✨ Add OAuth functionality, MCP tools, and feature tests

- 🔒 Added migrations for `oauth_access_tokens`, `oauth_refresh_tokens`, `oauth_auth_codes`, `oauth_clients`, and `oauth_device_codes`.
- 🤖 Created MCP tools (Meetups, Cities, Venues, Courses, Lecturers) for managing entities with authentication and validation.
- 🛠️ Implemented Passport-backed OAuth API guard configuration and validation endpoints.
- ✅ Added comprehensive feature tests for MCP tools and OAuth functionality (access control, validation, and token-based authentication).

tests/Feature/Mcp/OAuthMcpTest.php

@@ -0,0 +1,99 @@
+<?php
+
+use App\Models\User;
+use Laravel\Passport\Passport;
+
+it('configures the passport-backed api guard', function () {
+    expect(config('auth.guards.api.driver'))->toBe('passport');
+});
+
+it('exposes protected-resource discovery metadata', function () {
+    $this->getJson('/.well-known/oauth-protected-resource')
+        ->assertOk()
+        ->assertJsonStructure(['resource', 'authorization_servers', 'scopes_supported'])
+        ->assertJsonPath('scopes_supported', ['mcp:use']);
+});
+
+it('exposes authorization-server discovery metadata pointing at passport', function () {
+    $this->getJson('/.well-known/oauth-authorization-server')
+        ->assertOk()
+        ->assertJsonPath('authorization_endpoint', route('passport.authorizations.authorize'))
+        ->assertJsonPath('token_endpoint', route('passport.token'))
+        ->assertJsonPath('scopes_supported', ['mcp:use'])
+        ->assertJsonPath('code_challenge_methods_supported', ['S256'])
+        ->assertJsonPath('grant_types_supported', ['authorization_code', 'refresh_token']);
+});
+
+it('returns 401 with an OAuth discovery WWW-Authenticate header for guests', function () {
+    $response = $this->postJson('/mcp', [
+        'jsonrpc' => '2.0',
+        'id' => 1,
+        'method' => 'tools/list',
+    ]);
+
+    $response->assertUnauthorized();
+    expect($response->headers->get('WWW-Authenticate'))
+        ->toContain('resource_metadata=')
+        ->toContain('oauth-protected-resource');
+});
+
+it('lets a permitted client register dynamically', function () {
+    $this->postJson('/oauth/register', [
+        'client_name' => 'Claude',
+        'redirect_uris' => ['https://claude.ai/api/mcp/auth_callback'],
+    ])
+        ->assertOk()
+        ->assertJsonStructure(['client_id', 'redirect_uris', 'scope'])
+        ->assertJsonPath('scope', 'mcp:use');
+});
+
+it('rejects dynamic registration from a disallowed redirect domain', function () {
+    $this->postJson('/oauth/register', [
+        'client_name' => 'Evil',
+        'redirect_uris' => ['https://evil.example/callback'],
+    ])
+        ->assertStatus(400)
+        ->assertJsonPath('error', 'invalid_redirect_uri');
+});
+
+it('authenticates the mcp endpoint via a passport oauth token', function () {
+    Passport::actingAs(User::factory()->create(), ['mcp:use']);
+
+    $response = $this->postJson('/mcp', [
+        'jsonrpc' => '2.0',
+        'id' => 1,
+        'method' => 'ping',
+    ]);
+
+    $response->assertSuccessful();
+    expect($response->headers->get('WWW-Authenticate'))->toBeNull();
+});
+
+it('still authenticates the mcp endpoint via a static sanctum token', function () {
+    $token = User::factory()->create()->createToken('claude-code')->plainTextToken;
+
+    $response = $this->withToken($token)->postJson('/mcp', [
+        'jsonrpc' => '2.0',
+        'id' => 1,
+        'method' => 'ping',
+    ]);
+
+    $response->assertSuccessful();
+});
+
+it('rejects a passport token that lacks the mcp:use scope', function () {
+    Passport::actingAs(User::factory()->create(), []);
+
+    $this->postJson('/mcp', [
+        'jsonrpc' => '2.0',
+        'id' => 1,
+        'method' => 'ping',
+    ])->assertForbidden();
+});
+
+it('rejects an authorize request that uses plain PKCE instead of S256', function () {
+    $this->actingAs(User::factory()->create());
+
+    $this->get('/oauth/authorize?response_type=code&client_id=1&redirect_uri=https%3A%2F%2Fclaude.ai%2Fcb&code_challenge=abc123&code_challenge_method=plain')
+        ->assertStatus(400);
+});