docs(apps): clarify mcp deployment needs no auth-oidc secret

apps/base/forte-drop-mcp/kustomization.yaml

@@ -3,4 +3,7 @@ kind: Kustomization
 resources:
 - forte-drop-mcp.yaml
 - keycloak-client-forte-drop-mcp.yaml
-# - auth-oidc-sealed.yaml                   # added in follow-up commit
+# Note: no auth-oidc Secret needed for type: mcp. The MCP sidecar only validates
+# tokens against the OIDC issuer (RFC 9728 resource server) and never authenticates
+# itself, so it doesn't read a client-secret. forte-drop-secrets (shared with the
+# web deployment) covers PG + S3 creds.