Address review feedback: fix comment, add fallback test, update arch docs

Fix contradictory comment in integration test that described fallback
behavior while the fixture actually tests the override path (F1).

Add explicit empty-string ResourceURL test case to verify the fallback
to createServiceURL is exercised even when the field is present but
empty (F3).

Update operator architecture doc to list resourceUrl alongside audience
and scopes as a per-server override on oidcConfigRef (F4).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ChrisJBurns

cmd/thv-operator/pkg/oidc/resolver_configref_test.go

@@ -70,6 +70,29 @@ func TestResolveFromConfigRef_KubernetesServiceAccountType(t *testing.T) {
 				JWKSAllowPrivateIP: true,
 			},
 		},
+		{
+			name: "empty resourceUrl falls back to derived service URL",
+			ref: &mcpv1alpha1.MCPOIDCConfigReference{
+				Name: "k", Audience: "my-aud", Scopes: []string{"openid"},
+				ResourceURL: "",
+			},
+			oidcCfg: &mcpv1alpha1.MCPOIDCConfig{
+				Spec: mcpv1alpha1.MCPOIDCConfigSpec{
+					Type: mcpv1alpha1.MCPOIDCConfigTypeKubernetesServiceAccount,
+					KubernetesServiceAccount: &mcpv1alpha1.KubernetesServiceAccountOIDCConfig{
+						Issuer: "https://kubernetes.default.svc",
+					},
+				},
+			},
+			expected: &OIDCConfig{
+				Issuer: "https://kubernetes.default.svc", Audience: "my-aud",
+				Scopes:             []string{"openid"},
+				ResourceURL:        "http://srv.default.svc.cluster.local:8080",
+				ThvCABundlePath:    defaultK8sCABundlePath,
+				JWKSAuthTokenPath:  defaultK8sTokenPath,
+				JWKSAllowPrivateIP: true,
+			},
+		},
 		{
 			name: "nil KSA config falls back to all defaults",
 			ref: &mcpv1alpha1.MCPOIDCConfigReference{

docs/arch/09-operator-architecture.md

@@ -219,6 +219,7 @@ MCPOIDCConfig eliminates OIDC configuration duplication — define an identity p
 **Per-server overrides** live in the workload's `oidcConfigRef` field (not the shared spec):
 - `audience` (required) — Must be unique per server to prevent token replay
 - `scopes` (optional) — Defaults to `["openid"]`
+- `resourceUrl` (optional) — Public URL for OAuth protected resource metadata (RFC 9728); defaults to internal service URL
 
 **Status fields** include a `Ready` condition, `configHash` for change detection, and `referencingWorkloads` tracking which resources reference this config. Deletion is blocked while references exist (finalizer pattern).
 
@@ -255,7 +256,7 @@ Defines a proxy for remote MCP servers with authentication, authorization, audit
 
 **Key fields:**
 - `remoteUrl` - URL of the remote MCP server to proxy
-- `oidcConfigRef` - Reference to shared MCPOIDCConfig (with per-server `audience` and `scopes`)
+- `oidcConfigRef` - Reference to shared MCPOIDCConfig (with per-server `audience`, `scopes`, and `resourceUrl`)
 - `externalAuthConfigRef` - Token exchange for remote service authentication
 - `authzConfig` - Authorization policies
 - `toolConfigRef` - Tool filtering and renaming
@@ -629,6 +630,7 @@ spec:
     name: corporate-idp
     audience: my-server      # per-server, prevents token replay
     scopes: ["openid"]       # optional, defaults to ["openid"]
+    resourceUrl: https://mcp.example.com  # optional, defaults to internal service URL
 ```
 
 **MCPTelemetryConfig reference:**