fix(mcp): include scope in clientMetadata and add callbackPort option

Two related OAuth issues with remote MCP servers:

1. `scope` config field was accepted but never propagated to
   `clientMetadata`. The MCP SDK uses `clientMetadata.scope` as its
   last-resort fallback when neither the WWW-Authenticate header nor
   the Protected Resource Metadata (scopes_supported) advertise scopes.
   For servers whose metadata returns no scopes (e.g. AWS Bedrock
   AgentCore), the authorization request was sent with no scope
   parameter, causing IdPs such as Okta to reject with
   "No scopes were requested."

2. The callback port was hardcoded to 19876 with no way to override it
   short of providing a full `redirectUri`. Added `callbackPort` as a
   shorthand in the OAuth config — when set it constructs the redirect
   URI as `http://127.0.0.1:<callbackPort>/mcp/oauth/callback`.
   `redirectUri` still takes precedence if both are provided.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>