Commit 4ef3a55
feat: add OAuth 2.0 gateway for Claude.ai web connectivity
Adds an OAuth 2.0 Authorization Code + PKCE gateway so that web-based
MCP clients (Claude.ai, Claude Code web) can connect without pre-sharing
credentials via request headers.
## Why this is needed
The HTTP Stream transport (PR CognitionAI#30) requires clients to pass Metabase
credentials as request headers. Web clients like Claude.ai do not support
custom headers — they require a standard OAuth 2.0 flow. This gateway
bridges that gap.
## How it works
1. Client discovers the gateway via `/.well-known/oauth-authorization-server`
2. User is redirected to `/oauth/authorize` — an HTML form asking for Metabase URL + API key (or username/password)
3. On submit, server stores credentials under a short-lived auth code and redirects back to the client
4. Client exchanges the code at `/oauth/token` for a signed JWT
5. All `/mcp` requests carry `Authorization: Bearer <JWT>`
6. Gateway validates the JWT, injects `x-metabase-*` headers, and proxies to the upstream HTTP Stream server
## Security
- Credentials are never logged (only session prefix + status)
- Client registration details logged only at LOG_LEVEL=debug
- Auth codes are single-use with a 10-minute TTL
- PKCE (S256) support for public clients
- JWT signed with configurable JWT_SECRET
## Tests (28 passing)
- OAuth discovery endpoints
- Dynamic client registration (RFC 7591)
- Authorization endpoint: form rendering, XSS escaping, validation
- Token endpoint: api-key flow, username/password flow, single-use codes
- PKCE: correct verifier, wrong verifier, missing verifier
- MCP proxy: 401 without token, 401 with invalid token
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 1c15ff3 commit 4ef3a55
5 files changed
Lines changed: 3140 additions & 48 deletions