feat(m7.3): MCP tenant-scoped bearer tokens

LLM clients (Claude Desktop, Cursor, ChatGPT) can't run a Keycloak
OIDC flow, so the MCP server can't use JWTs for auth. This PR
introduces opaque static bearer tokens minted per-tenant via new
agent endpoints, validated by the MCP server, and used to route
incoming MCP requests to the caller's per-tenant database.

Until now, the MCP server connected to a single shared MongoDB DB
with no auth and no tenant awareness — every tool (list_findings,
list_sbom_packages, etc.) returned data across all tenants. After
M7.2 made the agent per-tenant, MCP was the lone cross-tenant data
leak. This closes it.

Design summary
- Token format: `mcpt_<43 url-safe random chars>` (48 chars total).
  Opaque, never embeds tenant_id, never stored in plaintext.
- Storage: cross-tenant `<prefix>__admin.mcp_tokens` collection,
  keyed by SHA-256 hash. Each row carries the tenant_id, name,
  created_by, created_at, last_used_at, revoked flag.
- Agent endpoints (tenant-scoped via TenantCtx):
    POST   /api/v1/mcp-tokens    → mint (returns raw token ONCE)
    GET    /api/v1/mcp-tokens    → list (metadata + 12-char prefix,
                                   never the hash)
    DELETE /api/v1/mcp-tokens/id → soft revoke
- MCP middleware: extract `Authorization: Bearer mcpt_...`, sniff
  the prefix, SHA-256 → lookup in admin DB → reject if missing or
  revoked. Updates last_used_at fire-and-forget so it never blocks.
  Sets `tokio::task_local!` TENANT_ID for the inner service call;
  the rmcp tool handlers read it and resolve the per-tenant DB.
- task_local is scoped via TENANT_ID.scope(...) around next.run(req)
  so the rmcp tool handlers downstream see the tenant_id without
  modifying their (macro-generated) signatures.

Files
- compliance-core/src/models/mcp_token.rs (new) — McpToken +
  McpTokenView (public projection without the hash).
- compliance-agent/src/database.rs — DatabasePool::admin_db() +
  admin_db_name(): cross-tenant access for token storage.
- compliance-agent/src/api/handlers/mcp_tokens.rs (new) — three
  endpoints. Token generation: 32 random bytes → URL-safe base64,
  no padding. SHA-256 hex stored.
- compliance-mcp/src/database.rs — replaced single Database with
  DatabasePool. Tenant-scoped Database constructed per request.
  Same sanitization + 63-byte cap + hash fallback as the agent.
- compliance-mcp/src/auth.rs (new) — bearer middleware + task_local.
  Includes a SHA-256 round-trip test against a known vector.
- compliance-mcp/src/main.rs — HTTP transport: bearer middleware
  layered on /mcp (not /health, so orca's container probe still
  works). stdio transport: falls back to STDIO_TENANT_ID env (defaults
  to "dev") so local development still works; logged loudly as
  not-for-production.
- compliance-mcp/src/server.rs — each of the 12 tool handlers
  resolves the per-tenant DB via task_local before calling its tool
  fn. Tool fns themselves are unchanged.

Token UX
- Generated by the dashboard (or curl + KC JWT) — user sees raw
  token exactly once, copies it into their LLM client config.
- Dashboard UI for management is a follow-up; can use curl in the
  meantime:
    curl -X POST https://comp-dev.../api/v1/mcp-tokens \
      -H "Authorization: Bearer $KC_JWT" \
      -H "Content-Type: application/json" \
      -d '{"name":"Claude Desktop"}'

Test plan
- cargo fmt --all clean
- cargo clippy --workspace --exclude compliance-dashboard
  -- -D warnings clean
- cargo test -p compliance-core --lib — 7 pass
- cargo test -p compliance-agent --lib — 230 pass (+2 new for
  token generation + sha256 stability)
- cargo test -p compliance-agent --test tenant_isolation — 6 pass
- cargo test -p compliance-mcp — 34 pass (+1 new sha256 vector)

What's deferred
- Dashboard UI for managing tokens (page + create modal + list/
  revoke). Trivial once the API is live.
- Token expiry + per-tool scope (today every token grants access
  to all 12 tools for its tenant).
- Lifting DatabasePool into compliance-core (duplicated for now
  in compliance-mcp to keep this PR focused; lift if a third
  consumer appears).

Production
- The `<prefix>__admin` DB needs to NOT collide with a tenant
  DB. Sanitized tenant_id never starts with `_admin` for any
  current tenant_id shape (UUIDs); flagged in the database.rs
  docstring so tenant provisioning can reject `_admin*` ids
  proactively.
- orca-infra MCP service block already has MONGODB_URI /
  MONGODB_DATABASE — no new env needed. No KC creds since MCP
  doesn't use Keycloak for its own auth.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

compliance-core/src/models/mcp_token.rs

@@ -0,0 +1,69 @@
+//! Per-tenant API tokens used by `compliance-mcp` to authenticate MCP
+//! HTTP requests on behalf of LLM clients (Claude Desktop, Cursor,
+//! ChatGPT, etc.) that can't run a Keycloak OIDC flow.
+//!
+//! Tokens are opaque strings of the form `mcpt_<44 url-safe random
+//! chars>`. The raw value is shown to the user exactly once at
+//! creation; the database only ever sees the SHA-256 hash. Lookups go
+//! through the cross-tenant `<prefix>__admin.mcp_tokens` collection
+//! and return the `tenant_id` the MCP server should route to.
+
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+
+/// Persisted token metadata. `token_hash` is the SHA-256 hex of the
+/// raw token; the raw token itself is never stored.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct McpToken {
+    #[serde(rename = "_id", skip_serializing_if = "Option::is_none")]
+    pub id: Option<bson::oid::ObjectId>,
+    /// SHA-256 hex of the raw token. Unique index in the collection.
+    pub token_hash: String,
+    /// First 8 chars of the raw token — purely for UI display so users
+    /// can identify which token is which without re-issuing.
+    pub token_prefix: String,
+    /// Routes to `<db_prefix>_<tenant_id>` on MCP requests.
+    pub tenant_id: String,
+    /// User-given label, e.g. "Claude Desktop" or "Sharang's laptop".
+    pub name: String,
+    /// Keycloak `sub` of the user who created this token, for audit.
+    pub created_by: String,
+    #[serde(with = "super::serde_helpers::bson_datetime")]
+    pub created_at: DateTime<Utc>,
+    #[serde(default, with = "super::serde_helpers::opt_bson_datetime")]
+    pub last_used_at: Option<DateTime<Utc>>,
+    /// Soft-delete flag. A revoked token doc stays around for audit
+    /// but never authenticates.
+    #[serde(default)]
+    pub revoked: bool,
+}
+
+/// Public projection of a token — never includes the hash.
+/// Returned by `GET /api/v1/mcp-tokens`.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct McpTokenView {
+    pub id: String,
+    pub name: String,
+    /// `mcpt_xxxx…` so the user can identify which row is which.
+    pub token_prefix: String,
+    pub created_by: String,
+    #[serde(with = "super::serde_helpers::bson_datetime")]
+    pub created_at: DateTime<Utc>,
+    #[serde(default, with = "super::serde_helpers::opt_bson_datetime")]
+    pub last_used_at: Option<DateTime<Utc>>,
+    pub revoked: bool,
+}
+
+impl From<&McpToken> for McpTokenView {
+    fn from(t: &McpToken) -> Self {
+        Self {
+            id: t.id.map(|o| o.to_hex()).unwrap_or_default(),
+            name: t.name.clone(),
+            token_prefix: t.token_prefix.clone(),
+            created_by: t.created_by.clone(),
+            created_at: t.created_at,
+            last_used_at: t.last_used_at,
+            revoked: t.revoked,
+        }
+    }
+}

compliance-core/src/models/mod.rs

@@ -7,6 +7,7 @@ pub mod finding;
 pub mod graph;
 pub mod issue;
 pub mod mcp;
+pub mod mcp_token;
 pub mod notification;
 pub mod pentest;
 pub mod repository;
@@ -28,6 +29,7 @@ pub use graph::{
 };
 pub use issue::{IssueStatus, TrackerIssue, TrackerType};
 pub use mcp::{McpServerConfig, McpServerStatus, McpTransport};
+pub use mcp_token::{McpToken, McpTokenView};
 pub use notification::{CveNotification, NotificationSeverity, NotificationStatus};
 pub use pentest::{
     AttackChainNode, AttackNodeStatus, AuthMode, CodeContextHint, Environment, IdentityProvider,