feat: harden Claude MCP OAuth transport

tests/conftest.py

@@ -9,9 +9,11 @@ from aegis_gitea_mcp.audit import reset_audit_logger
 from aegis_gitea_mcp.auth import reset_validator
 from aegis_gitea_mcp.config import reset_settings
 from aegis_gitea_mcp.oauth import reset_oauth_validator
+from aegis_gitea_mcp.oauth_flow import reset_oauth_client_registry
 from aegis_gitea_mcp.observability import reset_metrics_registry
 from aegis_gitea_mcp.policy import reset_policy_engine
 from aegis_gitea_mcp.rate_limit import reset_rate_limiter
+from aegis_gitea_mcp.server import reset_repo_authz_cache
 
 
 @pytest.fixture(autouse=True)
@@ -22,6 +24,8 @@ def reset_globals(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Generator[
     reset_audit_logger()
     reset_validator()
     reset_oauth_validator()
+    reset_oauth_client_registry()
+    reset_repo_authz_cache()
     reset_policy_engine()
     reset_rate_limiter()
     reset_metrics_registry()
@@ -37,6 +41,8 @@ def reset_globals(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> Generator[
     reset_audit_logger()
     reset_validator()
     reset_oauth_validator()
+    reset_oauth_client_registry()
+    reset_repo_authz_cache()
     reset_policy_engine()
     reset_rate_limiter()
     reset_metrics_registry()
@@ -66,4 +72,5 @@ def mock_env_oauth(monkeypatch: pytest.MonkeyPatch) -> None:
     monkeypatch.setenv("OAUTH_MODE", "true")
     monkeypatch.setenv("GITEA_OAUTH_CLIENT_ID", "test-client-id")
     monkeypatch.setenv("GITEA_OAUTH_CLIENT_SECRET", "test-client-secret")
+    monkeypatch.setenv("OAUTH_STATE_SECRET", "test-state-secret-0123456789abcdef")
     monkeypatch.setenv("STARTUP_VALIDATE_GITEA", "false")