feat(auth): migrate to gitea.d-ma.be/mathias/mcp-chassis v0.1.0

First real port of the MCP chassis library — abort-criterion check for
spike S3 of the 2026-05 homelab architecture review.

Changes:
- Drop internal/auth/jwt.go (~79 LOC) — chassis provides JWTValidator
  with identical signature.
- Drop internal/auth/bearer.go (~42 LOC) — chassis BearerMiddleware
  has the same static-or-JWT semantics plus an optional WWW-Authenticate
  resource_metadata challenge (consumed via new resourceMetadataURL arg).
- Drop internal/auth/bearer_test.go — same scenarios are covered in
  the chassis bearer_test.go now.
- main.go: import chassis as `chassisauth`, build resourceMetadataURL
  only when both DexIssuerURL + MCPResourceURL are set, replace the
  inline /.well-known/oauth-protected-resource handler with the chassis
  ProtectedResourceHandler.

internal/auth/caller.go (oauth2-proxy header → context) stays — chassis
out-of-scope.

Net LOC change: -~150 LOC duplicated infra + a 5-LOC import.
go.mod gains gitea.d-ma.be/mathias/mcp-chassis v0.1.0 (jwx/v2 + testify
already transitive, no new top-level deps).

Verifies abort criterion: one PR, one binary's worth of port, task check
green (lint + test + vet + govulncheck clean). Per the S3 spike spec,
this clears the chassis to continue. Next port: hyperguild/ingestion
(brain-mcp), filed as a follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cmd/gitea-mcp/main.go

@@ -2,10 +2,12 @@ package main
 
 import (
 	"context"
-	"encoding/json"
 	"log/slog"
 	"net/http"
 	"os"
+	"strings"
+
+	chassisauth "gitea.d-ma.be/mathias/mcp-chassis/auth"
 
 	"gitea.d-ma.be/mathias/gitea-mcp/internal/allowlist"
 	"gitea.d-ma.be/mathias/gitea-mcp/internal/auth"
@@ -27,7 +29,7 @@ func main() {
 
 	ctx := context.Background()
 
-	jwtValidator, err := auth.NewJWTValidator(ctx, cfg.DexIssuerURL, cfg.MCPAudience)
+	jwtValidator, err := chassisauth.NewJWTValidator(ctx, cfg.DexIssuerURL, cfg.MCPAudience)
 	if err != nil {
 		logger.Warn("jwt validator init failed; JWT auth disabled", "err", err)
 	}
@@ -78,9 +80,17 @@ func main() {
 		Sessions: mcp.NewSessionStore(),
 	})
 
+	// resourceMetadataURL is only emitted in the WWW-Authenticate challenge
+	// when both MCPResourceURL and a Dex issuer are wired; empty disables
+	// the challenge so static-only clients aren't pushed into OAuth discovery.
+	var resourceMetadataURL string
+	if cfg.MCPResourceURL != "" && cfg.DexIssuerURL != "" {
+		resourceMetadataURL = strings.TrimRight(cfg.MCPResourceURL, "/") + "/.well-known/oauth-protected-resource"
+	}
+
 	mux := http.NewServeMux()
 	mux.Handle("/mcp", mcp.OriginAllowlist(cfg.OriginAllowlist)(
-		auth.BearerMiddleware(jwtValidator, cfg.StaticToken,
+		chassisauth.BearerMiddleware(cfg.StaticToken, jwtValidator, "gitea", resourceMetadataURL,
 			auth.CallerMiddleware(mcpSrv),
 		),
 	))
@@ -88,21 +98,10 @@ func main() {
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte("ok"))
 	})
-	mux.HandleFunc("/.well-known/oauth-protected-resource", func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != http.MethodGet {
-			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-			return
-		}
-		w.Header().Set("Content-Type", "application/json")
-		payload := map[string]any{
-			"resource":             cfg.MCPResourceURL,
-			"authorization_servers": []string{},
-		}
-		if cfg.DexIssuerURL != "" {
-			payload["authorization_servers"] = []string{cfg.DexIssuerURL}
-		}
-		_ = json.NewEncoder(w).Encode(payload)
-	})
+	if cfg.DexIssuerURL != "" {
+		mux.HandleFunc("GET /.well-known/oauth-protected-resource",
+			chassisauth.ProtectedResourceHandler(cfg.MCPResourceURL, cfg.DexIssuerURL))
+	}
 
 	addr := ":" + cfg.Port
 	logger.Info("gitea-mcp starting", "addr", addr, "version", "0.1.0")