mcp: add global runtime flag (#5604)

## Summary

Adds global runtime flag to enable/disable MCP support. (off by
default).

```yaml
runtime_flags:
  mcp: true
```

## Related issues

Fix:
https://linear.app/pomerium/issue/ENG-2367/place-mcp-support-behind-a-runtime-flag

## User Explanation

<!-- How would you explain this change to the user? If this
change doesn't create any user-facing changes, you can leave
this blank. If filled out, add the `docs` label -->

## Checklist

- [x] reference any related issues
- [ ] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review

authorize/state.go

@@ -59,13 +59,17 @@ func newAuthorizeStateFromConfig(
 		previousEvaluator = previousState.evaluator
 	}
 
-	mcp, err := mcp.New(ctx, mcp.DefaultPrefix, cfg)
-	if err != nil {
-		return nil, fmt.Errorf("authorize: failed to create mcp handler: %w", err)
+	var evaluatorOptions []evaluator.Option
+	if cfg.Options.IsRuntimeFlagSet(config.RuntimeFlagMCP) {
+		mcp, err := mcp.New(ctx, mcp.DefaultPrefix, cfg)
+		if err != nil {
+			return nil, fmt.Errorf("authorize: failed to create mcp handler: %w", err)
+		}
+		state.mcp = mcp
+		evaluatorOptions = append(evaluatorOptions, evaluator.WithMCPAccessTokenProvider(mcp))
 	}
-	state.mcp = mcp
 
-	state.evaluator, err = newPolicyEvaluator(ctx, cfg.Options, store, previousEvaluator, evaluator.WithMCPAccessTokenProvider(mcp))
+	state.evaluator, err = newPolicyEvaluator(ctx, cfg.Options, store, previousEvaluator, evaluatorOptions...)
 	if err != nil {
 		return nil, fmt.Errorf("authorize: failed to update policy with options: %w", err)
 	}