feat(auth): implement OAuth 2.0 authorization code flow and dynamic client registration

- Add OAuth 2.0 support with authorization code flow and dynamic client registration.
- Introduce new handlers for OAuth metadata, client registration, authorization, and token issuance.
- Enhance authentication middleware to support OAuth client credentials.
- Create in-memory stores for authorization codes and tokens.
- Update configuration to include OAuth client details.
- Ensure validation checks for OAuth clients in the configuration.

README.md

@@ -47,7 +47,28 @@ A Go MCP server for capturing and retrieving thoughts, memory, and project conte
 Config is YAML-driven. Copy `configs/config.example.yaml` and set:
 
 - `database.url` — Postgres connection string
-- `auth.keys` — API keys for MCP endpoint access via `x-brain-key` or `Authorization: Bearer <key>`
+- `auth.mode` — `api_keys` or `oauth_client_credentials`
+- `auth.keys` — API keys for MCP access via `x-brain-key` or `Authorization: Bearer <key>` when `auth.mode=api_keys`
+- `auth.oauth.clients` — client registry when `auth.mode=oauth_client_credentials`
+
+**OAuth Client Credentials flow** (`auth.mode=oauth_client_credentials`):
+
+1. Obtain a token — `POST /oauth/token` (public, no auth required):
+   ```
+   POST /oauth/token
+   Content-Type: application/x-www-form-urlencoded
+   Authorization: Basic base64(client_id:client_secret)
+
+   grant_type=client_credentials
+   ```
+   Returns: `{"access_token": "...", "token_type": "bearer", "expires_in": 3600}`
+
+2. Use the token on the MCP endpoint:
+   ```
+   Authorization: Bearer <access_token>
+   ```
+
+Alternatively, pass `client_id` and `client_secret` as body parameters instead of `Authorization: Basic`. Direct `Authorization: Basic` credential validation on the MCP endpoint is also supported as a fallback (no token required).
 - `ai.litellm.base_url` and `ai.litellm.api_key` — LiteLLM proxy
 - `ai.ollama.base_url` and `ai.ollama.api_key` — Ollama local or remote server