feat(customermcp): Phase 3 — Infrastructure Context Resources and Inventory Tools (#4597)

<!-- CURSOR_AGENT_PR_BODY_BEGIN -->
## Summary

Implements Phase 3 of the Customer-Facing MCP Server. This phase adds
infrastructure context — sources and snapshots — enabling AI agents to
understand what infrastructure is connected, what resource types are
discoverable, and what snapshots exist.

## What changed

### New Tools (4)

| Tool | Scope | Description |
| --- | --- | --- |
| `list_sources` | `sources:read` | List all connected sources with
optional `status` and `type` filters |
| `get_source_status` | `sources:read` | Get detailed status for a
specific source by UUID |
| `list_snapshots` | `changes:read` | List all infrastructure snapshots
with summary counts |
| `get_snapshot` | `changes:read` | Get snapshot details; summary by
default, full items with `include_items=true` |

### New Resources (2)

| Resource | Scope | Description |
| --- | --- | --- |
| `sources://list` | `sources:read` | Static list of all connected
sources |
| `sources://{source_id}/types` | `sources:read` | Resource template:
available types for a specific source |

### Architecture patterns established

1. **MCP ResourceTemplate** — First use of `server.AddResourceTemplate`
with RFC 6570 URI templates and scope-enforced `addResourceTemplate`
wrapper
2. **Cross-service gateway calls** — `SnapshotsServiceClient` created
once at startup with `ContextAwareAuthTransport` for per-request JWT
passthrough to the gateway
3. **sdp-go interface reuse** — `ManagementServiceHandler` and
`SnapshotsServiceClient` used directly as deps (no custom interfaces),
following the updated convention from the plan

### Files changed

| File | Change |
| --- | --- |
| `go/auth/auth_client.go` | Add `ContextAwareAuthTransport` and
`NewContextAwareAuthClient` for per-request JWT extraction |
| `go/auth/context_aware_auth_test.go` | Unit tests for the new
transport |
| `services/api-server/customermcp/deps.go` | Add `SourcesService` and
`SnapshotsService` fields to `Deps` |
| `services/api-server/customermcp/sources.go` | `list_sources` and
`get_source_status` tool handlers |
| `services/api-server/customermcp/snapshots.go` | `list_snapshots` and
`get_snapshot` tool handlers |
| `services/api-server/customermcp/resources.go` | `sources://list`
resource and `sources://{source_id}/types` template |
| `services/api-server/customermcp/scope.go` | `addResourceTemplate`
scope wrapper |
| `services/api-server/customermcp/tools.go` | Register all 4 new tools
|
| `services/api-server/customermcp/format.go` | `formatSourceStatus` and
`formatSourceManaged` helpers |
| `services/api-server/customermcp/sources_test.go` | Comprehensive
tests for source tools and resources |
| `services/api-server/customermcp/snapshots_test.go` | Comprehensive
tests for snapshot tools |
| `services/api-server/customermcp/changes_test.go` | Update test deps
for new tool registration |
| `services/api-server/customermcp/mcp_test.go` | Update test deps for
new tool registration |
| `services/api-server/service/main.go` | Add `ManagementService()`
accessor |
| `services/api-server/cmd/start.go` | Wire `SourcesService` and
`SnapshotsService` after Init() |

## Testing

- 43 new tests covering all tool handlers, resource handlers, scope
enforcement, format helpers, registration, error handling, and the
context-aware auth transport
- All existing Phase 1/2 tests continue to pass (40+ tests)
- Full compilation verified across `api-server`, `auth`, and
`customermcp` packages

<!-- CURSOR_AGENT_PR_BODY_END -->

Linear Issue:
[ENG-3579](https://linear.app/overmind/issue/ENG-3579/phase-3-customer-mcp-infrastructure-context-resources-and-inventory)

<div><a
href="https://cursor.com/agents/bc-56e4e223-5d42-425f-8aab-4f88772ddd27"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/assets/images/open-in-web-light.png"><img
alt="Open in Web" width="114" height="28"
src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a>&nbsp;<a
href="https://cursor.com/background-agent?bcId=bc-56e4e223-5d42-425f-8aab-4f88772ddd27"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img
alt="Open in Cursor" width="131" height="28"
src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a>&nbsp;</div>
GitOrigin-RevId: 47728085e9b6275fd49ce451ff683e2e3a8f1c6b

Author: DavidS-ovm

go/auth/auth_client.go

@@ -52,6 +52,42 @@ func NewAuthenticatedClient(ctx context.Context, from *http.Client) *http.Client
 	}
 }
 
+// ContextAwareAuthTransport is an http.RoundTripper that extracts the user JWT
+// from each request's context at call time (not at client-creation time). This
+// enables a single persistent http.Client to pass through per-request JWTs,
+// which is needed when the client is created once at startup but serves
+// requests from different users.
+type ContextAwareAuthTransport struct {
+	from http.RoundTripper
+}
+
+// RoundTrip extracts the JWT from the request's context and adds it as a
+// Bearer token in the Authorization header.
+func (t *ContextAwareAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Set("X-Overmind-Interactive", "false")
+
+	if token, ok := req.Context().Value(UserTokenContextKey{}).(string); ok && token != "" {
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", token))
+	}
+
+	return t.from.RoundTrip(req)
+}
+
+// NewContextAwareAuthClient creates an http.Client whose transport extracts the
+// JWT from each outgoing request's context. Unlike NewAuthenticatedClient (which
+// captures the token once), this client re-reads the token on every call —
+// making it safe to reuse across requests from different users.
+func NewContextAwareAuthClient(from *http.Client) *http.Client {
+	return &http.Client{
+		Transport: &ContextAwareAuthTransport{
+			from: from.Transport,
+		},
+		CheckRedirect: from.CheckRedirect,
+		Jar:           from.Jar,
+		Timeout:       from.Timeout,
+	}
+}
+
 // AuthenticatedAdminClient Returns a bookmark client that uses the auth
 // embedded in the context and otel instrumentation
 func AuthenticatedAdminClient(ctx context.Context, apiUrl string) sdpconnect.AdminServiceClient {

go/auth/context_aware_auth_test.go

@@ -0,0 +1,81 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestContextAwareAuthTransport_InjectsToken(t *testing.T) {
+	var capturedAuth string
+	ts := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		capturedAuth = r.Header.Get("Authorization")
+	}))
+	defer ts.Close()
+
+	client := NewContextAwareAuthClient(ts.Client())
+
+	ctx := context.WithValue(context.Background(), UserTokenContextKey{}, "test-jwt-token")
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, ts.URL, nil)
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if capturedAuth != "Bearer test-jwt-token" {
+		t.Errorf("expected 'Bearer test-jwt-token', got %q", capturedAuth)
+	}
+}
+
+func TestContextAwareAuthTransport_NoToken(t *testing.T) {
+	var capturedAuth string
+	ts := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		capturedAuth = r.Header.Get("Authorization")
+	}))
+	defer ts.Close()
+
+	client := NewContextAwareAuthClient(ts.Client())
+
+	req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, ts.URL, nil)
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if capturedAuth != "" {
+		t.Errorf("expected empty auth header, got %q", capturedAuth)
+	}
+}
+
+func TestContextAwareAuthTransport_DifferentTokensPerRequest(t *testing.T) {
+	var capturedTokens []string
+	ts := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		capturedTokens = append(capturedTokens, r.Header.Get("Authorization"))
+	}))
+	defer ts.Close()
+
+	client := NewContextAwareAuthClient(ts.Client())
+
+	for _, token := range []string{"token-a", "token-b"} {
+		ctx := context.WithValue(context.Background(), UserTokenContextKey{}, token)
+		req, _ := http.NewRequestWithContext(ctx, http.MethodGet, ts.URL, nil)
+		resp, err := client.Do(req)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		resp.Body.Close()
+	}
+
+	if len(capturedTokens) != 2 {
+		t.Fatalf("expected 2 requests, got %d", len(capturedTokens))
+	}
+	if capturedTokens[0] != "Bearer token-a" {
+		t.Errorf("first request: expected 'Bearer token-a', got %q", capturedTokens[0])
+	}
+	if capturedTokens[1] != "Bearer token-b" {
+		t.Errorf("second request: expected 'Bearer token-b', got %q", capturedTokens[1])
+	}
+}