v0.40.1

Add dynamic OAuth discovery for community MCP servers (#410)

## Summary
- Community MCP servers from third-party registries (e.g., Kubit) require OAuth but have no `oauth.providers` metadata in their catalog entry, so the existing `IsRemoteOAuthServer()` gate prevents DCR entries from being created
- Adds `RegisterProviderForDynamicDiscovery()` which probes remote servers using `DiscoverOAuthRequirements()` and creates pending DCR entries when OAuth is detected
- Integrates the fallback into all three callsites: working set sync, `docker mcp server enable`, and gateway `mcpadd`
- Expands the gateway OAuth condition to also match remote servers without `oauth.providers`

## Test plan
- [x] `docker mcp catalog-next pull mcp/community-registry`
- [x] `docker mcp profile server add default --server catalog://mcp/community-registry/com-notion-mcp`
- [x] Verify DCR entry is created: `docker mcp oauth ls`
- [x] Authorize the server: `docker mcp oauth authorize com-notion-mcp`
- [x] Verify authorization: `docker mcp oauth ls`
- [x] Revoke and re-authorize: `docker mcp oauth revoke com-notion-mcp`
- [x] Verify existing servers with `oauth.providers` still work (no regression)
- [x] Verify servers that don't require OAuth are not affected (probe returns no OAuth)

Confirming `com-notion-mcp` from community registry successfully authorized via oauth:
```
❯ docker mcp oauth ls
ai-kubit-mcp-server | not authorized
com-notion-mcp      | authorized
github              | authorized
miro-remote         | not authorized
```

Confirming oauth flow for `com-notion-mcp` from community registry:
```
❯ docker mcp oauth authorize com-notion-mcp
Opening your browser for authentication. If it doesn't open automatically, please visit: ...
```