feat: PlatformSystemResourceProvider (system-scope MCP resources)

[poxet]

Summary

Phase 5 MCP work, system-scope slice. Exposes read-only diagnostic data under platform://system/* for Developer callers.

What's new

PlatformSystemResourceProvider in Tharga.Platform.Mcp — opt-in via McpPlatformOptions.ExposeSystemResources (default false).

Resources (listed only when the matching dependency is registered):

URI	Source
platform://system/apikeys	IApiKeyAdministrationService.GetSystemKeysAsync() — raw values / hashes redacted
platform://system/roles	ITenantRoleRegistry.All
platform://system/audit	CompositeAuditLogger.QueryAsync — last 7 days, top 100

Non-Developer callers get an empty ListResourcesAsync and UnauthorizedAccessException from ReadResourceAsync.

Sample wiring

Tharga.Platform.Sample now registers the MCP bridge:

builder.Services.AddThargaMcp(mcp => mcp.AddMcpPlatform());
// ...
app.UseThargaMcp();

Deferred

Cross-tenant team listing (platform://system/teams) and per-team API-key listing require a new ITeamService.GetAllTeamsAsync() method and matching base-class / repository implementation. Tracked as a follow-up.

A related cross-project request was filed under Tharga.Mcp to have UseThargaMcp() auto-apply .RequireAuthorization() when ThargaMcpOptions.RequireAuth == true. Once that lands, MapMcpPlatform() in this package becomes redundant.

Tests

11 new (9 provider + 2 registration). Full suite: 235 passing.

Test plan

• Build + security checks pass
• Sample runs; MCP endpoint at /mcp responds
• With ExposeSystemResources = true, Developer sees the three resources; non-Developer sees none

[codecov]

Codecov Report

❌ Patch coverage is 91.58879% with 9 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...rga.Platform.Mcp/PlatformSystemResourceProvider.cs	91.34%	3 Missing and 6 partials ⚠️

📢 Thoughts on this report? Let us know!