feat(teams): CredentialStore interface + AES-256-GCM BBolt backend (074-T1)

[Dumbris]

Summary

Foundation task MCP-1034 / 074-T1 for upstream token brokering (spec 074). No blockers. New server-edition package internal/teams/broker/ (//go:build server).

• CredentialStore interface (Get/Put/Delete/List) — the abstraction seam so external secret managers (Vault/AWS) can be added later without changing callers (FR-023).
• BBoltAESStore backend — bucket user_upstream_credentials:
  • upstream creds keyed <userID>:<serverKey> (serverKey = existing SHA256(name+url) scheme, see oauth.GenerateServerKey)
  • idp subject tokens keyed by bare <userID> (empty serverKey selects them)
• UpstreamCredential value model (Type, AccessToken, RefreshToken, ExpiresAt, Scopes, TokenType, Audience, ObtainedVia, UpdatedAt), JSON-serialized then AES-256-GCM encrypted with a per-record random nonce (FR-020), isolated per user (FR-021).
• Master key from env MCPPROXY_CRED_KEY or teams.credential_encryption_key (32-byte base64). Missing key → store disabled gracefully (rest of gateway unaffected, logged for startup surfacing); present-but-invalid → loud error (FR-022).
• Decryption failure (e.g. rotated key) → record treated as absent, never fatal; List skips undecryptable records.
• Adds teams.credential_encryption_key config field as the config-side key source.

Mirrors the obot-platform/mcp-oauth-proxy AES approach.

Tests (TDD — test-first, all green with -race)

• encrypt/decrypt roundtrip (+ asserts plaintext token absent on disk)
• per-user isolation (incl. userID-prefix bleed guard)
• subject-token keying + List exclusion
• nonce uniqueness (same plaintext → different ciphertext)
• expiry helpers (IsExpired/IsValid/ExpiresWithin, zero = never)
• missing-key disabled path (all ops → ErrStoreDisabled)
• invalid/short key → constructor error
• key-changed → ErrNotFound (not-connected)
• ResolveMasterKey env-over-config precedence

Verification

go build ./cmd/mcpproxy                         # personal: OK
go build -tags server ./cmd/mcpproxy            # server:   OK
go test -tags server -race ./internal/teams/broker/ ./internal/config/   # ok
golangci-lint run --build-tags=server ./internal/teams/broker/...        # 0 issues

Notes

• Docs: no docs/ file documents teams config keys (they live in CLAUDE.md, which is at the 40k CI size limit); the field is an inert foundation seam not yet wired/activated, so user-facing docs are deferred to the downstream startup-wiring task. Spec FRs already documented in specs/074-upstream-token-brokering/spec.md.
• Out of scope (downstream tasks): startup wiring + "surface disabled at startup", token-exchange/refresh, callers.

Related spec: specs/074-upstream-token-brokering · FR-020..FR-023

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	2526aa9
Status:	✅  Deploy successful!
Preview URL:	https://69aeac4b.mcpproxy-docs.pages.dev
Branch Preview URL:	https://mcp-1034-credential-store.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: mcp-1034-credential-store

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (28 MB)
• archive-windows-arm64 (24 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 26935941638 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.