Support RFC 8414 path-based issuer discovery URLs#4406

Merged
jhrozek merged 1 commit into main from fix/rfc8414-discovery-routing, Mar 27, 2026

Conversation

@jhrozek (Contributor) commented Mar 27, 2026

Summary

  • PR #4348 (Add RegisterHandlers and wire embedded AS routes on vMCP mux) replaced
    the /.well-known/ catch-all mux pattern with explicit exact registrations to
    prevent the auth server from intercepting /.well-known/oauth-protected-resource
    (owned by the vMCP server). This inadvertently broke RFC 8414 Section 3.1
    discovery for path-based issuers: clients construct
    /.well-known/oauth-authorization-server/{issuer-path} but the exact pattern
    only matched /.well-known/oauth-authorization-server.
  • Register trailing-slash prefix variants on both the http.ServeMux (Routes())
    and chi router (WellKnownRoutes) so subpaths are routed to the discovery
    handlers.

Type of change

  • Bug fix

Test plan

  • Unit tests (task test)
  • Manual testing (describe below)

Verified end-to-end with a VirtualMCPServer deployed to a kind cluster
behind ngrok with a path-based issuer (https://toolhive.ngrok.app/inject-test).
Claude Code successfully discovered the auth server via
/.well-known/oauth-authorization-server/inject-test, completed the
multi-upstream OAuth flow (Okta + GitHub + Google), and called tools.

Changes

File                                            Change
pkg/authserver/runner/embeddedauthserver.go     Add trailing-slash prefix entries to Routes() for discovery paths
pkg/authserver/server/handlers/handler.go       Add wildcard chi routes for discovery handlers
pkg/authserver/runner/embeddedauthserver_test.go  Update TestRoutes expected count (4 → 6)

Special notes for reviewers

The regression was introduced in #4348 which correctly avoided a /.well-known/
catch-all but did not account for RFC 8414 Section 3.1 where clients insert
/.well-known/oauth-authorization-server before the issuer's path component.
This only manifests when the issuer has a path (e.g., multi-tenant deployments
behind a shared domain). Issuers at the domain root are unaffected.

Generated with Claude Code

PR #4348 (f64d807) replaced the /.well-known/ catch-all mux pattern
with explicit exact registrations to prevent the auth server from
intercepting /.well-known/oauth-protected-resource. This broke RFC 8414
Section 3.1 discovery for path-based issuers: clients construct
/.well-known/oauth-authorization-server/{issuer-path} but the exact
pattern only matched /.well-known/oauth-authorization-server.

Register trailing-slash prefix variants on both the http.ServeMux
(Routes()) and chi router (WellKnownRoutes) so subpaths are routed
to the discovery handlers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
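The description above rests on two mechanics: the RFC 8414 Section 3.1 rule that a client inserts /.well-known/oauth-authorization-server between the host and the issuer's path component, and the difference between an exact http.ServeMux pattern and its trailing-slash prefix variant. The Go program below is an added example written for this page, not code from the toolhive repository or from the PR's diff. It builds the discovery URL for a path-based issuer, registers the exact and prefix patterns on a plain http.ServeMux, and uses httptest to show that the subpath request is only routed once the prefix variant exists while the protected-resource path is left alone. The names DiscoveryURL, NewDiscoveryHandler, NewMux and Probe are hypothetical, the metadata endpoints are constructed, and the handler's check that the subpath equals the configured issuer's path is a hardening choice added here, not something the PR describes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// wellKnownAS is the RFC 8414 well-known path for authorization server metadata.
const wellKnownAS = "/.well-known/oauth-authorization-server"

// DiscoveryURL builds the RFC 8414 Section 3.1 metadata URL for an issuer: the
// well-known path is inserted between the host and the issuer's path component,
// so https://host/tenant becomes https://host/.well-known/oauth-authorization-server/tenant.
func DiscoveryURL(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", err
	}
	// RFC 8414 issuer identifiers are https URLs with no query or fragment.
	if u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("issuer %q must be an https URL without query or fragment", issuer)
	}
	u.Path = wellKnownAS + strings.TrimSuffix(u.Path, "/")
	return u.String(), nil
}

// NewDiscoveryHandler serves metadata for one configured issuer. A trailing-slash
// prefix route delivers every subpath to this handler, so the handler itself checks
// that the request path is exactly the issuer's discovery path and answers 404
// otherwise (hypothetical hardening added for this example, not part of the PR).
func NewDiscoveryHandler(issuer string) (http.Handler, error) {
	disc, err := DiscoveryURL(issuer)
	if err != nil {
		return nil, err
	}
	want, err := url.Parse(disc)
	if err != nil {
		return nil, err
	}
	base := strings.TrimSuffix(issuer, "/")
	metadata := map[string]string{ // constructed minimal metadata document
		"issuer":                 issuer,
		"authorization_endpoint": base + "/authorize",
		"token_endpoint":         base + "/token",
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != want.Path {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(metadata)
	}), nil
}

// NewMux registers the discovery handler the way the PR describes: the exact
// pattern for root issuers and, when withPrefix is true, the trailing-slash prefix
// variant that routes /.well-known/oauth-authorization-server/{issuer-path}.
// The protected-resource document keeps its own (stub) handler, which neither
// discovery pattern captures.
func NewMux(discovery http.Handler, withPrefix bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle(wellKnownAS, discovery)
	if withPrefix {
		mux.Handle(wellKnownAS+"/", discovery)
	}
	mux.HandleFunc("/.well-known/oauth-protected-resource", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(`{"resource":"https://example.invalid/vmcp"}`)) // constructed stub
	})
	return mux
}

// Probe returns the HTTP status the mux produces for a GET of path.
func Probe(mux *http.ServeMux, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	issuer := "https://toolhive.ngrok.app/inject-test" // path-based issuer from the PR's test plan
	disc, err := DiscoveryURL(issuer)
	if err != nil {
		panic(err)
	}
	fmt.Println("discovery URL:", disc)
	handler, err := NewDiscoveryHandler(issuer)
	if err != nil {
		panic(err)
	}
	subpath := wellKnownAS + "/inject-test"
	for _, withPrefix := range []bool{false, true} {
		fmt.Printf("prefix route=%-5v %s -> %d\n", withPrefix, subpath, Probe(NewMux(handler, withPrefix), subpath))
	}
	mux := NewMux(handler, true)
	fmt.Println("other tenant subpath ->", Probe(mux, wellKnownAS+"/other-tenant"))
	fmt.Println("protected resource   ->", Probe(mux, "/.well-known/oauth-protected-resource"))
}
```

Once the prefix pattern is registered, the router no longer decides which issuer paths exist; the handler does, which is why the example compares the full path against the configured issuer's discovery path and returns 404 for any other suffix. On the client side, RFC 8414 Section 3.3 additionally requires checking that the issuer value inside the returned metadata equals the issuer identifier the client started from, so a document served from an unexpected subpath is rejected even if a router is more permissive than this one.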
@github-actions github-actions bot added the size/XS label (Extra small PR: < 100 lines changed) Mar 27, 2026
@jhrozek jhrozek requested a review from tgrunnagle March 27, 2026 15:07
@codecov codecov bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.50%. Comparing base (d57d73b) to head (af368e1).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4406   +/-   ##
=======================================
  Coverage   69.49%   69.50%           
=======================================
  Files         485      485           
  Lines       49841    49845    +4     
=======================================
+ Hits        34638    34645    +7     
+ Misses      12528    12525    -3     
  Partials     2675     2675           


@jhrozek jhrozek merged commit e62f833 into main Mar 27, 2026
40 checks passed
@jhrozek jhrozek deleted the fix/rfc8414-discovery-routing branch March 27, 2026 15:36