feat(mcp-gateway): add management dashboard #3722

Open
pandemicsyn wants to merge 19 commits into main from feat/mcp-gateway-dashboard

pandemicsyn (Contributor) commented Jun 4, 2026

Summary

  • Add an admin-gated MCP Gateway management dashboard for personal and organization scopes, including connection discovery, setup, connect URL management, assignments, credentials, and provider sign-in controls.
  • Introduce an app-owned dashboard tRPC/control-plane surface while preserving the two-plane architecture: apps/web manages configuration and OAuth workflows, while services/mcp-gateway remains responsible for runtime token verification and credential-injecting proxy behavior.
  • Harden dashboard lifecycle boundaries: scope-bind management mutations, persist initial static provider credentials atomically, normalize DB timestamps at the tRPC boundary, reject OAuth client authentication-method changes without a secret lifecycle, require confirmations for destructive actions, and keep the dashboard rollout gated to admins for personal connections.
  • Move resource-specific OAuth registration under /api/mcp-gateway/oauth/register/resource/... to avoid Next.js dynamic route conflicts while retaining the required registration capability.
  • Separate Kilo gateway scopes from upstream provider scopes. This avoids incorrectly sending Kilo's profile scope to remote providers, preserves remote protected-resource resource values, stores upstream scope provenance on the config, and lets both dashboard sign-in and Codex-triggered sign-in use the same resolved provider OAuth configuration.
  • Preserve discovered provider scope provenance by only treating user-edited scope values as overrides, and polish the dashboard's accessibility and interaction details around auth hints, checkbox contrast, internal navigation, and responsive status display.

Verification

  • Manual dashboard demo and OAuth flow verification were shared in Slack.
  • Additional manual verification details:

Visual Changes

| Before | After |
| --- | --- |
| MCP Gateway dashboard unavailable (screenshot pending) | Personal connection list and setup flow (screenshot pending) |
| Organization MCP Gateway management unavailable (screenshot pending) | Organization detail, assignment, and credential management surface (screenshot pending) |

Reviewer Notes

  • This PR now targets main; the underlying gateway implementation and production hostname work have already landed separately.
  • The upstream OAuth scope change adds provider_scopes, provider_scope_source, and provider_resource to the config model because remote provider scopes are not the same thing as Kilo gateway scopes.
  • Focus areas: OAuth/provider sign-in setup behavior, tenant-scoped management mutations, destructive action lifecycle semantics, and provider scope/resource resolution.

pandemicsyn force-pushed the feat/mcp-gateway-dashboard branch 7 times, most recently from a1ee590 to d7bc8e4, on June 5, 2026 00:58
pandemicsyn force-pushed the feat/mcp-gateway-implementation branch from 281a2e3 to e7235c0 on June 5, 2026 01:24
pandemicsyn force-pushed the feat/mcp-gateway-dashboard branch 2 times, most recently from 80f36bf to 6d97b09, on June 5, 2026 02:44
pandemicsyn force-pushed the feat/mcp-gateway-implementation branch from 73e1118 to b14e7d9 on June 5, 2026 14:44
pandemicsyn force-pushed the feat/mcp-gateway-dashboard branch from 6d97b09 to 392d27b on June 5, 2026 16:14
Base automatically changed from feat/mcp-gateway-implementation to main on June 5, 2026 17:10
pandemicsyn force-pushed the feat/mcp-gateway-dashboard branch from ba76bea to 64acfdc on June 5, 2026 17:19
pandemicsyn marked this pull request as ready for review on June 5, 2026 17:23
Comment thread apps/web/src/app/(app)/cloud/mcp-gateway/page.tsx Outdated
Comment thread apps/web/src/routers/mcp-gateway-router.ts Outdated
Comment thread apps/web/src/lib/mcp-gateway/provider-oauth-service.ts Outdated
kilo-code-bot (Bot, Contributor) commented Jun 5, 2026

Code Review Summary

Status: 1 Issue Remaining | Recommendation: Address before merge

Executive Summary

The latest commit (56175f800) is a pure UI/UX polish change to McpGatewaySetupContent.tsx — no new issues introduced. The one remaining open item is the deferred SSRF concern on the discover mutation.

Overview

| Severity | Count |
| --- | --- |
| CRITICAL | 0 |
| WARNING | 1 |
| SUGGESTION | 0 |

Issue Details

WARNING

| File | Line | Issue |
| --- | --- | --- |
| apps/web/src/routers/mcp-gateway-router.ts | N/A | discover mutation still uses baseProcedure (plain authenticated procedure). It makes outbound HTTP requests to caller-supplied URLs and can be used as an SSRF probe by any authenticated user. Deferred by author. |

Resolved Issues

| File | Previous Issue | Status |
| --- | --- | --- |
| apps/web/src/lib/mcp-gateway/provider-oauth-service.ts | startDashboardProviderSignIn hardcoded scopes: ['profile'] | ✅ Fixed |
| apps/web/src/app/(app)/cloud/mcp-gateway/page.tsx | adminOnly: false gate missing | ✅ Fixed in 5e0479f95 |
| apps/web/src/lib/mcp-gateway/provider-oauth-service.ts | requireBearerTokenType redundant null check after the call | ✅ Fixed |
| apps/web/src/lib/mcp-gateway/config-service.ts | providerScopeSource used as ProviderScopeSource cast | ✅ Fixed |
| apps/web/src/app/(app)/cloud/mcp-gateway/McpGatewaySetupContent.tsx | Empty providerScopes = [] sent as truthy override | ✅ Fixed in 9fe0955f5 |
| apps/web/src/app/(app)/cloud/mcp-gateway/McpGatewaySetupContent.tsx | Duplicate id="auth-mode-hint" breaking aria-describedby | ✅ Fixed in 9fe0955f5 |

Latest Commit Analysis (56175f8)

McpGatewaySetupContent.tsx — UI/UX polish to the setup flow:

  • Adds providerScopesExpanded draft flag; collapses provider scopes behind a progressive-disclosure + Add provider scopes button. The scopes field auto-reveals when providerScopes or providerScopesEdited is truthy, keeping existing data visible.
  • Removes authModeLabel helper (only caller was the review row, which is also removed).
  • Refactors DiscoveryStatus from early-return branches into a single ternary tree under one outer aria-live="polite" wrapper; logic is equivalent.
  • Adds inline accessIncomplete hint messages below the disabled submit button for oauth_static and static_headers modes — covers all cases where accessIncomplete can be true.
  • Layout changes: max-width 5xl→3xl, heading text-2xl font-semibold→text-3xl font-bold, ReviewRow layout changed to sm:grid sm:grid-cols-[9rem_minmax(0,1fr)].
  • No logic changes, no new issues.

Files Reviewed (21 files — incremental since 579ef1f)

  • apps/web/src/app/(app)/cloud/mcp-gateway/McpGatewaySetupContent.tsx — layout/UX polish only, no issues
  • apps/web/src/app/(app)/cloud/mcp-gateway/McpGatewayDetailContent.tsx — layout polish only (prior commit), no issues
  • apps/web/src/app/(app)/cloud/mcp-gateway/McpGatewayListContent.tsx — no issues
  • apps/web/src/app/(app)/cloud/mcp-gateway/OrgMemberPicker.tsx — no issues
  • apps/web/src/lib/mcp-gateway/config-service.ts — no issues
  • apps/web/src/routers/mcp-gateway-router.ts — SSRF concern on discover carried forward (deferred)


Reviewed by claude-4.6-sonnet-20260217 · 720,959 tokens

Review guidance: REVIEW.md from base branch main
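
An added example, not part of the review comment or the project's code: one way a server-side discovery fetch can vet a caller-supplied URL before any request is made, which is the kind of destination check the SSRF warning on the discover mutation calls for. The names `checkDiscoveryTarget` and `isBlockedAddress` are hypothetical, and DNS resolution is assumed to be done by the caller and passed in as `resolved`.

```typescript
// Added example: hypothetical pre-flight check for a server-side discovery fetch.
type Verdict = { ok: true; url: URL } | { ok: false; reason: string };

// IPv4 ranges a server-side fetch must never reach: [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function v4ToInt(ip: string): number | null {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isBlockedAddress(ip: string): boolean {
  const lower = ip.toLowerCase();
  // Unwrap IPv4-mapped IPv6 written in dotted form (::ffff:127.0.0.1).
  const n = v4ToInt(lower.replace(/^::ffff:/, ''));
  if (n !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const base = v4ToInt(net) as number;
      return n >= base && n < base + 2 ** (32 - bits);
    });
  }
  if (lower.indexOf(':') === -1) return true; // not an IP literal: fail closed
  // IPv6 loopback, unspecified, fc00::/7, fe80::/10, and mapped addresses in hex form.
  return lower === '::1' || lower === '::' || /^f[cd][0-9a-f]{2}:/.test(lower) ||
    /^fe[89ab][0-9a-f]:/.test(lower) || /^::ffff:/.test(lower);
}

// `resolved` holds every address DNS returned for the host (assumed resolved by the caller).
function checkDiscoveryTarget(raw: string, resolved: string[]): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch (e) { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (url.port !== '') return { ok: false, reason: 'non-default port' };
  if (resolved.length === 0) return { ok: false, reason: 'host did not resolve' };
  const bad = resolved.filter(isBlockedAddress);
  if (bad.length > 0) return { ok: false, reason: 'blocked address ' + bad[0] };
  return { ok: true, url };
}
```

The check only holds if the subsequent request connects to one of the vetted addresses rather than resolving the name again, and if every redirect target is run through the same function before it is followed.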

Comment thread apps/web/src/app/(app)/cloud/mcp-gateway/McpGatewaySetupContent.tsx Outdated
Comment thread apps/web/src/app/(app)/cloud/mcp-gateway/McpGatewaySetupContent.tsx Outdated