feat: support custom static auth header injection for remote MCP catalog entries

[worthyfarmstead-rgb]

Summary

Adds support for custom static HTTP header injection in MCP catalog entries, enabling integration with upstream MCP servers that require API keys in non-Authorization headers (e.g. x-api-key).

Closes #3717

Problem

Static credentials for remote MCP servers currently only support Authorization header injection via access_token or raw_access_token. Many third-party APIs and MCP wrappers expect API keys in custom headers like x-api-key, which today requires a proxy or upstream server modification.

Solution

Extends the existing UserConfigFieldSchema with an optional headerName property. When a catalog admin configures a credential field with headerName, the backend injects the corresponding secret value as that HTTP header instead of the default Authorization header.

Changes

Backend (platform/backend)

• types/mcp-catalog.ts: Added headerName: z.string().optional() to UserConfigFieldSchema
• clients/mcp-client.ts: Added custom header injection loop for both local (streamable-http) and remote transport paths — iterates over catalogItem.userConfig entries and injects any field with headerName set

Frontend (platform/frontend)

• mcp-catalog-form.types.ts: Added custom_header to authMethod enum and customHeaderName field
• mcp-catalog-form.utils.ts: Handles form→API and API→form transforms for the new auth method
• mcp-catalog-form.tsx: Added "Custom header" radio option with header name input field

Design decisions

• Follows the existing enterprise-managed credentials pattern (headerName / headerValue) but extends it to static userConfig fields
• Backwards-compatible: existing catalog items without headerName are unaffected
• Custom headers are additive — they don't conflict with the existing access_token/raw_access_token fallback chain
• Multiple custom headers are supported by defining multiple userConfig fields with different headerName values

Test plan

• Create a remote MCP catalog entry with "Custom header" auth method and header name x-api-key
• Install the server and provide a valid API key value
• Verify the outbound request to the upstream MCP server includes x-api-key: <value>
• Verify existing bearer/raw_token/oauth auth methods still work unchanged
• Verify editing an existing custom-header catalog item correctly populates the form

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[worthyfarmstead-rgb]

I have read the CLA Document and I hereby sign the CLA