feat(mcp): introduce OAuth 2.1 auth and enforce addon gating

OAuth 2.1 authentication for MCP:
- Add OAuth 2.1 authorization server with PKCE support (routes/oauth.ts)
- Add OAuth service for client CRUD, auth-code flow, and token management (services/oauthService.ts)
- Add typed scope definitions and enforcement helpers (mcp/scopes.ts)
- Add OAuth consent UI page (OAuthAuthorizePage.tsx)
- Add client-side scope labels and descriptions (api/oauthScopes.ts)
- Integrate OAuth token auth into MCP handler alongside existing static tokens
- All OAuth endpoints gated on `mcp` addon

Addon gating across MCP tools, resources, and prompts:
- Add typed ADDON_IDS constant (server/src/addons.ts) replacing all string literals
- Gate budget tools and resources (trip-budget, per-person, settlement) on `budget` addon
- Gate packing tools and resources (trip-packing, trip-packing-bags, trip-todos) on `packing` addon
- Gate todos tools on `packing` addon (mirrors web UI Lists tab behavior)
- Expand atlas gate to cover full tool body (bucket-list + country tools no longer leak)
- Expand collab gate to cover full tool body (collab notes no longer leak)
- Gate packing-list and budget-overview MCP prompts on their respective addons
- Gate get_trip_summary sections per addon; blank packing/budget/collab_notes/todos when disabled
- Remove trip-files resource and files field from get_trip_summary
- Replace all isAddonEnabled('literal') calls with ADDON_IDS constants

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/src/mcp/tools/assignments.ts

@@ -15,11 +15,15 @@ import {
   TOOL_ANNOTATIONS_NON_IDEMPOTENT,
   demoDenied, noAccess, ok,
 } from './_shared';
+import { canRead, canWrite } from '../scopes';
+
+export function registerAssignmentTools(server: McpServer, userId: number, scopes: string[] | null): void {
+  const R = canRead(scopes, 'places');
+  const W = canWrite(scopes, 'places');
 
-export function registerAssignmentTools(server: McpServer, userId: number): void {
   // --- ASSIGNMENTS ---
 
-  server.registerTool(
+  if (W) server.registerTool(
     'assign_place_to_day',
     {
       description: 'Assign a place to a specific day in a trip.',
@@ -42,7 +46,7 @@ export function registerAssignmentTools(server: McpServer, userId: number): void
     }
   );
 
-  server.registerTool(
+  if (W) server.registerTool(
     'unassign_place',
     {
       description: 'Remove a place assignment from a day.',
@@ -64,7 +68,7 @@ export function registerAssignmentTools(server: McpServer, userId: number): void
     }
   );
 
-  server.registerTool(
+  if (W) server.registerTool(
     'update_assignment_time',
     {
       description: 'Set the start and/or end time for a place assignment on a day (e.g. "09:00", "11:30"). Pass null to clear a time.',
@@ -91,7 +95,7 @@ export function registerAssignmentTools(server: McpServer, userId: number): void
     }
   );
 
-  server.registerTool(
+  if (W) server.registerTool(
     'move_assignment',
     {
       description: 'Move a place assignment to a different day.',
@@ -113,7 +117,7 @@ export function registerAssignmentTools(server: McpServer, userId: number): void
     }
   );
 
-  server.registerTool(
+  if (R) server.registerTool(
     'get_assignment_participants',
     {
       description: 'Get the list of users participating in a specific place assignment.',
@@ -130,7 +134,7 @@ export function registerAssignmentTools(server: McpServer, userId: number): void
     }
   );
 
-  server.registerTool(
+  if (W) server.registerTool(
     'set_assignment_participants',
     {
       description: 'Set the participants for a place assignment (replaces current list).',
@@ -152,7 +156,7 @@ export function registerAssignmentTools(server: McpServer, userId: number): void
 
   // --- REORDER ---
 
-  server.registerTool(
+  if (W) server.registerTool(
     'reorder_day_assignments',
     {
       description: 'Reorder places within a day by providing the assignment IDs in the desired order.',