@mattdholloway mattdholloway commented Jan 22, 2026

Depends on: https://github.com/github/github-mcp-server-remote/pull/628

Summary

This pull request adds comprehensive support for OAuth 2.0 Protected Resource Metadata (RFC 9728) to the GitHub MCP server in HTTP mode. The main improvements include introducing a new oauth package for serving OAuth resource metadata endpoints, updating server configuration to support a public base URL, and enhancing authentication middleware to comply with OAuth standards. The purpose of these changes is to migrate functionality from the Remote MCP Server to OSS as part of the upcoming HTTP handler changes.

Why

Closes: https://github.com/github/copilot-mcp-core/issues/1206

What changed

  • OAuth Protected Resource Metadata Support
  • Authentication Middleware Enhancements
  • Configuration and Header Support

MCP impact

  • No tool or API changes
  • Tool schema or behavior changed
  • New tool added

Prompts tested (tool changes only)

Security / limits

  • No security or limits impact
  • Auth / permissions considered
  • Data exposure, filtering, or token/size limits considered

Tool renaming

  • I am renaming tools as part of this PR (e.g. a part of a consolidation effort)
    • I have added the new tool aliases in deprecated_tool_aliases.go
  • I am not renaming tools as part of this PR

Note: if you're renaming tools, you must add the tool aliases. For more information on how to do so, please refer to the official docs.

Lint & tests

  • Linted locally with ./script/lint
  • Tested locally with ./script/test

Docs

  • Not needed
  • Updated (README / docs / examples)
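
An added example, not code from this PR or from the github-mcp-server repository: the two behaviours the summary names, shown in Go with the standard library only. It serves a protected resource metadata document at the RFC 9728 well-known path and answers requests that carry no bearer token with a `WWW-Authenticate` header holding a `resource_metadata` parameter. The host names and the functions `metadataHandler`, `requireBearer` and `newMux` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Constructed values for illustration; none come from the PR.
const (
	baseURL      = "https://mcp.example.com"               // assumed public base URL
	authServer   = "https://auth.example.com"              // assumed authorization server
	metadataPath = "/.well-known/oauth-protected-resource" // RFC 9728 well-known path
)

// metadataHandler serves the RFC 9728 metadata document with three of its fields.
func metadataHandler(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]any{
		"resource":                 baseURL,
		"authorization_servers":    []string{authServer},
		"bearer_methods_supported": []string{"header"},
	})
}

// requireBearer answers 401 with a resource_metadata pointer when no bearer token
// is present. The URL uses the configured base URL, never the request Host header.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scheme, token, _ := strings.Cut(r.Header.Get("Authorization"), " ")
		if !strings.EqualFold(scheme, "Bearer") || strings.TrimSpace(token) == "" {
			w.Header().Set("WWW-Authenticate", fmt.Sprintf("Bearer resource_metadata=%q", baseURL+metadataPath))
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r) // presence check only; validating the token is a separate step
	})
}

// newMux exposes the metadata endpoint unauthenticated and guards everything else.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc(metadataPath, metadataHandler)
	mux.Handle("/", requireBearer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })))
	return mux
}

func main() { http.ListenAndServe("127.0.0.1:8080", newMux()) }
```

The metadata route stays outside the middleware so that a client holding no token can still discover the authorization server.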
