Conversation

@Steve-Mcl
Contributor

Description

Introduce RBAC for Expert Insights MCP features, to ensure that users only see and interact with MCP server features they have permission to access based on the granular RBACs.

The most important changes are:

RBAC and Permission System Enhancements:

  • Added new, granular MCP-related permission keys (e.g., expert:insights:mcp:allow, expert:insights:mcp:tool:destructive) to the Permissions object in forge/lib/permissions.js
  • Implemented the filterAccessibleMCPServerFeatures function in new file forge/services/expert.js. This is called once in the MCP listing endpoint (for displaying to users) and every time the user chats (to ensure validity before posting to the BE service).

Backend API Changes (Expert API):

  • Updated the /expert routes in forge/routes/api/expert.js to:
    • Pass team membership model through request object for permission checks.
    • Filter MCP server features using the new RBAC logic before returning them to the frontend.
    • Ensure only running instances with accessible applications and appropriate permissions are included in the MCP server list.

Model and Data Structure Updates:

  • Updated the attributes returned for Project and Device models in forge/ee/db/models/MCPRegistration.js to include the state, to prevent requesting MCP features from an instance that isn't supposed to be running (avoid timeouts)
  • Added the application field to the MCP server item schema to improve association between instances and their applications

Frontend tweaks:

  • Modified frontend/src/components/expert/components/CapabilitiesSelector.vue to hide sections in the tooltip (e.g. if there are no tools, don't show the tools header and empty section!)

Test Updates:

  • Updated unit tests in test/unit/forge/routes/api/expert_spec.js to include the state and ApplicationId fields in test data, aligning tests with the new RBAC and filtering logic
  • Added test Expert API -> service enabled -> MCP features Endpoint -> ✔ should only get permitted mcp features when granular RBACs is enabled

Related Issue(s)

closes #6491

Checklist

  • I have read the contribution guidelines
  • Suitable unit/system level tests have been added and they pass
  • Documentation has been updated
    • Upgrade instructions
    • Configuration details
    • Concepts
  • Changes flowforge.yml?
    • Issue/PR raised on FlowFuse/helm to update ConfigMap Template
    • Issue/PR raised on FlowFuse/CloudProject to update values for Staging/Production
  • Link to Changelog Entry PR, or note why one is not needed.
    Changelog for MCP annotations and RBACs website#4381

Labels

  • Includes a DB migration? -> add the area:migration label
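The filtering pattern the description outlines (deny by default, drop non-running instances and instances whose application the caller cannot reach, strip destructive tools unless the caller holds the destructive-tool permission, and re-run the same check on every chat request rather than trusting the list the client was shown) can be sketched as follows. This is an added example written for this page, not code from the FlowFuse repository: only the two permission keys come from the PR; the shape of the permission set, of the MCP server entries and of the chat request, and the function names, are assumptions.

```javascript
// Added example, not the project's code. The two permission keys are named in
// the PR; every other name and data shape here is assumed for illustration.
const PERMISSIONS = {
    MCP_ALLOW: 'expert:insights:mcp:allow',
    MCP_TOOL_DESTRUCTIVE: 'expert:insights:mcp:tool:destructive'
}

// Assumed representation of a team member's granted permissions: a Set of keys.
function hasPermission (granted, key) {
    return granted instanceof Set && granted.has(key)
}

// Assumed shape of an MCP server entry:
// { instanceId, state, application: { id }, tools: [{ name, destructive }] }
// accessibleApplicationIds: Set of application ids the caller may access.
function filterAccessibleMCPFeatures (granted, accessibleApplicationIds, servers) {
    if (!hasPermission(granted, PERMISSIONS.MCP_ALLOW)) {
        return [] // no MCP access at all: return nothing, not a partial list
    }
    const canUseDestructive = hasPermission(granted, PERMISSIONS.MCP_TOOL_DESTRUCTIVE)
    const result = []
    for (const server of servers) {
        // skip instances that are not running, so the caller never waits on a dead endpoint
        if (server.state !== 'running') continue
        // skip instances whose application the caller cannot access
        if (!server.application || !accessibleApplicationIds.has(server.application.id)) continue
        // keep destructive tools only for callers holding the destructive-tool permission
        const tools = (server.tools || []).filter(tool => !tool.destructive || canUseDestructive)
        result.push({ instanceId: server.instanceId, application: server.application, tools })
    }
    return result
}

// Chat-time re-check: the client names the tools it wants to use; the request is
// rejected if any of them falls outside the freshly filtered set, because the
// list shown earlier may be stale or tampered with.
// requested: [{ instanceId, tool }]
function validateRequestedTools (granted, accessibleApplicationIds, servers, requested) {
    const permitted = new Set()
    for (const server of filterAccessibleMCPFeatures(granted, accessibleApplicationIds, servers)) {
        for (const tool of server.tools) {
            permitted.add(`${server.instanceId}/${tool.name}`)
        }
    }
    const rejected = requested.filter(r => !permitted.has(`${r.instanceId}/${r.tool}`))
    return { ok: rejected.length === 0, rejected }
}

// Constructed sample data (not real instances or tools)
const SAMPLE_SERVERS = [
    {
        instanceId: 'inst-a', state: 'running', application: { id: 'app-1' },
        tools: [{ name: 'read_flows', destructive: false }, { name: 'deploy_flows', destructive: true }]
    },
    {
        instanceId: 'inst-b', state: 'suspended', application: { id: 'app-1' },
        tools: [{ name: 'read_flows', destructive: false }]
    },
    {
        instanceId: 'inst-c', state: 'running', application: { id: 'app-2' },
        tools: [{ name: 'read_flows', destructive: false }]
    }
]
const SAMPLE_APPS = new Set(['app-1'])

// A member who may use MCP but not destructive tools, and one who may use both
const VIEWER = new Set([PERMISSIONS.MCP_ALLOW])
const OWNER = new Set([PERMISSIONS.MCP_ALLOW, PERMISSIONS.MCP_TOOL_DESTRUCTIVE])

// Listing for the viewer: only inst-a survives, and only its non-destructive tool
console.log(JSON.stringify(filterAccessibleMCPFeatures(VIEWER, SAMPLE_APPS, SAMPLE_SERVERS), null, 2))
// Chat request from the viewer for a destructive tool is rejected
console.log(validateRequestedTools(VIEWER, SAMPLE_APPS, SAMPLE_SERVERS, [{ instanceId: 'inst-a', tool: 'deploy_flows' }]))
```

The point of running the same function at chat time is that the listing endpoint and the chat endpoint cannot drift apart: whatever the client claims to have been shown, the backend service only receives tools the caller is permitted to use at that moment.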

@codecov

codecov bot commented Jan 13, 2026

Codecov Report

❌ Patch coverage is 77.88462% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.43%. Comparing base (ff69e98) to head (1943d77).
⚠️ Report is 16 commits behind head on main.

Files with missing lines      Patch %   Lines
forge/routes/api/expert.js    63.82%    17 Missing ⚠️
forge/services/expert.js      89.47%    6 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6494   +/-   ##
=======================================
  Coverage   76.42%   76.43%           
=======================================
  Files         396      397    +1     
  Lines       19890    19987   +97     
  Branches     4771     4808   +37     
=======================================
+ Hits        15201    15277   +76     
- Misses       4689     4710   +21     
Flag      Coverage Δ
backend   76.43% <77.88%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.

@Steve-Mcl Steve-Mcl requested a review from cstns January 13, 2026 21:36
@cstns cstns self-requested a review January 14, 2026 14:43
@Steve-Mcl
Contributor Author

Merged main to see if unrelated (flaky?) e2e test passes...

  1) FlowFuse - Brokers
       Third Party Broker
         should allow users to alter their newly created 3rd party broker:
     CypressError: `cy.click()` can only be called on a single element. Your subject contained 2 elements. Pass `{ multiple: true }` if you want to serially click each element.

@Steve-Mcl Steve-Mcl merged commit 3791bd7 into main Jan 14, 2026
27 checks passed
@Steve-Mcl Steve-Mcl deleted the 6491-mcp-rbacs branch January 14, 2026 18:05
Development

Successfully merging this pull request may close these issues.

Filter MCP Servers and Features based on RBACs