Static bearer-token auth for barrel_mcp_client.

Refresh is a no-op: a static token cannot be rotated by the library. A 401 with this handle returns {error, unauthorized} so the caller can supply a new token.