fix: prevent _auth_ metadata from leaking to upstream MCP servers

[Dumbris]

Summary

• injectAuthMetadata() was mutating the args map in-place, causing _auth_* fields (auth_type, agent_name, token_prefix) to be forwarded to upstream MCP servers via CallTool()
• FastMCP-based servers using Pydantic's validate_call reject unknown keyword arguments, breaking all tool calls for authenticated users
• Fix: injectAuthMetadata() now returns a shallow copy; all 3 call sites use separate activityArgs for logging and clean args for upstream forwarding
• Added test TestInjectAuthMetadata_DoesNotMutateOriginal to prevent regression

Closes #322

Test plan

• All 8 TestInjectAuthMetadata_* / TestGetAuthMetadata_* tests pass
• Both personal and server edition builds compile
• Full internal/... test suite passes (only pre-existing e2e timeout unrelated to change)

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	542e7de
Status:	✅  Deploy successful!
Preview URL:	https://c3f8bf60.mcpproxy-docs.pages.dev
Branch Preview URL:	https://fix-auth-metadata-injection.mcpproxy-docs.pages.dev

View logs

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: fix/auth-metadata-injection-322

Available Artifacts

• archive-darwin-amd64 (24 MB)
• archive-darwin-arm64 (21 MB)
• archive-linux-amd64 (13 MB)
• archive-linux-arm64 (11 MB)
• archive-windows-amd64 (23 MB)
• archive-windows-arm64 (21 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (26 MB)
• installer-dmg-darwin-arm64 (24 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 22858711861 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.