feat(gateway): add per-user personal credential store#4024

Open
ecthelion77 wants to merge 1 commit intoIBM:mainfrom
forterro:feat/personal-credential-store-upstream
Conversation

@ecthelion77
Contributor

@ecthelion77 ecthelion77 commented Apr 3, 2026

✨ Feature / Enhancement PR

🔗 Epic / Issue

Closes #4006


🚀 Summary (1-2 sentences)

Add a personal credential storage system enabling individual users to store their own API keys/tokens for specific gateways, with automatic per-user auth on non-OAuth tool invocations.


🧪 Checks

  • make lint passes (ruff + black)
  • make test passes
  • CHANGELOG updated (if user-facing)

📓 Notes

Use case

Some MCP backends require per-user authentication via API keys rather than OAuth. This feature lets each user store their own credentials for a gateway, which are automatically used during tool invocations.

Authentication flow (non-OAuth gateways)

Tool invocation
  └─ Is gateway OAuth? → Yes → existing OAuth flow
  └─ No → Check personal credential for (gateway_id, user_email)
       └─ Found → Build auth header from credential type
       └─ Not found → Fall back to shared gateway auth_value

Supported credential types

  • api_key: Authorization: Basic base64(key:X)
  • bearer_token: Authorization: Bearer <token>
  • basic_auth: Authorization: Basic base64(value)

Changes

| File | Change |
|---|---|
| db.py | user_gateway_credentials table |
| credential_storage_service.py | CRUD + encryption + auth header builder |
| credential_router.py | REST API (GET/PUT/DELETE per gateway) |
| tool_service.py | Personal credential lookup before shared auth |
| main.py | Router registration |
| Admin UI (admin.js, gateways.js, admin.html, gateways_partial.html) | Credential modal |
| Alembic migration | New table |
| Unit tests | Router + service tests |

Security

  • Credentials are encrypted at rest using the existing EncryptionService
  • Each user can only access their own credentials
  • Unique constraint on (gateway_id, user_email) prevents duplicates
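A worked model of the resolution order and the three header formats described in the PR comment above, added here as an illustration; it is not code from this PR or from the MCP Gateway project. The class and function names (PersonalCredential, Gateway, CredentialStore, build_auth_header, resolve_auth), the in-memory dictionary standing in for the user_gateway_credentials table, and the modelling of the shared gateway auth as a ready-made header dictionary are all assumptions; encryption at rest is left out.

```python
# Added example, not code from PR #4024 or the MCP Gateway project.
# Models the personal-credential resolution order and header formats
# described in the PR. Names below are assumptions for illustration.
import base64
from dataclasses import dataclass
from typing import Optional

SUPPORTED_TYPES = ("api_key", "bearer_token", "basic_auth")


@dataclass(frozen=True)
class PersonalCredential:
    credential_type: str  # one of SUPPORTED_TYPES
    value: str            # raw key, token, or "user:password"


@dataclass
class Gateway:
    id: str
    is_oauth: bool = False
    # Shared gateway auth, modelled here as a ready-made header dict
    # (assumption; the PR refers to it as auth_value).
    shared_auth: Optional[dict] = None


class CredentialStore:
    """In-memory stand-in for the user_gateway_credentials table.

    The dict key mirrors the UNIQUE (gateway_id, user_email) constraint,
    so storing again for the same pair replaces the row instead of
    creating a duplicate.
    """

    def __init__(self) -> None:
        self._rows: dict[tuple[str, str], PersonalCredential] = {}

    def put(self, gateway_id: str, user_email: str, cred: PersonalCredential) -> None:
        if cred.credential_type not in SUPPORTED_TYPES:
            raise ValueError(f"unsupported credential type: {cred.credential_type}")
        if not cred.value:
            raise ValueError("credential value must not be empty")
        self._rows[(gateway_id, user_email)] = cred

    def get(self, gateway_id: str, user_email: str) -> Optional[PersonalCredential]:
        # Lookups are always scoped by the caller's own email, so one
        # user never reads another user's row.
        return self._rows.get((gateway_id, user_email))

    def delete(self, gateway_id: str, user_email: str) -> bool:
        return self._rows.pop((gateway_id, user_email), None) is not None

    def count(self) -> int:
        return len(self._rows)


def build_auth_header(cred: PersonalCredential) -> dict:
    """Build the Authorization header for each supported type, exactly as
    listed in the PR description."""
    if cred.credential_type == "api_key":
        # api_key -> Basic base64(key:X)
        token = base64.b64encode(f"{cred.value}:X".encode()).decode()
        return {"Authorization": f"Basic {token}"}
    if cred.credential_type == "bearer_token":
        return {"Authorization": f"Bearer {cred.value}"}
    if cred.credential_type == "basic_auth":
        # basic_auth -> Basic base64(value); value is already "user:password"
        token = base64.b64encode(cred.value.encode()).decode()
        return {"Authorization": f"Basic {token}"}
    raise ValueError(f"unsupported credential type: {cred.credential_type}")


def resolve_auth(gateway: Gateway, user_email: str, store: CredentialStore):
    """Return (source, headers) following the PR's flow:
    OAuth gateway -> existing OAuth flow (no header built here);
    personal credential found -> header from its type;
    otherwise -> shared gateway auth (may be empty)."""
    if gateway.is_oauth:
        return "oauth", {}
    cred = store.get(gateway.id, user_email)
    if cred is not None:
        return "personal", build_auth_header(cred)
    return "shared", dict(gateway.shared_auth or {})


if __name__ == "__main__":
    # Constructed sample data: one gateway with a shared token, one user
    # who has stored a personal API key for it.
    store = CredentialStore()
    gw = Gateway(id="gw-1", shared_auth={"Authorization": "Bearer shared-token"})
    store.put("gw-1", "alice@example.com", PersonalCredential("api_key", "abc"))
    print(resolve_auth(gw, "alice@example.com", store))  # personal header
    print(resolve_auth(gw, "bob@example.com", store))    # falls back to shared
```

The store's `put` replaces an existing row for the same `(gateway_id, user_email)` pair, which is the behaviour the unique constraint gives the real table; `resolve_auth` returns where the header came from so a caller can log `personal` versus `shared` without ever logging the header value itself.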

@jonpspri jonpspri added the COULD P3: Nice-to-have features with minimal impact if left out; included if time permits label Apr 9, 2026
@ecthelion77 ecthelion77 force-pushed the feat/personal-credential-store-upstream branch from 22aee4a to 0fb03ad Compare April 13, 2026 10:28
@ecthelion77
Contributor Author

Suggested labels: enhancement, python, security, rbac

@ecthelion77 ecthelion77 force-pushed the feat/personal-credential-store-upstream branch from 0fb03ad to 1e47984 Compare April 14, 2026 12:46
@ecthelion77 ecthelion77 force-pushed the feat/personal-credential-store-upstream branch 3 times, most recently from 7c2bfb1 to 1f94891 Compare April 14, 2026 15:45
…tion

Signed-off-by: Olivier Gintrand <olivier.gintrand@forterro.com>
@ecthelion77 ecthelion77 force-pushed the feat/personal-credential-store-upstream branch from 1f94891 to 8065bf7 Compare April 14, 2026 18:15
Development

Successfully merging this pull request may close these issues.

[FEATURE][AUTH]: Per-user personal credential store for gateways — encrypted API keys, bearer tokens, basic auth