feat(headers): unify display + server-side convert-to-secret for redacted values

User feedback: the Headers card looked split-brained. A non-sensitive
header showed `••••XX (NN chars)` with a Convert-to-secret button. The
Authorization header showed `***REDACTED***` with no button — exactly
the most-likely candidate for "move me to keyring" was the one the UI
refused to convert, because the client side couldn't hand the real value
to the existing two-step (POST /secrets, then PATCH server) flow.

This change unifies both display and conversion:

1. **Single mask format on the wire** — internal/oauth/logging.go
   replaces the `***REDACTED***` sentinel in RedactStringHeaders with
   MaskValue(v), producing `••••<last2> (<N> chars)` for literal
   secrets. The same format the Web UI / macOS tray have been computing
   client-side. Bare ${keyring:NAME} / ${env:VAR} references pass
   through unchanged (they're labels, not secrets; the UI needs to
   recognise them to render the keyring chip).

2. **Server-side atomic convert** — new endpoint:
       POST /api/v1/servers/{name}/config-to-secret
       body: {"scope": "header"|"env", "key": "<k>", "secret_name": "<n>"}
   The backend reads the real value from the loaded config, stores it
   in the OS keyring under secret_name, and rewrites the config field
   with ${keyring:<n>}. The client never has to possess the plaintext,
   so Convert-to-secret now works on the redacted-on-read path too.

3. **Reveal button removed from KVValueCell.vue** — with all literals
   displayed identically and Convert-to-secret available everywhere,
   the reveal toggle was a security-shaped speed bump with no real use
   case. The two paths to peek at a value (open the config file, or
   edit-cancel) remain. revealedKeys reactive state and the
   reveal/hide events disappear from the parent too.

4. **Symmetric macOS Swift cleanup** — ServerDetailView.swift::kvRow
   drops the `value != "***REDACTED***"` gate on the Convert-to-secret
   button. maskedHeaderValue() drops the sentinel special case.
   performConvertToSecret() calls the new atomic endpoint via the new
   APIClient.convertConfigToSecret helper instead of two-stepping
   through storeSecret + PATCH.

Backend tests updated for the new format:

- internal/oauth/logging_test.go::TestRedactStringHeaders — asserts the
  ••••et (40 chars) mask shape with length + last-2 suffix. New
  sub-tests pin the keyring/env-ref pass-through, short-value (<=4
  chars -> bare ••••), and empty-value ((empty)) edge cases.
- internal/runtime/event_bus_payload_test.go — SSE redaction test
  asserts the new format on the wire.
- internal/server/e2e_test.go — both PR #425 round-trip tests now
  assert mask shape instead of literal sentinel.

New backend test coverage:

- internal/httpapi/patch_server_test.go — 9 new sub-tests for the
  /config-to-secret endpoint validation paths: missing scope / key /
  secret_name, invalid scope, key not on server, value already a
  reference (keyring + env separately), empty value, server not found.
  Happy-path lives in the live verification because secret.Resolver is
  a concrete struct without a mock.

End-to-end verification on live local mcpproxy:

  GET /api/v1/servers
  -> synapbus.headers.Authorization = ••••59 (71 chars)            # new format
  -> kaggle.headers.Authorization   = ••••N} (30 chars)            # Bearer\${k...} also masked

  POST /api/v1/servers/synapbus/config-to-secret
       {"scope":"header","key":"Authorization","secret_name":"synapbus-authorization"}
  -> 200 {"reference":"\${keyring:synapbus-authorization}"}
  -> on disk: {"Authorization": "\${keyring:synapbus-authorization}"}
  -> GET response: passes the bare reference through unchanged

  Web UI: Headers row transformed from
          `Authorization ••••59 (71 chars) [lock] Convert to secret`
          to
          `Authorization [key-chip] stored in keyring: synapbus-authorization`
          via the Convert-to-secret modal — no intermediate steps for
          the user, no plaintext on the client.

  CLI: `upstream patch synapbus --header X-Cli-Verify=hello` /
       `upstream patch synapbus --header-remove X-Cli-Verify` still
       work; the keyring reference on Authorization survives both.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: claude

frontend/src/components/KVValueCell.vue

@@ -13,53 +13,43 @@
     <button class="btn btn-xs btn-ghost" :disabled="busy" @click="$emit('cancel-edit')">Cancel</button>
   </div>
   <div v-else class="flex gap-2 items-center flex-wrap">
-    <!-- Keyring reference: rendered as a chip; no reveal toggle. -->
+    <!-- Keyring reference: rendered as a chip; no convert affordance. -->
     <template v-if="isKeyringRef">
       <span class="badge badge-info badge-sm gap-1" :title="rawValue">
         <span aria-hidden="true">🔑</span>
         <span class="font-mono text-xs">stored in keyring: {{ keyringName }}</span>
       </span>
     </template>
-    <!-- Env reference (${env:VAR}): also a chip with no reveal toggle. -->
+    <!-- Env reference (${env:VAR}): also a chip. -->
     <template v-else-if="isEnvRef">
       <span class="badge badge-ghost badge-sm gap-1" :title="rawValue">
         <span aria-hidden="true">$</span>
         <span class="font-mono text-xs">env var: {{ envRefName }}</span>
       </span>
     </template>
-    <!-- Literal value path. Two sub-cases:
-         1. Backend redacted the value (`***REDACTED***` sentinel). The
-            real string isn't on the client; reveal would just expose
-            the sentinel and Convert-to-secret has nothing to upload to
-            the keyring. We surface a small "backend-redacted" hint
-            instead so the user understands why those actions are
-            disabled. Editing the value still works through the inline
-            edit button — the PATCH endpoint deep-merges, so typing a
-            new value replaces just that one header server-side.
-         2. Plaintext literal: mask by default, eye to reveal, lock to
-            convert. -->
+    <!-- Literal value path. Two cases produce identical visuals:
+         1. Header value the backend already masked (`••••<last2> (<N> chars)`
+            format from oauth.RedactStringHeaders) — we render the masked
+            string verbatim. Convert-to-secret on these rows hits the
+            server-side `/config-to-secret` endpoint, which has the real
+            value on disk.
+         2. Plaintext literal (env vars, or headers when
+            `reveal_secret_headers: true`) — we mask client-side using
+            the same format so it looks the same to the user.
+         The UI no longer has a reveal button; the two routes to peek
+         at the value (edit + cancel, or open the config file) are
+         documented in CLAUDE.md. -->
     <template v-else>
-      <code v-if="isBackendRedacted" class="bg-base-200 px-1.5 py-0.5 rounded text-xs text-base-content/50" title="Backend redacted this value. Edit to overwrite — the PATCH endpoint deep-merges, so the unchanged real value is preserved.">{{ rawValue }}</code>
-      <template v-else>
-        <code v-if="revealed" class="bg-base-200 px-1.5 py-0.5 rounded text-xs break-all">{{ rawValue }}</code>
-        <code v-else class="bg-base-200 px-1.5 py-0.5 rounded text-xs text-base-content/50">{{ redactedPreview }}</code>
-        <button
-          class="btn btn-ghost btn-xs"
-          :title="revealed ? 'Hide value' : 'Reveal value'"
-          @click="revealed ? $emit('hide') : $emit('reveal')"
-        >
-          <span aria-hidden="true">{{ revealed ? '🙈' : '👁' }}</span>
-        </button>
-        <button
-          class="btn btn-ghost btn-xs"
-          title="Move value into the OS keyring and reference it as ${keyring:name}"
-          @click="$emit('convert')"
-          :disabled="busy"
-        >
-          <span aria-hidden="true">🔒</span>
-          <span class="hidden md:inline ml-1">Convert to secret</span>
-        </button>
-      </template>
+      <code class="bg-base-200 px-1.5 py-0.5 rounded text-xs text-base-content/70 font-mono break-all">{{ displayValue }}</code>
+      <button
+        class="btn btn-ghost btn-xs"
+        title="Move value into the OS keyring and reference it as ${keyring:name}"
+        @click="$emit('convert')"
+        :disabled="busy"
+      >
+        <span aria-hidden="true">🔒</span>
+        <span class="hidden md:inline ml-1">Convert to secret</span>
+      </button>
     </template>
     <button class="btn btn-ghost btn-xs" title="Edit" @click="$emit('start-edit')" :disabled="busy">✎</button>
     <button class="btn btn-ghost btn-xs text-error" title="Delete" @click="$emit('delete')" :disabled="busy">✕</button>
@@ -70,22 +60,19 @@
 import { computed, nextTick, ref, watch } from 'vue'
 
 // KVValueCell encapsulates the per-row UI for the Headers and Environment
-// Variables cards on ServerDetail. It owns the visual state (revealed vs
-// hidden, edit-in-progress draft) and emits intent events; the parent owns
-// the persistence (PATCH the server, refresh the store).
+// Variables cards on ServerDetail. It owns the visual state (edit-in-
+// progress draft) and emits intent events; the parent owns the
+// persistence (PATCH the server, call config-to-secret, refresh).
 
 const props = defineProps<{
   scope: 'header' | 'env'
   k: string
   rawValue: string
   isEditing: boolean
-  revealed: boolean
   busy?: boolean
 }>()
 
 const emit = defineEmits<{
-  (e: 'reveal'): void
-  (e: 'hide'): void
   (e: 'start-edit'): void
   (e: 'cancel-edit'): void
   (e: 'save', value: string): void
@@ -123,20 +110,21 @@ const envRefName = computed(() => {
   const m = (props.rawValue ?? '').match(/^\$\{env:([^}]+)\}$/)
   return m ? m[1] : ''
 })
-// The Go backend redacts secret header values via
-// `redactServerHeaders` so an MCP agent calling `upstream_servers list`
-// cannot exfiltrate Bearer tokens (PR #425). The REST API and SSE
-// channel inherit the same redaction. When that sentinel surfaces, the
-// real string is not in our hands — reveal/convert are disabled, but
-// editing still works because the PATCH endpoint deep-merges (the
-// untouched redacted key simply stays out of the patch body).
-const isBackendRedacted = computed(() => props.rawValue === '***REDACTED***')
 
-const redactedPreview = computed(() => {
+// Render the literal value with the masked-display format. If the
+// backend already masked the value (sensitive header, default redaction
+// policy), it arrives already in this exact format — we pass it
+// through unchanged. If the backend sent plaintext (env var, or headers
+// when `reveal_secret_headers: true`), we mask client-side here for
+// consistency. The detection is "starts with a mask bullet", which is
+// idempotent: re-masking a masked string is a no-op.
+const MASK_PREFIX = '••••'
+const displayValue = computed(() => {
   const v = props.rawValue ?? ''
   if (!v) return '(empty)'
-  if (v.length <= 4) return '••••'
-  return '••••' + v.slice(-2) + ` (${v.length} chars)`
+  if (v.startsWith(MASK_PREFIX) || v === '(empty)') return v
+  if (v.length <= 4) return MASK_PREFIX
+  return MASK_PREFIX + v.slice(-2) + ` (${v.length} chars)`
 })
 
 const placeholder = computed(() =>

frontend/src/services/api.ts

@@ -294,15 +294,37 @@ class APIService {
 
   // storeSecret stashes a value in the OS keyring under the given name and
   // returns the ${keyring:<name>} reference string callers can substitute
-  // back into the server config. Used by the "Convert to secret" affordance
-  // on the Headers and Environment Variables cards.
+  // back into the server config. Kept for legacy callers; the
+  // Headers/Environment Variables "Convert to secret" flow now uses the
+  // atomic convertConfigToSecret() instead.
   async storeSecret(name: string, value: string): Promise<APIResponse<{ reference?: string }>> {
     return this.request<{ reference?: string }>('/api/v1/secrets', {
       method: 'POST',
       body: JSON.stringify({ name, value, type: 'keyring' }),
     })
   }
 
+  // convertConfigToSecret asks the backend to atomically (a) read the real
+  // value of a header / env key from the server config, (b) store it in
+  // the OS keyring under `secretName`, and (c) rewrite the config field
+  // with the `${keyring:<name>}` reference. The client never has to
+  // possess the real value — which matters when the API redacts
+  // sensitive header values on the read path.
+  async convertConfigToSecret(
+    serverName: string,
+    scope: 'header' | 'env',
+    key: string,
+    secretName: string
+  ): Promise<APIResponse<{ reference?: string }>> {
+    return this.request<{ reference?: string }>(
+      `/api/v1/servers/${encodeURIComponent(serverName)}/config-to-secret`,
+      {
+        method: 'POST',
+        body: JSON.stringify({ scope, key, secret_name: secretName }),
+      }
+    )
+  }
+
   async getServerTools(serverName: string): Promise<APIResponse<{ tools: Tool[] }>> {
     return this.request<{ tools: Tool[] }>(`/api/v1/servers/${encodeURIComponent(serverName)}/tools`)
   }

frontend/src/views/ServerDetail.vue

@@ -676,10 +676,7 @@
                           :k="k"
                           :raw-value="serverHeaders[k]"
                           :is-editing="editingKey === `hdr::${k}`"
-                          :revealed="revealedKeys.has(`hdr::${k}`)"
                           :busy="kvPatchInFlight"
-                          @reveal="revealedKeys.add(`hdr::${k}`)"
-                          @hide="revealedKeys.delete(`hdr::${k}`)"
                           @start-edit="startEdit('hdr', k)"
                           @cancel-edit="cancelEdit"
                           @save="(val) => saveEdit('header', k, val)"
@@ -743,10 +740,7 @@
                           :k="k"
                           :raw-value="serverEnv[k]"
                           :is-editing="editingKey === `env::${k}`"
-                          :revealed="revealedKeys.has(`env::${k}`)"
                           :busy="kvPatchInFlight"
-                          @reveal="revealedKeys.add(`env::${k}`)"
-                          @hide="revealedKeys.delete(`env::${k}`)"
                           @start-edit="startEdit('env', k)"
                           @cancel-edit="cancelEdit"
                           @save="(val) => saveEdit('env', k, val)"
@@ -2321,7 +2315,6 @@ const envKeys = computed(() => Object.keys(serverEnv.value).sort())
 const hasHeaders = computed(() => headerKeys.value.length > 0)
 const hasEnv = computed(() => envKeys.value.length > 0)
 
-const revealedKeys = ref<Set<string>>(new Set())
 const editingKey = ref<string | null>(null)
 const kvPatchInFlight = ref(false)
 
@@ -2461,19 +2454,22 @@ function closeConvertModal() {
 
 async function commitConvert() {
   const m = convertModal.value
-  if (!m.secretName || !m.rawValue) return
+  if (!m.secretName || !server.value) return
   m.busy = true
   try {
-    const storeResp = await api.storeSecret(m.secretName, m.rawValue)
-    if (!storeResp.success) {
-      systemStore.addToast({ type: 'error', title: 'Failed to store secret', message: storeResp.error || 'Unknown error' })
+    // Atomic server-side conversion: the backend reads the real value
+    // from the loaded config (so we don't need the plaintext on the
+    // client — important when the API redacts sensitive headers on the
+    // read path), stores it in keyring, and rewrites the config field
+    // with the ${keyring:NAME} reference. Single round-trip, single
+    // failure surface.
+    const resp = await api.convertConfigToSecret(server.value.name, m.scope, m.key, m.secretName)
+    if (!resp.success) {
+      systemStore.addToast({ type: 'error', title: 'Convert failed', message: resp.error || 'Unknown error' })
       return
     }
-    const ref = `\${keyring:${m.secretName}}`
-    await patchServerDiff(
-      { [scopeKey(m.scope)]: { [m.key]: ref } },
-      `Converted ${m.key} to secret`
-    )
+    await serversStore.fetchServers(true)
+    systemStore.addToast({ type: 'success', title: `Converted ${m.key} to secret`, message: '' })
     closeConvertModal()
   } catch (e: any) {
     systemStore.addToast({ type: 'error', title: 'Convert failed', message: e?.message || String(e) })

internal/httpapi/patch_server_test.go

@@ -133,9 +133,9 @@ func TestHandlePatchServer_ExplicitBoolsTakePrecedence(t *testing.T) {
 // TestHandlePatchServer_HeadersDeepMerge verifies that PATCH /api/v1/servers
 // preserves existing header keys not mentioned in the request body. This is
 // the foundation of the Web UI / macOS tray edit flow: clients send a diff
-// against the redacted view of headers, so any key whose value is
-// `***REDACTED***` and unchanged stays out of the patch — and the backend
-// must NOT wipe it.
+// against the redacted view of headers, so any key whose masked-display
+// value (`••••<last2> (<N> chars)`) is unchanged stays out of the patch —
+// and the backend must NOT wipe it.
 func TestHandlePatchServer_HeadersDeepMerge(t *testing.T) {
 	logger := zap.NewNop().Sugar()
 	mockCtrl := &mockPatchServerController{
@@ -154,8 +154,8 @@ func TestHandlePatchServer_HeadersDeepMerge(t *testing.T) {
 	srv := NewServer(mockCtrl, logger, nil)
 
 	// Client sends just X-New-Header. Authorization is omitted because
-	// its redacted view (`***REDACTED***`) matched the original, and
-	// X-Trace is omitted because the user didn't touch it.
+	// its masked view (`••••<last2> (<N> chars)`) matched the original
+	// in the diff, and X-Trace is omitted because the user didn't touch it.
 	body, _ := json.Marshal(map[string]any{
 		"headers": map[string]string{"X-New-Header": "new-value"},
 	})
@@ -335,3 +335,131 @@ func TestHandlePatchServer_HeadersEmptyStringSetsNotDeletes(t *testing.T) {
 	assert.Equal(t, "value", got["X-Original"], "X-Original must be preserved")
 	assert.Len(t, got, 2)
 }
+
+// TestHandleConvertConfigToSecret_ValidationErrors covers the input
+// validation paths on POST /api/v1/servers/{id}/config-to-secret that
+// happen BEFORE we touch the secret resolver — so they're testable with
+// a nil resolver via the existing mock. Happy-path lives in the live
+// verification scripts because secret.Resolver is a concrete struct and
+// faking it would mean stubbing the whole keyring provider chain.
+func TestHandleConvertConfigToSecret_ValidationErrors(t *testing.T) {
+	logger := zap.NewNop().Sugar()
+
+	cases := []struct {
+		name       string
+		existing   *config.ServerConfig
+		body       string
+		wantStatus int
+		wantInBody string
+	}{
+		{
+			name:       "missing scope",
+			existing:   &config.ServerConfig{Name: "synapbus", Protocol: "http", Enabled: true},
+			body:       `{"key": "Authorization", "secret_name": "synapbus-auth"}`,
+			wantStatus: 400,
+			wantInBody: `scope`,
+		},
+		{
+			name:       "invalid scope",
+			existing:   &config.ServerConfig{Name: "synapbus", Protocol: "http", Enabled: true},
+			body:       `{"scope": "isolation", "key": "image", "secret_name": "foo"}`,
+			wantStatus: 400,
+			wantInBody: `scope`,
+		},
+		{
+			name:       "missing key",
+			existing:   &config.ServerConfig{Name: "synapbus", Protocol: "http", Enabled: true},
+			body:       `{"scope": "header", "secret_name": "synapbus-auth"}`,
+			wantStatus: 400,
+			wantInBody: `key`,
+		},
+		{
+			name:       "missing secret name",
+			existing:   &config.ServerConfig{Name: "synapbus", Protocol: "http", Enabled: true},
+			body:       `{"scope": "header", "key": "Authorization"}`,
+			wantStatus: 400,
+			wantInBody: `secret_name`,
+		},
+		{
+			name: "key not present on server",
+			existing: &config.ServerConfig{
+				Name: "synapbus", Protocol: "http", Enabled: true,
+				Headers: map[string]string{"X-Trace": "on"},
+			},
+			body:       `{"scope": "header", "key": "Authorization", "secret_name": "synapbus-auth"}`,
+			wantStatus: 404,
+			wantInBody: "Authorization",
+		},
+		{
+			name: "value is already a keyring reference",
+			existing: &config.ServerConfig{
+				Name: "synapbus", Protocol: "http", Enabled: true,
+				Headers: map[string]string{"Authorization": "${keyring:already-stored}"},
+			},
+			body:       `{"scope": "header", "key": "Authorization", "secret_name": "synapbus-auth"}`,
+			wantStatus: 400,
+			wantInBody: "already a reference",
+		},
+		{
+			name: "value is already an env reference",
+			existing: &config.ServerConfig{
+				Name: "synapbus", Protocol: "http", Enabled: true,
+				Headers: map[string]string{"Authorization": "${env:FOO}"},
+			},
+			body:       `{"scope": "header", "key": "Authorization", "secret_name": "synapbus-auth"}`,
+			wantStatus: 400,
+			wantInBody: "already a reference",
+		},
+		{
+			name: "empty value",
+			existing: &config.ServerConfig{
+				Name: "synapbus", Protocol: "http", Enabled: true,
+				Headers: map[string]string{"Authorization": ""},
+			},
+			body:       `{"scope": "header", "key": "Authorization", "secret_name": "synapbus-auth"}`,
+			wantStatus: 400,
+			wantInBody: "no value to store",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			mockCtrl := &mockPatchServerController{
+				apiKey:         "test-key",
+				existingServer: tc.existing,
+			}
+			srv := NewServer(mockCtrl, logger, nil)
+
+			req := httptest.NewRequest(http.MethodPost, "/api/v1/servers/synapbus/config-to-secret", bytes.NewReader([]byte(tc.body)))
+			req.Header.Set("Content-Type", "application/json")
+			req.Header.Set("X-API-Key", "test-key")
+			w := httptest.NewRecorder()
+			srv.ServeHTTP(w, req)
+
+			require.Equal(t, tc.wantStatus, w.Code, "body=%s", w.Body.String())
+			require.Contains(t, w.Body.String(), tc.wantInBody)
+			// The update path must not have been invoked when validation
+			// rejects the request.
+			assert.Nil(t, mockCtrl.capturedUpdates, "validation errors must not call UpdateServer")
+		})
+	}
+}
+
+// TestHandleConvertConfigToSecret_ServerNotFound verifies the 404 path
+// for an unknown server name. Separate from the validation-errors table
+// because it needs an empty server list, not a single populated entry.
+func TestHandleConvertConfigToSecret_ServerNotFound(t *testing.T) {
+	logger := zap.NewNop().Sugar()
+	mockCtrl := &mockPatchServerController{apiKey: "test-key", existingServer: nil}
+	srv := NewServer(mockCtrl, logger, nil)
+
+	body := []byte(`{"scope": "header", "key": "Authorization", "secret_name": "x"}`)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/servers/missing/config-to-secret", bytes.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-API-Key", "test-key")
+	w := httptest.NewRecorder()
+	srv.ServeHTTP(w, req)
+
+	require.Equal(t, http.StatusNotFound, w.Code, "body=%s", w.Body.String())
+	require.Contains(t, w.Body.String(), `missing`)
+}