OAuth2 MCP Server Authentication

External MCP server connections now support standard OAuth2 authorization code flows with PKCE, metadata discovery, and encrypted credential storage. Runtype refreshes tokens proactively and retries once on 401s, so saved MCP tools keep working in normal execution paths without manual re-auth.

This makes it much easier to connect enterprise or vendor-hosted MCP servers that sit behind modern OAuth providers.