feat(mcp): expose Tencent tools over MCP #182

Merged
rafeegnash merged 1 commit into bgdnvk:master from rephapeng:pr/tencent-mcp on Jun 1, 2026
@rephapeng
Contributor

Summary

Adds an MCP (Model Context Protocol) surface for the Tencent Cloud provider, so the Tencent inventory/scan/cost/maker capabilities already in the tree are reachable from MCP clients — not just the CLI.

  • New cmd/mcp_tencent.go registers ten Tencent tools on the shared MCP server.
  • One-line wiring: registerTencentMCPTools(server) in newClankerMCPServer() (cmd/mcp.go).

Design

Each tool delegates to clanker-api's existing HTTP surface behind bearer auth rather than calling the Tencent SDK directly:

  • /api/v1/tencent/* — resources, the ten security scans, metrics, cost, vouchers, topology, expiry
  • /api/v1/maker/* — plan / apply / history

So the MCP layer introduces no new Tencent credentials and no new provider code — every endpoint it calls already ships in internal/api. Adding a future tool is a one-function addition.

Tools: list, scan (the ten security audits), metrics, expiry, cost, vouchers, topology, audit_history, maker_plan, maker_apply. The write tools (maker_apply) require explicit human_approved=true.

Test plan

  • go build ./... against master (Docker, golang:1.25, -mod=mod)
  • go vet ./cmd/...
  • gofmt -s -l clean
  • Manual: run clanker mcp + clanker-api, exercise a read tool (clanker_tencent_list) and confirm it returns the same JSON as GET /api/v1/tencent/resources/{type}

Adds cmd/mcp_tencent.go, which registers ten Tencent tools on the shared
MCP server, and wires registerTencentMCPTools into newClankerMCPServer.

Each tool delegates to clanker-api's existing HTTP surface
(/api/v1/tencent/* and /api/v1/maker/*) behind bearer auth rather than
calling the Tencent SDK directly, so the MCP layer introduces no new
Tencent credentials or provider code of its own — every endpoint it
calls already ships in internal/api.

Tools: list, scan (the ten security audits), metrics, expiry, cost,
vouchers, topology, audit_history, maker_plan, maker_apply.
Collaborator

@rafeegnash rafeegnash left a comment

Thanks for this — really well thought out. A few things stood out:

  • The architectural choice to delegate to clanker-api over HTTP instead of duplicating the Tencent SDK into the MCP layer is the right call. One set of creds in .env, and every future endpoint becomes a one-function MCP exposure here.
  • I verified every endpoint you call against internal/api/routes.go — all 27 land on real handlers (including the ten scan kinds, the two metric products, the three voucher paths, expiry, topology, and the three maker routes).
  • The schema work is more thorough than what's already in the tree. The footnote about mcp.WithInputSchema[T]() reflecting empty schemas in this version of mark3labs/mcp-go is a useful catch — it tells us the existing Vercel/Fly/Railway/Verda tools (and the Sentry ones we just landed) probably need the same treatment in a follow-up.
  • The write-tool gating on clanker_tencent_maker_apply is layered exactly the way it should be: hint annotations for MCP-aware clients, explicit policy in the description so the LLM sees it, required human_approved=true schema gate, and a server-side backstop refusal. Combined with the existing destroyer=true validator that's a solid four-layer guard.

CI is green across both Go 1.23 and 1.24 builds. Squash-merging.

@rafeegnash rafeegnash merged commit bc5fd7b into bgdnvk:master Jun 1, 2026
5 checks passed
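
An added illustration of the server-side backstop refusal described in the review (not code from this PR or from the clanker tree): the handler refuses a maker_apply call unless human_approved is the JSON boolean true, and does so before any request reaches clanker-api. ApplyPlan, the base URL, the token and the exact /api/v1/maker/apply path are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// ErrNotApproved is the server-side backstop refusal; no request is sent.
var ErrNotApproved = errors.New("maker_apply refused: human_approved must be JSON true")

// approved accepts only the JSON boolean true. A missing key, null, the
// string "true" and the number 1 are all refused.
func approved(args map[string]json.RawMessage) bool {
	var ok bool
	if err := json.Unmarshal(args["human_approved"], &ok); err != nil {
		return false
	}
	return ok
}

// ApplyPlan is a hypothetical handler body for the write tool. The base URL,
// the token and the exact /api/v1/maker/apply path are assumptions.
func ApplyPlan(c *http.Client, baseURL, token string, rawArgs []byte) (int, error) {
	var args map[string]json.RawMessage
	if err := json.Unmarshal(rawArgs, &args); err != nil {
		return 0, fmt.Errorf("bad tool arguments: %w", err)
	}
	if !approved(args) {
		return 0, ErrNotApproved // checked before any network I/O
	}
	req, err := http.NewRequest(http.MethodPost, baseURL+"/api/v1/maker/apply", bytes.NewReader(rawArgs))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed input: a client that sends the string "true", not a boolean.
	_, err := ApplyPlan(http.DefaultClient, "http://127.0.0.1:0", "placeholder-token", []byte(`{"human_approved":"true"}`))
	fmt.Println(err)
}
```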