fix(mcp): address remaining code review findings for RBAC tool visibility

- app.py: clarify execute_sql requires SQL Lab access (not write access)
  in both the instructions preamble and Permission Awareness section
- auth.py: add log_denial param to check_tool_permission() to suppress
  noisy WARNING logs during tools/list scanning; downgrade "No authenticated
  user found" from ERROR to DEBUG in _setup_user_context
- middleware.py: fail completely closed (return []) on credential failures
  instead of returning tools with no class_permission_name, which could
  include protect=True tools requiring auth; remove _public_tools_only helper
- server.py: catch PermissionError (invalid API key) in addition to
  ValueError in _tool_allowed_for_current_user
- tests: add tests for fail-closed branches (PermissionError, bad ValueError,
  and no-auth-configured ValueError in RBACToolVisibilityMiddleware)