Bind Discord token verification to configured client_id#3405

Merged
jlowin merged 1 commit into main from codex/fix-discord-token-verifier-vulnerability
Mar 6, 2026

Conversation

@jlowin
Member

@jlowin jlowin commented Mar 6, 2026

Motivation

  • Discord token verification previously accepted any access token that passed /api/oauth2/@me and had the required scopes regardless of which Discord application minted the token, breaking audience/client binding and enabling cross-app authentication bypass.

Description

  • Add an expected_client_id parameter to DiscordTokenVerifier and store it on the verifier.
  • During verify_token, compare the application.id returned by Discord with expected_client_id and reject the token if they do not match.
  • Thread the provider client_id into DiscordTokenVerifier from DiscordProvider so provider-based usage enforces the client/audience binding automatically.
  • Update tests to assert the verifier is bound to the provider client_id, add a test that rejects tokens from a different Discord application, and update an existing http-client test to satisfy the new verifier signature.

Testing

  • Ran uv sync successfully.
  • Ran the full test suite with uv run pytest -n auto; the run surfaced unrelated, pre-existing timeouts/failures in this environment (11 failed, 4679 passed, 1 error) so the repository-wide run is not green here but failures are not related to the changes.
  • Ran targeted tests uv run pytest tests/server/auth/providers/test_discord.py tests/server/auth/providers/test_http_client.py -n auto and both passed (26 passed).
  • Ran static hooks uv run prek run --all-files which failed to initialize external prettier hook due to network access to pre-commit mirror (environment restriction), not due to code linting errors.

Codex Task

🤖 Generated with GPT-5.2-Codex
@marvin-context-protocol marvin-context-protocol Bot added bug Something isn't working. Reports of errors, unexpected behavior, or broken functionality. auth Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server. high-priority labels Mar 6, 2026
@jlowin jlowin merged commit 216f43d into main Mar 6, 2026
8 checks passed
@jlowin jlowin deleted the codex/fix-discord-token-verifier-vulnerability branch March 6, 2026 22:01