fix(mcp): include scope in OAuth authorization URL for pre-registered clients #29219

Open
lexlian wants to merge 1 commit into anomalyco:dev from lexlian:fix/mcp-oauth-scope-pre-registered

@lexlian lexlian commented May 25, 2026

Issue for this PR

Closes #28895

Type of change

  • Bug fix

What does this PR do?

When running opencode mcp auth <name> for a remote MCP server with a pre-registered OAuth client (oauth.clientId + oauth.scope), the generated authorization URL drops the scope parameter. This is because SDK v1.27.1 does not fall back to clientMetadata.scope when building the auth URL for pre-registered clients — the scope only appears in the WWW-Authenticate header, PRM scopes_supported, or in SDK v2+.

The fix augments the authorization URL in McpOAuthProvider.redirectToAuthorization before the redirect callback fires. A guard (!url.searchParams.has("scope")) ensures we don't duplicate scope once the SDK is upgraded.

This single change covers both the startAuth (CLI auth) and connectRemote (runtime connection) code paths since both use the same redirectToAuthorization method.

How did you verify your code works?

  • Added 7 new unit tests covering: scope appending, SDK upgrade guard (no duplication), empty string scope, multi-space scope encoding, URLs with no query params, and existing param preservation
  • All 51 MCP tests pass across 6 test files
  • Typecheck passes across all 15 packages

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR
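The guard described in this PR, sketched as an added example that is not the PR's code or the SDK's: it appends the configured scope only when the URL has none, and adds a check for configured scopes missing from the final URL. The function names, the sample endpoint and client values, and the whitespace normalization are assumptions made for illustration.

```typescript
// Added example; names are hypothetical and not taken from the opencode code base.

// RFC 6749 section 3.3: scope is a list of space-delimited tokens.
function parseScope(raw: string | null | undefined): string[] {
  return (raw ?? "").split(/\s+/).filter((t) => t.length > 0)
}

// Return a copy of the authorization URL that carries the configured scope,
// unless the URL already has a scope parameter (the guard from the PR).
function withConfiguredScope(authorizationUrl: URL, configuredScope?: string): URL {
  const url = new URL(authorizationUrl.toString())
  const tokens = parseScope(configuredScope)
  if (tokens.length === 0) return url // nothing configured, or empty string
  if (url.searchParams.has("scope")) return url // already set upstream: do not duplicate
  // Assumption: runs of whitespace are collapsed to single spaces before encoding.
  url.searchParams.set("scope", tokens.join(" "))
  return url
}

// Check for tests or logging: configured scopes that the final URL does not request.
function missingScopes(authorizationUrl: URL, configuredScope?: string): string[] {
  const requested = new Set(parseScope(authorizationUrl.searchParams.get("scope")))
  return parseScope(configuredScope).filter((t) => !requested.has(t))
}

// Constructed sample input: endpoint, client_id, state and scope values are placeholders.
const fromSdk = new URL(
  "https://auth.example.test/authorize?response_type=code&client_id=example-client&state=abc",
)
const configured = "mcp:read  mcp:write" // two spaces on purpose
const fixed = withConfiguredScope(fromSdk, configured)

console.log(missingScopes(fromSdk, configured)) // scopes dropped before the fix
console.log(missingScopes(fixed, configured)) // scopes still missing after the fix
console.log(fixed.toString())
```

Running `missingScopes` against the URL that is actually opened in the browser gives a regression check that keeps working after an SDK upgrade, whichever layer ends up setting the parameter.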

… clients

SDK v1.27.1 does not fall back to clientMetadata.scope when building the
authorization URL for pre-registered OAuth clients, causing configured scopes
to be dropped from the OAuth consent screen. Augment the URL in
redirectToAuthorization as a safeguard — the !has("scope") check prevents
duplication once the SDK is upgraded.

Closes anomalyco#28895
@github-actions
Contributor

ghost commented May 25, 2026

The following comment was made by an LLM, it may be inaccurate:

The searches primarily return the current PR (#29219) itself. PR #27068 appears in one result as a related MCP OAuth fix, but it's about RFC 8414 discovery which is a different issue. No duplicate PRs addressing the same scope parameter issue in OAuth authorization URLs were found.

No duplicate PRs found

Development

Successfully merging this pull request may close these issues.

MCP OAuth scope from config is ignored for pre-registered remote servers