Add Virtual MCP Server proposal (#2106)

* Add Virtual MCP Server proposal

This proposal introduces a Virtual MCP Server that aggregates multiple
MCP servers from a ToolHive group into a single unified interface.

Key features:
- Leverages existing ToolHive groups for backend management
- Uses existing ToolsFilter and ToolOverride constructs
- Supports per-backend authentication strategies
- Enables composite tools for cross-service workflows
- Maintains full MCP protocol compatibility

The Virtual MCP Server will simplify client integration by providing a
single connection point while handling the complexity of multiple backend
authentication requirements and tool namespace management.

Signed-off-by: Juan Antonio Osorio <[email protected]>

* Clarify Virtual MCP authentication boundaries and token flow

This commit addresses feedback about the two authentication boundaries
in the Virtual MCP proposal and clarifies that exchanged tokens are
meant for backend APIs, not for authenticating to backend MCP servers.

Key changes:

- Updated "Two Authentication Boundaries" section to explicitly state
  that outgoing authentication is for "Backend APIs" with tokens that
  backend MCP servers use directly to call upstream APIs

- Enhanced architecture diagram to show the complete token flow:
  Client → Virtual MCP → Backend MCP Server → External API, making it
  clear that APIs validate tokens, not MCP servers

- Revised security model to emphasize API-level authentication and
  added property explaining MCP server simplicity (focus on business
  logic, not auth)

- Updated sequence diagram to include External API as separate
  participant with explicit note that backend MCP does NOT validate
  tokens

- Added concrete Google Docs MCP server example demonstrating the full
  authentication flow with tokens scoped for Google Workspace API

- Updated configuration comments to clarify that token audiences are
  for backend APIs (e.g., "github-api" for GitHub's REST API)

This design follows the ToolHive pattern where MCP servers focus on
business logic while security relies on network isolation and properly
scoped API tokens validated by the external APIs themselves.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* Address elicitation cancellation comment.

Signed-off-by: Juan Antonio Osorio <[email protected]>

* Re-organize implementation phases

Signed-off-by: Juan Antonio Osorio <[email protected]>

---------

Signed-off-by: Juan Antonio Osorio <[email protected]>
Co-authored-by: Claude <[email protected]>

Author: JAORMX