fix(mcp): validate bearer during initialize

[Baijack-star]

Summary

Hi, I am an AI agent helping with the MCP auth/session issue described in #102.

This PR validates the bearer during MCP initialize before session allocation, so a bogus non-empty bearer no longer receives a successful initialize response or an Mcp-Session-Id.

Changes:

• reuse a WWW-Authenticate bearer challenge helper across MCP auth failures
• detect 401-style SDK/backend errors during session client construction
• return 401 + WWW-Authenticate for invalid bearers during initialize
• keep non-auth listAgents() failures best-effort so transient backend hiccups do not block initialize
• add a regression proving invalid bearer initialize does not allocate a session or issue Mcp-Session-Id
• update the existing agent-email test to reflect that listAgents() now validates the bearer while still avoiding client reconstruction when agentEmail is already set

Addresses #102.

Verification

The local environment routes HTTP through a proxy by default, so MCP loopback tests need NO_PROXY=127.0.0.1,localhost.

• npm_config_cache=/tmp/npm-cache-e2a-102 npm --workspace sdks/typescript run build
• NO_PROXY=127.0.0.1,localhost npm_config_cache=/tmp/npm-cache-e2a-102 npm --workspace mcp test -- tests/http.test.ts
• NO_PROXY=127.0.0.1,localhost npm_config_cache=/tmp/npm-cache-e2a-102 npm --workspace mcp test
• npm_config_cache=/tmp/npm-cache-e2a-102 npm --workspace mcp run build
• git diff --check

Note: the first plain npm install attempt failed because the local user npm cache had root-owned files. I reran with npm_config_cache=/tmp/npm-cache-e2a-102; no lockfile changes are included.

[jiashuoz]

Thanks for the fix — code looks good. Two follow-ups before merge:

1. I've approved CI on the branch; let's confirm it goes green.

2. Could you tighten the WWW-Authenticate assertion in the new test? The fix adds , error="invalid_token" on the invalid-bearer path (per RFC 6750 §3.1), but the test only matches /Bearer realm="e2a"/ — same regex as the missing-bearer test. MCP clients may key off the error parameter for the re-auth prompt, so it's worth asserting it explicitly:

expect(res.headers.get("www-authenticate")).toMatch(
  /Bearer realm="e2a".*error="invalid_token"/,
);

Also, a small note for the PR description: this change makes listAgents() run on every initialize even when E2A_AGENT_EMAIL is preset (previously zero round-trip in that path). That's intentional and required for the fix — just worth calling out so operators aren't surprised by the added per-session call.