
feat: add documentation for Client ID Metadata Document (CIMD)

Open jhickmanit opened this issue 1 month ago • 0 comments

This PR adds comprehensive documentation for the new Client ID Metadata Document (CIMD) feature in Hydra.

What is CIMD?

CIMD allows Hydra to treat a client_id as an HTTPS URL and fetch client metadata (redirect URIs, JWKS, auth methods, etc.) from that URL at runtime. This follows the draft OAuth Client ID Metadata Document specification.

Documentation coverage

The new guide (client-id-metadata-document.mdx) covers:

  • Overview of CIMD modes (disabled, optional, enforced)
  • Configuration reference with all keys and defaults
  • Discovery/well-known behavior - clarifies CIMD fields appear in .well-known endpoints only when enabled
  • Client metadata document setup with validation rules and example JSON
  • Runtime behavior including SSRF protections, caching, timeout/size limits
  • Operational guidance for deployments
  • Testing checklist for validation

Key points

  • Feature is disabled by default (enabled: false)
  • Enforces HTTPS-only, path required, no fragments
  • SSRF protection via IP allowlists
  • Configurable cache TTLs, timeouts, and response size limits
  • Works across auth, token, device, logout, and CORS flows

Related Issue or Design Document

feature pr: https://github.com/ory-corp/cloud/pull/10158

Checklist

  • [X] I have read the contributing guidelines and signed the CLA.
  • [X] I have referenced an issue containing the design document if my change introduces a new feature.
  • [X] I have read the security policy.
  • [X] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
  • [X] I have added tests that prove my fix is effective or that my feature works.
  • [X] I have added the necessary documentation within the code base (if appropriate).

Further comments

jhickmanit avatar Dec 12 '25 18:12 jhickmanit
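
The key points above name two checks that run before a client_id URL is fetched: the URL rules (HTTPS-only, path required, no fragments) and an IP-based SSRF guard. The Go sketch below is an added example, not code from Hydra or from this PR. The function names, the reading of "path required" as a non-empty path, and the allowlist semantics (internal addresses are refused unless an operator-supplied CIDR covers them) are assumptions, and the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ValidateClientIDURL: HTTPS only, path required (read as non-empty; assumption), no fragment.
func ValidateClientIDURL(raw string) error {
	u, err := url.Parse(raw)
	switch {
	case err != nil:
		return err
	case u.Scheme != "https" || u.Host == "":
		return fmt.Errorf("client_id must be an https URL with a host")
	case u.Path == "":
		return fmt.Errorf("client_id URL must contain a path")
	case strings.Contains(raw, "#"):
		return fmt.Errorf("client_id URL must not contain a fragment")
	}
	return nil
}

// AddrsAllowed fails if any resolved address is internal and not allowlisted (assumed policy).
func AddrsAllowed(resolved, allowCIDRs []string) error {
	if len(resolved) == 0 {
		return fmt.Errorf("no resolved addresses to check")
	}
	for _, s := range resolved {
		a, err := netip.ParseAddr(s)
		a = a.Unmap().WithZone("") // fold ::ffff:a.b.c.d to IPv4 and drop any zone
		ok := err == nil && !(a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
			a.IsUnspecified() || a.IsMulticast())
		for _, c := range allowCIDRs {
			if p, perr := netip.ParsePrefix(c); perr == nil && p.Contains(a) {
				ok = true
			}
		}
		if !ok {
			return fmt.Errorf("resolved address %q is not allowed", s)
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateClientIDURL("https://client.example/m.json#x"), AddrsAllowed([]string{"169.254.169.254"}, nil))
}
```

The address check only helps if the fetcher then connects to the same addresses it checked; resolving again at dial time reopens the gap through DNS rebinding.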