Commit 9ba4d2f

feat: wire shared MCP OAuth stores in unified binary with integration tests (#2160)
Create shared ConsentCodeStore (BFF) and OIDCStateStore (MCP) instances at startup and pass them to both the BFF consent handler and MCP OIDC handler. This enables the full consent-based OAuth 2.1 flow when running in unified binary mode.

- Add oauthwiring package as public factory for MCP OAuth components (avoids importing internal/auth from cmd/meridian)
- Add MCPOAuthEndpoints struct and WithMCPOAuthEndpoints ServerOption to mount /oauth/*, /.well-known/oauth-authorization-server, and /oauth/register on the gateway
- Add wireMCPOAuth in wire_gateway.go with adapter types bridging gateway.ConsentCodeStore <-> mcpauth.ConsentCodeConsumer and mcpauth.OIDCStateStore <-> gateway.OIDCStatePeeker
- Add Server.Handler() for test access to the HTTP mux
- Add 6 integration tests covering full approve flow, deny flow, PKCE integrity, tenant isolation, metadata endpoint, and dynamic client registration

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>
1 parent 9df8ccf commit 9ba4d2f

6 files changed

Lines changed: 796 additions & 0 deletions

cmd/meridian/main.go

Lines changed: 6 additions & 0 deletions
@@ -329,6 +329,12 @@ func setupAndStartGateway(ctx context.Context, infra *unifiedInfra, grpcPort, ht
329329
bffSigner, bffAuthOpts := wireBFFAuth(infra.conns.gormDB("identity"), logger)
330330
extraGWOpts = append(extraGWOpts, bffAuthOpts...)
331331

332+
mcpOAuthOpts, mcpOAuthCleanup := wireMCPOAuth(bffSigner, logger)
333+
extraGWOpts = append(extraGWOpts, mcpOAuthOpts...)
334+
if mcpOAuthCleanup != nil {
335+
defer mcpOAuthCleanup()
336+
}
337+
332338
baseDomain := env.GetEnvOrDefault("BASE_DOMAIN", "localhost")
333339
identityEmailOutboxRepo := email.NewPostgresOutboxRepository(infra.conns.gormDB("identity"))
334340
if regOpt := wireRegistration(infra.conns.gormDB("identity"), infra.conns.gormDB("tenant"), infra.loopback.rawConn, baseDomain, identityEmailOutboxRepo, logger); regOpt != nil {
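Review bot: the `defer mcpOAuthCleanup()` at new line 335 binds the lifetime of the shared consent-code and OIDC-state stores to the return of `setupAndStartGateway`, not to gateway shutdown. If this function returns once the server has been started rather than blocking until it stops, the stores are torn down while the `/oauth/*` handlers are still serving, and in-flight authorization codes or state entries would stop being expired or become unavailable. Please confirm the function blocks for the server's lifetime, or hand the cleanup back to the caller so it runs in the shutdown path. Separately, `wireMCPOAuth(bffSigner, logger)` at new line 332 takes the signer straight from `wireBFFAuth` with no check in between and returns no error, so a missing signer or a failed wiring can only surface through the logger; a short comment stating what a nil `mcpOAuthCleanup` means (OAuth endpoints not mounted?) would make that failure mode explicit at the call site.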
