Move OAuth secret management into pkg/auth/oauth (#2462)

Previously pkg/oauth/ contained only OAuth client secret management
functions (ProcessOAuthClientSecret, StoreSecretInManager), which
was confusing because it shared a similar name with pkg/auth/oauth/
which contains the actual OAuth/OIDC protocol implementation.

This change:
- Moves pkg/oauth/client_secret.go → pkg/auth/oauth/secrets.go
- Updates 2 call sites: cmd/thv/app/run_flags.go, pkg/runner/config.go
- Removes pkg/oauth/ directory entirely

Benefits:
- Clearer package structure (all OAuth code under pkg/auth/oauth/)
- No more confusion between pkg/oauth and pkg/auth/oauth
- Better separation: secrets.go for secret management, flow.go for OAuth protocol

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>

Author: JAORMX

cmd/thv/app/run_flags.go

@@ -8,6 +8,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/stacklok/toolhive/pkg/auth"
+	authoauth "github.com/stacklok/toolhive/pkg/auth/oauth"
 	"github.com/stacklok/toolhive/pkg/authz"
 	"github.com/stacklok/toolhive/pkg/cli"
 	cfg "github.com/stacklok/toolhive/pkg/config"
@@ -17,7 +18,6 @@ import (
 	"github.com/stacklok/toolhive/pkg/ignore"
 	"github.com/stacklok/toolhive/pkg/logger"
 	"github.com/stacklok/toolhive/pkg/networking"
-	"github.com/stacklok/toolhive/pkg/oauth"
 	"github.com/stacklok/toolhive/pkg/process"
 	"github.com/stacklok/toolhive/pkg/registry"
 	"github.com/stacklok/toolhive/pkg/runner"
@@ -854,5 +854,5 @@ func createTelemetryConfig(otelEndpoint string, otelEnablePrometheusMetricsPath
 
 // processOAuthClientSecret processes an OAuth client secret, converting plain text to secret reference if needed
 func processOAuthClientSecret(clientSecret, workloadName string) (string, error) {
-	return oauth.ProcessOAuthClientSecret(workloadName, clientSecret)
+	return authoauth.ProcessOAuthClientSecret(workloadName, clientSecret)
 }

pkg/oauth/client_secret.go renamed to pkg/auth/oauth/secrets.go

@@ -1,4 +1,4 @@
-// Package oauth contains the OAuth management logic for ToolHive.
+// Package oauth contains OAuth/OIDC protocol implementation for ToolHive.
 package oauth
 
 import (

pkg/oauth/client_secret_test.go renamed to pkg/auth/oauth/secrets_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/stacklok/toolhive/pkg/audit"
 	"github.com/stacklok/toolhive/pkg/auth"
+	authoauth "github.com/stacklok/toolhive/pkg/auth/oauth"
 	"github.com/stacklok/toolhive/pkg/authz"
 	"github.com/stacklok/toolhive/pkg/container"
 	rt "github.com/stacklok/toolhive/pkg/container/runtime"
@@ -18,7 +19,6 @@ import (
 	"github.com/stacklok/toolhive/pkg/labels"
 	"github.com/stacklok/toolhive/pkg/logger"
 	"github.com/stacklok/toolhive/pkg/networking"
-	"github.com/stacklok/toolhive/pkg/oauth"
 	"github.com/stacklok/toolhive/pkg/permissions"
 	"github.com/stacklok/toolhive/pkg/registry"
 	"github.com/stacklok/toolhive/pkg/secrets"
@@ -225,7 +225,7 @@ func migrateOAuthClientSecret(config *RunConfig) error {
 	}
 
 	// The client secret is in plain text format - migrate it
-	cliFormatSecret, err := oauth.ProcessOAuthClientSecret(config.Name, config.RemoteAuthConfig.ClientSecret)
+	cliFormatSecret, err := authoauth.ProcessOAuthClientSecret(config.Name, config.RemoteAuthConfig.ClientSecret)
 	if err != nil {
 		return fmt.Errorf("failed to process OAuth client secret: %w", err)
 	}