feat(diagnostics): classify OAuth login-required (MCP-1820)

[Dumbris]

Summary

Foundation task MCP-1820 under epic MCP-1819. Makes OAuth "needs sign-in" classify correctly instead of falling through to MCPX_UNKNOWN_UNCLASSIFIED (which drives a misleading "file a bug" CTA), and stops the health calculator from painting an expected first-time login as unhealthy/red.

Changes

• internal/diagnostics/codes.go — add MCPX_OAUTH_LOGIN_REQUIRED and MCPX_OAUTH_REAUTH_REQUIRED (OAUTH domain), documented as actionable user-states (NOT faults).
• internal/diagnostics/registry.go — catalog entries with login-oriented fix steps (Sign in / Sign in again), never file-a-bug. Login = warn, re-auth = error.
• internal/diagnostics/classifier.go — classifyOAuth string backstops: "oauth authentication required", "login available", "mcpproxy auth login" → login; "re-login available", "re-authentication required", "server error with stored token" → re-auth. Re-auth is matched first because "re-login available" contains "login available".
• internal/upstream/core/connection_oauth.go — ErrOAuthPending.Code() typed fast-path: default/login-available message → OAuthLoginRequired; the stored-token-broke (server-5xx) message → OAuthReauthRequired.
• internal/health/calculator.go — error/disconnected branches: first-time sign-in → degraded/amber + login + "Sign-in required"; re-auth and other genuine OAuth errors (revoked / invalid_grant) stay unhealthy/red. Connection-failure precedence in isOAuthRelatedError preserved (offline servers still suggest restart).
• docs/errors/ — pages for both new codes + catalog index entries.

Tests (TDD)

• internal/diagnostics/classifier_test.go — both codes, typed fast-path + string backstop (incl. the re-login/login substring-ordering case).
• internal/upstream/core/oauth_error_test.go — ErrOAuthPending.Code() + end-to-end diagnostics.Classify.
• internal/health/calculator_test.go — login → degraded+login+"Sign-in required"; re-auth → unhealthy+login (both error and disconnected states).

Verification

• go build ./... — clean
• go test -race ./internal/diagnostics/... ./internal/health/... ./internal/upstream/... ./internal/runtime/... — all green
• ./scripts/run-linter.sh — 0 issues

Related #MCP-1820

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	75dcefc
Status:	✅  Deploy successful!
Preview URL:	https://1495c3ca.mcpproxy-docs.pages.dev
Branch Preview URL:	https://mcp-1820-oauth-login-classif.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: mcp-1820-oauth-login-classify

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (28 MB)
• archive-windows-arm64 (24 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27221871300 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

[mcpproxy-gatekeeper]

✅ Gatekeeper approval — Codex review verdict: ACCEPT.

This approval is posted automatically by the MCPProxy Gatekeeper App on behalf of the Codex reviewer (verdict of record lives in the Paperclip review thread). Author≠approver satisfied; QA + CI gates enforced separately.

Auto-approved per Model B (MCP-1249).