feat(mcpclient): fail-fast on empty bearer token

mcpclient.New previously accepted an empty token and silently omitted
the Authorization header at request time. When the env var sourcing
the token was missing from a Kubernetes Secret (envFrom doesn't warn
on missing keys), this surfaced as an opaque 401 from the upstream
MCP server with no log trail — see hyperguild #13 and brain entry
"mcpclient-empty-token-silent-401-envfrom-missing-key".

mcpclient.New now returns ErrTokenRequired when token is empty.
The routing pod's project_create init checks the error and exits
with a clear message pointing at routing-secrets, turning a runtime
401 storm into a startup crashloop the operator can fix immediately.

Tests pass a dummy "test" token (httptest servers don't enforce
bearer auth, so any non-empty value works). Added a regression
test asserting empty-token construction returns ErrTokenRequired.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cmd/routing/main.go

@@ -103,12 +103,17 @@ func main() {
 	}))
 
 	if cfg.GiteaMCPURL != "" {
+		mcpC, err := mcpclient.New(cfg.GiteaMCPURL, cfg.GiteaMCPToken)
+		if err != nil {
+			logger.Error("mcpclient init for project_create — GITEA_MCP_URL is set but GITEA_MCP_TOKEN is empty (check routing-secrets)", "err", err)
+			os.Exit(1)
+		}
 		var ghClient *githubclient.Client
 		if cfg.GitHubPAT != "" {
 			ghClient = githubclient.New(cfg.GitHubPAT)
 		}
 		reg.Register(project.New(project.Config{
-			Client:      mcpclient.New(cfg.GiteaMCPURL, cfg.GiteaMCPToken),
+			Client:      mcpC,
 			GitHub:      ghClient,
 			GiteaOwner:  cfg.GiteaOwner,
 			GitHubOwner: cfg.GitHubOwner,