fix(client): accumulate scopes across 401/403 auth challenges

[stakeswky]

Summary

• fix StreamableHTTPClientTransport scope handling to merge (union) scopes from new WWW-Authenticate challenges instead of overwriting existing scope
• apply this for both 401 auth challenges and 403 insufficient_scope upscoping
• add/adjust tests to verify progressive scope accumulation behavior

Why

Servers with per-operation scopes may return only the scope needed for the current resource (RFC 6750). Overwriting client scope causes previously granted scopes to be dropped and can lead to re-authorization loops.

Fixes #1582.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 544c07b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1618

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1618

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1618

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1618

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1618

commit: 62d946a

[pcarleton]

hi thanks for this, going to close this in favor of #1604

[pcarleton]

hi thanks for this, going to close this in favor of #1604