fix: preserve OAuth resource metadata URL across redirects#1429

Open
jstar0 wants to merge 1 commit into modelcontextprotocol:main from jstar0:fix/oauth-resource-metadata-redirect
Conversation

@jstar0 jstar0 commented Jun 4, 2026

Summary

Inspector can receive an explicit protected-resource metadata URL from an MCP server's OAuth challenge, but that URL is currently lost across the browser redirect. This causes mounted MCP servers to fall back to inferred metadata locations even when the server advertised the exact location to use.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Test updates

Changes Made

  • Preserve resource_metadata from OAuth challenges while an authorization flow is in progress.
  • Scope persisted metadata URLs by the complete configured MCP server URL and clear stale values before fresh connection attempts.
  • Restore the persisted URL during the OAuth callback authorization-code exchange.
  • Use proxy-forwarded upstream 401 challenge metadata during OAuth recovery, including 401 responses returned while an SSE transport is starting.
  • Probe the configured MCP endpoint first in the guided OAuth flow so an advertised 401 or 403 metadata URL can be used before inferred locations.
  • Add regression coverage for callback recovery, guided discovery, direct and proxy responses, proxy upstream 401 recovery, SSE startup 401 forwarding, cleanup, stale-state handling, and malformed challenges.

This builds on #924, which enabled transport-side challenge parsing. It is separate from #632's OAuth resource persistence, #1327's inferred subpath fallback, and #1342's callback proxy-fetch routing.

Related Issues

Fixes #576.

Testing

  • Added/updated automated tests

Verification

npm run prettier-check
npm run lint
npm test
npm run build
npm --workspace=client exec playwright test e2e -- --project=chromium --workers=1

Checklist

  • Code follows the style guidelines
  • Self-review completed
  • Code is commented where necessary
  • Documentation updated or not required

Breaking Changes

None.
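An added illustration of the persistence described above (not Inspector's own code, and not from this PR): parse `resource_metadata` from a 401 `WWW-Authenticate` challenge, store it keyed by the complete configured MCP server URL so it survives the OAuth redirect, restore it on callback, and clear it before a fresh attempt. The `store` argument stands in for `window.sessionStorage` (an assumption); the header and URLs are constructed samples.

```javascript
// Constructed key prefix; Inspector's real storage keys are not assumed here.
const STORAGE_PREFIX = "mcp-inspector:resource-metadata-url:";

// Extract the resource_metadata URL from a WWW-Authenticate header value.
// Returns null for a missing, malformed, or non-HTTP(S) value so a bad
// challenge never poisons the persisted state.
function parseResourceMetadataUrl(wwwAuthenticate) {
  if (typeof wwwAuthenticate !== "string") return null;
  const match =
    /resource_metadata\s*=\s*"([^"]*)"/i.exec(wwwAuthenticate) ??
    /resource_metadata\s*=\s*([^\s,]+)/i.exec(wwwAuthenticate);
  if (!match) return null;
  try {
    const url = new URL(match[1]);
    // http is tolerated for local development servers; anything else is rejected.
    return url.protocol === "https:" || url.protocol === "http:" ? url.href : null;
  } catch {
    return null;
  }
}

// Scope by the full server URL (path included), so two MCP servers mounted on
// the same origin do not share one metadata URL.
function storageKey(serverUrl) {
  return STORAGE_PREFIX + new URL(serverUrl).href;
}

// Called when the initial connection attempt receives the 401 challenge.
// Stale state from an earlier attempt is dropped before anything is stored.
function persistResourceMetadataUrl(store, serverUrl, challengeHeader) {
  clearResourceMetadataUrl(store, serverUrl);
  const url = parseResourceMetadataUrl(challengeHeader);
  if (url) store.setItem(storageKey(serverUrl), url);
  return url;
}

// Called on the OAuth callback page during the authorization-code exchange.
function restoreResourceMetadataUrl(store, serverUrl) {
  return store.getItem(storageKey(serverUrl));
}

function clearResourceMetadataUrl(store, serverUrl) {
  store.removeItem(storageKey(serverUrl));
}

// Minimal in-memory stand-in for sessionStorage so the example runs in Node.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, v),
    removeItem: (k) => m.delete(k),
  };
}
```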

Development

Successfully merging this pull request may close these issues.

[Auth] OAuth flow does not support resourceMetadataUrl