feat(db): add oauth_clients table for dynamic client registration

* Introduced oauth_clients table with fields for client_id, client_name, redirect_uris, and created_at.
* Updated agent_persona_parts, agent_persona_skills, agent_persona_guardrails, agent_persona_traits, and arc_stage_parts tables to use unique constraints instead of primary keys for composite indexes.

internal/auth/middleware.go

@@ -17,6 +17,22 @@ type contextKey string
 
 const keyIDContextKey contextKey = "auth.key_id"
 
+// wwwAuthenticate returns the value for a WWW-Authenticate header.
+// It advertises Bearer and, when a public URL is known, the OAuth metadata URL per RFC 9728.
+func wwwAuthenticate(r *http.Request, publicURL string) string {
+	base := publicURL
+	if base == "" {
+		scheme := "https"
+		if proto := r.Header.Get("X-Forwarded-Proto"); proto != "" {
+			scheme = strings.ToLower(proto)
+		} else if r.TLS == nil {
+			scheme = "http"
+		}
+		base = scheme + "://" + r.Host
+	}
+	return `Bearer resource_metadata="` + base + `/.well-known/oauth-authorization-server"`
+}
+
 func Middleware(cfg config.AuthConfig, keyring *Keyring, oauthRegistry *OAuthRegistry, tokenStore *TokenStore, tracker *AccessTracker, log *slog.Logger) func(http.Handler) http.Handler {
 	headerName := cfg.HeaderName
 	if headerName == "" {
@@ -69,6 +85,7 @@ func Middleware(cfg config.AuthConfig, keyring *Keyring, oauthRegistry *OAuthReg
 					}
 				}
 				log.Warn("bearer token rejected", slog.String("remote_addr", remoteAddr))
+				w.Header().Set("WWW-Authenticate", wwwAuthenticate(r, "")+`, error="invalid_token"`)
 				http.Error(w, "invalid token or API key", http.StatusUnauthorized)
 				return
 			}
@@ -105,6 +122,7 @@ func Middleware(cfg config.AuthConfig, keyring *Keyring, oauthRegistry *OAuthReg
 				}
 			}
 
+			w.Header().Set("WWW-Authenticate", wwwAuthenticate(r, ""))
 			http.Error(w, "authentication required", http.StatusUnauthorized)
 		})
 	}