feat: MCP server over SSE with OIDC auth

- Extract shared MCP tool handlers to mcp_common.py
- mcp_server.py now uses shared handlers (stdio transport for local dev)
- New routes/mcp.py: SSE transport behind existing OIDC Bearer auth
- Mount MCP ASGI app at /mcp in main.py when AI_FEATURES_ENABLED
- /mcp/sse  -> establishes SSE stream (requires valid token when auth enabled)
- /mcp/messages/ -> receives MCP client messages
- Update README with SSE MCP docs
- Add tests for mount existence, auth, and message routing

backend/tests/conftest.py

@@ -30,6 +30,7 @@ def client(mock_events_collection, mock_watermarks_collection, monkeypatch):
     monkeypatch.setattr("routes.fetch.get_watermark", lambda source: None)
     monkeypatch.setattr("routes.fetch.set_watermark", lambda source, ts: None)
     monkeypatch.setattr("auth.AUTH_ENABLED", False)
+    monkeypatch.setattr("routes.mcp.AUTH_ENABLED", False)
     monkeypatch.setattr("database.db.command", lambda cmd: {"ok": 1} if cmd == "ping" else {})
 
     # Mock audit trail and rules collections so tests don't wait on real MongoDB

backend/tests/test_api.py

@@ -36,6 +36,25 @@ print('OK')
     assert "OK" in result.stdout
 
 
+def test_mcp_sse_mount_exists():
+    from main import app
+
+    mcp_mounts = [r for r in app.routes if getattr(r, "path", "") == "/mcp"]
+    assert len(mcp_mounts) == 1, "MCP mount not found in app routes"
+
+
+def test_mcp_messages_no_session(client):
+    response = client.post("/mcp/messages/")
+    # MCP transport returns 400 when session_id is missing, 404 when session not found
+    assert response.status_code in (400, 404)
+
+
+def test_mcp_sse_auth_required_when_enabled(client, monkeypatch):
+    monkeypatch.setattr("routes.mcp.AUTH_ENABLED", True)
+    response = client.get("/mcp/sse")
+    assert response.status_code == 401
+
+
 def test_health(client):
     response = client.get("/health")
     assert response.status_code == 200