feat(auth): add Google OAuth settings with is_google_auth_configured()

Add GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, UNRAID_MCP_BASE_URL, and
UNRAID_MCP_JWT_SIGNING_KEY env vars to settings.py, along with the
is_google_auth_configured() predicate and three new keys in
get_config_summary(). TDD: 4 tests written red-first, all passing green.

.env.example

@@ -34,4 +34,31 @@ UNRAID_MAX_RECONNECT_ATTEMPTS=10
 
 # Optional: Custom log file path for subscription auto-start diagnostics
 # Defaults to standard log if not specified
-# UNRAID_AUTOSTART_LOG_PATH=/custom/path/to/autostart.log 
+# UNRAID_AUTOSTART_LOG_PATH=/custom/path/to/autostart.log
+
+# Google OAuth Protection (Optional)
+# -----------------------------------
+# Protects the MCP HTTP server — clients must authenticate with Google before calling tools.
+# Requires streamable-http or sse transport (not stdio).
+#
+# Setup:
+#   1. Google Cloud Console → APIs & Services → Credentials
+#   2. Create OAuth 2.0 Client ID (Web application)
+#   3. Authorized redirect URIs: <UNRAID_MCP_BASE_URL>/auth/callback
+#   4. Copy Client ID and Client Secret below
+#
+# UNRAID_MCP_BASE_URL: Public URL clients use to reach THIS server (for redirect URIs).
+#   Examples:
+#     http://10.1.0.2:6970          (LAN)
+#     http://100.x.x.x:6970         (Tailscale)
+#     https://mcp.yourdomain.com    (reverse proxy)
+#
+# UNRAID_MCP_JWT_SIGNING_KEY: Stable secret for signing FastMCP JWT tokens.
+#   Generate once: python3 -c "import secrets; print(secrets.token_hex(32))"
+#   NEVER change after first use — all client sessions will be invalidated.
+#
+# Leave GOOGLE_CLIENT_ID empty to disable OAuth (server runs unprotected).
+# GOOGLE_CLIENT_ID=
+# GOOGLE_CLIENT_SECRET=
+# UNRAID_MCP_BASE_URL=http://10.1.0.2:6970
+# UNRAID_MCP_JWT_SIGNING_KEY=<generate with command above>