feat(mcp): multi-tenant Entra ID validation (#2629)
* feat(mcp): multi-tenant Entra ID validation
Detect inbound Entra v2 tokens by issuer pattern, fetch per-teamspace
configuration (tenantId, audience, requiredScope) from the Context7
app, and verify the token against the matching tenant's JWKS. The MCP
server only validates — user resolution happens in the app middleware
against the entra_user_mappings table.
Per-tenant JWKS cache and a 5-minute in-memory config cache keyed by
JWT audience reduce overhead under load.
* fix(mcp): prettier formatting + refresh changeset
Resolves prettier/eslint errors blocking the test workflow, and refreshes
the changeset to match the actual MCP-side behavior (validate only; user
resolution lives in the app middleware).
* fix(mcp): only negative-cache 404 responses, not transient errors
Address review: caching null under the same 5-minute TTL on every failure
mode meant one transient blip (5xx, network error, JSON parse error) locked
every Entra token for that audience out of the server for 5 minutes with a
misleading "Unknown audience" message.
Now only the authoritative 404 ("audience not configured") is cached as
null. 5xx, network errors, and parse errors fall through without caching
so the next request retries.
Fahreddin Özcan committed
1fb2d421276f5ee588007a3620f0f397fc6ee816
Parent: 7e956e5
Committed by GitHub <noreply@github.com>
on 6/1/2026, 11:15:09 AM
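The caching rule described in the third message (negative-cache only the authoritative 404, let 5xx, network and parse errors fall through so the next request retries, 5-minute TTL keyed by JWT audience) as an added example. This is not the Context7 project's code: the `TenantConfig` shape, the `FetchResult` discriminated union, the `makeScriptedFetcher` helper and the sample audiences are assumptions, and the config lookup is modelled synchronously so the scenario can be stepped through without a network.

```typescript
// Added example (not Context7's code). Models the MCP-side per-audience config
// cache: a 5-minute TTL for both positive entries and the authoritative
// "audience not configured" (404) answer, while transient failures are never
// cached so the very next request retries instead of being locked out.

// Assumed shape of the per-teamspace configuration returned by the app.
interface TenantConfig {
  tenantId: string;
  audience: string;
  requiredScope: string;
}

// Assumed outcome of one lookup against the app's config endpoint.
type FetchResult =
  | { kind: "ok"; config: TenantConfig }
  | { kind: "not_found" }                   // authoritative 404: safe to cache as null
  | { kind: "transient"; reason: string };  // 5xx / network / parse error: do not cache

type Fetcher = (audience: string) => FetchResult;

const CONFIG_TTL_MS = 5 * 60 * 1000;

interface CacheEntry {
  value: TenantConfig | null;  // null means "known to be unconfigured"
  expiresAt: number;
}

class TenantConfigCache {
  private entries: Map<string, CacheEntry> = new Map();
  private fetcher: Fetcher;
  private now: () => number;
  fetchCount = 0;  // observable so the retry / cache-hit behaviour can be checked

  constructor(fetcher: Fetcher, now: () => number = Date.now) {
    this.fetcher = fetcher;
    this.now = now;
  }

  // Returns the config, null for an unconfigured audience, or throws on a
  // transient failure so callers can tell "unknown audience" from "config
  // service unreachable" and report it accurately.
  get(audience: string): TenantConfig | null {
    const hit = this.entries.get(audience);
    if (hit && hit.expiresAt > this.now()) return hit.value;

    this.fetchCount++;
    const result = this.fetcher(audience);
    if (result.kind === "ok") {
      this.entries.set(audience, { value: result.config, expiresAt: this.now() + CONFIG_TTL_MS });
      return result.config;
    }
    if (result.kind === "not_found") {
      // Only the authoritative 404 is negative-cached.
      this.entries.set(audience, { value: null, expiresAt: this.now() + CONFIG_TTL_MS });
      return null;
    }
    // Transient: leave the cache untouched; the next call will retry.
    throw new Error(`tenant config lookup failed (${result.reason}); will retry`);
  }
}

// Constructed scripted fetcher: each audience gets a queue of results; the last
// result repeats once the queue is exhausted.
function makeScriptedFetcher(script: Record<string, FetchResult[]>): Fetcher {
  return (audience) => {
    const queue = script[audience] ?? [];
    if (queue.length === 0) return { kind: "not_found" };
    return queue.length > 1 ? queue.shift()! : queue[0];
  };
}

// Constructed scenario: one audience fails with a 503 once and then succeeds;
// another is authoritatively unknown. A fake clock drives TTL expiry.
function demo(): { afterTransient: string; retried: boolean; fetchesBeforeExpiry: number; fetchesAfterExpiry: number } {
  let clock = 0;
  const cfg: TenantConfig = {
    tenantId: "00000000-0000-0000-0000-000000000000",  // placeholder tenant id
    audience: "api://example",
    requiredScope: "access_as_user",
  };
  const cache = new TenantConfigCache(
    makeScriptedFetcher({
      "api://example": [{ kind: "transient", reason: "HTTP 503" }, { kind: "ok", config: cfg }],
      "api://unknown": [{ kind: "not_found" }],
    }),
    () => clock,
  );

  let afterTransient = "";
  try {
    cache.get("api://example");            // 503: surfaced, not cached
  } catch (e) {
    afterTransient = (e as Error).message;
  }
  const second = cache.get("api://example"); // retried immediately and succeeded
  const retried = second !== null && second.tenantId === cfg.tenantId;

  cache.get("api://unknown");                // 404: cached as null
  cache.get("api://unknown");                // served from the negative cache
  const fetchesBeforeExpiry = cache.fetchCount;

  clock = CONFIG_TTL_MS + 1;                 // TTL elapsed: unknown audience re-fetched
  cache.get("api://unknown");
  return { afterTransient, retried, fetchesBeforeExpiry, fetchesAfterExpiry: cache.fetchCount };
}
```

The design point is the asymmetry: a 404 is the app saying "no such audience", which is stable enough to remember for the TTL, whereas a 5xx or parse error says nothing about the audience, so remembering it would turn a single blip into a five-minute outage for every token carrying that `aud`.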