
fix: advertise mcp scope in OAuth metadata #10

Merged
Timmyy3000 merged 1 commit into main from fix/oauth-mcp-scope
May 15, 2026

@Timmyy3000
Owner

Summary

Advertise the mcp scope in the OAuth authorization server metadata so Claude Web and other OAuth MCP clients see metadata that matches the MCP protected-resource challenge.

What's Included

  • Add mcp to the OAuth provider scopes in lib/auth.ts
  • Extend MCP OAuth metadata coverage to assert mcp appears in scopes_supported

Tests

  • TEST_DATABASE_URL=postgres://arin:arin@localhost:5434/arin_test bun test tests/mcp-oauth.test.ts: passed
  • bun run typecheck: passed

Test Plan

  • Verify the path-aware auth metadata route includes mcp in scopes_supported
  • Verify the existing MCP OAuth discovery and auth behavior still passes unchanged

Local Review Findings

  • P0: none
  • P1: none
  • P2: none

Co-authored-by: Codex <codex@openai.com>
@github-actions

enkii  ·  code review

Working on this PR…


@github-actions github-actions Bot left a comment

enkii  ·  code review

Summary

Adds mcp to the OAuth provider's supported scopes so the authorization server metadata matches the MCP protected-resource challenge. The change is a single-line scope addition plus a corresponding test assertion. No issues found — the change is correct, consistent with existing MCP auth plumbing, and the test matcher (arrayContaining) is appropriate. Safe to merge.

Mergeability Score: 5/5

Safe to merge from this review's perspective.


@github-actions github-actions Bot left a comment

enkii  ·  security review

Summary

Security review: no exploitable vulnerabilities found. This PR adds mcp to the OAuth provider's advertised scopes, aligning the authorization server metadata with the protected resource metadata that already required the mcp scope. The change is a configuration-only metadata fix in lib/auth.ts; no authentication, authorization, or input validation logic is modified. The JWT verification path in lib/mcp/auth.ts is unchanged. Safe to merge.

Mergeability Score: 5/5

Safe to merge from this review's perspective.
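
A check in the spirit of the Test Plan above, as an added example that is not code from this PR or its repository: it compares the scopes a protected resource demands (in its metadata and in its `WWW-Authenticate` Bearer challenge) against `scopes_supported` in the authorization server metadata. The URLs, the scopes other than `mcp`, the challenge string and all function names are assumptions constructed for illustration.

```typescript
// Added example. All URLs, scope lists and the challenge are constructed samples.
interface AuthServerMetadata { issuer: string; scopes_supported?: string[] }
interface ResourceMetadata { resource: string; scopes_supported?: string[] }

// Parse the auth-params of a Bearer challenge (RFC 6750 section 3).
function parseBearerChallenge(header: string): Record<string, string> {
  const params: Record<string, string> = {};
  const m = /^\s*Bearer\s+(.*)$/i.exec(header);
  const rest = m && m[1] ? m[1] : "";
  // key=token or key="quoted string with \-escapes"
  const re = /([A-Za-z_][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))/g;
  let p: RegExpExecArray | null;
  while ((p = re.exec(rest)) !== null) {
    const key = p[1];
    const raw = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
    if (key !== undefined && raw !== undefined) params[key.toLowerCase()] = raw;
  }
  return params;
}

// Scopes the resource demands (metadata or challenge) that the authorization
// server metadata does not list in scopes_supported. Empty result = consistent.
function findUnadvertisedScopes(
  authServer: AuthServerMetadata,
  resource: ResourceMetadata,
  challengeHeader: string,
): string[] {
  const advertised = authServer.scopes_supported || [];
  const fromChallenge = (parseBearerChallenge(challengeHeader)["scope"] || "").split(/\s+/);
  const missing: string[] = [];
  for (const s of (resource.scopes_supported || []).concat(fromChallenge)) {
    if (s && advertised.indexOf(s) === -1 && missing.indexOf(s) === -1) missing.push(s);
  }
  return missing.sort();
}

const resourceMeta: ResourceMetadata = { resource: "https://app.example.com/mcp", scopes_supported: ["mcp"] };
const challenge =
  'Bearer resource_metadata="https://app.example.com/.well-known/oauth-protected-resource/mcp", scope="mcp"';
// "before": metadata omits mcp (the mismatch this PR fixes). "after": mcp is advertised.
const before: AuthServerMetadata = { issuer: "https://app.example.com", scopes_supported: ["openid", "profile"] };
const after: AuthServerMetadata = { issuer: before.issuer, scopes_supported: ["openid", "profile", "mcp"] };

console.log("before:", findUnadvertisedScopes(before, resourceMeta, challenge));
console.log("after:", findUnadvertisedScopes(after, resourceMeta, challenge));
```
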

@Timmyy3000 Timmyy3000 merged commit 3036eab into main May 15, 2026
2 checks passed