fix(mcp): add RFC 9728 PRM, RFC 8707 audience binding, and collab sub-feature gating

Root cause: claude.ai's MCP connector (spec 2025-06-18) requires the resource server
to publish Protected Resource Metadata and return WWW-Authenticate on 401s to bind
the /mcp endpoint to its AS. Without these, it silently shows no tools after OAuth.

- Add /.well-known/oauth-protected-resource (RFC 9728) with addon gating
- Emit WWW-Authenticate: Bearer resource_metadata=... on 401/auth-failure 403s
- Open CORS (origin: *) on both .well-known/* endpoints per RFC 8414/9728
- Accept resource parameter at authorize + token endpoints (RFC 8707)
- Store audience on oauth_tokens; validate on every MCP request
- Refresh tokens inherit audience; add resource_parameter_supported to AS metadata
- DB migration: ADD COLUMN audience TEXT to oauth_tokens
- Gate collab MCP tools/resources by chat/notes/polls sub-features individually
- Invalidate MCP sessions when collab sub-features are toggled in admin
- Update test mocks and MCP.md

server/src/app.ts

@@ -77,6 +77,11 @@ export function createApp(): express.Application {
 
   const shouldForceHttps = process.env.FORCE_HTTPS === 'true';
 
+  // RFC 8414 / RFC 9728: discovery docs are world-readable — open CORS regardless of deployment config
+  app.use(
+    ['/.well-known/oauth-authorization-server', '/.well-known/oauth-protected-resource'],
+    cors({ origin: '*', credentials: false }),
+  );
   app.use(cors({ origin: corsOrigin, credentials: true }));
   app.use(helmet({
     contentSecurityPolicy: {