Add secrets management support to ToolHive MCP server

[JAORMX]

Overview

This PR implements comprehensive secrets management functionality for the ToolHive MCP server, enabling users to manage secrets and pass them to MCP servers through the MCP interface.

Changes

New MCP Tools

• list_secrets - Lists all available secrets from the ToolHive secrets store with descriptions
• set_secret - Sets secrets by reading values from file paths (file-based input only for security)

Enhanced run_server Tool

• Added secrets parameter with structured SecretMapping objects
• Supports passing secrets to MCP servers when running them
• Converts to runner's expected format ("secret_name,target=ENV_VAR_NAME")

Implementation Details

• Security-focused: File-based secret input only, no direct value input
• Comprehensive validation: File existence, size limits (1MB), content validation
• Provider integration: Works with existing ToolHive secrets providers (encrypted, 1Password, etc.)
• Structured responses: JSON-formatted responses following MCP patterns

Files Added/Modified

• pkg/mcp/server/list_secrets.go - List secrets tool implementation
• pkg/mcp/server/set_secret.go - Set secret tool with validation
• pkg/mcp/server/run_server.go - Enhanced with SecretMapping and prepareSecrets
• pkg/mcp/server/handler.go - Added configProvider for secrets access
• pkg/mcp/server/server.go - Updated tool registrations with schemas
• Comprehensive test coverage for all new functionality

Usage Examples

List available secrets

{
  "name": "list_secrets"
}

Set a secret from file

{
  "name": "set_secret",
  "arguments": {
    "secret_name": "github-token",
    "file_path": "/path/to/token.txt"
  }
}

Run server with secrets

{
  "name": "run_server",
  "arguments": {
    "server": "github",
    "secrets": [
      {
        "name": "github-token",
        "target": "GITHUB_PERSONAL_ACCESS_TOKEN"
      }
    ]
  }
}

Testing

• ✅ All tests pass
• ✅ Linting clean (0 issues)
• ✅ Comprehensive test coverage including edge cases and error scenarios
• ✅ Integration with existing ToolHive secrets infrastructure

Security Considerations

• File-based secret input only (no direct value input)
• File path sanitization using filepath.Clean()
• File size limits to prevent resource exhaustion
• Provider capability checks (read-only vs read-write)
• Secrets never appear in logs or command history

This enhancement allows users to manage ToolHive secrets through the MCP interface and seamlessly pass them to MCP servers, matching the CLI --secret flag functionality but accessible through the MCP protocol.

[codecov]

Codecov Report

❌ Patch coverage is 63.19018% with 60 lines in your changes missing coverage. Please review.
✅ Project coverage is 47.63%. Comparing base (975da43) to head (54835b1).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/mcp/server/set_secret.go	50.76%	29 Missing and 3 partials ⚠️
pkg/mcp/server/list_secrets.go	26.47%	25 Missing ⚠️
pkg/mcp/server/run_server.go	80.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2006      +/-   ##
==========================================
+ Coverage   47.58%   47.63%   +0.05%     
==========================================
  Files         232      234       +2     
  Lines       28646    28808     +162     
==========================================
+ Hits        13630    13723      +93     
- Misses      13989    14060      +71     
+ Partials     1027     1025       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.