They did the right thing in hindsight: leave security open until clear patterns emerge, then solidify those patterns into a spec. The spec is still in draft and currently, they are trying to find a simpler solution for client registration than DCR, which apparently ephemeral clients seems to solve for now.

If they had made the security spec without waiting for user information they would most certainly have chosen a suboptimal solution.

Or... They could just use any of the existing API specs and wouldn't have to scramble to fix whatever Claude Code spat out.