fix: exclude MCP paths from basic auth and route OAuth discovery

- Exclude /mcp, /sse, /message, and /.well-known/oauth-* from basic
  auth so MCP clients can connect without HTTP credentials.
- Route OAuth discovery paths to the MCP server instead of the
  frontend SPA, so clients receive proper HTTP responses (404 when
  OAuth is disabled) instead of HTML.

Author: bjcoombs

deploy/demo/Caddyfile

@@ -19,7 +19,7 @@ demo.meridianhub.cloud, *.demo.meridianhub.cloud {
 	# Uses a negated matcher to explicitly exclude health probes from auth,
 	# since Caddy's default directive order runs basicauth before handle blocks.
 	@not_health_probes {
-		not path /healthz /readyz
+		not path /healthz /readyz /mcp /sse /message /.well-known/oauth-*
 	}
 	basicauth @not_health_probes {
 		demo $2a$14$xfFb2xnq6vOhKOEh7TTgTula3G.F6MxoT7DawQLGBPziCgjTcWCrS
@@ -32,6 +32,8 @@ demo.meridianhub.cloud, *.demo.meridianhub.cloud {
 
 	# MCP Server: streamable HTTP + legacy SSE transport
 	# NOTE: Requires mcp-server container to be running; routes will 502 until deployed.
+	# OAuth discovery paths must also route to MCP server so Claude Code's
+	# MCP client receives proper JSON (not the frontend SPA HTML).
 	handle /mcp {
 		reverse_proxy mcp-server:8090
 	}
@@ -41,6 +43,12 @@ demo.meridianhub.cloud, *.demo.meridianhub.cloud {
 	handle /message {
 		reverse_proxy mcp-server:8090
 	}
+	handle /.well-known/oauth-authorization-server {
+		reverse_proxy mcp-server:8090
+	}
+	handle /.well-known/oauth-protected-resource {
+		reverse_proxy mcp-server:8090
+	}
 
 	# API: ConnectRPC + version
 	@api {