docs(mcp): Phase 1 — auth sandbox model

[erishforG]

무엇

• Add docs/mcp/auth.md with the MCP auth delegation contract, scope matrix, sandbox rules, threat model, and initial error codes.
• Update docs/mcp/spec.md next-phase wording to include sandbox rules.

왜

Refs #294 for the v1.0 MCP auth and sandbox track. This keeps the contract explicit before later implementation phases wire credential checks into src/mcp.

변경

• Document delegated PAT flow through McpContext instead of ambient environment credentials.
• Define per-tool GitHub token requirements and scope intent.
• Define repository-bound sandbox rules and threat mitigations.
• Add auth/sandbox error code seeds for future tools/call responses.

다음 Phase 힌트

• Add redacted credential helper types and scope metadata inside src/mcp/.
• Validate required auth before GitHub-backed tool dispatch.
• Add fixture scrub rules when tests/mcp recordings arrive.

리스크

Low: docs-only change under docs/mcp plus one spec wording update.

롤백

Revert this commit to remove the draft auth model and restore the previous phase wording.

Test plan

• cargo build --quiet
• cargo fmt --check
• cargo clippy --all-targets -- -D warnings
• cargo test --quiet

@erishforG