fix: add downstream token API for OAuth broker migration

[abhijitjavelin]

Summary

New API endpoints for storing/retrieving encrypted per-user downstream OAuth tokens. This migrates the token broker from admin's user_mcp_tokens to zeroid's downstream_tokens.

Endpoints

Method	Path	Purpose
POST	/api/v1/downstream-tokens/{server_slug}	Store encrypted token
GET	/api/v1/downstream-tokens/{server_slug}	Fetch decrypted token
DELETE	/api/v1/downstream-tokens/{server_slug}	Disconnect
GET	/api/v1/downstream-tokens	List connected servers

Changes

• domain/downstream_token.go — model
• migrations/007 — table + indexes
• internal/store/postgres/downstream_token.go — CRUD
• internal/service/downstream_token.go — encrypt/decrypt (AES-256-GCM), auto-refresh
• internal/handler/downstream_token.go — Huma handlers
• config.go — EncryptionKey in TokenConfig
• server.go — wire service, repo, routes

Test plan

• Store token → encrypted in DB
• Get token → decrypted correctly
• List tokens → returns status without secrets
• Delete token → returns 404 on subsequent get
• Auto-refresh with expired token + refresh_token

🤖 Generated with Claude Code

[gemini-code-assist]

Code Review

This pull request introduces a downstream token management system to store and retrieve encrypted third-party OAuth tokens. It includes a new database schema, a repository layer, a service layer featuring AES-256-GCM encryption and automatic token refresh, and corresponding REST API endpoints. Feedback highlights several critical improvements: ensuring the encryption key is correctly mapped to environment variables, removing hardcoded security defaults, implementing timeouts for external HTTP requests, and using synchronization mechanisms like singleflight to prevent race conditions during token refreshes. Additionally, the mandatory requirement for tenant-specific headers in API handlers should be re-evaluated.