feat: add OAuth protected resource metadata (RFC 9728) #40

Merged
mattzcarey merged 4 commits into main from feat/oauth-protected-resource-metadata
Feb 26, 2026

@mattzcarey mattzcarey commented Feb 23, 2026

Summary

  • Upgrades @cloudflare/workers-oauth-provider to v0.2.4 (released) — replaces the pkg.pr.new preview build
  • Configures scopesSupported and resourceMetadata on the OAuthProvider so the /.well-known/oauth-protected-resource endpoint returns proper metadata for MCP auth discovery

What's in workers-oauth-provider v0.2.4

  • /.well-known/oauth-protected-resource endpoint (#136)
  • resource_metadata in WWW-Authenticate headers (#143)
  • RFC 8252 loopback port flexibility for native apps (#145) — fixes "OAuth authorize rejects valid localhost redirect URIs for CLI clients" (#44), where CLI clients (Claude Code, Cursor) using localhost/127.0.0.1 redirect URIs with dynamic ports were rejected on /authorize with "Invalid redirect URI"
  • Exact match for root apiHandler route (#140)
  • Generic Env type for OAuthProviderOptions (#150)
  • allowPlainPKCE option to enforce S256 PKCE (#151)

Verified on staging

$ curl https://staging.mcp.cloudflare.com/.well-known/oauth-protected-resource
{
  "resource": "https://staging.mcp.cloudflare.com",
  "authorization_servers": ["https://staging.mcp.cloudflare.com"],
  "scopes_supported": ["offline_access", "user:read", "account:read", ...],
  "bearer_methods_supported": ["header"],
  "resource_name": "Cloudflare API MCP Server"
}

Test plan

  • npm run check passes (format, lint, typecheck, tests)
  • Deployed to staging
  • /.well-known/oauth-protected-resource returns valid RFC 9728 metadata
  • /.well-known/oauth-authorization-server still works correctly
  • Bumped to released v0.2.4 (no longer using pkg.pr.new preview)
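
A client that consumes the metadata shown in the description can check it before trusting the listed authorization servers. This is an added example, not code from this PR or from workers-oauth-provider; `validateResourceMetadata` and its helpers are hypothetical names, and the sample object is constructed from the staging response above with the elided scopes left out.

```javascript
// Added example; function names are hypothetical, not workers-oauth-provider APIs.
const BEARER_METHODS = new Set(["header", "body", "query"]); // values defined by RFC 9728

// https URL with no fragment; issuer identifiers (RFC 8414) also forbid a query.
function isHttpsUrl(value, allowQuery) {
  if (typeof value !== "string" || value.includes("#")) return false;
  if (!allowQuery && value.includes("?")) return false;
  try {
    return new URL(value).protocol === "https:";
  } catch {
    return false;
  }
}

function stringArrayProblem(doc, key) {
  const v = doc[key];
  if (v === undefined) return null; // optional member
  const ok = Array.isArray(v) && v.every((x) => typeof x === "string");
  return ok ? null : `${key} is not an array of strings`;
}

// Returns a list of problems; an empty list means the document may be used.
function validateResourceMetadata(expectedResource, doc) {
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return ["metadata is not a JSON object"];
  }
  const problems = [];
  if (!isHttpsUrl(doc.resource, true)) problems.push("resource is not an https URL without a fragment");
  // RFC 9728 section 3.3: must be identical to the identifier the client asked about.
  if (doc.resource !== expectedResource) problems.push("resource does not match the requested identifier");
  for (const key of ["authorization_servers", "scopes_supported", "bearer_methods_supported"]) {
    const p = stringArrayProblem(doc, key);
    if (p) problems.push(p);
  }
  for (const s of Array.isArray(doc.authorization_servers) ? doc.authorization_servers : []) {
    if (!isHttpsUrl(s, false)) problems.push(`invalid authorization server issuer: ${String(s)}`);
  }
  for (const m of Array.isArray(doc.bearer_methods_supported) ? doc.bearer_methods_supported : []) {
    if (!BEARER_METHODS.has(m)) problems.push(`unknown bearer method: ${String(m)}`);
  }
  return problems;
}

// Constructed sample: the staging response from the PR description, elided scopes left out.
const SAMPLE = {
  resource: "https://staging.mcp.cloudflare.com",
  authorization_servers: ["https://staging.mcp.cloudflare.com"],
  scopes_supported: ["offline_access", "user:read", "account:read"],
  bearer_methods_supported: ["header"],
  resource_name: "Cloudflare API MCP Server",
};
console.log(validateResourceMetadata("https://staging.mcp.cloudflare.com", SAMPLE));
```

The identity check on `resource` is the one that stops a metadata document served for one resource from being accepted for another.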

@mattzcarey mattzcarey force-pushed the feat/oauth-protected-resource-metadata branch from a6d74ed to f39b393 Compare February 23, 2026 12:43
Add resourceMetadata config to OAuthProvider for the
/.well-known/oauth-protected-resource endpoint. Bump
workers-oauth-provider to PR #136 build which implements
the endpoint.
@mattzcarey mattzcarey force-pushed the feat/oauth-protected-resource-metadata branch from f39b393 to 872f7f4 Compare February 23, 2026 13:26
@mattzcarey

Tested and working on staging via MCP Inspector. The /.well-known/oauth-protected-resource endpoint returns correct metadata and the OAuth flow completes successfully.

mattzcarey and others added 3 commits February 23, 2026 15:07
Includes both RFC 9728 changes:
- /.well-known/oauth-protected-resource endpoint (#136)
- resource_metadata in WWW-Authenticate headers (#143)
Replace pkg.pr.new preview build with the released v0.2.4 which
includes RFC 9728 support (#136, #143), RFC 8252 loopback port
flexibility for native apps (#145), and other fixes.
@mattzcarey mattzcarey merged commit 1b9f167 into main Feb 26, 2026
4 checks passed
@mattzcarey mattzcarey deleted the feat/oauth-protected-resource-metadata branch February 26, 2026 21:19