[HTTP AUTH SPIKE - do not merge yet] Add HTTP transport with Auth0 middleware and configuration updates

[keremgocen]

• adds temporary helper flags
• ResourceIdentifier in config now we try to validate it in JWT's registeredClaims (audience in auth0)
• fixes RFC 9728, the protected resource metadata header from Bearer realm= to Bearer resource_metadata=
• adds native corsMiddleware to allow all origins, we should disable this in main I think?
• updates golangic config to complain about unused stuff and todo notes

[Note] We are not planning to merge the extra auth flow endpoints apart from the changes in the handleProtectedResourceMetadata. This PR is for the rest of the team to test the auth changes locally.

[irene221b]

	// Redirect to Auth0 callback endpoint (typically not used, but for completeness)
	auth0URL := fmt.Sprintf("https://%s/login/callback?%s", s.config.Auth0Domain, r.URL.RawQuery)

How restricted is r.URL.RawQuery is? Can someone set it to ?#redirect=www.fake-target.site to achieve a redirect here?

[keremgocen]

How restricted is r.URL.RawQuery is? Can someone set it to ?#redirect=www.fake-target.site to achieve a redirect here?

Good call, as of now, it looks like both /authorize and /callback handlers are vulnerable to open redirect attacks, but we are not planning to merge these changes to main.

According to the MCP authorisation spec I was only expecting to implement the GET /.well-known/oauth-protected-resource endpoint, which returns the protected resource metadata per RFC9728. But I noticed vscode MCP client is actually calling these auth flow endpoints on the MCP server as well (it should call the auth server directly). We are trying to figure out why and if there's anything missing with our config, so hopefully everything in this PR apart from the resource metadata endpoint will be deleted.

(meanwhile I'll convert this PR to draft as well, thanks for the security ping😂)