feat(platform): opencode MCP bridge — remote A2A tools over HTTP (#800)
Implements sub-issues #809 (MCPHandler), #810 (tool filtering), #811
(per-token rate limiting), #813 (opencode.json), #814 (docs).
Routes (registered under wsAuth — bearer token binds to :id):
GET /workspaces/:id/mcp/stream — SSE transport (backwards compat)
POST /workspaces/:id/mcp — Streamable HTTP transport (primary)
Security conditions from review (all mandatory):
C1: WorkspaceAuth middleware rejects requests without valid bearer token
C2: MCPRateLimiter (120 req/min/token, SHA-256 keyed) applied on both routes
C3: commit_memory/recall_memory with scope=GLOBAL → permission error;
send_message_to_user excluded unless MOLECULE_MCP_ALLOW_SEND_MESSAGE=true
Tools: list_peers, get_workspace_info, delegate_task, delegate_task_async,
check_task_status, send_message_to_user (opt-in), commit_memory, recall_memory.
All mirror workspace-template/a2a_mcp_server.py TOOLS list.
Also adds: org-templates/molecule-dev/opencode.json, docs/integrations/opencode.md,
.env.example entries for MOLECULE_MCP_ALLOW_SEND_MESSAGE and MOLECULE_MCP_URL.
Tests: 29 new tests (20 handler + 9 middleware). All passing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
18c00726b8