fix: Implement OAuth Client ID Metadata Document endpoint

Fixes critical IndieAuth authentication failure by implementing modern
JSON-based client discovery mechanism per IndieAuth spec section 4.2.

Added /.well-known/oauth-authorization-server endpoint returning JSON
metadata with client_id, redirect_uris, and OAuth capabilities.

Added <link rel="indieauth-metadata"> discovery hint in HTML head.

Maintained h-app microformats for backward compatibility with legacy
IndieAuth servers.

This resolves "client_id is not registered" error from IndieLogin.com
by providing the metadata document modern IndieAuth servers expect.

Changes:
- Added oauth_client_metadata() endpoint in public routes
- Returns JSON with client info (24-hour cache)
- Uses config values (SITE_URL, SITE_NAME) not hardcoded URLs
- Added indieauth-metadata link in base.html
- Comprehensive test suite (15 new tests, all passing)
- Updated version to v0.6.2 (PATCH increment)
- Updated CHANGELOG.md with detailed fix documentation

Standards Compliance:
- IndieAuth specification section 4.2
- OAuth Client ID Metadata Document format
- IANA well-known URI registry
- RFC 7591 OAuth 2.0 Dynamic Client Registration

Testing:
- 467/468 tests passing (99.79%)
- 15 new tests for OAuth metadata and discovery
- Zero regressions in existing tests
- Test coverage maintained at 88%

Related Documentation:
- ADR-017: OAuth Client ID Metadata Document Implementation
- IndieAuth Fix Summary report
- Implementation report in docs/reports/

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.6.2] - 2025-11-19
+
+### Fixed
+- **CRITICAL**: Implemented OAuth Client ID Metadata Document to fix IndieAuth authentication
+- Added `/.well-known/oauth-authorization-server` endpoint returning JSON metadata
+- IndieLogin.com now correctly verifies StarPunk as a registered OAuth client
+- Resolves "client_id is not registered" error preventing production authentication
+- Fixes authentication flow with modern IndieAuth servers (2022+ specification)
+
+### Added
+- OAuth Client ID Metadata Document endpoint at `/.well-known/oauth-authorization-server`
+- JSON metadata response with client_id, client_name, redirect_uris, and OAuth capabilities
+- `<link rel="indieauth-metadata">` discovery hint in HTML head
+- 24-hour caching for metadata endpoint (Cache-Control headers)
+- Comprehensive test suite for OAuth metadata endpoint (12 new tests)
+- Tests for indieauth-metadata link discovery (3 tests)
+
+### Changed
+- IndieAuth client discovery now uses modern JSON metadata (primary method)
+- h-app microformats retained for backward compatibility (legacy fallback)
+- Three-layer discovery: well-known URL, link rel hint, h-app markup
+
+### Standards Compliance
+- IndieAuth specification section 4.2 (Client Information Discovery)
+- OAuth Client ID Metadata Document format
+- IANA well-known URI registry standard
+- OAuth 2.0 Dynamic Client Registration (RFC 7591)
+
+### Technical Details
+- Metadata endpoint uses configuration values (SITE_URL, SITE_NAME)
+- client_id exactly matches document URL (spec requirement)
+- redirect_uris properly formatted as array
+- Supports PKCE (S256 code challenge method)
+- Public client configuration (no client secret)
+
+### Related Documentation
+- ADR-017: OAuth Client ID Metadata Document Implementation
+- IndieAuth Fix Summary report
+- IndieAuth Client Discovery Root Cause Analysis
+
 ## [0.6.1] - 2025-11-19
 
 ### Fixed