Implement upstream_inject strategy and SubjectProviderName

[jhrozek]

Summary

• Phase 2 of the embedded auth server work (RFC-0054): backends configured with
  upstream_inject need to receive per-provider upstream IDP tokens. This adds
  the runtime strategy and extends token_exchange to source its subject token
  from upstream tokens when SubjectProviderName is configured.
• Adds UpstreamInjectStrategy (stateless, follows the header_injection pattern)
  that reads from Identity.UpstreamTokens and sets the Authorization header.
• Extends TokenExchangeStrategy to resolve the subject token from upstream tokens
  when SubjectProviderName is set, falling back to Identity.Token.
• Fixes a bug in handleSpecValidationError that swallowed the status-apply error
  and proceeded to ensureDeployment even when the ConfigMap was not created.

Fixes #4145

Type of change

• New feature

Test plan

• Unit tests (task test)
• Linting (task lint-fix)

Changes

File	Change
pkg/vmcp/auth/strategies/upstream_inject.go	New UpstreamInjectStrategy — looks up provider token from identity, sets Bearer header
pkg/vmcp/auth/strategies/upstream_inject_test.go	Comprehensive tests: valid injection, missing identity, nil map, health check bypass, validation
pkg/vmcp/auth/strategies/tokenexchange.go	Resolve subject token from UpstreamTokens[SubjectProviderName] when configured
pkg/vmcp/auth/strategies/tokenexchange_test.go	Tests for upstream token selection and ErrUpstreamTokenNotFound sentinel
pkg/vmcp/auth/types/types.go	Add ErrUpstreamTokenNotFound, StrategyTypeUpstreamInject, SubjectProviderName field
pkg/vmcp/auth/factory/outgoing.go	Register upstream_inject in factory
pkg/vmcp/auth/factory/outgoing_test.go	Add strategy to registry assertions
cmd/thv-operator/controllers/virtualmcpserver_controller.go	Fix handleSpecValidationError to propagate status-apply errors and stop reconciliation

Special notes for reviewers

• Stacked on Wire embedded auth server into VirtualMCPServer converter and deployment #4383. Review only the top commit.
• The controller fix is small but important: previously if ensureVmcpConfigConfigMap returned a SpecValidationError, the reconciler would swallow a failed status update and then fall through to ensureDeployment with a potentially stale/missing ConfigMap.

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 84.93151% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.49%. Comparing base (7cff3cd) to head (99c8e33).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...perator/controllers/virtualmcpserver_controller.go	67.85%	7 Missing and 2 partials ⚠️
pkg/vmcp/auth/factory/outgoing.go	60.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4390      +/-   ##
==========================================
+ Coverage   69.47%   69.49%   +0.02%     
==========================================
  Files         485      486       +1     
  Lines       49969    50017      +48     
==========================================
+ Hits        34715    34760      +45     
- Misses      12570    12574       +4     
+ Partials     2684     2683       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

The base branch was changed.