Return machine-readable auth failure codes #2214

Open
davidahmann wants to merge 1 commit into github:main from davidahmann:codex/issue-2213-auth-failure-codes

@davidahmann

Summary

Return machine-readable code values for missing-token, invalid-token, and insufficient-scope failures in the HTTP middleware and GitHub API error wrappers.

Why

Fixes #2213. Callers currently have to infer auth failure classes from status codes and free-form strings, which makes permission-scoped handling less deterministic.

What changed

  • added a shared auth error writer that preserves the existing status codes and WWW-Authenticate challenges while returning JSON {error, code} bodies
  • classified middleware responses as missing_token, invalid_token, or insufficient_scope
  • propagated the same machine-readable classification into GitHubAPIError and GitHubRawAPIError
  • added middleware and error regression tests and documented the new codes

MCP impact

  • No tool or API changes

Prompts tested (tool changes only)

  • Not applicable

Security / limits

  • No security or limits impact
  • Auth / permissions considered
  • Data exposure, filtering, or token/size limits considered

Tool renaming

  • I am renaming tools as part of this PR (e.g. a part of a consolidation effort)
    • I have added the new tool aliases in deprecated_tool_aliases.go
  • I am not renaming tools as part of this PR

Lint & tests

  • Linted locally with ./script/lint
  • Tested locally with go test ./pkg/http/middleware ./pkg/errors

Docs

  • Not needed
  • Updated (README / docs / examples)
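
A minimal sketch of the three-way classification the description lists, added here as an illustration and not taken from the PR: `classify` and `writeAuthError` are hypothetical names, the 401/403 statuses and `Bearer` challenge strings follow RFC 6750 rather than anything shown on this page, and the token table is constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// classify maps an Authorization header to (status, challenge, code).
// A status of 200 with an empty code means the request may proceed.
func classify(authz, scope string, tokens map[string][]string) (int, string, string) {
	token := strings.TrimPrefix(authz, "Bearer ")
	if token == "" || token == authz { // header absent or not a Bearer credential
		return 401, `Bearer`, "missing_token"
	}
	scopes, known := tokens[token]
	if !known {
		return 401, `Bearer error="invalid_token"`, "invalid_token"
	}
	for _, s := range scopes {
		if s == scope {
			return 200, "", ""
		}
	}
	return 403, `Bearer error="insufficient_scope"`, "insufficient_scope"
}

// writeAuthError keeps the status and challenge and adds a JSON {error, code}
// body. The body never echoes the presented token.
func writeAuthError(w http.ResponseWriter, status int, challenge, code string) {
	w.Header().Set("WWW-Authenticate", challenge)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]string{"error": http.StatusText(status), "code": code})
}

func main() {
	tokens := map[string][]string{"t-read": {"read"}, "t-repo": {"repo"}} // constructed sample tokens
	for _, a := range []string{"", "Bearer bogus", "Bearer t-read"} {
		rec := httptest.NewRecorder()
		status, challenge, code := classify(a, "repo", tokens)
		writeAuthError(rec, status, challenge, code)
		fmt.Println(rec.Code, rec.Header().Get("WWW-Authenticate"), strings.TrimSpace(rec.Body.String()))
	}
}
```

A caller can branch on `code` alone: `missing_token` and `invalid_token` share a 401 here, so the status by itself does not say whether to prompt for credentials or to discard a stored token.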

@davidahmann davidahmann requested a review from a team as a code owner March 15, 2026 12:32

davidahmann commented Mar 15, 2026

Validation on this branch:

  • go test ./pkg/http/middleware ./pkg/errors

CI state: statusCheckRollup is currently empty (no checks configured or not triggered yet).

Inspired by research context: CAISI publishes independent, reproducible AI agent governance research: https://caisi.dev

Development

Successfully merging this pull request may close these issues.

http: classify missing token, invalid token, and insufficient scope distinctly