feat: mcpctl mcptoken verbs + mcpd auth dispatch + audit plumbing

Adds the end-to-end CLI surface for McpTokens and the mcpd auth dispatch
that recognizes them.

mcpd auth middleware:
  - Dispatch on the `mcpctl_pat_` bearer prefix. McpToken bearers resolve
    through a new `findMcpToken(hash)` dep, populating `request.mcpToken`
    and `request.userId = ownerId`. Everything else follows the existing
    session path.
  - Returns 401 for revoked / expired / unknown tokens.
  - Global RBAC hook now threads `mcpTokenSha` into `canAccess` /
    `canRunOperation` / `getAllowedScope`, and enforces a hard
    project-scope check: a McpToken principal can only hit
    `/api/v1/projects/<its-project>/...`.

CLI verbs:
  - `mcpctl create mcptoken <name> -p <proj> [--rbac empty|clone]
    [--bind role:view,resource:servers] [--ttl 30d|never|ISO]
    [--description ...] [--force]` — returns the raw token once.
  - `mcpctl get mcptokens [-p <proj>]` — table with
    NAME/PROJECT/PREFIX/CREATED/LAST USED/EXPIRES/STATUS.
  - `mcpctl get mcptoken <name> -p <proj>` and
    `mcpctl describe mcptoken <name> -p <proj>` — describe surfaces the
    auto-created RBAC bindings.
  - `mcpctl delete mcptoken <name> -p <proj>`.
  - `apply -f` support with `kind: mcptoken`. Tokens are immutable, so
    apply creates if missing and skips if the name is already active.

Audit plumbing:
  - `AuditEvent` / collector now carry optional `tokenName` / `tokenSha`.
    `setSessionMcpToken` sits alongside `setSessionUserName`; both feed a
    per-session principal map used at emit time.
  - `AuditEventService` query accepts `tokenName` / `tokenSha` filters.
  - Console `AuditEvent` type carries the new fields so a follow-up can
    add a TOKEN column.

Completions regenerated. 1764/1764 tests pass workspace-wide.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/mcpd/tests/auth.test.ts

@@ -99,3 +99,76 @@ describe('auth middleware', () => {
     expect(findSession).toHaveBeenCalledWith('my-token');
   });
 });
+
+describe('auth middleware — McpToken dispatch', () => {
+  async function setupAppWithMcpToken(deps: Parameters<typeof createAuthMiddleware>[0]) {
+    app = Fastify({ logger: false });
+    const authMiddleware = createAuthMiddleware(deps);
+    app.addHook('preHandler', authMiddleware);
+    app.get('/protected', async (request) => ({
+      userId: request.userId,
+      mcpToken: request.mcpToken,
+    }));
+    return app.ready();
+  }
+
+  it('routes mcpctl_pat_ bearers to findMcpToken and skips findSession', async () => {
+    const findSession = vi.fn(async () => null);
+    const findMcpToken = vi.fn(async () => ({
+      tokenId: 'ctok1',
+      tokenName: 'mytok',
+      tokenSha: 'deadbeef',
+      projectId: 'cproj1',
+      projectName: 'myproj',
+      ownerId: 'cuser1',
+      expiresAt: null,
+      revokedAt: null,
+    }));
+    await setupAppWithMcpToken({ findSession, findMcpToken });
+    const res = await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Bearer mcpctl_pat_abcdefghij' },
+    });
+    expect(res.statusCode).toBe(200);
+    expect(findSession).not.toHaveBeenCalled();
+    expect(findMcpToken).toHaveBeenCalledTimes(1);
+    const body = res.json<{ userId: string; mcpToken: { tokenName: string; projectName: string } }>();
+    expect(body.userId).toBe('cuser1');
+    expect(body.mcpToken.tokenName).toBe('mytok');
+    expect(body.mcpToken.projectName).toBe('myproj');
+  });
+
+  it('returns 401 for a revoked McpToken', async () => {
+    await setupAppWithMcpToken({
+      findSession: async () => null,
+      findMcpToken: async () => ({
+        tokenId: 'ctok1',
+        tokenName: 'mytok',
+        tokenSha: 'x',
+        projectId: 'p',
+        projectName: 'p',
+        ownerId: 'u',
+        expiresAt: null,
+        revokedAt: new Date(),
+      }),
+    });
+    const res = await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Bearer mcpctl_pat_revoked' },
+    });
+    expect(res.statusCode).toBe(401);
+    expect(res.json<{ error: string }>().error).toContain('revoked');
+  });
+
+  it('returns 401 when a mcpctl_pat_ bearer arrives but findMcpToken is not configured', async () => {
+    await setupAppWithMcpToken({ findSession: async () => null });
+    const res = await app.inject({
+      method: 'GET',
+      url: '/protected',
+      headers: { authorization: 'Bearer mcpctl_pat_no-lookup-wired' },
+    });
+    expect(res.statusCode).toBe(401);
+  });
+});