update authorization for custom mcp tools

currently we are depending on the tool itself to do the authorization, for example: https://gitlab.com/gitlab-org/gitlab/-/blob/4839bc988e09f64a6064df24975dfcb395e3dc3d/ee/lib/ai/active_context/collections/code.rb#L57

but ideally we need a auth process before calling the tool:

1. depending on each tool doing the auth adding risk of not properly authorizing the requeset
2. auth early and reduce unnecessary delay and end early