feat(auth): accept sktsec_-prefixed Socket API keys as Bearer tokens

[annextuckner]

Problem

A client could only authenticate to an OAuth-enabled HTTP deployment (e.g. https://mcp.socket.dev/) with an OAuth access token. routeRequest ran every Authorization: Bearer token through OAuth introspection, so a raw Socket API key was rejected as invalid_token. A config like this failed:

"socket-mcp": {
  "command": "npx",
  "args": ["-y", "mcp-remote", "https://mcp.socket.dev/",
           "--header", "Authorization: Bearer sktsec_..."]
}

Change

Recognize a Socket API token by its sktsec_ prefix on the standard Authorization: Bearer header and apply it directly to req.auth, bypassing introspection. The auth dispatch is now:

Bearer token	OAuth on	OAuth off
sktsec_-prefixed	Socket API key (skip introspection)	Socket API key
other	OAuth introspection (unchanged)	applyClientApiKey (unchanged)

This keeps the same header working in both modes — no custom header needed — and leaves OAuth and non-OAuth behavior otherwise untouched.

The API-key helpers were extracted into lib/http-auth.ts (keeps http-server.ts under the 500-line lint cap); the test file was renamed to match.

Note

This trusts the sktsec_ prefix as the discriminator between Socket API tokens and OAuth access tokens — consistent with the SOCKET_PUBLIC_API_TOKEN constant in @socketsecurity/lib.

Verification

• pnpm run lint ✅
• pnpm test — 144 passed ✅
• pnpm run test:tsc ✅

Local manual test (OAuth off): MCP_HTTP_MODE=true SOCKET_API_TOKEN=<sktsec_...> node --experimental-strip-types index.ts --http, then point mcp-remote at http://localhost:3000/ with --header "Authorization: Bearer sktsec_...".

🤖 Generated with Claude Code

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[Bret Comnes (bcomnes)]

LGTM