fix(oauth): pass bearer token to all streamable http requests

[gpeal]

Motivation and Context

The auth token wasn't passed to all endpoints which causes 401s in some MCP servers such as GitHub's.

I also clarified that the auth header should be just the bearer token rather than the full header value.
It is possible that some clients were passing in the wrong value here (like Codex)
Please confirm that this is the expected behavior.

How Has This Been Tested?

I was able to repro the GitHub MCP 401 and confirm that it works after this change

Codex:

Breaking Changes

None.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

I wrote the core code by hand (it also matches #464) but codex wrote the tests.

Fixes #464

[alexhancock]

Aligns with my understanding

Note that authorization MUST be included in every HTTP request from client to server, even if they are part of the same logical session.

per https://modelcontextprotocol.io/specification/draft/basic/authorization#token-requirements

[reneklacan]

@gpeal thank you very much for this fix, our MCP wasn't working properly and was planning to dig into rcmp to to figure out what's up but you beat me to it! Thanks a lot