feat(oauth): expose RFC 9728 protected resource metadata endpoint

Same fix as obsidian-mcp: Claude.ai needs PRM to know the resource
identifier and send RFC 8707 `resource` in /authorize requests.

Adds /.well-known/oauth-protected-resource. ResourceUrl is configurable
via Mcp__OAuthDiscovery__ResourceUrl, falling back to request authority
when unset.

Config/McpDiscoveryOptions.cs

@@ -1,8 +1,8 @@
 namespace GiteaMcp.Config;
 
 /// <summary>
-/// /.well-known/oauth-authorization-server 端点返回的静态元数据，
-/// 字段由 Mcp:OAuthDiscovery:* 配置项驱动。
+/// /.well-known/oauth-authorization-server + /.well-known/oauth-protected-resource
+/// 端点返回的元数据，字段由 Mcp:OAuthDiscovery:* 配置项驱动。
 /// </summary>
 public class McpDiscoveryOptions
 {
@@ -12,4 +12,11 @@ public class McpDiscoveryOptions
     public string AuthorizationEndpoint { get; set; } = "https://auth.zhengchentao.win/authorize";
     public string TokenEndpoint { get; set; } = "https://auth.zhengchentao.win/token";
     public string RegistrationEndpoint { get; set; } = "https://auth.zhengchentao.win/register";
+
+    /// <summary>
+    /// 本资源服务的标识符（RFC 9728 PRM 的 `resource` 字段，必须与 nas-auth
+    /// resources.json 里 gitea 条目的 resource_url 完全一致）。
+    /// 留空时 PRM 端点回退用请求的 `scheme://host`。
+    /// </summary>
+    public string ResourceUrl { get; set; } = string.Empty;
 }