feat(devfront): show client creators and headless filter

backend/internal/handler/dev_handler.go

@@ -127,6 +127,7 @@ type clientSummary struct {
 	Name                             string         `json:"name"`
 	Type                             string         `json:"type"`
 	Status                           string         `json:"status"`
+	CreatorID                        string         `json:"creatorId,omitempty"`
 	CreatedAt                        *time.Time     `json:"createdAt,omitempty"`
 	RedirectURIs                     []string       `json:"redirectUris"`
 	Scopes                           []string       `json:"scopes"`
@@ -3224,6 +3225,7 @@ func (h *DevHandler) mapClientSummary(client domain.HydraClient) clientSummary {
 			}
 		}
 	}
+	creatorID := readMetadataStringValue(client.Metadata, "user_id")
 
 	clientType := "private"
 	if client.IsHeadlessLoginEnabled() {
@@ -3270,6 +3272,7 @@ func (h *DevHandler) mapClientSummary(client domain.HydraClient) clientSummary {
 		Name:                             name,
 		Type:                             clientType,
 		Status:                           status,
+		CreatorID:                        creatorID,
 		CreatedAt:                        createdAt,
 		RedirectURIs:                     client.RedirectURIs,
 		Scopes:                           scopes,

backend/internal/handler/dev_handler_test.go

@@ -2524,6 +2524,20 @@ func TestMapClientSummary_ClassifiesHeadlessLoginAsPrivate(t *testing.T) {
 	assert.Equal(t, "private", summary.Type)
 }
 
+func TestMapClientSummary_ExposesCreatorIDFromMetadataUserID(t *testing.T) {
+	h := &DevHandler{}
+
+	summary := h.mapClientSummary(domain.HydraClient{
+		ClientID:   "client-created-by",
+		ClientName: "Creator Visible App",
+		Metadata: map[string]any{
+			"user_id": "creator-user-id",
+		},
+	})
+
+	assert.Equal(t, "creator-user-id", summary.CreatorID)
+}
+
 func TestCreateClient_HeadlessLoginRejectsInlineJWKS(t *testing.T) {
 	var hydraCalled bool
 	h := &DevHandler{