security: close SEC-H4/H6 gaps from second-pass review

- SEC-H6: remove conditional audience check in mcp/index.ts — audience is
  now always enforced against the mcpResource URL. Add migration to revoke
  pre-existing oauth_tokens with audience=NULL so dead rows don't linger.
- SEC-H4: validate doc.issuer against config.issuer inside discover() to
  prevent a MITM'd discovery doc from supplying a crafted expected issuer.
  verifyIdToken caller now passes config.issuer as ground truth, not
  doc.issuer.
- tests: cover three new OIDC callback failure paths (no_id_token,
  id_token_invalid, subject_mismatch) and two idempotency caps (key length
  >128 chars returns 400, body >256 KiB skips caching).

server/src/mcp/index.ts

@@ -180,11 +180,10 @@ function verifyToken(authHeader: string | undefined): VerifyTokenResult | null {
   if (token.startsWith('trekoa_')) {
     const result = getUserByAccessToken(token);
     if (!result) return null;
-    // RFC 8707: if the token carries an audience, it must match this resource endpoint
-    if (result.audience !== null) {
-      const expected = `${(getAppUrl() || '').replace(/\/+$/, '')}/mcp`;
-      if (result.audience !== expected) return null;
-    }
+    // RFC 8707: audience must always match this resource endpoint.
+    // Pre-audit tokens with audience=null are revoked by the SEC-H6 migration.
+    const expected = `${(getAppUrl() || '').replace(/\/+$/, '')}/mcp`;
+    if (result.audience !== expected) return null;
     return { user: result.user, scopes: result.scopes, clientId: result.clientId, isStaticToken: false };
   }