feat(connect): on-demand per-client status REST route + denied remediation (spec 075 T025-T029)

[Dumbris]

What

Polish for the macOS TCC-safe Connect wizard (spec 075, T025–T029). Completes the REST contract in specs/075-macos-tcc-connect/contracts/connect-status.md on top of the already-merged US1 (#706) and US2 (#707).

• GET /api/v1/connect/{client} (new): on-demand single-client status that reads the config at request time and resolves access_state to accessible|absent|malformed|denied. This is the sole Connect endpoint that opens a client config file, so on macOS it is the only place an App-Data privacy prompt may legitimately appear (scoped to user action). Unknown client → 404; a denial is reported in-band (200 + access_state="denied" + remediation), not as an HTTP error.
• Denied connect/disconnect → 403: a permission-denied *connect.AccessError maps to 403 Forbidden carrying the remediation text, distinct from a generic 400 or a 404 not-found.
• The overall GET /api/v1/connect listing already serialized the additive access_state (unknown) / remediation fields — confirmed additive-only, no content reads.
• Docs: macOS "App Data privacy & Connect" note (cause + tccutil reset) in docs/api/rest-api.md; CLAUDE.md REST-payload note for the new fields.
• Regenerated oas/ (swagger + docs.go) for the new route.

Note: the diagnostics <diag-pkg> doctor check (T027/T029 mention) is a separate issue (MCP-2831) not yet on main, so it is out of this PR's lint/test scope.

Tests (TDD)

New internal/httpapi/connect_test.go cases, written failing first:

• TestHandleGetConnectStatus_IncludesAccessStateUnknown — overall listing additive, no content read.
• TestHandleGetConnectClientStatus_Connected|Absent|UnknownClient|DeniedSurfacesRemediation — on-demand route resolution + 404 + in-band denial.
• TestHandleConnectClient_DeniedReturnsRemediation — denied write → 403 with remediation.

Verification

• go build ./cmd/mcpproxy + go build -tags server ./cmd/mcpproxy ✅
• go test -race ./internal/connect/... ./internal/httpapi/... ✅
• golangci-lint run --config .github/.golangci.yml ./internal/connect/... ./internal/httpapi/... → 0 issues ✅
• ./scripts/test-api-e2e.sh → 65/65 PASS (SC-006, no regression) ✅

Related #696

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	07c59f1
Status:	✅  Deploy successful!
Preview URL:	https://fc023c1f.mcpproxy-docs.pages.dev
Branch Preview URL:	https://feat-075-connect-rest-polish.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 68.00000% with 8 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/httpapi/connect.go	66.66%	6 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: feat/075-connect-rest-polish

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (28 MB)
• archive-windows-arm64 (25 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27741995541 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.