feature(auth): Allow delegating OAuth authorization to existing app-level implementations #485

Open
wants to merge 1 commit into
base: main
@m-paternostro m-paternostro commented May 13, 2025

An optional method that clients can use whenever the authorization should be delegated to an existing implementation.

This PR introduces a new optional method delegateAuthorization to the OAuthClientProvider interface. It allows clients to short-circuit the standard OAuth flow when they already manage authorization through another mechanism (e.g. platform tokens, ambient credentials, preexisting identity systems). When implemented, this method gives control back to the host application to determine whether it considers the session authorized - if so, the SDK skips its internal flow entirely.

Motivation and Context

Some applications embedding the MCP SDK already have fully functional authorization systems. In such cases, the SDK’s built-in OAuth flow can be redundant or even problematic - especially when the app simply needs to know when authorization is required, not how to perform it.

Prior to this change, the only way to hook into the authorization process was by subclassing StreamableHTTPClientTransport or SSEClientTransport and overriding enough methods to reimplement _authThenStart. However, because the relevant methods are private and deeply interwoven (e.g. send, _startOrAuthSse), doing so required replicating a significant amount of transport code - leading to maintenance burden and fragile overrides.

This change introduces a clean, focused mechanism for opting into externally-managed auth without needing to reimplement large portions of the transport logic.

How Has This Been Tested?

The design was validated by subclassing SSEClientTransport and making the necessary changes to use this new hook.

Breaking Changes

No: the new method is purely opt-in, backward-compatible, and safely ignored if unimplemented. It’s designed to be as simple and low-friction as possible while avoiding the need to subclass transports or bypass internal behavior.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Notes about the changes:

  • The auth function in src/client/auth.ts now checks for delegateAuthorization (if provided) before entering the standard flow.
  • Comprehensive unit tests were added to verify:
    • The hook is invoked when present.
    • Returning "AUTHORIZED" short-circuits the flow.
    • Returning undefined falls back to the built-in behavior.
    • The hook is not called when authorizationCode is already present.
  • The implementation follows existing conventions, including how auth.ts handles errors and fallback behavior when attempting refresh or token exchange.

@m-paternostro m-paternostro force-pushed the mp/delegatedauth branch 5 times, most recently from 3352fce to 96f19fc Compare May 15, 2025 13:03
@m-paternostro m-paternostro changed the title feature(auth): OAuthClientProvider.delegateAuthorization feature(auth): Allow delegating OAuth authorization to existing app-level implementations May 15, 2025
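The decision order described in the PR notes above, as an added example that is not code from the PR or the SDK: a simplified, synchronous model of the `auth` check with a host-side hook that fails closed. Only the name `delegateAuthorization`, its `"AUTHORIZED"` / `undefined` results and the skip-on-`authorizationCode` rule come from the PR; `modelAuth`, `makeHostProvider`, `HostSession`, the hook's parameter and all sample values are assumptions.

```typescript
// Simplified, synchronous model (added illustration, not SDK code).
// From the PR: the name delegateAuthorization, its "AUTHORIZED" / undefined
// results, and the rule that it is skipped when authorizationCode is present.
// Assumed: every other name, the hook's parameter, and the HostSession shape.
type AuthResult = "AUTHORIZED" | "REDIRECT";

interface HostSession { audience: string; expiresAt: number } // hypothetical

interface ProviderModel {
  redirectToAuthorization(authorizeUrl: string): void;
  delegateAuthorization?(serverOrigin: string): "AUTHORIZED" | undefined;
}

function modelAuth(
  provider: ProviderModel,
  opts: { serverOrigin: string; authorizationCode?: string | undefined },
): AuthResult {
  // The hook runs first, but only when no authorization code is being exchanged.
  if (opts.authorizationCode === undefined && provider.delegateAuthorization) {
    if (provider.delegateAuthorization(opts.serverOrigin) === "AUTHORIZED") {
      return "AUTHORIZED"; // built-in flow skipped entirely
    }
  }
  // Stand-in for the built-in flow: exchange a code, otherwise redirect.
  if (opts.authorizationCode !== undefined) return "AUTHORIZED";
  provider.redirectToAuthorization(opts.serverOrigin + "/authorize");
  return "REDIRECT";
}

function makeHostProvider(
  session: HostSession | undefined, now: number, log: string[],
): ProviderModel {
  return {
    redirectToAuthorization: (u) => { log.push("redirect " + u); },
    delegateAuthorization(serverOrigin) {
      log.push("hook");
      // Fail closed: vouch only for a live session issued for this server.
      if (!session || session.expiresAt <= now) return undefined;
      if (session.audience !== serverOrigin) return undefined;
      return "AUTHORIZED";
    },
  };
}

// Constructed sample values.
const ORIGIN = "https://mcp.example";
function run(session: HostSession | undefined, code?: string) {
  const log: string[] = [];
  const result = modelAuth(makeHostProvider(session, 1000, log),
    { serverOrigin: ORIGIN, authorizationCode: code });
  return { result, log: log.join(",") };
}
```

Because a hook that returns `"AUTHORIZED"` bypasses the built-in flow, the expiry and audience checks inside it are the only gate in that path; returning `undefined` on any doubt keeps the standard flow as the fallback.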
open class DebugTree : Timber.Tree
