Enforce scoped auth for EPCIS MCP tools

[zsculac]

Add withRequiredMcpScope support in @dkg/plugins and apply it to EPCIS MCP handlers while preserving the standard mcp.registerTool flow. Expand integration tests and documentation to cover MCP transport scope plus tool-level epcis.read/epcis.write requirements.

[github-actions]

This PR adds EPCIS scope enforcement across API and MCP, plus new integration coverage, but there is a security-critical fail-open path in the new MCP scope guard. The test suite moves in the right direction, yet key newly-guarded read paths are still untested and a couple of assertions are too weak to catch real regressions. Maintainability in the touched auth boundary is somewhat worsened by duplicating EPCIS route-scope mapping outside the plugin, which increases drift risk.

[github-actions]

This PR adds EPCIS scope enforcement primitives and a strong integration test matrix for read/write authorization across HTTP and MCP paths. The extraction of route constants and reusable scope-guard helpers improves maintainability in the touched EPCIS/plugin areas. I did not find a clear runtime blocker in the changed auth logic, but there are two reliability/maintainability gaps in the integration test setup that should be fixed before merge. Overall direction is good, with minor cleanup needed to keep tests deterministic and dependency wiring explicit.