fix(mcp): disable OAuth auto-detection for built-in MCPs

OpenCode's OAuth auto-detection was causing context7 and grep_app MCPs
to be disabled despite having enabled: true. Only websearch was working.

Root cause: Remote MCP servers trigger OAuth detection by default in
OpenCode, which can mark MCPs as 'needs_auth' or 'disabled' status
even when they don't require OAuth.

Fix: Add oauth: false to all 3 built-in MCP configs to explicitly
disable OAuth auto-detection. These MCPs either:
- Use no auth (context7, grep_app)
- Use API key header auth (websearch with EXA_API_KEY)

src/mcp/context7.ts

@@ -2,4 +2,5 @@ export const context7 = {
   type: "remote" as const,
   url: "https://mcp.context7.com/mcp",
   enabled: true,
+  oauth: false as const,
 }

src/mcp/grep-app.ts

@@ -2,4 +2,5 @@ export const grep_app = {
   type: "remote" as const,
   url: "https://mcp.grep.app",
   enabled: true,
+  oauth: false as const,
 }

src/mcp/index.ts

@@ -10,6 +10,7 @@ type RemoteMcpConfig = {
   url: string
   enabled: boolean
   headers?: Record<string, string>
+  oauth?: false
 }
 
 const allBuiltinMcps: Record<McpName, RemoteMcpConfig> = {

src/mcp/websearch.ts

@@ -5,4 +5,6 @@ export const websearch = {
   headers: process.env.EXA_API_KEY
     ? { "x-api-key": process.env.EXA_API_KEY }
     : undefined,
+  // Disable OAuth auto-detection - Exa uses API key header, not OAuth
+  oauth: false as const,
 }