feat(mcp-gateway): add management dashboard

[pandemicsyn]

Summary

• Add an admin-gated MCP Gateway management dashboard for personal and organization scopes, including connection discovery, setup, connect URL management, assignments, credentials, and provider sign-in controls.
• Introduce an app-owned dashboard tRPC/control-plane surface while preserving the existing two-plane architecture: apps/web manages configuration and OAuth workflows, and services/mcp-gateway remains responsible for runtime token verification and credential-injecting proxy behavior.
• Harden gateway lifecycle boundaries exposed by the dashboard: scope-bind management mutations, persist initial static provider credentials atomically, normalize DB timestamps at the tRPC boundary, reject OAuth client authentication-method changes without a secret lifecycle, and require confirmations for destructive connection actions.
• Move resource-specific OAuth registration under /api/mcp-gateway/oauth/register/resource/... to avoid Next.js dynamic route conflicts while retaining the specified registration capability.

Verification

see demo in slack

Visual Changes

Before	After
MCP Gateway dashboard unavailable (screenshot pending)	Personal connection list and setup flow (screenshot pending)
Organization MCP Gateway management unavailable (screenshot pending)	Organization detail, assignment, and credential management surface (screenshot pending)

Reviewer Notes

• This is stacked on feat/mcp-gateway-implementation / PR feat(mcp-gateway): implement OAuth runtime gateway #3717; review this PR as the dashboard and follow-up hardening layer rather than the underlying gateway implementation.
• Dashboard visibility is intentionally gated behind user.is_admin during rollout.
• Focus areas: OAuth/provider sign-in setup behavior, tenant-scoped management mutations, destructive action lifecycle semantics, and the moved resource-specific registration route.