McpContext exposes the authenticated session's authorisation scopes
via getScopes(): array and hasScope(string): bool.
Resolution order:
1. Explicit scope source passed to constructor
2. Session-like object linked to an API key
3. Authenticated Laravel request context (mcp_workspace_context,
agent_api_key, api_key)
4. Empty array (default) — never null
Dedupes scope strings, normalises separators in hasScope() matching.
Closes the OFM MCP tool gap where scope-gated tools currently return
empty/incorrect handling. No call-site stubs found needing update in
this worktree — call sites pick up the new method directly.
Pest covers: session scopes returned, hasScope present/missing, empty
session defaults to [], request-context regression against real MCP
auth shape.
Co-authored-by: Codex <noreply@openai.com>
Closes tasks.lthn.sh/view.php?id=1014
599544010e