
Add bearer-token authentication to /mcp endpoint #3

Merged: fccview merged 4 commits into main from develop, Jun 15, 2026

Conversation

@fccview

@fccview fccview commented Jun 15, 2026

Contributor

Summary by CodeRabbit

Release Notes

  • New Features

    • Added optional bearer token authentication for the MCP endpoint (Authorization: Bearer <token>). When enabled, unauthorized requests return 401 Unauthorized with the proper WWW-Authenticate header. The health check endpoint remains open.
  • Documentation

    • Updated the MCP sidecar docs and client examples for the modern Streamable HTTP /mcp interface, including required bearer header usage and updated environment variable names.
  • Tests

    • Added/updated coverage for auth, routing changes, and configuration token trimming.
  • Removed

    • Legacy SSE endpoints are no longer available (now return 404 Not Found).

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d4716f57-4f10-4ab1-88c1-c69fa0e3dabb

📥 Commits

Reviewing files that changed from the base of the PR and between 9613e53 and 2c7110b.

📒 Files selected for processing (1)
  • main_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • degoog-org/docs (manual)
  • degoog-org/degoog (auto-detected)
🚧 Files skipped from review as they are similar to previous changes (1)
  • main_test.go

📝 Walkthrough

The PR adds optional bearer-token authentication to the /mcp endpoint. DEGOOG_MCP_API_KEY is renamed to DEGOOG_MCP_DEGOOG_API_KEY (upstream auth), and a new DEGOOG_MCP_AUTH_TOKEN environment variable is introduced for inbound client auth. The Config struct gains an AuthToken field. buildMux now accepts config and wraps /mcp with a bouncer middleware that performs SHA-256 constant-time bearer-token comparison, returning 401 with a WWW-Authenticate: Bearer header on failure; /healthz remains unauthenticated. Legacy SSE routing is removed. Integration tests replace the prior route-pattern test, and the README and docker-compose.yml are updated to document the new variables and auth behavior.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding bearer-token authentication to the /mcp endpoint, which is reflected across all modified files. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot changed the title @coderabbitai Add bearer-token authentication to /mcp endpoint Jun 15, 2026
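
The walkthrough above describes the /mcp gate only in prose; the sketch below shows that behaviour (optional token, trimmed value, SHA-256 digests compared in constant time, 401 with `WWW-Authenticate: Bearer`, open /healthz). It is an example added here, not the project's `main.go`: `requireBearer`, `newMux`, `probe` and the token value are made up for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// requireBearer, newMux and probe are hypothetical names for this sketch.
// A token that is empty after trimming disables the check (auth is optional).
func requireBearer(token string, next http.Handler) http.Handler {
	if token = strings.TrimSpace(token); token == "" {
		return next
	}
	want := sha256.Sum256([]byte(token))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, cred, found := strings.Cut(r.Header.Get("Authorization"), " ")
		// Hash the presented value so both inputs are 32 bytes: ConstantTimeCompare
		// returns at once on a length mismatch, which would reveal the token length.
		got := sha256.Sum256([]byte(cred))
		if !found || !strings.EqualFold(scheme, "Bearer") || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func newMux(token string) *http.ServeMux {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	mux := http.NewServeMux()
	mux.Handle("/mcp", requireBearer(token, ok)) // protected when a token is configured
	mux.Handle("/healthz", ok)                   // health check stays open
	return mux
}

// probe sends one in-process request and returns the status and WWW-Authenticate value.
func probe(h http.Handler, path, authz string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.Header.Set("Authorization", authz) // an empty value is treated like a missing header
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() { fmt.Println(probe(newMux(" constructed-token \n"), "/mcp", "Bearer wrong")) }
```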

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@main_test.go`:
- Line 22: Replace all instances of httptest.NewRequest with
httptest.NewRequestWithContext throughout main_test.go to comply with the noctx
linting rule. For each occurrence of httptest.NewRequest, add
context.Background() as the first parameter to the function call and change the
function name to httptest.NewRequestWithContext. This applies to all test
functions that use httptest.NewRequest to create HTTP requests for testing with
mux.ServeHTTP.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 694b420c-5e3f-4c05-ae26-3ee8a8d33d1e

📥 Commits

Reviewing files that changed from the base of the PR and between 41e17f4 and f338e29.

📒 Files selected for processing (6)
  • README.md
  • docker-compose.yml
  • internal/config/config.go
  • main.go
  • main_test.go
  • tests/config_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • degoog-org/docs (manual)
  • degoog-org/degoog (auto-detected)

Comment thread main_test.go Outdated
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@main_test.go`:
- Line 22: The code in main_test.go calls context.Background() on line 22 but
the context package is not imported, causing an undefined error. Add the context
package to the import statement at the top of the main_test.go file to resolve
the undefined reference and allow the tests to compile and run successfully.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c5528d15-f464-49d7-b30c-f024bd148ebb

📥 Commits

Reviewing files that changed from the base of the PR and between f338e29 and 9613e53.

📒 Files selected for processing (1)
  • main_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • degoog-org/docs (manual)
  • degoog-org/degoog (auto-detected)

Comment thread main_test.go
@fccview fccview merged commit 972799d into main Jun 15, 2026
6 checks passed