There are few executors, which use "is-augment" as configuration option. For example HolderOfKeyEnforceExecutor or PKCEEnforceExecutor. It will be good to rename this option to "auto-configure" per the feedback on the mailing list https://groups.google.com/g/keycloak-dev/c/MfoTQbNPljE .
Regarding SecureClientAuthEnforceExecutorFactory, I am thinking about remove of the "is-augment" configuration option entirely and instead just rename configuration option "Augment Client Authentication Method" as "Default Client Authenticator" . In case that this option is not set, it will mean that there won't be any auto-configured client authenticator. In case optis set, it will set client authenticator to the specified configuration, but just in case that it is not pre-set on the client (Similar behaviour like SecureSigningAlgorithmEnforceExecutorFactory is doing for default algorithms). So instead of 3 configuration options for SecureClientAuthEnforceExecutorFactory, we can keep 2 options.