Add OAuth2 gateway to implement authorization for MCP

[thekid]

This PR implements the server-side aspect of #11 based on prototype at https://gist.github.com/thekid/e6ca3935b82a5e79e3337b1f2c3a596d

Example

use io\modelcontextprotocol\McpServer;
use io\modelcontextprotocol\server\{ImplementationsIn, OAuth2Gateway, Clients, UseSession};
use web\Application;
use web\session\InFileSystem;

class Test extends Application {

  public function routes() {
    $clients= new class() extends Clients { /* TBI */ };

    $sessions= (new InFileSystem())->named('oauth');
    $gateway= new OAuth2Gateway('/oauth', $clients, new UseSession($sessions));

    $auth= /* Some class extending web.auth.Authentication */;

    $server= new McpServer(new ImplementationsIn('impl'));
    return [
      '/mcp'   => $gateway->authenticate($server),
      '/oauth' => $gateway->flow($auth, $sessions),
      '/.well-known/oauth-authorization-server' => $gateway->meta(),
    ];
  }
}

Note: The MCP inspector requires direct access to the OAuth metadata and flow even when its connection type is set the Proxy! See here for a CORS filter allowing this.

[thekid]

Released in https://github.com/xp-forge/mcp/releases/tag/v0.8.0

---

⚠️ Please note meta() was renamed to metadata()! The example given in the README file reflects this: https://github.com/xp-forge/mcp?tab=readme-ov-file#authentication