Phoenix controller that serves RFC 9728 protected-resource metadata.

Routes mounted by AttestoMCP.Router.attesto_mcp_protected_resource_metadata/2 dispatch here. The controller reads the resource path and metadata options placed in conn.private by the route, builds the document with AttestoMCP.Metadata.protected_resource/3, and renders it as JSON. The resource identifier and default authorization_servers origin come from AttestoMCP.Metadata.resolve_origin/2: a :base_url/:origin/:issuer passed to the router macro pins it; otherwise it is the live request origin.

Because the resource identifier is resolved the same way AttestoMCP.Plug.ProtectResource resolves its WWW-Authenticate resource_metadata challenge, the discovered metadata URL and the served resource value match - provided both call sites receive the same origin (with no pin they both derive from the request; behind a proxy pass the same :base_url/:origin to the router macro and the plug).

The controller compiles only when Phoenix is available; Plug-only consumers do not pull it in.