feat(cli): server-edition credential command group (spec 074 T9)

[Dumbris]

Summary

Adds the server-edition mcpproxy credential command group (spec 074 T9, MCP-1042), built on the T8 per-user brokered-credential REST surfaces (/api/v1/user/credentials, merged in #692).

• mcpproxy credential list — table of brokered upstreams + connection status + metadata (no secrets)
• mcpproxy credential status <server> — one upstream's connection detail
• mcpproxy credential connect <server> — prints the browser connect URL (OAuth connect flow)
• mcpproxy credential rm <server> — disconnect/revoke (aliases: remove, disconnect)

Design notes

• Secret redaction (FR-026): responses are decoded into a typed CredentialStatus view that has no token fields, so token material is dropped rather than rendered — even if a response carries it. Covered by TestListCredentials_DropsSecretMaterial and TestRenderCredential_NoSecretLeak.
• Auth model: the T8 surfaces sit behind session-or-Bearer auth (not the API-key/socket group), so the CLI targets a server URL (--url / MCPPROXY_SERVER_URL) and presents a user JWT (--token / MCPPROXY_TOKEN). A NewClientWithBearer transport was added to the shared CLI client.
• connect prints (rather than follows) the browser URL — the connect flow binds to the user's browser session server-side. Slash-named registry servers are path-escaped.
• Output: honors -o table|json|yaml and MCPPROXY_OUTPUT via the existing internal/cli/output formatters.
• Edition isolation: all new code is //go:build server; commands are registered via a build-tagged seam (mirroring collectServerEditionInfo). Verified credential is absent in the personal binary.

Testing

• go test -tags server ./internal/cliclient/... ./cmd/mcpproxy/... — green (incl. -race)
• Both editions build (go build [-tags server] ./cmd/mcpproxy)
• golangci-lint v2.5.0 (CI config) clean with and without --build-tags server
• End-to-end smoke against a stub server: list/status/rm render correctly; secret in the stub response is not leaked; connect URL escapes slash-named servers

Docs (ENG-9)

docs/cli/credential-commands.md — full reference. (Server-edition routes aren't covered by swagger.yaml/verify-oas-coverage.)

Related: spec 074 T9 / MCP-1042. Blocked-by T8 (#692) — merged.

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	80bde2e
Status:	✅  Deploy successful!
Preview URL:	https://516f0890.mcpproxy-docs.pages.dev
Branch Preview URL:	https://074-t9-credential-cli.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 0% with 8 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/cliclient/client.go	0.00%	5 Missing and 1 partial ⚠️
cmd/mcpproxy/main.go	0.00%	1 Missing ⚠️
cmd/mcpproxy/serveredition_commands_stub.go	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: 074-t9-credential-cli

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (28 MB)
• archive-windows-arm64 (25 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27605230022 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.