feat(oauth): expose RFC 9728 protected resource metadata endpoint

Same fix as obsidian-mcp: Claude.ai needs PRM to know the resource
identifier and send RFC 8707 `resource` in /authorize requests.

Adds /.well-known/oauth-protected-resource. ResourceUrl is configurable
via Mcp__OAuthDiscovery__ResourceUrl, falling back to request authority
when unset.

Endpoints/DiscoveryEndpoints.cs

@@ -4,9 +4,11 @@ using Microsoft.Extensions.Options;
 namespace GiteaMcp.Endpoints;
 
 /// <summary>
-/// OAuth 2.0 Authorization Server Metadata（RFC 8414）端点。
-/// Claude.ai 在接入 custom connector 时会先访问 /.well-known/oauth-authorization-server，
-/// 根据返回的元数据找到 nas-auth 的 authorize / token / register 端点。
+/// 两个 well-known 端点：
+/// 1. /.well-known/oauth-authorization-server (RFC 8414)：指向 nas-auth。
+/// 2. /.well-known/oauth-protected-resource (RFC 9728)：声明本资源的 identifier
+///    + 指向哪个 AS。Claude.ai 读到 PRM 后会在 /authorize 请求里带
+///    resource=<identifier>，满足 nas-auth 的 RFC 8707 校验。
 /// </summary>
 public static class DiscoveryEndpoints
 {
@@ -28,6 +30,21 @@ public static class DiscoveryEndpoints
             });
         });
 
+        app.MapGet("/.well-known/oauth-protected-resource", (HttpContext ctx, IOptions<McpDiscoveryOptions> opts) =>
+        {
+            var o = opts.Value;
+            var resourceUrl = string.IsNullOrWhiteSpace(o.ResourceUrl)
+                ? $"{ctx.Request.Scheme}://{ctx.Request.Host}"
+                : o.ResourceUrl;
+            return Results.Ok(new
+            {
+                resource = resourceUrl,
+                authorization_servers = new[] { o.Issuer },
+                scopes_supported = new[] { "read:gitea" },
+                bearer_methods_supported = new[] { "header" },
+            });
+        });
+
         return app;
     }
 }