feat(extension): integrate MCP tool loading and context menu image/selection support

[lcomplete]

Summary

• MCP tool integration: Replace hardcoded Huntly API tools (save, search, huntly_api) with dynamic MCP tool loading via @ai-sdk/mcp; tools are fetched from the Huntly server's SSE endpoint at chat start and closed after streaming finishes
• Context menu enhancements: Add "Send to Chat" image context menu item that queues image attachments; add selection context support that captures selected page content when right-clicking on a selection
• Pending command queue: Background script buffers context commands when the side panel isn't open yet; side panel consumes queued commands on mount
• MCP tool badge: toolSource/toolSourceLabel added to ChatPart; MCP-sourced tools display a badge in ToolCallBlock
• Server auth: McpServerController.isAuthorized now accepts Spring Security session login in addition to MCP token, allowing browser-based access without a separate token

Test plan

• Verify MCP tools load from Huntly server SSE on chat start and are closed after streaming
• Right-click an image → "Send to Chat" attaches the image to the side panel composer
• Right-click selected text → side panel opens with selection context attached
• Test that pending commands queue correctly when panel is closed and are consumed on open
• Confirm MCP tool calls show the "MCP" badge in chat messages
• Run server tests: ./mvnw test -pl huntly-server — McpServerControllerTest should pass including new login-auth cases
• Run extension tests: cd app/extension && yarn test

🤖 Generated with Claude Code

[augmentcode]

🤖 Augment PR Summary

Summary: This PR upgrades the browser extension to load Huntly server tools dynamically via MCP and improves “Send to Chat” context capture.

Changes:

• Adds @ai-sdk/mcp and loads MCP tools from the Huntly server’s SSE endpoint at chat start, closing clients when streaming finishes.
• Replaces hardcoded Huntly API tools with a local-tool set plus optional MCP tools, and tracks tool provenance (toolSource/toolSourceLabel).
• Adds a context menu item to send images to Chat and introduces a pending-command queue so context actions work even if the side panel isn’t open.
• Updates the side panel to consume queued commands, attach image/page/selection context, and display an MCP badge on tool calls.
• Server-side MCP endpoints now accept Spring Security session login (in addition to MCP token) and include new controller tests for login-based access.

Technical Notes: Tool-call metadata is propagated through UI-message conversion to keep MCP attribution stable across streaming updates.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

app/extension/src/background.ts:L1246 — handlePageSidePanelContextMenuClick is implemented (including selection capture + queued commands) but it’s never invoked from the context-menu click handler, so right-clicking a selection and choosing “Chat” won’t attach the selection/page context. Was the intent for CONTEXT_MENU_SIDE_PANEL_PAGE clicks to route through that handler instead of only opening the panel?

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

app/server/huntly-server/src/main/java/com/huntly/server/mcp/McpServerController.java:L278 — isAuthorized returns true for any non-blank Principal name; if Spring injects an anonymous principal (commonly "anonymousUser"), this could unintentionally allow unauthenticated access to MCP endpoints. Consider explicitly rejecting anonymous principals (similar to the Authentication check) before granting login-based access.

Severity: high

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}