Lockspire.Protocol.Discovery
(lockspire v1.0.0)
Builds truth-based OIDC discovery metadata from Lockspire config and mounted routes.
Functions
@spec openid_configuration() :: map()
@spec published_token_endpoint_auth_methods_supported() :: [String.t()]
Returns the truth-based list of token_endpoint_auth_method values this issuer's
openid-configuration document actually publishes — i.e., [] when the
token_endpoint route is not mounted, otherwise the subset the current runtime can
truthfully verify on the token endpoint.
@spec token_endpoint_auth_methods_supported() :: [String.t()]
Returns the static module attribute list of token_endpoint_auth_method values this
issuer can advertise — the maximum set, irrespective of mounted-route truthfulness.
This is what the DCR invariant test (Phase 25) pins against, because it must remain a
pure 0-arity function (no router lookup, no DB). It is the upper bound: the actually-published
discovery document at /.well-known/openid-configuration may publish [] instead when
the host app does not mount the token_endpoint route. Use
published_token_endpoint_auth_methods_supported/0 for the truth-based set; that is
what Phase 27's HTTP DCR surface MUST filter the resolver's accepted methods through.
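
The filtering described above, as an added example that is not Lockspire's own code: a registration handler keeps only the resolver-accepted methods that discovery actually publishes, so a client cannot register a method the token endpoint will not verify. The module DcrAuthMethodFilter, its function names, and the sample method lists are assumptions made for illustration; the default method and the error code are taken from RFC 7591.

```elixir
defmodule DcrAuthMethodFilter do
  # Hypothetical helper module, not part of Lockspire.
  # RFC 7591, section 2: an omitted token_endpoint_auth_method means "client_secret_basic".
  @default_method "client_secret_basic"

  # Keeps only the resolver-accepted methods that discovery actually publishes.
  def effective_methods(resolver_accepted, published) do
    Enum.filter(resolver_accepted, &(&1 in published))
  end

  # Validates the method a registration request asks for against the filtered set.
  def validate(client_metadata, resolver_accepted, published) do
    requested = Map.get(client_metadata, "token_endpoint_auth_method", @default_method)

    if requested in effective_methods(resolver_accepted, published) do
      {:ok, requested}
    else
      # RFC 7591 error code for client metadata the server will not accept.
      {:error, "invalid_client_metadata"}
    end
  end

  # Invariant: the published set never exceeds the static upper bound.
  def within_upper_bound?(published, static_max), do: (published -- static_max) == []
end

# Constructed sample values. In a host app they would come from
# Lockspire.Protocol.Discovery.token_endpoint_auth_methods_supported/0 (static_max) and
# Lockspire.Protocol.Discovery.published_token_endpoint_auth_methods_supported/0 (published).
static_max = ["client_secret_basic", "client_secret_post", "private_key_jwt", "none"]
resolver_accepted = static_max

requests = [
  %{"token_endpoint_auth_method" => "private_key_jwt"},
  %{"token_endpoint_auth_method" => "client_secret_post"},
  %{}
]

for {label, published} <- [
      {"token_endpoint mounted", ["client_secret_basic", "private_key_jwt"]},
      {"token_endpoint not mounted", []}
    ] do
  bound_ok = DcrAuthMethodFilter.within_upper_bound?(published, static_max)
  IO.puts("#{label} (within upper bound: #{bound_ok})")

  for metadata <- requests do
    result = DcrAuthMethodFilter.validate(metadata, resolver_accepted, published)
    IO.inspect(result, label: "  " <> inspect(metadata))
  end
end
```

With the constructed "not mounted" case the published set is [], so every request is rejected, including the one that omits the field and falls back to the default method.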