver/runner/dcr_test.go renamed to pkg/auth/dcr/resolver_test.go

@@ -1,7 +1,7 @@
 // SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
 // SPDX-License-Identifier: Apache-2.0
 
-package runner
+package dcr
 
 import (
 	"context"
@@ -18,64 +18,78 @@ import (
 // long-lived and are only purged by explicit RFC 7592 deregistration.
 const dcrStaleAgeThreshold = 90 * 24 * time.Hour
 
-// DCRKey is a re-export of storage.DCRKey, kept as a package-local alias so
-// existing runner-side callers continue to compile against runner.DCRKey
-// while the canonical definition lives in pkg/authserver/storage. The
-// canonical form (and its ScopesHash constructor) MUST live in a single place
-// so any future Redis backend hashes keys identically to the in-memory
-// backend; see storage.DCRKey for the field documentation.
-type DCRKey = storage.DCRKey
+// Key is a re-export of storage.DCRKey, kept as a package-local alias so
+// callers in this package can reference the canonical cache key without an
+// explicit storage. qualifier on every call site, while the canonical
+// definition lives in pkg/authserver/storage. The canonical form (and its
+// ScopesHash constructor) MUST live in a single place so any future Redis
+// backend hashes keys identically to the in-memory backend; see
+// storage.DCRKey for the field documentation.
+type Key = storage.DCRKey
 
-// dcrResolutionCache caches RFC 7591 Dynamic Client Registration resolutions
+// CredentialStore caches RFC 7591 Dynamic Client Registration resolutions
 // keyed by the (Issuer, RedirectURI, ScopesHash) tuple. Implementations must
 // be safe for concurrent use.
 //
 // This is the runner-facing interface used by the DCR resolver. It is a
 // narrow re-projection of storage.DCRCredentialStore that exchanges
-// *DCRResolution values (the resolver's working type) instead of
+// *Resolution values (the resolver's working type) instead of
 // *storage.DCRCredentials so the resolver internals stay agnostic to the
 // persistence layer's exact field shape.
 //
 // Implementations in this package are thin adapters around a
 // storage.DCRCredentialStore — the durable map / Redis hash lives over
-// there, and this interface adds a per-call DCRResolution <-> DCRCredentials
+// there, and this interface adds a per-call Resolution <-> DCRCredentials
 // translation. There is exactly one persistence implementation per backend:
-// storage.MemoryStorage and storage.RedisStorage. See newStorageBackedStore
+// storage.MemoryStorage and storage.RedisStorage. See NewStorageBackedStore
 // for the adapter.
-type dcrResolutionCache interface {
+type CredentialStore interface {
 	// Get returns the cached resolution for key, or (nil, false, nil) if the
 	// key is not present. An error is returned only on backend failure.
-	Get(ctx context.Context, key DCRKey) (*DCRResolution, bool, error)
+	Get(ctx context.Context, key Key) (*Resolution, bool, error)
 
 	// Put stores the resolution for key, overwriting any existing entry.
 	// Implementations must reject a nil resolution with an error rather
 	// than silently succeeding — a no-op would leave callers with no
 	// debug trail for the subsequent Get miss.
-	Put(ctx context.Context, key DCRKey, resolution *DCRResolution) error
+	Put(ctx context.Context, key Key, resolution *Resolution) error
 }
 
-// newStorageBackedStore returns a dcrResolutionCache that delegates to a
+// NewInMemoryStore returns a thread-safe in-memory CredentialStore intended
+// for tests and single-replica development deployments. It is a thin adapter
+// over storage.NewMemoryStorage so the resolver-side cache and the
+// authserver's main storage backend share a single in-memory implementation.
+//
+// Production deployments should use a Redis-backed
+// storage.DCRCredentialStore (instantiated via storage.NewRedisStorage and
+// passed through this package's storage-backed adapter), which addresses
+// cross-replica sharing, durability, and cross-process coordination.
+func NewInMemoryStore() CredentialStore {
+	return NewStorageBackedStore(storage.NewMemoryStorage())
+}
+
+// NewStorageBackedStore returns a CredentialStore that delegates to a
 // storage.DCRCredentialStore for durable persistence and translates
-// DCRResolution values into DCRCredentials at the boundary. The returned
+// Resolution values into DCRCredentials at the boundary. The returned
 // store is safe for concurrent use because the underlying
 // storage.DCRCredentialStore must be (per its interface contract).
-func newStorageBackedStore(backend storage.DCRCredentialStore) dcrResolutionCache {
+func NewStorageBackedStore(backend storage.DCRCredentialStore) CredentialStore {
 	return &storageBackedStore{backend: backend}
 }
 
-// storageBackedStore is the runner-side dcrResolutionCache wrapping a
+// storageBackedStore is the dcr-package CredentialStore wrapping a
 // storage.DCRCredentialStore. Its methods are the only place that converts
-// between the resolver's *DCRResolution and the persisted
+// between the resolver's *Resolution and the persisted
 // *storage.DCRCredentials shapes.
 type storageBackedStore struct {
 	backend storage.DCRCredentialStore
 }
 
-// Get implements dcrResolutionCache.
+// Get implements CredentialStore.
 //
 // A storage-level ErrNotFound is translated into the (nil, false, nil)
 // miss-tuple advertised by the interface. Other errors propagate as-is.
-func (s *storageBackedStore) Get(ctx context.Context, key DCRKey) (*DCRResolution, bool, error) {
+func (s *storageBackedStore) Get(ctx context.Context, key Key) (*Resolution, bool, error) {
 	creds, err := s.backend.GetDCRCredentials(ctx, key)
 	if err != nil {
 		if errors.Is(err, storage.ErrNotFound) {
@@ -86,27 +100,27 @@ func (s *storageBackedStore) Get(ctx context.Context, key DCRKey) (*DCRResolutio
 	return credentialsToResolution(creds), true, nil
 }
 
-// Put implements dcrResolutionCache.
+// Put implements CredentialStore.
 //
 // A nil resolution is rejected rather than silently no-oped: a caller
 // passing nil would otherwise get a successful return, observe a miss on
 // the next Get, and have no error trail to debug from. Failing loudly at
 // the boundary makes such bugs visible at the first call.
-func (s *storageBackedStore) Put(ctx context.Context, key DCRKey, resolution *DCRResolution) error {
+func (s *storageBackedStore) Put(ctx context.Context, key Key, resolution *Resolution) error {
 	if resolution == nil {
 		return fmt.Errorf("dcr: resolution must not be nil")
 	}
 	creds := resolutionToCredentials(key, resolution)
 	return s.backend.StoreDCRCredentials(ctx, creds)
 }
 
-// resolutionToCredentials converts a resolver-side *DCRResolution into the
-// persisted *storage.DCRCredentials shape. The DCRKey is supplied separately
+// resolutionToCredentials converts a resolver-side *Resolution into the
+// persisted *storage.DCRCredentials shape. The Key is supplied separately
 // because storage.DCRCredentials carries the key as a struct field rather
 // than implicitly via a map key, so the persistence layer can round-trip it
 // across processes and backends.
 //
-// Fields that exist on DCRResolution but not on DCRCredentials are dropped:
+// Fields that exist on Resolution but not on DCRCredentials are dropped:
 //   - ClientIDIssuedAt: informational only per RFC 7591 §3.2.1; the resolver
 //     does not consult it for cache invalidation, so it does not need to
 //     survive a process restart.
@@ -116,7 +130,7 @@ func (s *storageBackedStore) Put(ctx context.Context, key DCRKey, resolution *DC
 // CreatedAt and ClientSecretExpiresAt are preserved so cache observers
 // (e.g. lookupCachedResolution's staleness Warn) and TTL-aware backends
 // (Redis) keep their existing behaviour after a restart.
-func resolutionToCredentials(key DCRKey, res *DCRResolution) *storage.DCRCredentials {
+func resolutionToCredentials(key Key, res *Resolution) *storage.DCRCredentials {
 	if res == nil {
 		return nil
 	}
@@ -136,17 +150,17 @@ func resolutionToCredentials(key DCRKey, res *DCRResolution) *storage.DCRCredent
 
 // credentialsToResolution is the inverse of resolutionToCredentials. The
 // RedirectURI is recovered from the persisted Key so consumers that read it
-// off the resolution (e.g. consumeResolution, which writes it back onto a
+// off the resolution (e.g. ConsumeResolution, which writes it back onto a
 // run-config copy when the caller left it empty) see the canonical value.
 //
 // ClientIDIssuedAt is left zero because it is not persisted. Callers that
 // care about it (none today) must read it directly from the live RFC 7591
 // response, not from a cached resolution.
-func credentialsToResolution(creds *storage.DCRCredentials) *DCRResolution {
+func credentialsToResolution(creds *storage.DCRCredentials) *Resolution {
 	if creds == nil {
 		return nil
 	}
-	return &DCRResolution{
+	return &Resolution{
 		ClientID:                creds.ClientID,
 		ClientSecret:            creds.ClientSecret,
 		AuthorizationEndpoint:   creds.AuthorizationEndpoint,