feat(mcp): add config command reporting resolved configuration provenance

[glorydavid03023]

Summary

Adds a config command to the gittensory-mcp CLI that prints the resolved effective configuration and where each value came from:

$ gittensory-mcp config
API URL: https://gittensory-api.aethereal.dev (default)
Active profile: default (1 configured)
Config file: absent (location: default)
Cache dir: default
Token: not configured
Source upload: disabled (unsupported)

$ gittensory-mcp config --json
{
  "apiUrl": "https://gittensory-api.aethereal.dev",
  "apiUrlSource": "default",
  "activeProfile": "default",
  "profileCount": 1,
  "configured": false,
  "configPathSource": "default",
  "cacheDirSource": "default",
  "tokenConfigured": false,
  "tokenSource": "none",
  "sourceUpload": { "default": false, "supported": false },
  "profile": { ... }
}

Each value is attributed to its source — environment, profile, config (file), or default.

Why this is useful (and not a duplicate of existing commands)

This fills a real diagnostic gap. status reports health/version, doctor runs check-style diagnostics, and whoami shows session identity — but none answer the common question "what configuration is actually in effect, and which source supplied it?" That question comes up whenever an API URL, profile, or config-file location is not being picked up as expected (env vs profile vs global config vs default). config makes that resolution explicit in one place.

Why no linked issue

Additive, low-risk CLI ergonomics only. No public-behavior, auth/session, schema, deploy, or frontend-architecture change, so per CONTRIBUTING this does not require an issue first. Happy to file one if maintainers prefer.

Privacy

Output prints provenance labels only — never token values or local absolute paths — preserving the CLI's existing redaction invariant. A test asserts that neither a configured token nor the config directory path appears in output.

Changes

• packages/gittensory-mcp/bin/gittensory-mcp.js — config dispatch in runCli, configCommand() with resolvedApiUrlSource() / resolvedConfigPathSource() / resolvedTokenSource() helpers, and a help-text usage line.
• test/unit/mcp-cli.test.ts — cover default resolution, environment overrides (with token/path non-leak assertions), named-profile resolution from the config file, and a global config file reached through a config-path override.
• packages/gittensory-mcp/README.md — document the command, its sources, and the --json form.

Contract notes

No MCP tool or HTTP/OpenAPI contract changes. Adds a local CLI command surface only; the --json payload is additive and parseable.

Validation

Intended gate (CONTRIBUTING required checks):

npm run build:mcp
npm run test:mcp-pack
npm run typecheck
npm run test:coverage
npm run test:ci

Transparency note: my local authoring environment had no Node runtime available, so I could not execute the gate locally before opening this PR. The change was prepared against the existing CLI dispatch/config-resolution/test patterns and is intended to be validated by CI on this PR (I will also run the full gate locally). I aimed for thorough branch coverage of the new provenance helpers; if any check needs adjustment I'll follow up promptly.

Security / privacy

No auth, cookie, CORS, GitHub App output, identity, or contributor-evidence changes. The command exposes only provenance labels, the public API URL, and the user's own profile state — no tokens, local paths, wallet/hotkey, or scoring context.

[JSONbored]

@glorydavid03023 this is a useful MCP diagnostic command, but it needs validation evidence before merge.

A few notes:

• Showing config provenance without printing token values or local paths is the right behavior.
• The --json shape is useful for tooling.
• The blocker is validation evidence, not the command idea.

Required changes:

• Run the relevant MCP gate locally or clearly state any environment blocker with exact skipped checks.
• Keep the token/path redaction assertions in the tests.
• Make sure README output examples match the final command output.

Validation expected:

• npm run build:mcp
• npm run test:mcp-pack
• npm run typecheck
• Focused test/unit/mcp-cli.test.ts

[gittensory]

Note

Gittensory Gate skipped

PR closed before full evaluation. No late first comment was created.

Signal	Result	Evidence	Action
Gate result	⚠️ Skipped	#335 is no longer open.	No action.

---

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

[glorydavid03023]

Rebased onto the latest main (resolved the test-file overlap with the now-merged version and completion commands) and validated locally on Node v20.18.1 (CI runs Node 22):

• npm run build:mcp → pass (exit 0)
• npm run typecheck → pass (exit 0)
• Focused test/unit/mcp-cli.test.ts → the 4 config cases pass, and the merged version/completion cases still pass
• gittensory-mcp config smoke output verified (provenance + redaction)

The one pre-existing test that times out locally (rejects unsafe server-provided packet markdown, a git init + subprocess test) is environment-only and passes on CI. Diff is exactly the 3 expected files.

[JSONbored]

@glorydavid03023 this is ready.

A few notes:

• config fills a real gap between status, doctor, and whoami.
• The output reports source provenance without leaking tokens or local absolute paths.
• The tests cover default, environment, profile, and config-file resolution.
• No code changes requested.