fix: validate registered redirect uris

[he-yufeng]

Summary

• validate DCR redirect_uris before registering the client
• allow HTTPS redirect URIs and HTTP loopback redirect URIs
• reject non-loopback HTTP, non-HTTP(S) schemes, and fragments with invalid_redirect_uri

Fixes #2629

To verify

• .\.venv\Scripts\python.exe -m pytest tests\server\mcpserver\auth\test_auth_integration.py -q -k "client_registration"
• .\.venv\Scripts\python.exe -m pytest tests\server\mcpserver\auth\test_auth_integration.py -q
• .\.venv\Scripts\python.exe -m ruff check src\mcp\server\auth\handlers\register.py tests\server\mcpserver\auth\test_auth_integration.py
• .\.venv\Scripts\python.exe -m ruff format --check src\mcp\server\auth\handlers\register.py tests\server\mcpserver\auth\test_auth_integration.py
• .\.venv\Scripts\pyright.exe src\mcp\server\auth\handlers\register.py tests\server\mcpserver\auth\test_auth_integration.py
• git diff --check upstream/main..HEAD

[he-yufeng]

Pushed a small test-only follow-up for the coverage gate: the new redirect URI branch now has an explicit redirect_uris: null registration case.

Verified locally:

• .\.venv\Scripts\python.exe -m pytest tests\server\mcpserver\auth\test_auth_integration.py -q -k "client_registration"
• .\.venv\Scripts\python.exe -m ruff check src\mcp\server\auth\handlers\register.py tests\server\mcpserver\auth\test_auth_integration.py
• .\.venv\Scripts\python.exe -m ruff format --check src\mcp\server\auth\handlers\register.py tests\server\mcpserver\auth\test_auth_integration.py
• .\.venv\Scripts\pyright.exe src\mcp\server\auth\handlers\register.py tests\server\mcpserver\auth\test_auth_integration.py
• git diff --check upstream/main..HEAD