
feat(auth): add OAuth 2.1 for remote MCP deployments #233

Draft
5queezer wants to merge 9 commits into stickerdaniel:main from 5queezer:feature/231-oauth-auth

Conversation

@5queezer

@5queezer 5queezer commented Mar 19, 2026

Summary

  • Adds opt-in OAuth 2.1 authentication behind --auth oauth for remote server deployments (e.g. Cloud Run, Fly.io)
  • Subclasses FastMCP's InMemoryOAuthProvider with a password-based login page in the /authorize flow
  • Enables claude.ai custom connector integration via Dynamic Client Registration (DCR)

Changes

| File | Change |
| --- | --- |
| linkedin_mcp_server/auth.py | New: PasswordOAuthProvider with login page, brute-force lockout (5 attempts) |
| linkedin_mcp_server/config/schema.py | OAuthConfig dataclass + validation (skipped for --login/--status/--logout) |
| linkedin_mcp_server/config/loaders.py | AUTH, OAUTH_BASE_URL, OAUTH_PASSWORD env vars + CLI args |
| linkedin_mcp_server/server.py | Pass auth=PasswordOAuthProvider(...) to FastMCP() when enabled |
| linkedin_mcp_server/cli_main.py | Wire oauth_config through to create_mcp_server() |
| tests/test_auth.py | New: 12 tests, unit + integration (401, .well-known, lockout) |
| tests/test_config.py | 12 new tests for OAuthConfig + env vars + command-only mode bypass |
| README.md | Remote deployment + OAuth section |
| docs/docker-hub.md | OAuth env vars in table |
| manifest.json | OAuth env vars in user_config |

Security

  • Timing-safe password comparison (secrets.compare_digest)
  • PKCE enforced by MCP SDK's TokenHandler
  • XSS prevention via html.escape() on all template inputs
  • Brute-force lockout: 5 failed attempts invalidates the auth request
  • 10-minute TTL on pending authorization requests
  • Single-use authorization codes

Test plan

  • 301 tests pass (uv run pytest --cov -v)
  • Pre-commit hooks pass (ruff, ruff-format, ty)
  • Manual E2E: deploy with --auth oauth, verify 401 on unauthenticated /mcp, verify .well-known/oauth-authorization-server returns metadata
  • Manual E2E: complete OAuth flow through claude.ai custom connector

Prompt

Implement the OAuth 2.1 authentication plan from docs/superpowers/plans/2026-03-19-oauth-auth.md

Closes #231

🤖 Generated with Claude Code (Claude Opus 4.6)
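The Security list above names five controls on the password login step: constant-time password comparison, a 5-attempt lockout that invalidates the pending authorization request, a 10-minute TTL on pending requests, single-use authorization codes, and html.escape() on template inputs. The following is an added example illustrating how those controls fit together in one small in-memory store. It is not code from this PR or from linkedin_mcp_server; the class PasswordAuthStore, the PendingAuthRequest model, render_login_page, and the injectable clock are all assumptions made for the example, and it stands in for the FastMCP provider rather than plugging into it.

```python
import html
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 5        # lockout threshold stated in the PR description
PENDING_TTL_SECONDS = 600      # 10-minute TTL on pending authorization requests


@dataclass
class PendingAuthRequest:
    """One in-flight /authorize request waiting for the password (constructed model)."""
    client_id: str
    redirect_uri: str
    created_at: float
    failed_attempts: int = 0
    invalidated: bool = False


class PasswordAuthStore:
    """Hypothetical in-memory store; this is not the PR's PasswordOAuthProvider."""

    def __init__(self, password: str, now: Callable[[], float] = time.monotonic):
        self._password = password.encode()
        self._now = now                       # injectable clock so expiry can be tested deterministically
        self._pending: Dict[str, PendingAuthRequest] = {}
        self._codes: Dict[str, str] = {}      # auth code -> client_id, consumed on first use

    def begin(self, client_id: str, redirect_uri: str) -> str:
        """Create a pending request and return its opaque id (carried in the login form)."""
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = PendingAuthRequest(client_id, redirect_uri, self._now())
        return request_id

    def _live(self, request_id: str) -> Optional[PendingAuthRequest]:
        req = self._pending.get(request_id)
        if req is None or req.invalidated:
            return None
        if self._now() - req.created_at > PENDING_TTL_SECONDS:
            del self._pending[request_id]     # expired: discard rather than honour it
            return None
        return req

    def submit_password(self, request_id: str, supplied: str) -> Optional[str]:
        """Return an authorization code on success; None on wrong password, expiry or lockout."""
        req = self._live(request_id)
        if req is None:
            return None
        # Constant-time comparison so response timing does not reveal how many leading bytes matched.
        if secrets.compare_digest(self._password, supplied.encode()):
            del self._pending[request_id]
            code = secrets.token_urlsafe(32)
            self._codes[code] = req.client_id
            return code
        req.failed_attempts += 1
        if req.failed_attempts >= MAX_FAILED_ATTEMPTS:
            req.invalidated = True            # lockout: this request can never succeed again
        return None

    def redeem_code(self, code: str) -> Optional[str]:
        """Exchange a code for its client_id exactly once; a replay returns None."""
        return self._codes.pop(code, None)


def render_login_page(request_id: str, client_id: str, error: Optional[str] = None) -> str:
    """Build the login form, escaping every value that originated in a request."""
    error_html = f"<p class=\"error\">{html.escape(error)}</p>" if error else ""
    return (
        "<form method=\"post\">"
        f"<input type=\"hidden\" name=\"request_id\" value=\"{html.escape(request_id)}\">"
        f"<p>Authorize client {html.escape(client_id)}</p>"
        "<input type=\"password\" name=\"password\" autocomplete=\"current-password\">"
        f"{error_html}"
        "<button type=\"submit\">Sign in</button>"
        "</form>"
    )
```

The lockout is scoped to the pending authorization request, matching the PR's wording ("5 failed attempts invalidates the auth request"): after the fifth failure the request is marked invalidated and even the correct password no longer yields a code, so a client has to start a fresh /authorize round trip. Codes live in a dict that is popped on redemption, which is what makes them single-use; an expired pending request is deleted on first touch rather than left to be honoured late.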


Linked issue: feat(auth): OAuth 2.1 support for remote MCP deployments (Cloud Run, etc.)
