feat(mcp): introduce OAuth 2.1 auth and enforce addon gating

OAuth 2.1 authentication for MCP:
- Add OAuth 2.1 authorization server with PKCE support (routes/oauth.ts)
- Add OAuth service for client CRUD, auth-code flow, and token management (services/oauthService.ts)
- Add typed scope definitions and enforcement helpers (mcp/scopes.ts)
- Add OAuth consent UI page (OAuthAuthorizePage.tsx)
- Add client-side scope labels and descriptions (api/oauthScopes.ts)
- Integrate OAuth token auth into MCP handler alongside existing static tokens
- All OAuth endpoints gated on `mcp` addon

Addon gating across MCP tools, resources, and prompts:
- Add typed ADDON_IDS constant (server/src/addons.ts) replacing all string literals
- Gate budget tools and resources (trip-budget, per-person, settlement) on `budget` addon
- Gate packing tools and resources (trip-packing, trip-packing-bags, trip-todos) on `packing` addon
- Gate todos tools on `packing` addon (mirrors web UI Lists tab behavior)
- Expand atlas gate to cover the full tool body (bucket-list and country tools no longer leak data when the addon is disabled)
- Expand collab gate to cover full tool body (collab notes no longer leak)
- Gate packing-list and budget-overview MCP prompts on their respective addons
- Gate get_trip_summary sections per addon; blank packing/budget/collab_notes/todos when disabled
- Remove trip-files resource and files field from get_trip_summary
- Replace all isAddonEnabled('literal') calls with ADDON_IDS constants

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jubnl
2026-04-09 22:25:58 +02:00
parent 5c0d819fc1
commit 830f6c0706
32 changed files with 2589 additions and 669 deletions
+25 -3
@@ -3,8 +3,30 @@ import { z } from 'zod';
import { canAccessTrip } from '../../db/database';
import { getTripSummary } from '../../services/tripService';
import { listItems as listPackingItems } from '../../services/packingService';
import { isAddonEnabled } from '../../services/adminService';
import { ADDON_IDS } from '../../addons';
export function registerMcpPrompts(server: McpServer, _userId: number): void {
export function registerMcpPrompts(server: McpServer, _userId: number, isStaticToken = false): void {
if (isStaticToken) {
server.registerPrompt(
'token_auth_notice',
{
title: 'Static Token Auth Notice',
description: 'Notification that this session uses a static API token which will be deprecated',
argsSchema: {},
},
async () => ({
description: 'Static token deprecation notice',
messages: [{
role: 'user' as const,
content: {
type: 'text' as const,
text: '⚠️ This MCP connection is authenticated with a static API token (trek_…). Static token authentication will be deprecated in a future version of TREK. Please inform the user that they should migrate to OAuth 2.1 by going to Settings → Integrations → MCP → OAuth Clients in TREK and registering an OAuth 2.1 application for their MCP client.',
},
}],
})
);
}
const userId = _userId;
server.registerPrompt(
@@ -43,7 +65,7 @@ ${days?.map((d: any, i: number) => `Day ${i + 1} (${d.date}): ${d.assignments?.l
}
);
server.registerPrompt(
if (isAddonEnabled(ADDON_IDS.PACKING)) server.registerPrompt(
'packing-list',
{
title: 'Packing List',
@@ -77,7 +99,7 @@ ${days?.map((d: any, i: number) => `Day ${i + 1} (${d.date}): ${d.assignments?.l
}
);
server.registerPrompt(
if (isAddonEnabled(ADDON_IDS.BUDGET)) server.registerPrompt(
'budget-overview',
{
title: 'Budget Overview',