Add new "mcp" access token scopes
What
Add a new access token scope mcp that grants complete read/write access to the MCP endpoint. MCP clients should have tokens with this scope, which can only be used with MCP tools. Not creatable in the GitLab UI or via the REST API.
Why
Reduce attack vector for token scopes.
Implementation plan
- Add a new scope mcp - lib/gitlab/auth.rb handles these.
- Assign any dynamically created OAuth application the mcp scope, and no others.
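The rules above, sketched as an added Ruby example (not GitLab's code, and not what lib/gitlab/auth.rb contains). All method names, the endpoint labels and the non-mcp scope lists are assumptions made for illustration, as is the choice that the MCP endpoint accepts only the mcp scope.

```ruby
require 'set'

MCP_SCOPE = 'mcp'

# Scopes that the UI / REST token-creation path will issue (constructed list).
# mcp is deliberately absent, modelling "not creatable in the UI or REST API".
USER_CREATABLE_SCOPES = Set['api', 'read_api', 'read_user'].freeze

# Which scopes each endpoint class accepts (assumed labels :mcp and :rest).
ACCEPTED_SCOPES = {
  mcp: Set[MCP_SCOPE],
  rest: Set['api', 'read_api']
}.freeze

Token = Struct.new(:scopes)

# UI / REST creation path: refuse any scope outside the creatable set,
# so a caller cannot mint an mcp token for themselves here.
def create_user_token(requested_scopes)
  rejected = requested_scopes.reject { |s| USER_CREATABLE_SCOPES.include?(s) }
  unless rejected.empty?
    raise ArgumentError, "scope not creatable here: #{rejected.join(', ')}"
  end
  Token.new(requested_scopes.uniq)
end

# Dynamic OAuth application registration: the requested scopes are ignored
# and the application is pinned to mcp, and no others.
def register_dynamic_application(_requested_scopes)
  { scopes: [MCP_SCOPE], dynamic: true }
end

# Per-request check: deny by default, allow only when the token carries a
# scope the endpoint class accepts. An mcp-only token therefore fails on
# every non-MCP endpoint.
def authorized?(token, endpoint)
  accepted = ACCEPTED_SCOPES.fetch(endpoint, Set[])
  token.scopes.any? { |s| accepted.include?(s) }
end

if __FILE__ == $PROGRAM_NAME
  app = register_dynamic_application(%w[api read_user]) # client over-asks
  token = Token.new(app[:scopes])
  puts "app scopes: #{app[:scopes].inspect}"
  puts "mcp endpoint:  #{authorized?(token, :mcp)}"
  puts "rest endpoint: #{authorized?(token, :rest)}"
end
```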
Edited by Chance Feick