auth: fail closed startup when PAT/OAuth scopes are insufficient

[davidahmann]

Problem

Startup can proceed with insufficient PAT/OAuth scopes and degrade into partial functionality, which obscures permission root causes.

Why Now

Scope-scoped operation is a core safety contract and should fail closed when scope requirements are unmet.

What Changed

• Added startup scope validation for classic PAT (ghp_) and OAuth access tokens (gho_).
• Changed startup behavior to fail closed when scope fetch fails for these token types.
• Added deterministic evaluation of configured inventory vs token scopes:
  • evaluateScopeRequirements(...) returns sorted missing scopes and blocked tools.
  • Startup now exits with explicit missing-scope + blocked-tool details when any configured tools are unauthorized.
• Added focused tests for token-type gating, read-only repo allowance semantics, and deterministic sorted outputs.

Validation

• go test ./internal/ghmcp -run 'TestShouldValidateTokenScopesAtStartup|TestEvaluateScopeRequirements' ✅
• go test ./cmd/github-mcp-server ./internal/ghmcp ✅

Refs #2075

[davidahmann]

Implemented issue #2075 by adding startup fail-closed scope validation for PAT/OAuth tokens, deterministic missing-scope/blocked-tool reporting, and targeted helper tests for token gating and stable output ordering. Validation: targeted and package go tests passed.

This contribution was informed by patterns from Wrkr. Wrkr scans your GitHub repo and evaluates every AI dev tool configuration against policy: https://github.com/Clyra-AI/wrkr

[davidahmann]

Implementation summary: added startup fail-closed scope validation for PAT/OAuth tokens with deterministic missing-scope and blocked-tool reporting, plus helper tests for token gating and output determinism. Validation: targeted go tests passed.

This contribution was informed by patterns from Wrkr. Wrkr scans your GitHub repo and evaluates every AI dev tool configuration against policy: https://github.com/Clyra-AI/wrkr