Built-in OAuth2 client-registration admin screen (todo §6); /admin/clients lists/registers/deletes the Hydra OAuth2 clients other apps log in through us with. New src/admin-clients.ts (pure builders + handleAdminClients, mirroring the §5 Users/Roles screens): list (search/paginate over one fetched Hydra page), register (GET form + POST), read-only detail, delete-confirm. src/hydra-admin.ts gains the client half of the admin API — createClient/listClients/getClient/deleteClient over /admin/clients (+ a nextPageToken Link parser like kratos-admin) and the registration fields on OAuth2Client. Register builds a standard authorization-code client (+ refresh_token), confidential (client_secret_basic) or public (PKCE/none), with an optional first-party auto-consent flag; Hydra returns the client_secret once, so the register POST renders the new client's detail page with the one-time secret directly (no PRG) and it is never re-shown (getClient carries no secret; the detail test asserts it). Writes go only to Hydra; gated admin-only (anon->/login, non-admin->403) + every mutation CSRF-guarded via requireAdmin/guardedForm like §5; a Hydra 4xx (bad redirect/scope) re-renders the form (400), a 5xx -> 500 (mirrors oauth-login.ts); :id via safeDecode (malformed->404). Wired into app.ts (/admin/clients, gated on the hydra client present) and the shared adminSection (Users.Groups.Roles.OAuth2 clients, i-globe) so it shows for admins and is invisible otherwise. New views (admin/clients, client-form, client-detail + partials/client-{form,detail}-body) reuse the shell/filter-bar/data-table/field blocks; one .detail-list CSS rule; README Layout/§6 updated. Tests-first: hydra-admin.test.ts (client CRUD contracts incl. Link pagination/404->null/204), admin-clients.test.ts (builder/validation/payload matrix), app.test.ts HTTP integration (gate/list/register-shows-secret-once/invalid+CSRF-reject/detail-hides-secret/delete + malformed-%->404). Stability-reviewer run as a local PR: APPROVE, no Critical/High; addressed its one nit (dropped a dead URL.protocol check in validateClientInput). Boot-verified the client CRUD live against real Hydra v26.2.0 (create->201 w/ one-time secret -> list finds it -> get -> delete -> get null); torn down. typecheck + 274 units green.

src/app.test.ts

@@ -9,7 +9,7 @@ import { fileURLToPath } from "node:url";
 import { createApp, type AppOptions } from "./app.ts";
 import { CSRF_COOKIE, issueCsrfToken } from "./csrf.ts";
 import { can, check, GuardError, requireSession } from "./guards.ts";
-import { HydraError, type HydraAdmin } from "./hydra-admin.ts";
+import { HydraError, type HydraAdmin, type OAuth2Client } from "./hydra-admin.ts";
 import { staticJwks } from "./jwks.ts";
 import type { ExpandTree, KetoClient, RelationTuple, SubjectSet } from "./keto-client.ts";
 import type { Identity, KratosAdmin } from "./kratos-admin.ts";
@@ -498,8 +498,12 @@ test("logout (CSRF-guarded POST): valid token revokes the Kratos session + clear
 const stubHydra = (over: Partial<HydraAdmin> = {}): HydraAdmin => ({
   acceptConsentRequest: async () => ({ redirect: "http://127.0.0.1:4444/oauth2/auth?consent_verifier=v" }),
   acceptLoginRequest: async () => ({ redirect: "http://127.0.0.1:4444/oauth2/auth?login_verifier=v" }),
+  createClient: async (c) => ({ ...c, client_id: "c1", client_secret: "s3cr3t" }),
+  deleteClient: async () => {},
+  getClient: async () => null,
   getConsentRequest: async () => ({ challenge: "cons1", client: { client_name: "Acme Reports" }, requested_scope: ["openid", "profile"], skip: false, subject: OAUTH_SUBJECT }),
   getLoginRequest: async () => ({ challenge: "chal1", skip: false, subject: "" }),
+  listClients: async () => ({ clients: [], nextPageToken: null }),
   rejectConsentRequest: async () => ({ redirect: "http://acme.example/cb?error=access_denied" }),
   rejectLoginRequest: async () => { throw new Error("unused"); },
   ...over,
@@ -839,6 +843,63 @@ test("admin Roles screen: gate, list, create, assign user/group, effective acces
   assert.equal((await get("/admin/roles/%ZZ")).status, 404);
 });
 
+// Built-in OAuth2 clients admin screen (§6): gate + list/register/detail/delete over HTTP against an
+// in-memory Hydra. Registration shows the one-time client_secret on the post-create page (no PRG).
+test("admin OAuth2 clients screen: gate, list, register (one-time secret), detail, delete (CSRF-guarded)", async (t) => {
+  const store: OAuth2Client[] = [
+    { client_id: "existing", client_name: "Reporting", redirect_uris: ["https://reporting.example/cb"], scope: "openid", token_endpoint_auth_method: "client_secret_basic" },
+  ];
+  let seq = 0;
+  const hydra = stubHydra({
+    createClient: async (c) => { const created = { ...c, client_id: `gen-${++seq}`, client_secret: `secret-${seq}` }; store.push(created); return created; },
+    deleteClient: async (id) => { const i = store.findIndex((c) => c.client_id === id); if (i >= 0) store.splice(i, 1); },
+    getClient: async (id) => store.find((c) => c.client_id === id) ?? null,
+    listClients: async () => ({ clients: store, nextPageToken: null }),
+  });
+  const { get, post, token, url } = await adminHarness(t, { hydra });
+
+  await assertAdminGate(url, get, "/admin/clients");
+
+  // List: the existing client shows + the "register" link.
+  const listHtml = await (await get("/admin/clients")).text();
+  assert.match(listHtml, /href="\/admin\/clients\/existing"/);
+  assert.match(listHtml, /href="\/admin\/clients\/new"/);
+  assert.match(listHtml, /Reporting/);
+
+  // Register: the form renders; a valid post creates the client and shows the one-time secret + id.
+  assert.match(await (await get("/admin/clients/new")).text(), /Register client/);
+  const created = await post("/admin/clients", `_csrf=${token}&name=Grafana&redirectUris=${encodeURIComponent("https://graf/cb")}&scope=openid+offline_access`);
+  assert.equal(created.status, 200); // not a redirect — the secret is shown once
+  const createdHtml = await created.text();
+  assert.match(createdHtml, /Client registered/);
+  assert.match(createdHtml, /secret-1/); // the one-time client_secret
+  assert.match(createdHtml, /gen-1/);    // the generated client_id
+  assert.ok(store.some((c) => c.client_name === "Grafana" && c.token_endpoint_auth_method === "client_secret_basic"));
+
+  // Invalid input (missing redirect URI) and a missing CSRF token are both refused, nothing created.
+  const before = store.length;
+  assert.equal((await post("/admin/clients", `_csrf=${token}&name=NoRedirect&redirectUris=`)).status, 400);
+  assert.equal((await post("/admin/clients", `name=x&redirectUris=${encodeURIComponent("https://x/cb")}`)).status, 403);
+  assert.equal(store.length, before);
+
+  // Detail: read-only info, never the secret again, a delete control.
+  const detail = await (await get("/admin/clients/existing")).text();
+  assert.match(detail, /reporting\.example\/cb/);
+  assert.doesNotMatch(detail, /Client secret/i); // the secret is shown only once, at creation
+  assert.match(detail, /href="\/admin\/clients\/existing\/delete"/);
+
+  // Delete: a confirm step (GET) then the POST removes the client, back to the list.
+  assert.match(await (await get("/admin/clients/existing/delete")).text(), /Cancel/);
+  const del = await post("/admin/clients/existing/delete", `_csrf=${token}`);
+  assert.equal(del.status, 303);
+  assert.equal(del.headers.get("location"), "/admin/clients");
+  assert.ok(!store.some((c) => c.client_id === "existing"));
+
+  // Unknown id → 404; malformed %-encoding doesn't 500.
+  assert.equal((await get("/admin/clients/does-not-exist")).status, 404);
+  assert.equal((await get("/admin/clients/%ZZ")).status, 404);
+});
+
 test("resolveStaticPath blocks traversal and control chars, allows nested files", () => {
   assert.equal(resolveStaticPath("/srv/public", "../app.ts"), null);
   assert.equal(resolveStaticPath("/srv/public", "a\x00b"), null);