Add constants for authentication strategy types and metadata keys

[jhrozek]

Context

The vMCP authentication system currently uses magic strings for strategy types and metadata keys throughout the codebase. This was flagged in PR #2451 review as something that should use defined constants instead.

Current Usage of Magic Strings

Strategy Types:

• "header_injection" in pkg/vmcp/auth/strategies/outgoing.go
• "unauthenticated" in pkg/vmcp/auth/strategies/outgoing.go

Metadata Keys:

• "header_name" in pkg/vmcp/auth/strategies/header_injection.go
• "header_value" in pkg/vmcp/auth/strategies/header_injection.go

Proposed Change

Create pkg/vmcp/auth/strategies/constants.go:

package strategies

// Strategy type identifiers
const (
    StrategyTypeUnauthenticated = "unauthenticated"
    StrategyTypeHeaderInjection = "header_injection"
    // Future: StrategyTypeTokenExchange, StrategyTypeServiceAccount, etc.
)

// Metadata key names
const (
    MetadataHeaderName  = "header_name"
    MetadataHeaderValue = "header_value"
    // Future: MetadataTokenURL, MetadataClientID, etc.
)

Then replace all magic strings with these constants throughout:

• pkg/vmcp/auth/strategies/outgoing.go
• pkg/vmcp/auth/strategies/header_injection.go
• pkg/vmcp/auth/strategies/unauthenticated.go
• pkg/vmcp/config/yaml_loader.go (transform functions)

Benefits

• Type safety and autocomplete
• Single source of truth for string values
• Easier refactoring if names need to change
• Prevents typos in strategy/key names
• Self-documenting code

Related

• Original PR: Implement outgoing authentication strategies for vMCP #2451
• Review comments:
  • Implement outgoing authentication strategies for vMCP #2451 (comment)
  • Implement outgoing authentication strategies for vMCP #2451 (comment)
  • Implement outgoing authentication strategies for vMCP #2451 (comment)