feat: MCP user-scope and team-scope resource providers

[poxet]

Summary

Extends the Tharga.Platform.Mcp bridge beyond the system slice (PR #51) with two always-on resource providers that surface the authenticated caller's own Platform data. Closes most of the deferred work tracked in Requests.md → "Tharga.Platform — MCP / MCP Provider for Team/User data".

• PlatformUserResourceProvider (McpScope.User) — platform://me returns the caller's IUser plus a memberships array (teamKey, teamName, accessLevel, state).
• PlatformTeamResourceProvider (McpScope.Team) — platform://team, platform://team/members, platform://team/apikeys rooted at the caller's current team via the TeamKey claim. Raw ApiKey values are redacted (the apiKey property is omitted entirely).
• New ITeamService.GetMembersAsync(teamKey) returning IAsyncEnumerable<ITeamMember> so providers can enumerate members without knowing the consumer-specific TMember type. Default TeamServiceBase implementation reuses the existing reflection helper; AuditingTeamServiceDecorator forwards.

Both providers register automatically in AddPlatform() — no new opt-in option. They self-gate on principal claims, so anonymous and system-only callers see no resources.

Behaviour change for consumers

• AddPlatform() now registers two additional IMcpResourceProvider instances. Consumers don't need to touch their wiring.
• ITeamService adds GetMembersAsync. Consumers subclassing TeamServiceBase (the common path) get the default automatically. Consumers implementing ITeamService directly (rare) need to add the method.
• No new scope constants. No new options. No new package references.

Out of scope (deferred)

• Cross-tenant platform://teams listing in System scope — requires a new ITeamService.GetAllTeamsAsync(). The Requests.md MCP entry stays open for this last piece.
• Tool providers (IMcpToolProvider) — read-only resources only in this feature; mutating operations are not exposed.
• User-level personal API keys — Tharga.Team doesn't model these.

Test plan

• `dotnet build -c Release` — 0 warnings, 0 errors
• `dotnet test -c Release` — 313 / 313 passing (17 new)
• `PlatformUserResourceProviderTests` (5) — empty list for anonymous; descriptor for authenticated; throws on no current user; JSON shape (user + memberships)
• `PlatformTeamResourceProviderTests` (10) — list gates on TeamKey; ApiKey resource conditional on service registration; reads for all three URIs including the invited-flag projection and raw-key redaction
• `TeamServiceBaseGetMembersAsyncTests` (2) — yields ordered members via the reflection default; unknown team yields empty

Documentation

• `Tharga.Platform.Mcp/README.md` — new "User and team resources" section documenting both scopes and the three team URIs.
• `Tharga.Team/README.md` — one-line addition for the new `GetMembersAsync` on `ITeamService`.

[codecov]

Codecov Report

❌ Patch coverage is 92.89617% with 13 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...harga.Platform.Mcp/PlatformTeamResourceProvider.cs	94.54%	1 Missing and 5 partials ⚠️
...harga.Platform.Mcp/PlatformUserResourceProvider.cs	90.62%	2 Missing and 4 partials ⚠️
...Team.Service/Audit/AuditingTeamServiceDecorator.cs	0.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!