Enforce fail-closed startup when PAT/OAuth scope requirements are unmet

[davidahmann]

Problem
Insufficient scopes can lead to confusing partial functionality instead of explicit blocking.

Why now
Permission-scoped operation is a core safety expectation for the GitHub MCP server.

Current behavior is insufficient
Scope problems can surface late at tool-call time and appear as sporadic failures.

Expected behavior
At startup (or deterministic preflight), fail closed when required scope requirements for configured toolsets are unmet.

Acceptance criteria

• Deterministic scope validation result before normal operation.
• Explicit classification for scope/policy failures.
• Clear remediation guidance in machine-readable + human-readable error output.

Validation

• Add tests for scope-deficient and scope-sufficient configurations.
• Verify deterministic error class and output shape.

Codepaths

• pkg/scopes
• pkg/http/oauth
• cmd/github-mcp-server