fix(diagnosis): stop flagging client_id as prohibited inline PAR param #61

Merged: ryanbas21 merged 1 commit into main from fix/par-inline-params-rule on May 15, 2026

@ryanbas21
Owner

Summary

  • The par:inline-params-with-request-uri diagnosis rule incorrectly treated client_id as a prohibited inline parameter in PAR authorization requests
  • Per RFC 9126, client_id is required alongside request_uri — only params like redirect_uri and scope should be flagged
  • Added test confirming a valid request_uri + client_id authorize URL does not trigger the warning

Test plan

  • Existing test (flags inline params alongside request_uri) still passes — redirect_uri in the URL correctly triggers the warning
  • New test (does not flag request_uri with only client_id) confirms the false positive is gone
  • Full diagnosis-engine test suite passes (41 tests)

🤖 Generated with Claude Code

Per RFC 9126, client_id is required alongside request_uri in the
authorization request after a Pushed Authorization Request. The
par:inline-params-with-request-uri rule incorrectly included client_id
in its check, causing false positives on valid PAR flows.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Contributor

@pullfrog pullfrog Bot left a comment

No new issues found.

TL;DR — Fixes a false positive in the par:inline-params-with-request-uri diagnosis rule where client_id was incorrectly flagged as a prohibited inline parameter alongside request_uri. Per RFC 9126, client_id is required in that context.

Key changes

  • Remove client_id from prohibited inline PAR params — The hasInlineParams check now only flags redirect_uri and scope, aligning the code with its own existing description ("only request_uri and client_id should be present") and RFC 9126.
  • Add regression test — Confirms request_uri + client_id alone does not trigger the warning, while existing test still validates that redirect_uri alongside request_uri is caught.

Summary | 3 files | 1 commit | base: main ← fix/par-inline-params-rule

The change is correct, consistent with the existing error description, and well-tested. The test suite passes (the unrelated message-handler.test.ts failure is a pre-existing build resolution issue).

@ryanbas21 ryanbas21 merged commit 1c8688f into main May 15, 2026
1 check passed
@ryanbas21 ryanbas21 deleted the fix/par-inline-params-rule branch May 15, 2026 18:40
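
The rule change discussed in this PR, as an added example (not the project's code): one check run with the pre-fix and post-fix parameter lists over constructed authorize URLs. The function and constant names, hosts, client id and request_uri value are assumptions made for illustration.

```typescript
// Added illustration; not the project's source. All names are hypothetical.
type Finding = { rule: string; params: string[] };

const RULE_ID = "par:inline-params-with-request-uri";

// Before the fix: client_id was treated as a prohibited inline parameter.
const PROHIBITED_BEFORE = ["client_id", "redirect_uri", "scope"];
// After the fix: only redirect_uri and scope are flagged.
const PROHIBITED_AFTER = ["redirect_uri", "scope"];

// Returns a finding when an authorize URL that references a pushed request
// (request_uri) also carries parameters from the prohibited list.
function checkInlineParams(authorizeUrl: string, prohibited: string[]): Finding | null {
  const query = new URL(authorizeUrl).searchParams;
  // The rule only applies to requests that use request_uri.
  if (!query.has("request_uri")) return null;
  const found = prohibited.filter((name) => query.has(name));
  return found.length > 0 ? { rule: RULE_ID, params: found } : null;
}

// Constructed sample inputs (hosts, client id and URN suffix are made up).
const REQUEST_URI = encodeURIComponent("urn:ietf:params:oauth:request_uri:constructed-example");
const CALLBACK = encodeURIComponent("https://app.example.com/cb");
// Valid post-PAR request: request_uri plus the required client_id.
const validPar = `https://as.example.com/authorize?client_id=app1&request_uri=${REQUEST_URI}`;
// request_uri mixed with an inline redirect_uri: should be flagged.
const mixedPar = `${validPar}&redirect_uri=${CALLBACK}`;
// Ordinary request without request_uri: the rule does not apply.
const noPar = `https://as.example.com/authorize?client_id=app1&redirect_uri=${CALLBACK}&scope=openid`;

for (const [label, url] of [["valid", validPar], ["mixed", mixedPar], ["no-par", noPar]]) {
  console.log(label, {
    before: checkInlineParams(url, PROHIBITED_BEFORE),
    after: checkInlineParams(url, PROHIBITED_AFTER),
  });
}
```

With the pre-fix list the valid URL is reported for `client_id`, which is the false positive this PR removes; with the post-fix list only the mixed URL is reported.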