feat(mcp-gateway): implement OAuth runtime gateway #3717

Draft: pandemicsyn wants to merge 6 commits into feat/mcp-gateway-scaffold from feat/mcp-gateway-implementation

@pandemicsyn
Contributor

Summary

  • Implement PR2 of the MCP Gateway as a stacked change on feat/mcp-gateway-scaffold, adding the app-owned OAuth/control plane, shared gateway domain package, gateway Postgres schema/migration, and Worker-owned runtime proxy.
  • Add dynamic client registration, authorization-code plus refresh-token flows, provider authorization and grant persistence, derived connect tokens, route/assignment lifecycle handling, encrypted secrets, per-instance DO refresh coordination, and strict runtime rechecks for scoped connect routes.
  • Harden the runtime boundary with route-key rotation, owner/context checks, Origin validation, strict header filtering, non-public upstream rejection, no redirect credential forwarding, explicit bearer provider tokens, consent-gated authorization, and a single consolidated Kilo v1 gateway spec.
  • Add local key-generation tooling, copy-ready Worker dev vars, fixture-driven app flow coverage, Worker route/proxy tests, soft-delete cleanup coverage, and IPv4/IPv6 public-address policy regressions.

Verification

  • Started the local mcp-gateway Worker and confirmed it booted on http://0.0.0.0:8806.
  • Requested GET /health locally and confirmed a 200 response with {"status":"ok","service":"mcp-gateway"}.
  • Requested GET /.well-known/oauth-protected-resource locally and confirmed protected-resource metadata is returned.
  • Requested an unauthenticated scoped /mcp-connect/... route locally and confirmed a 401 OAuth challenge with WWW-Authenticate.
  • Additional manual verification details:

Visual Changes

N/A

Reviewer Notes

  • This PR is intentionally stacked on feat/mcp-gateway-scaffold; the base should remain that branch until PR1 merges.
  • The app owns first-level OAuth and provider callbacks, while the Worker owns protected-resource metadata, runtime proxying, fresh Postgres rechecks, credential injection, and per-instance refresh coordination.
  • The consolidated .specs/mcp-gateway-auth.md is now the single in-repo contract for Kilo v1; the earlier baseline/profile split was removed.
  • The Worker does best-effort dual-stack DoH validation for arbitrary third-party upstreams and explicitly does not follow redirects with injected credentials.
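The "non-public upstream rejection" and "IPv4/IPv6 public-address policy" items in the description above, sketched as an added example that is not code from this PR: a fail-closed check applied to every resolved A and AAAA answer. The function names, the blocklist contents and the sample addresses are assumptions made for illustration.

```javascript
// Added example: names and the blocklist are assumptions, not code from the PR.
const V4_BLOCKED = [ // [network, prefix length]
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.0.0.0", 24], ["192.0.2.0", 24],
  ["192.168.0.0", 16], ["198.18.0.0", 15], ["198.51.100.0", 24],
  ["203.0.113.0", 24], ["224.0.0.0", 3], // 224/3 = multicast and reserved
];
// Strict dotted quad -> unsigned 32-bit number, or null when malformed.
function parseV4(s) {
  const p = s.split(".");
  if (p.length !== 4 || !p.every((x) => /^\d{1,3}$/.test(x) && Number(x) <= 255)) return null;
  return p.reduce((acc, x) => acc * 256 + Number(x), 0);
}
function isPublicV4(n) {
  return !V4_BLOCKED.some(([net, len]) => {
    const size = 2 ** (32 - len);
    return Math.floor(n / size) === Math.floor(parseV4(net) / size);
  });
}
// IPv6 text -> eight 16-bit groups, or null when malformed (zone ids rejected).
function parseV6(s) {
  let text = s.toLowerCase();
  const cut = text.lastIndexOf(":") + 1;
  if (text.slice(cut).includes(".")) { // embedded IPv4 tail, e.g. ::ffff:10.0.0.1
    const v4 = parseV4(text.slice(cut));
    if (v4 === null) return null;
    text = text.slice(0, cut) + Math.floor(v4 / 65536).toString(16) + ":" + (v4 % 65536).toString(16);
  }
  const halves = text.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const rest = halves[1] ? halves[1].split(":") : [];
  const gap = 8 - head.length - rest.length;
  if (halves.length === 2 ? gap < 1 : gap !== 0) return null;
  const groups = [...head, ...Array(gap).fill("0"), ...rest];
  return groups.every((g) => /^[0-9a-f]{1,4}$/.test(g)) ? groups.map((g) => parseInt(g, 16)) : null;
}
// Fail closed: anything unparseable or outside global unicast space is non-public.
function isPublicAddress(ip) {
  const v4 = parseV4(ip);
  if (v4 !== null) return isPublicV4(v4);
  const g = parseV6(ip);
  if (g === null) return false;
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) return isPublicV4(g[6] * 65536 + g[7]); // IPv4-mapped
  return g[0] >= 0x2000 && g[0] <= 0x3fff && !(g[0] === 0x2001 && g[1] === 0x0db8);
}
// Dual-stack rule: every resolved A and AAAA answer must be public.
const upstreamAllowed = (answers) => answers.length > 0 && answers.every(isPublicAddress);
```

A check of this kind covers only the answers it was handed, so it protects the request only when the connection goes to those same validated addresses.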
