feat(config): per-upstream auth_broker block + teams credential keys (spec 074, MCP-1035) #588

Merged: Dumbris merged 4 commits into main from 074-t2-config-auth-broker on Jun 4, 2026
Conversation

@Dumbris (Member) commented Jun 4, 2026

Summary

Spec 074 T2 (MCP-1035) — the config-schema foundation for per-user upstream token brokering (server edition). No blockers; parallel with T1.

Per-upstream auth_broker (server edition)

ServerConfig.AuthBroker *AuthBrokerConfig:

  • mode: token_exchange | entra_obo | oauth_connect
  • token_endpoint, resource (RFC 8707 audience), scopes[], client_id, client_secret
  • header (default Authorization) + header_format (default Bearer {token}) — FR-016

Teams-level keys (teams_config.go)

  • credential_encryption_key — env fallback MCPPROXY_CRED_KEY (explicit config wins)
  • store_idp_tokens bool, default false, privacy-preserving (FR-006)

Validation

  • Rejects auth_broker on stdio / non-HTTP-family upstreams with a clear "unsupported in this phase" message (FR-002).
  • HTTP-family upstreams (http / sse / streamable-http, plus inferred URL-only) pass; header defaults applied in place.
  • Opt-in per server; upstreams without a broker behave exactly as today (FR-003).

Edition isolation

AuthBrokerConfig + its validator live behind //go:build server; the personal edition gets an empty-struct stub + no-op validator (mirrors the existing TeamsConfig pattern). Personal edition unaffected. AuthBroker carries swaggerignore like Teams; make swagger-verify confirms no OpenAPI drift.

Testing (TDD, test-first)

  • internal/config/auth_broker_test.go: defaults, valid HTTP broker, stdio + implied-stdio rejection, invalid/missing mode, missing token_endpoint, all valid modes, no-broker-unaffected, JSON round-trip.
  • internal/config/teams_credential_test.go: store_idp_tokens default false + parse, cred-key parse, env fallback, config-wins-over-env.

Verification (all green):

  • go test ./internal/config/... -race (personal) ✅
  • go test -tags server ./internal/config/... -race
  • go build ./cmd/mcpproxy + go build -tags server ./cmd/mcpproxy
  • ./scripts/run-linter.sh → 0 issues ✅
  • make swagger-verify → up to date ✅

FR-002, FR-003, FR-006, FR-016 (config side).

Related #587

…(spec 074)

Add server-edition configuration surface for per-user upstream token
brokering (spec 074, T2 / MCP-1035):

- ServerConfig.AuthBroker *AuthBrokerConfig with mode
  (token_exchange|entra_obo|oauth_connect), token_endpoint, resource
  (RFC 8707 audience), scopes, client_id/secret, and configurable header
  + header_format (defaults "Authorization" / "Bearer {token}", FR-016).
- TeamsConfig.CredentialEncryptionKey (env fallback MCPPROXY_CRED_KEY,
  explicit config wins) and StoreIDPTokens bool, default false (FR-006).
- Validation rejects auth_broker on stdio/non-HTTP-family upstreams with
  an "unsupported in this phase" message (FR-002); HTTP-family upstreams
  pass and have header defaults applied. Opt-in per server; upstreams
  without a broker behave exactly as today (FR-003).

The AuthBrokerConfig type and validation are behind //go:build server with
a personal-edition stub (empty struct + no-op validator), so the personal
edition is unaffected. AuthBroker carries swaggerignore (mirrors Teams) —
swagger-verify confirms no OpenAPI drift.

Related #587
cloudflare-workers-and-pages Bot commented Jun 4, 2026

Deploying mcpproxy-docs with Cloudflare Pages

Latest commit: c786d39
Status: ✅  Deploy successful!
Preview URL: https://a8cf30c4.mcpproxy-docs.pages.dev
Branch Preview URL: https://074-t2-config-auth-broker.mcpproxy-docs.pages.dev

Dumbris added 3 commits June 4, 2026 19:38
# Conflicts:
#	internal/config/config.go
# Conflicts:
#	internal/config/teams_config.go
…canary

AuthBroker (spec 074) is server-edition per-upstream broker config carried
in the JSON config (like Shared), not persisted to the BBolt UpstreamRecord.
Mark it intentionally excluded in TestSaveServerSyncFieldCoverage so the
field-coverage canary passes.

Related #588
@codecov-commenter

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

github-actions Bot commented Jun 4, 2026

📦 Build Artifacts

Workflow Run: View Run
Branch: 074-t2-config-auth-broker

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (24 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 26966810712 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.
