actual-oauth-proxy (OAuth 2.1 protected)
Endpoints:
  POST /mcp        — MCP Streamable HTTP (requires OAuth bearer)
  GET  /authorize  — OAuth 2.1 authorization (admin-gated via /interaction)
  POST /token      — Token endpoint
  POST /register   — Dynamic Client Registration
  GET  /.well-known/oauth-authorization-server
  GET  /health     — Health probe