feat(secrets-mcp): MCP 请求日志、探测 404 与资源元数据

- 新增 logging 中间件：记录 client_ip、ua、JSON-RPC、tool 等
- tools 各入口/出口结构化日志
- 探测型 404（/.well-known、GET /mcp）降为 debug
- /.well-known/oauth-protected-resource 最小元数据
- secrets-mcp 0.1.11

Made-with: Cursor

crates/secrets-mcp/src/web.rs

@@ -117,6 +117,10 @@ pub fn web_router() -> Router<AppState> {
             "/favicon.ico",
             get(|| async { Redirect::permanent("/favicon.svg") }),
         )
+        .route(
+            "/.well-known/oauth-protected-resource",
+            get(oauth_protected_resource_metadata),
+        )
         .route("/", get(login_page))
         .route("/auth/google", get(auth_google))
         .route("/auth/google/callback", get(auth_google_callback))
@@ -626,6 +630,28 @@ async fn api_apikey_regenerate(
     Ok(Json(ApiKeyResponse { api_key }))
 }
 
+// ── OAuth / Well-known ────────────────────────────────────────────────────────
+
+/// RFC 9728 — OAuth 2.0 Protected Resource Metadata.
+///
+/// Advertises that this server accepts Bearer tokens in the `Authorization`
+/// header.  We deliberately omit `authorization_servers` because this service
+/// issues its own API keys (no external OAuth AS is involved).  MCP clients
+/// that probe this endpoint will see the resource identifier and stop looking
+/// for a delegated OAuth flow.
+async fn oauth_protected_resource_metadata(State(state): State<AppState>) -> impl IntoResponse {
+    let body = serde_json::json!({
+        "resource": state.base_url,
+        "bearer_methods_supported": ["header"],
+        "resource_documentation": format!("{}/dashboard", state.base_url),
+    });
+    (
+        StatusCode::OK,
+        [(header::CONTENT_TYPE, "application/json")],
+        axum::Json(body),
+    )
+}
+
 // ── Helper ────────────────────────────────────────────────────────────────────
 
 fn render_template<T: Template>(tmpl: T) -> Result<Response, StatusCode> {