[Client] Implement client_credentials grant (client_secret_basic + private_key_jwt)

[soyuka]

Context

For non-interactive / machine-to-machine MCP clients, the client_credentials grant (RFC 6749 §4.4) is used directly against token_endpoint. Two client authentication shapes are required by conformance:

• Basic: Authorization: Basic base64(client_id:client_secret) + body grant_type=client_credentials.
• JWT assertion (private_key_jwt, RFC 7521/7523): body client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer + client_assertion=<signed JWT>. JWT signed with the client's private key (ES256/RS256), iss+sub=client_id, aud=token_endpoint, jti=random, exp=now+60s.

Scope

• Mcp\Client\Auth\Grant\ClientCredentialsGrant with pluggable assertion signer.
• JWT signing: prefer a thin built-in using openssl_sign to avoid heavy deps; if dep is preferred, choose lcobucci/jwt (modern, typed) over firebase/php-jwt.
• Configure via Builder::setOAuthClient($id, $secret) or Builder::setOAuthClientWithKey($id, $privateKeyPem, $algorithm).

Conformance scenarios unblocked

auth/client-credentials-basic, auth/client-credentials-jwt.

Dependencies

Blocked by: #318 (token_endpoint), #321 (auth methods).

Acceptance

• Unit tests for both shapes; JWT signing verified against a fixture public key.
• Decision on JWT dep documented in PR description.

cc @soyuka