v.0.0.5

What Changed

MCP mTLS client-certificate support

• Added optional outbound mTLS for HTTP-streamable MCP channels.
• New global flags/env: --mcp.client-cert, --mcp.client-key, MCP_CLIENT_CERT, MCP_CLIENT_KEY.
• Added per-channel overrides in --mcp.server-url entries via client-cert=... and client-key=....
• Supports env:VAR path references and validates incomplete/misapplied configs early (including stdio incompatibility).
• MCP route logs now include mTLS status details.

OAuth auth-server metadata compatibility

• Keeps authorization_servers[0] as the source of truth and metadata fetch target.
• Accepts auth-server metadata even when metadata issuer differs from authorization_servers[0] (external IdP issuer topology support).
• Preserves mismatch diagnostics (expected issuer, metadata issuer, warning) in discovery result/logging.
• Prefers exact-issuer candidates when both exact and mismatch candidates are available.

Platform and docs

• Added shared client-certificate loading/apply plumbing (pkg/tlsconfig, transport wiring, MCP factory integration).
• Added broad unit test coverage for new config, mTLS transport behavior, and OAuth metadata selection behavior.
• Bumped Go toolchain baseline from 1.25.4 to 1.26.0 (go.mod and Docker builder image).

Full Changelog: v.0.0.4...v.0.0.5