Refactor auth resolution logic in CLI backend discoverer

[jhrozek]

Context

Currently, the CLI backend discoverer in pkg/vmcp/aggregator/cli_discoverer.go contains authentication resolution logic that determines which auth strategy to use for each backend. This logic was flagged in PR #2451 review as being in the wrong location from an architectural perspective.

Current Implementation

The resolveAuthConfig() method in cli_discoverer.go (lines 141-160):

• Checks for backend-specific auth configuration
• Falls back to default auth configuration
• Returns auth strategy type and metadata

Proposed Change

Move this logic to the OutgoingAuthConfig struct as a method, improving separation of concerns:

// In pkg/vmcp/config/config.go
func (c *OutgoingAuthConfig) ResolveForBackend(backendID string) (string, map[string]any) {
    if strategy, ok := c.Backends[backendID]; ok && strategy != nil {
        return strategy.Type, strategy.Metadata
    }
    if c.Default != nil {
        return c.Default.Type, c.Default.Metadata
    }
    return "", nil
}

Then update the discoverer to call:

authStrategy, authMetadata := d.authConfig.ResolveForBackend(name)

Benefits

• Better separation of concerns - config knows how to resolve itself
• Makes auth resolution logic more predictable and testable
• Discoverer focuses on discovery, not config resolution
• Could be reused by other components that need auth resolution

Related

• Original PR: Implement outgoing authentication strategies for vMCP #2451
• Review comment: Implement outgoing authentication strategies for vMCP #2451 (comment)