keycloak client cleanup

2026-06-03 17:28:08 +02:00
parent 428de7af78
commit 376d81a5ac
4 changed files with 150 additions and 7 deletions


@@ -772,7 +772,7 @@ Internet → Traefik → Service:8080 → Auth Sidecar:8080 → localhost → Yo
Three authentication modes are supported:
1. **Token-based**: Static tokens (simple, good for service-to-service or internal apps)
2. **OIDC**: OpenID Connect (full SSO, good for user-facing apps)
3. **MCP**: OAuth 2.0 for MCP servers via RFC 9728 / RFC 7591 (good for MCP tool servers requiring OAuth-based access control)
3. **MCP**: OAuth 2.0 for MCP servers via RFC 9728 (Protected Resource Metadata); Keycloak provides native RFC 7591 Dynamic Client Registration (good for MCP tool servers requiring OAuth-based access control)
---
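Review bot: the new item 3 ties the generic MCP mode to Keycloak by name, while items 1 and 2 and the `mcp.authority` setting stay vendor-neutral; say whether the sidecar still works against any authorization server that publishes RFC 9728 metadata (with clients registering by whatever means that server offers) or whether Keycloak with dynamic registration enabled is now a hard requirement of the mode. The parenthetical is also long for a list item; something like `3. **MCP**: OAuth 2.0 for MCP servers via RFC 9728 Protected Resource Metadata; client registration is delegated to the authorization server (good for MCP tool servers requiring OAuth-based access control)` reads better. Either way, make it explicit that the sidecar no longer performs or gates registration itself, so the authorization server's registration policy becomes the only control over who can obtain a client.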
@@ -1013,7 +1013,7 @@ auth:
scopes: "openid,profile,email" # OIDC scopes (optional)
callbackPath: /auth/callback # OAuth callback path (optional)
# MCP mode configuration (RFC 9728 / RFC 7591)
# MCP mode configuration (RFC 9728)
mcp:
resource: "" # Protected resource URL (required for MCP)
authority: "" # Authorization server URL (required for MCP)
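Review bot: the comment edit drops the RFC 7591 reference, but the `mcp:` block still documents only `resource` and `authority`; given the commit title "keycloak client cleanup" and the 150 additions elsewhere that this page does not show, confirm that any registration-related keys the sidecar previously read under `mcp:` are removed from the chart values and its schema in the same change. A one-line comment here, such as `# Client registration (RFC 7591) is handled by the authorization server, not the sidecar`, would stop operators from looking for a registration setting that no longer exists.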
@@ -1161,7 +1161,7 @@ ingress:
host: mcp-server.forteapps.net
```
The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) for authorization server discovery and RFC 7591 (OAuth 2.0 Dynamic Client Registration) for automatic client registration. MCP clients discover the authorization server and scopes from the `/.well-known/oauth-protected-resource` endpoint served by the sidecar.
The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) for authorization server discovery. Dynamic Client Registration (RFC 7591) is handled natively by Keycloak; MCP clients discover the authorization server and scopes from the `/.well-known/oauth-protected-resource` endpoint served by the sidecar and then register directly with Keycloak.
#### Example 4: Disabling Authentication
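Review bot: the replacement sentence says clients "register directly with Keycloak" but does not say how they find the registration endpoint; by its own description the sidecar's `/.well-known/oauth-protected-resource` document only names the authorization server and scopes, so the client has to fetch that server's own metadata to locate registration. Spell that step out, and since the sidecar no longer takes part in registration, state what it still enforces on inbound tokens (for example that their audience matches the configured `resource`) so the delegation to Keycloak is not read as the sidecar accepting any client Keycloak admits. Minor: the semicolon joins two unrelated clauses; split them into two sentences.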