MCP server scaffold with device flow authentication #232

@The127

Summary

Add an MCP (Model Context Protocol) server to Keyline that authenticates via the OIDC device flow. The MCP server acts as a bridge between AI agents and the existing Keyline REST API.

Design

  • New cmd/mcp/ entrypoint
  • On startup, initiates device flow against the configured Keyline instance
  • User approves in browser → MCP server receives access + refresh tokens
  • All subsequent MCP tool calls are translated into REST API calls using the user's token
  • Token refresh happens silently when the access token expires
  • The user's existing RBAC permissions apply — no privilege escalation

Configuration

  • --issuer-url — Keyline OIDC issuer URL
  • --client-id — OIDC client_id (must have device flow enabled)
  • --virtual-server — virtual server name (default: keyline)

Acceptance Criteria

  • cmd/mcp/main.go starts an MCP server (stdio transport)
  • Device flow authentication on startup with user approval prompt
  • Access token stored in memory, refreshed automatically
  • MCP server exposes tool listing (initially empty, tools added in subsequent issues)
  • Clean shutdown on SIGINT/SIGTERM
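
The polling step of the device flow described under Design, as an added Go example that is not Keyline's own code. The names `pollToken` and `tokenResponse`, the endpoint URL and the client values are assumptions; the error codes and the 5-second back-off are those of RFC 8628.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)
// tokenResponse holds the RFC 8628 token endpoint fields used here (hypothetical type).
type tokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`
	Error        string `json:"error"`
}
// pollToken polls until the user approves or denies, the code expires, or ctx is cancelled.
func pollToken(ctx context.Context, tokenURL, clientID, deviceCode string, interval time.Duration) (*tokenResponse, error) {
	form := url.Values{"client_id": {clientID}, "device_code": {deviceCode},
		"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"}}
	for {
		select {
		case <-ctx.Done(): // e.g. cancelled on SIGINT/SIGTERM
			return nil, ctx.Err()
		case <-time.After(interval):
		}
		resp, err := http.PostForm(tokenURL, form)
		if err != nil {
			return nil, err
		}
		var tr tokenResponse
		err = json.NewDecoder(resp.Body).Decode(&tr)
		resp.Body.Close()
		switch {
		case err != nil:
			return nil, err
		case tr.Error == "authorization_pending": // not approved yet, keep polling
		case tr.Error == "slow_down": // RFC 8628 section 3.5: add 5 seconds
			interval += 5 * time.Second
		case tr.Error != "" || tr.AccessToken == "": // access_denied, expired_token, malformed
			return nil, fmt.Errorf("device flow failed: %q", tr.Error)
		default:
			return &tr, nil // keep tokens in memory only, never log them
		}
	}
}
func main() { // placeholder endpoint and IDs (assumptions): expect a connection error
	_, err := pollToken(context.Background(), "http://127.0.0.1:9/token", "example-client", "example-code", time.Second)
	fmt.Println("result:", err)
}
```

Treating every unknown error code as terminal keeps the server from polling forever after a denial or an expired device code.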
