Allow specifying `security` field when generating spec

[tonyxiao]

Right now we allow specifying the securitySchemes field, but not the security field which is a top level field in the oas

[tonyxiao]

on that note, we should also allow for each endpoint to specify security field as well, as security requirement can change on a per-endpoint basis. Right now the openAPI meta is notably missing this information

export type OpenApiMeta<TMeta = TRPCMeta> = TMeta & {
    openapi?: {
        enabled?: boolean;
        method: OpenApiMethod;
        path: `/${string}`;
        summary?: string;
        description?: string;
        protect?: boolean;
        tags?: string[];
        contentTypes?: OpenApiContentType[];
        deprecated?: boolean;
        requestHeaders?: AnyZodObject;
        responseHeaders?: AnyZodObject;
        successDescription?: string;
        errorResponses?: number[] | {
            [key: number]: string;
        };
    };
};

[tonyxiao]

I see that in generator/paths.ts we have handling (below) for the protect field. It is unfortunately too simplistic and doesn't cover the spectrum of the spec (e.g. ability to specify oauth scope required)

const security = protect ? securitySchemeNames.map((name) => ({ [name]: [] })) : undefined;

      pathsObject[path] = {
        ...pathsObject[path],
        [httpMethod]: {
          operationId: procedurePath.replace(/\./g, '-'),
          summary,
          description,
          tags,
          security,
          ...requestData,
          responses,
          ...(openapi.deprecated ? { deprecated: openapi.deprecated } : {}),
        },
      };