refactor(agent): split mcp_server.rs into integrations/mcp submodule (#342)

Converts apps/agent/src-tauri/src/integrations/mcp_server.rs (2,022 LOC) into
integrations/mcp/ with separate files for server lifecycle, JSON-RPC handling,
auth, the developer-activity classifier, and tests. No public API change:
McpServer is re-exported from integrations::mcp so main.rs is unchanged.

Layout:
- mcp/mod.rs (13 LOC) — module declarations + McpServer re-export
- mcp/server.rs (92 LOC) — bind/serve/shutdown
- mcp/rpc.rs (330 LOC) — JSON-RPC dispatch, tool listing/calls, telemetry push
- mcp/auth.rs (32 LOC) — bearer-token check
- mcp/developer_activity/mod.rs (294 LOC) — policy-check -> activity projection
- mcp/developer_activity/shell_tokens.rs (305 LOC) — tokenizer + helpers
- mcp/developer_activity/package_command.rs (176 LOC) — npm/pnpm/pip/...
- mcp/developer_activity/cloud_command.rs (130 LOC) — aws/gcloud/gh/vercel/...
- mcp/developer_activity/secret_targets.rs (62 LOC) — secret-path detection
- mcp/developer_activity/metadata.rs (51 LOC) — activity IDs + metadata
- mcp/tests.rs (616 LOC) — all 18 tests moved unchanged

All production files are below the 600-line cap. The developer-activity
classifier stays in-tree per the swarm synthesis (deferred extraction).

Co-authored-by: bb-connor <bb-connor@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bb-connor

apps/agent/src-tauri/src/integrations/mcp/auth.rs

@@ -0,0 +1,32 @@
+//! Authentication for incoming MCP JSON-RPC requests.
+
+use crate::agent_auth::read_local_api_token;
+use crate::security::auth::constant_time_eq_token;
+use axum::http::header::AUTHORIZATION;
+use axum::http::HeaderMap;
+
+/// Verify the bearer token on an incoming MCP JSON-RPC request.
+pub(super) fn mcp_authorized(headers: &HeaderMap, auth_token: &str) -> bool {
+    let token = headers
+        .get(AUTHORIZATION)
+        .and_then(|value| value.to_str().ok())
+        .map(str::trim)
+        .and_then(|value| value.strip_prefix("Bearer "))
+        .map(str::trim);
+
+    let expected_token = match read_local_api_token() {
+        Ok(token) => token,
+        Err(err) => {
+            tracing::warn!(
+                error = %err,
+                "Falling back to startup MCP auth token because current token could not be read"
+            );
+            auth_token.to_string()
+        }
+    };
+
+    match token {
+        Some(candidate) => constant_time_eq_token(candidate, &expected_token),
+        None => false,
+    }
+}

apps/agent/src-tauri/src/integrations/mcp/developer_activity/cloud_command.rs

@@ -0,0 +1,130 @@
+//! Cloud-CLI command classification (aws/gcloud/az/gh/vercel/etc).
+
+use super::shell_tokens::executable_name;
+
+pub(super) struct CloudCommand {
+    pub(super) provider: &'static str,
+    pub(super) image: String,
+    pub(super) args: Vec<String>,
+}
+
+pub(super) fn cloud_command(command: &[String]) -> Option<CloudCommand> {
+    let image = command.first()?.clone();
+    let executable = executable_name(&image);
+    let provider = match executable.as_str() {
+        "aws" => "aws",
+        "gcloud" => "gcloud",
+        "az" => "az",
+        "gh" => "gh",
+        "vercel" => "vercel",
+        "netlify" => "netlify",
+        "wrangler" => "wrangler",
+        "doctl" => "doctl",
+        "fly" | "flyctl" => "fly",
+        "op" => "op",
+        "vault" => "vault",
+        "doppler" => "doppler",
+        "heroku" => "heroku",
+        "supabase" => "supabase",
+        "kubectl" => "kubectl",
+        "pulumi" => "pulumi",
+        "circleci" => "circleci",
+        "glab" => "glab",
+        "buildkite-agent" | "bk" => "buildkite",
+        _ => return None,
+    };
+    Some(CloudCommand {
+        provider,
+        image,
+        args: command.iter().skip(1).cloned().collect(),
+    })
+}
+
+pub(super) fn cloud_cli_args_are_sensitive(args: &[String]) -> bool {
+    let joined = args.join(" ").to_ascii_lowercase();
+    [
+        "secretsmanager get-secret-value",
+        "ssm get-parameter",
+        "ssm get-parameters",
+        "iam create-access-key",
+        "iam put-user-policy",
+        "iam attach-user-policy",
+        "ecr get-login-password",
+        "sts get-session-token",
+        "sts assume-role",
+        "auth print-access-token",
+        "secrets versions access",
+        "iam service-accounts keys create",
+        "keyvault secret show",
+        "keyvault secret download",
+        "account get-access-token",
+        "ad app credential reset",
+        "secret set",
+        "secret put",
+        "secret bulk",
+        "secret list",
+        "secret delete",
+        "versions secret put",
+        "versions secret bulk",
+        "registry docker-config",
+        "registry login",
+        "kubernetes cluster kubeconfig save",
+        "secrets set",
+        "secrets import",
+        "secrets unset",
+        "secrets list",
+        "tokens create",
+        "tokens revoke",
+        "auth token",
+        "variable set",
+        "variable update",
+        "variable delete",
+        "variable get",
+        "variable list",
+        "variable export",
+        "secret get",
+        "secret create",
+        "secret update",
+        "env pull",
+        "env add",
+        "env rm",
+        "env remove",
+        "env ls",
+        "env:get",
+        "env:list",
+        "env:set",
+        "env:import",
+        "env:unset",
+        "item get",
+        "document get",
+        "op://",
+        "kv get",
+        "read secret/",
+        "token create",
+        "secrets download",
+        "configs tokens create",
+        "config:get",
+        "config:set",
+        "secrets pull",
+        "get secret",
+        "describe secret",
+        "config view --raw",
+        "--show-secrets",
+        "context store-secret",
+        "context remove-secret",
+        "runner token create",
+        "runner token list",
+    ]
+    .iter()
+    .any(|needle| joined.contains(needle))
+        || args.iter().any(|arg| {
+            let arg = arg.to_ascii_lowercase();
+            arg.contains("secret")
+                || arg.contains("token")
+                || arg.contains("credential")
+                || arg.contains("access-key")
+                || arg == "iam"
+                || arg == "sts"
+                || arg == "keyvault"
+        })
+}

apps/agent/src-tauri/src/integrations/mcp/developer_activity/metadata.rs

@@ -0,0 +1,51 @@
+//! Metadata helpers and activity identifiers for developer-activity records.
+
+use crate::policy::PolicyCheckInput;
+use hush_core::sha256;
+
+pub(super) fn mcp_shell_activity_metadata(
+    base_metadata: &serde_json::Value,
+    input: &PolicyCheckInput,
+    classifier: &str,
+) -> serde_json::Value {
+    let mut metadata = base_metadata.as_object().cloned().unwrap_or_default();
+    metadata.insert(
+        "collectorKind".to_string(),
+        serde_json::Value::String("mcp_policy_check".to_string()),
+    );
+    metadata.insert(
+        "shellClassifier".to_string(),
+        serde_json::Value::String(classifier.to_string()),
+    );
+    if let Some(content) = input
+        .content
+        .as_deref()
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+    {
+        metadata.insert(
+            "policyContent".to_string(),
+            serde_json::Value::String(content.to_string()),
+        );
+    }
+    serde_json::Value::Object(metadata)
+}
+
+pub(super) fn local_mcp_activity_id(
+    prefix: &str,
+    session_id: Option<&str>,
+    agent_id: &str,
+    target: &str,
+) -> String {
+    let material = format!(
+        "{prefix}\0{}\0{agent_id}\0{target}",
+        session_id.unwrap_or_default()
+    );
+    let digest = sha256(material.as_bytes()).to_hex_prefixed();
+    let fragment = digest
+        .trim_start_matches("0x")
+        .chars()
+        .take(32)
+        .collect::<String>();
+    format!("{prefix}-{fragment}")
+}