Overview
The registry server currently has no authentication. We should integrate the authentication middleware from toolhive to support OAuth/OIDC validation.
This builds on top of PR #47's configuration management to allow auth settings to be configured via YAML.
What needs to be done
First, we need to add toolhive as a dependency (preferably as a Go module, but we can copy pkg/auth if needed). The Config struct in pkg/config/config.go should be extended to include auth configuration - things like whether auth is enabled, what mode to use (OIDC/local/anonymous for dev), which paths need protection, and the OIDC settings (issuer, audience, client ID, etc).
We'll need middleware that can handle different auth modes. For production, it should validate JWT tokens using the toolhive TokenValidator. For development, it should support local user or anonymous modes. The middleware needs to be path-aware so we can have some public endpoints (like /health and /docs) while protecting others.
The router setup will need updates to wire in the auth middleware and separate public from protected routes using Chi's route groups. Config should drive which paths require auth rather than hardcoding it.
Testing should cover the different auth modes and path protection logic, using the table-driven pattern we use elsewhere. Swagger annotations need security definitions added, and we should document how to configure auth for different OIDC providers.
Design notes
Auth should be optional - if not configured, it just doesn't run. Protected paths should come from config. Always keep /health, /docs, and /.well-known endpoints public. We're keeping it simple for now (no token exchange).
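The path-aware middleware from "What needs to be done" together with the always-public paths from the design notes, written out as an added example in plain net/http; this is not code from toolhive or this repository. `TokenValidator` is an assumed stand-in for toolhive's validator, the `AuthConfig` field names are assumed, and the real router would wire this through Chi route groups.

```go
package main

import (
	"net/http"
	"strings"
)

// AuthConfig mirrors the YAML-driven auth settings the issue proposes (field names assumed).
type AuthConfig struct {
	Enabled     bool
	Mode        string   // "oidc", "local" or "anonymous"
	PublicPaths []string // extra path prefixes that never require auth
}
// TokenValidator stands in for toolhive's validator; its real interface is not on the page.
type TokenValidator interface {
	Validate(token string) error
}
// ValidatorFunc adapts a plain function to TokenValidator (handy for tests).
type ValidatorFunc func(string) error
func (f ValidatorFunc) Validate(token string) error { return f(token) }

// alwaysPublic paths stay public whatever the config says, per the design notes.
var alwaysPublic = []string{"/health", "/docs", "/.well-known"}

// IsPublic reports whether a request path is exempt from authentication.
// Matching is per path segment, so "/healthz" is not covered by "/health".
func IsPublic(cfg AuthConfig, path string) bool {
	for _, p := range append(append([]string{}, alwaysPublic...), cfg.PublicPaths...) {
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// AuthMiddleware enforces cfg: disabled auth or anonymous mode lets every request through;
// otherwise non-public paths need a bearer token, which oidc mode hands to v. local mode is
// the dev shortcut where any bearer token is accepted as a local user (assumed behaviour).
func AuthMiddleware(cfg AuthConfig, v TokenValidator) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if cfg.Enabled && cfg.Mode != "anonymous" && !IsPublic(cfg, r.URL.Path) {
				auth := r.Header.Get("Authorization")
				token := strings.TrimPrefix(auth, "Bearer ")
				if !strings.HasPrefix(auth, "Bearer ") || (cfg.Mode == "oidc" && (v == nil || v.Validate(token) != nil)) {
					http.Error(w, "unauthorized", http.StatusUnauthorized)
					return
				}
			}
			next.ServeHTTP(w, r)
		})
	}
}
```

Table-driven tests over (mode, path, header) combinations map directly onto `AuthMiddleware` and `IsPublic`, which is the testing shape the issue asks for.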
Dependencies
Depends on #47