Conversation

@amirejaz
Contributor

@amirejaz amirejaz commented Jan 6, 2026

Summary

Implements reactive detection for bearer token authentication failures by detecting 401 Unauthorized responses from remote MCP servers. When a bearer token becomes invalid, the workload is automatically marked with unauthenticated status, providing clear feedback to users.

Changes

Transport Layer (pkg/transport/):

  • Added UnauthorizedResponseCallback type to pkg/transport/types/transport.go
  • Added onUnauthorizedResponse callback field to TransparentProxy struct
  • Added SetOnUnauthorizedResponse method to HTTPTransport interface
  • Updated NewTransparentProxy constructor to accept unauthorized response callback
  • Added 401 detection in tracingTransport.RoundTrip - checks for http.StatusUnauthorized after receiving response
  • Added isMarkedUnauthorized flag to prevent repeated status updates on multiple 401 responses

Runner Layer (pkg/runner/runner.go):

  • Wired up unauthorized response callback for remote servers
  • Marks workload as WorkloadStatusUnauthenticated when 401 is received
  • Provides actionable error message: "Bearer token authentication failed. Please restart the server with a new token"
  • Preserves unauthenticated status when setting workload to running (prevents overwriting unauthenticated state)

Tests (pkg/transport/proxy/transparent/transparent_test.go):

  • TestTransparentProxy_UnauthorizedResponseCallback - Verifies callback is invoked on 401 response
  • TestTransparentProxy_UnauthorizedResponseCallback_Multiple401s - Verifies callback is called for each 401
  • TestTransparentProxy_NoUnauthorizedCallbackOnSuccess - Verifies callback is NOT called for successful responses
  • TestTransparentProxy_NilUnauthorizedCallback - Verifies nil callback doesn't cause panics

Behavior

  • 401 Detection: When a 401 Unauthorized response is received from a remote MCP server, the callback is invoked
  • Status Update: Workload status is updated to unauthenticated with a clear error message
  • Prevent Duplicates: Flag prevents repeated status updates if multiple 401s are received
  • Status Preservation: Unauthenticated status is preserved when workload transitions to running state

Design Decisions

  1. Callback Pattern: Follows the same pattern as onHealthCheckFailed for consistency
  2. Reactive Detection: Detects 401s as they occur (not proactive like OAuth token monitoring)
  3. Status Preservation: Prevents overwriting unauthenticated status when setting to running
  4. Duplicate Prevention: Flag prevents spam of status updates on repeated 401s

Related PRs

  • PR1: Bearer token foundation - ✅ Merged
  • PR2: Secret reference pattern - ✅ Merged
  • PR3: Authentication discovery improvements - ✅ Merged
  • PR4: This PR - Unauthenticated state detection

Testing

All tests pass:

  • ✅ New 401 detection tests
  • ✅ Existing transport tests
  • ✅ Runner tests
  • ✅ No linting errors
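The 401 detection flow this PR describes (a RoundTripper that watches upstream responses, a runner-side callback that marks the workload unauthenticated only once, and a "running" transition that does not clobber that state) as an added, self-contained example. This is not the project's code: the names unauthorizedDetector, workload, stubTransport and runScenario, the placement of the dedup flag on the runner side, the message text and the placeholder URL are all assumptions made for the illustration, and the upstream is a constructed stub so nothing is dialled.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
)

// UnauthorizedResponseCallback receives the status code of an upstream response
// that failed bearer authentication (name modelled on the PR description).
type UnauthorizedResponseCallback func(statusCode int)

// unauthorizedDetector wraps any http.RoundTripper and reports every 401 it
// sees; deduplication is deliberately left to the callback's owner.
type unauthorizedDetector struct {
	base           http.RoundTripper
	onUnauthorized UnauthorizedResponseCallback
}

func (d *unauthorizedDetector) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := d.base.RoundTrip(req)
	if err != nil {
		return nil, err // transport errors are not authentication failures
	}
	// A nil callback must be tolerated, as the PR's NilUnauthorizedCallback test requires.
	if resp.StatusCode == http.StatusUnauthorized && d.onUnauthorized != nil {
		d.onUnauthorized(resp.StatusCode)
	}
	return resp, nil
}

// WorkloadStatus is a minimal stand-in for the runner's status values.
type WorkloadStatus string

const (
	StatusRunning         WorkloadStatus = "running"
	StatusUnauthenticated WorkloadStatus = "unauthenticated"
)

// workload holds the runner-side state; markedUnauthorized guarantees that only
// the first 401 produces a status update, however many follow.
type workload struct {
	mu                 sync.Mutex
	status             WorkloadStatus
	message            string
	callbackCount      int
	markedUnauthorized bool
}

// handleUnauthorized is the callback the runner wires into the transport.
func (w *workload) handleUnauthorized(statusCode int) {
	w.mu.Lock()
	defer w.mu.Unlock()
	w.callbackCount++
	if w.markedUnauthorized {
		return // repeated 401s do not spam status updates
	}
	w.markedUnauthorized = true
	w.status = StatusUnauthenticated
	w.message = fmt.Sprintf("Bearer token authentication failed (HTTP %d). Please restart the server with a new token", statusCode)
}

// setRunning models status preservation: an unauthenticated workload is never
// flipped back to running by a routine "set running" call.
func (w *workload) setRunning() {
	w.mu.Lock()
	defer w.mu.Unlock()
	if w.status == StatusUnauthenticated {
		return
	}
	w.status = StatusRunning
}

// stubTransport is a constructed upstream that always answers with one status
// code, so the example runs offline.
type stubTransport struct{ code int }

func (s stubTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	return &http.Response{
		StatusCode: s.code,
		Header:     make(http.Header),
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    req,
	}, nil
}

// runScenario sends n requests through the detector to an upstream that always
// returns code, re-asserts "running" as the runner would, and reports how many
// times the callback fired plus the final status and message.
func runScenario(code, n int) (callbacks int, final WorkloadStatus, message string) {
	w := &workload{status: StatusRunning}
	client := &http.Client{Transport: &unauthorizedDetector{
		base:           stubTransport{code: code},
		onUnauthorized: w.handleUnauthorized,
	}}
	for i := 0; i < n; i++ {
		resp, err := client.Get("http://mcp.example/mcp") // placeholder URL, never dialled
		if err != nil {
			panic(err)
		}
		resp.Body.Close()
	}
	w.setRunning()
	return w.callbackCount, w.status, w.message
}

func main() {
	c, s, m := runScenario(http.StatusUnauthorized, 3)
	fmt.Printf("3x401: callbacks=%d status=%s message=%q\n", c, s, m)
	c, s, _ = runScenario(http.StatusOK, 3)
	fmt.Printf("3x200: callbacks=%d status=%s\n", c, s)
}
```

Splitting the responsibilities this way keeps the transport stateless (it fires once per 401, which is what the Multiple401s test checks) while the workload owns the one-way transition, so a later "set running" from a health check or restart cannot hide the fact that the token was rejected.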

@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Jan 6, 2026
@codecov

codecov bot commented Jan 6, 2026

Codecov Report

❌ Patch coverage is 60.78431% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.17%. Comparing base (62fc780) to head (823a4a6).
⚠️ Report is 1 commit behind head on main.

Files with missing lines    Patch %   Lines
pkg/runner/runner.go         0.00%    18 Missing ⚠️
pkg/transport/http.go       93.75%     1 Missing ⚠️
pkg/transport/stdio.go       0.00%     1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3201   +/-   ##
=======================================
  Coverage   57.16%   57.17%           
=======================================
  Files         346      346           
  Lines       34325    34363   +38     
=======================================
+ Hits        19623    19647   +24     
- Misses      13074    13083    +9     
- Partials     1628     1633    +5     

@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Jan 7, 2026
@amirejaz amirejaz requested a review from dmjb January 7, 2026 10:51
@amirejaz amirejaz merged commit 31e847e into main Jan 7, 2026
33 checks passed
@amirejaz amirejaz deleted the bearer-token-pr4-unauthenticated-state branch January 7, 2026 12:27