Extend unmanaged OAuth flow to drive code exchange in-process

[trungutt]

Why

The current unmanaged OAuth flow (WithManagedOAuth(false), added in #830 by @rumpl) emits an elicitation carrying only authorization-server metadata and expects the connected client to:

1. Generate PKCE + state
2. Run Dynamic Client Registration if needed
3. Open the browser
4. Run a callback server (or use a deeplink)
5. Exchange the code for a token at the auth server's token endpoint
6. Return the resulting {access_token, refresh_token, …} via ResumeElicitation

That contract works fine when the client is a Go process (the CLI mirror at pkg/runtime/remote_runtime.go:handleOAuthElicitation reuses the same helpers). It is a poor fit for hosts that want to be thin couriers, such as an Electron app delivering the OAuth callback via a custom URI scheme deeplink: every such host ends up re-implementing PKCE / DCR / token exchange in the host language.

This PR extends the unmanaged flow with an opt-in sub-behavior where the runtime drives everything itself and the client just relays the deeplink payload back.

What changes

A new server-level flag — --mcp-oauth-redirect-uri=<URL> (also MCPOAuthRedirectURI on RuntimeConfig and WithUnmanagedOAuthRedirectURI on the runtime). When set, handleUnmanagedOAuthFlow:

• Generates state + PKCE in-process
• Runs DCR if the auth server advertises a registration endpoint (or uses the per-toolset clientId/clientSecret from RemoteOAuthConfig)
• Builds the full authorize URL with the configured redirect_uri
• Emits an elicitation whose Meta includes:
  • cagent/authorize_url — URL the client should open in the browser
  • cagent/state — state value the client must echo back
  • plus the existing cagent/server_url, auth_server, auth_server_metadata, resource_metadata
• Accepts {code, state} as a ResumeElicitation payload, verifies state in constant time, exchanges the code at the token endpoint (same redirect_uri per RFC 6749 §4.1.3), and stores the resulting token in the keychain with client credentials stamped on for silent refresh

When the flag is not set, the elicitation shape stays identical to today and the runtime expects the legacy {access_token, …} reply. CLI-mirror clients continue to work unchanged.

The new path also accepts the legacy {access_token, …} reply, so a client that prefers to do the exchange itself (despite docker-agent offering an authorize_url) is still free to.

A per-toolset RemoteOAuthConfig.CallbackRedirectURL overrides the runtime-wide flag for that toolset.

What docker-agent does NOT know

Per the OSS/proprietary boundary discussion, none of the host-specific bits leak into the runtime:

• The bouncer URL is opaque: docker-agent just embeds whatever string you pass into the authorize URL and re-sends the same string at the token endpoint
• No mention of any specific deeplink scheme, host application, or product anywhere in the code path
• A third party building an Electron / web / IDE host can set the flag to their own redirect URI and the runtime works the same way

Companion changes (other repos)

• docker/ai#610 (merged): a generic HTTPS bouncer that 302s into a custom URI scheme. The specific bouncer URL belongs to the host, not the runtime.
• docker/pinata#41190: registers a docker-desktop://... deeplink in Docker Desktop's custom URL handler.
• docker/pinata#41192: wires the Authenticate / Cancel buttons in Gordon's OAuth dialog. After this docker-agent PR ships, those buttons can drive the new contract.

Tests

pkg/tools/mcp/oauth_test.go gets six new tests:

• TestUnmanagedOAuthFlow_DriveFlow_ExchangesCodeForToken — happy path: docker-agent emits authorize_url + state, client returns {code, state}, docker-agent exchanges the code (asserts RFC 6749 §4.1.3 redirect_uri parity at the token endpoint), token stored with client credentials.
• TestUnmanagedOAuthFlow_DriveFlow_RejectsStateMismatch — CSRF check: token endpoint must not be hit if state doesn't match.
• TestUnmanagedOAuthFlow_DriveFlow_AcceptsLegacyAccessTokenReply — back-compat: client may still return {access_token, …} on the new path.
• TestUnmanagedOAuthFlow_LegacyMode_NoAuthorizeURLInElicitation — when the flag is empty, the elicitation does not carry cagent/authorize_url / cagent/state.
• TestUnmanagedOAuthFlow_LegacyMode_RejectsCodeStateReply — defensive: a {code, state} reply with no flag set is an error (no stored verifier to exchange with).
• TestUnmanagedRedirectURI_PerToolsetTakesPrecedence — RemoteOAuthConfig.CallbackRedirectURL overrides the runtime-wide flag.

Existing OAuth tests untouched and still pass.

Backwards compatibility

• The legacy unmanaged contract ({access_token, …} reply) is preserved verbatim when the flag is empty.
• OAuthCapable gains a new method SetUnmanagedOAuthRedirectURI. All in-tree implementations updated (pkg/tools/mcp/{mcp,remote,session_client}.go, pkg/tools/builtin/mcpcatalog). External OAuthCapable implementations (if any) will need the same one-line addition; for stdio-style toolsets the implementation is a no-op.
• The CLI mirror at pkg/runtime/remote_runtime.go:handleOAuthElicitation is untouched and continues to read cagent/server_url only; the new meta keys are additive and harmless to legacy readers.

Docs

docs/features/remote-mcp/index.md gets a new "Unmanaged OAuth flow (server mode)" section describing both sub-behaviors and the elicitation meta keys.