feat(oauth): add OAuth authentication for MCP HTTP mode

[jwerle]

• discover oauth server metadata, expose protected resource metadata, and introspect bearer tokens for incoming requests
• pass auth'd access tokens through to Socket API calls returning 401/403 when auth fails

[Copilot]

Pull request overview

This PR adds OAuth 2.0 authentication support for the MCP server when running in HTTP mode. It implements the full OAuth resource-server flow: discovery of the upstream authorization server's metadata, exposure of a protected resource metadata endpoint (RFC 9728), per-request Bearer token introspection, scope checking, and forwarding the validated token to Socket API calls. Non-OAuth HTTP mode and stdio mode continue to work with a static API key.

Changes:

• Added OAuth metadata discovery, token introspection (verifyAccessToken), and request authentication (authenticateRequest) functions with all associated helpers
• Exposed /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource endpoints when OAuth is enabled
• Threaded extra.authInfo.token through to Socket API calls so authenticated tokens are forwarded, with explicit 401/403 error handling

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.