MCP compatibility for AI agents: server registry, JSON-RPC client, gateway, run-time tool catalog

Agents can now use Model Context Protocol servers. End to end:
- SharedKernel seam IMcpGateway (ListToolsAsync / CallToolAsync) + McpToolDescriptor / McpToolResult,
  so the Assembler discovers and can invoke MCP tools without referencing Integrations' tables.
- Integrations: McpServerConfig (org-scoped, owner-only; auth headers AES-GCM encrypted, never
  returned — only their names) + AddMcpServers migration. McpClient: a dependency-free Streamable-HTTP
  JSON-RPC 2.0 client (initialize → notifications/initialized → tools/list / tools/call), carrying the
  Mcp-Session-Id and parsing both application/json and text/event-stream replies. McpGateway resolves
  an org's servers, decrypts headers server-side, and is best-effort: an unreachable server is logged
  and skipped, never failing the run. CRUD + connectivity-test endpoints (create/test/delete owner-only
  via ManageApiKeys; list via ConfigureAgents to bind).
- OrgBoard: Agent gains McpServerIds (uuid[]; migration backfills existing agents to empty) flowing
  through ConfigureAgent + AgentRunContext.
- Assembler: AgentRunExecutor lists the agent's MCP tools (best-effort) and PromptAssembler renders a
  "# Tools (MCP)" catalog — labelled as data, never instructions — and records it in the run trace.
- Client: SeatsPage gains an MCP servers card (add/test/delete, encrypted auth header) and a per-agent
  MCP server multi-select; api client gains del().

Note: discovery + the governed call gateway are in place now; the autonomous model-driven tool-call
loop (model emits tool_calls → gated execution → feedback) needs a tool-calling model client and is
the next increment — the stub model can't drive it.

Verified: ArchitectureTests 8/8, IntegrationTests 53/53 (McpClientTests: JSON-RPC handshake/session,
json + SSE; McpServerRegistryTests: owner-only, encrypted-header-never-returned, graceful test,
Member 403; PromptAssemblerMcpTests: catalog + trace, omitted when empty), client build green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/TeamUp.IntegrationTests/McpServerRegistryTests.cs

@@ -0,0 +1,117 @@
+using System.Net;
+using System.Net.Http.Headers;
+using System.Net.Http.Json;
+using Xunit;
+
+namespace TeamUp.IntegrationTests;
+
+/// <summary>
+/// The MCP server registry: owner-only to create (ManageApiKeys), team-owners may list (to bind),
+/// auth-header values are encrypted and never returned (only their names), and an unreachable server
+/// fails the test endpoint gracefully rather than throwing.
+/// </summary>
+public sealed class McpServerRegistryTests(PostgresFixture postgres) : IClassFixture<PostgresFixture>
+{
+    private sealed record BootstrapResponse(string Token, Guid MemberId, Guid OrganizationId);
+
+    private sealed record AuthResponse(string Token, Guid MemberId);
+
+    private sealed record InviteResponse(Guid InvitationId, string Token);
+
+    private sealed record McpServerDto(Guid Id, string Name, string Endpoint, bool Enabled, List<string> HeaderNames);
+
+    private sealed record McpTestResultDto(bool Success, string? Error, int ToolCount, List<string> ToolNames);
+
+    [Fact]
+    public async Task Owner_registers_a_server_with_encrypted_headers_and_a_member_cannot()
+    {
+        await using var factory = new TeamUpWebFactory(postgres.ConnectionString);
+        using var anon = factory.CreateClient();
+
+        var owner = await PostOk<BootstrapResponse>(anon, "/api/identity/bootstrap", new
+        {
+            organizationName = "AliaSaaS",
+            ownerEmail = "owner@alia.test",
+            ownerDisplayName = "Owner",
+            ownerPassword = "Passw0rd!",
+        });
+        using var client = Authed(factory, owner.Token);
+
+        // Create with an auth header — the response exposes only the header NAME, never its value.
+        var created = await PostOk<McpServerDto>(client, "/api/integrations/mcp-servers", new
+        {
+            organizationId = owner.OrganizationId,
+            name = "GitHub MCP",
+            endpoint = "https://mcp.example.com/mcp",
+            headers = new Dictionary<string, string> { ["Authorization"] = "Bearer super-secret-token" },
+        });
+        Assert.Equal("GitHub MCP", created.Name);
+        Assert.True(created.Enabled);
+        Assert.Equal(["Authorization"], created.HeaderNames);
+
+        // Listing also never leaks the value.
+        var list = await client.GetFromJsonAsync<List<McpServerDto>>(
+            $"/api/integrations/mcp-servers?organizationId={owner.OrganizationId}");
+        var server = Assert.Single(list!);
+        Assert.Equal(["Authorization"], server.HeaderNames);
+
+        // A bad endpoint is rejected.
+        var bad = await client.PostAsJsonAsync("/api/integrations/mcp-servers", new
+        {
+            organizationId = owner.OrganizationId,
+            name = "Bad",
+            endpoint = "not-a-url",
+            headers = (object?)null,
+        });
+        Assert.Equal(HttpStatusCode.BadRequest, bad.StatusCode);
+
+        // Test endpoint on an unreachable server fails gracefully (no throw), reporting the reason.
+        var test = await client.PostAsync($"/api/integrations/mcp-servers/{created.Id}/test", content: null);
+        Assert.Equal(HttpStatusCode.OK, test.StatusCode);
+        var result = await test.Content.ReadFromJsonAsync<McpTestResultDto>();
+        Assert.False(result!.Success);
+        Assert.NotNull(result.Error);
+
+        // A plain Member cannot register a server (ManageApiKeys is owner-only).
+        var invite = await PostOk<InviteResponse>(client, "/api/identity/invitations", new
+        {
+            email = "dev@alia.test",
+            scopeType = "Organization",
+            scopeId = owner.OrganizationId,
+            role = "Member",
+            organizationId = owner.OrganizationId,
+        });
+        var member = await PostOk<AuthResponse>(anon, "/api/identity/invitations/accept",
+            new { token = invite.Token, displayName = "Dev", password = "Passw0rd!" });
+        using var memberClient = Authed(factory, member.Token);
+
+        var forbidden = await memberClient.PostAsJsonAsync("/api/integrations/mcp-servers", new
+        {
+            organizationId = owner.OrganizationId,
+            name = "Nope",
+            endpoint = "https://mcp.example.com/mcp",
+            headers = (object?)null,
+        });
+        Assert.Equal(HttpStatusCode.Forbidden, forbidden.StatusCode);
+
+        // The owner can delete it.
+        var deleted = await client.DeleteAsync($"/api/integrations/mcp-servers/{created.Id}");
+        Assert.Equal(HttpStatusCode.NoContent, deleted.StatusCode);
+    }
+
+    private static HttpClient Authed(TeamUpWebFactory factory, string token)
+    {
+        var client = factory.CreateClient();
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        return client;
+    }
+
+    private static async Task<T> PostOk<T>(HttpClient client, string url, object body)
+    {
+        var response = await client.PostAsJsonAsync(url, body);
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        var value = await response.Content.ReadFromJsonAsync<T>();
+        Assert.NotNull(value);
+        return value!;
+    }
+}