feat(mercata): add active-session Griphook MCP assistant UI + backend proxy

[bobsummerwill]

Summary

This PR introduces a first-party Mercata AI Assistant flow that reuses the user's active OAuth session and removes manual Griphook token copy/paste.

Scope

Backend (mercata/backend)

• Added POST /api/chat/mcp proxy endpoint.
• Proxy forwards authenticated req.accessToken as Authorization: Bearer <token> to Griphook MCP.
• Preserves MCP session continuity by forwarding mcp-session-id header in both directions.
• Added env config:
  • GRIPHOOK_MCP_URL (default: https://griphook.strato.nexus/mcp)
  • GRIPHOOK_MCP_TIMEOUT_MS (default: 30000)

Frontend (mercata/ui)

• Added new dashboard page: /dashboard/assistant.
• Added chat text window with:
  • MCP initialize flow
  • tool listing (/tools)
  • explicit tool calls (/call <tool> <json-args>)
  • simple read-only intent-to-tool mapping for quick UX.
• Added navigation entry in desktop sidebar and mobile More menu.

Why

• Removes user friction (no manual token handling).
• Keeps auth and token flow server-side.
• Uses existing Mercata auth middleware and session model.

Security / Auth Notes

• Endpoint is protected by existing authorizeRequest() middleware.
• Browser never stores/handles a separate Griphook refresh token.
• Session token is injected server-side at request time.

Testing

• Verified route/controller wiring and MCP request flow in code.
• Build checks attempted in this environment:
  • mercata/backend: npm run build failed because tsc is not installed in this runtime.
  • mercata/ui: npm run build fails due unrelated existing import issue (@stripe/crypto in OnrampPage.tsx).

Follow-ups

• Add server-side allowlist/guardrails for tool invocation policy.
• Improve conversational orchestration/summarization layer above direct tool calls.