feat(auth): add Grafana Cloud access policy token authentication

[sd2k]

Summary

Adds support for authenticating with Grafana instances using Cloud access policy tokens as an alternative to service account tokens or API keys.

• mcpgrafana.go: Added GRAFANA_CLOUD_ACCESS_POLICY_TOKEN env var support, CloudAccessPolicyToken config field, extraction from both env and X-Cloud-Access-Policy-Token request header (header takes precedence), and X-Access-Token header injection across all transport paths (BuildTransport, NewGrafanaClient)
• proxied_client.go: Added X-Access-Token header for proxied MCP datasource connections
• mcpgrafana_test.go: Tests covering env extraction, header extraction with precedence, and transport header injection (with and without extra headers)
• README.md: Documentation for the new authentication method including configuration example

Closes #561

Test plan

• Verify TestCloudAccessPolicyTokenFromEnv passes (token set and unset scenarios)
• Verify TestCloudAccessPolicyTokenFromHeaders passes (header-only, env-only, and header-takes-precedence scenarios)
• Verify TestCloudAccessPolicyTokenTransport passes (header injection via BuildTransport, no header when unset, coexistence with extra headers)
• Verify existing tests continue to pass (no regressions in auth handling)
• Manual test: configure GRAFANA_CLOUD_ACCESS_POLICY_TOKEN against a Grafana Cloud instance and confirm successful authentication

🤖 Generated with Claude Code

---

Note

Medium Risk
Touches request authentication/header injection across multiple client transports; mistakes could cause auth failures or unintended credential precedence, though the change is gated and covered by unit tests.

Overview
Adds Grafana Cloud access policy token authentication as an alternative to service account/API key auth.

Introduces GRAFANA_CLOUD_ACCESS_POLICY_TOKEN (and X-Cloud-Access-Policy-Token for SSE/HTTP) to populate a new GrafanaConfig.CloudAccessPolicyToken, and injects the corresponding X-Access-Token: Bearer ... header across client/transport paths (including proxied MCP datasource connections), while explicitly not overriding on-behalf-of auth when AccessToken is set. Includes unit tests for env/header precedence and transport header injection, plus README documentation and examples.

^{Written by Cursor Bugbot for commit cc1c96a. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issue.}

[cursor]

Bugbot Autofix prepared fixes for 1 of the 1 bugs found in the latest run.

• ✅ Fixed: Missing OBO auth guard in proxied client
  • Added the missing '&& config.AccessToken == ""' guard to the CloudAccessPolicyToken check in proxied_client.go to match the pattern used in BuildTransport and NewGrafanaClient, ensuring OBO authentication takes precedence.

Or push these changes by commenting:

@cursor push b7baec6864

Preview (b7baec6864)

diff --git a/proxied_client.go b/proxied_client.go
--- a/proxied_client.go
+++ b/proxied_client.go
@@ -36,8 +36,10 @@
 		headers["Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
 	}
 
-	// Add cloud access policy token header if configured
-	if config.CloudAccessPolicyToken != "" {
+	// Add cloud access policy token header only when on-behalf-of auth is not
+	// active. OBO auth also uses X-Access-Token (set by authRoundTripper in
+	// tool-specific clients) and should take precedence.
+	if config.CloudAccessPolicyToken != "" && config.AccessToken == "" {
 		headers["X-Access-Token"] = "Bearer " + config.CloudAccessPolicyToken
 	}

[github-actions]

MCP Token Analysis

✅ Passed

Metric	Value
Baseline	14373 tokens
Current	14373 tokens
Change	+0 (+0.0%)