refactor: nest spec-version range under source: ScenarioSource union

The flat `introducedIn`/`removedIn`/`extension?` shape forced extension
scenarios to set a placeholder `introducedIn` that was never read. Nesting
the version-range fields inside a `source` property typed as a union lets
the compiler enforce introducedIn XOR extensionId — no runtime invariant
test needed.

  type ScenarioSource =
    | { introducedIn: SpecVersion; removedIn?: SpecVersion }
    | { extensionId: ExtensionId };

A class can't `implements` a union type directly, so the union lives inside
a property and `Scenario` stays a plain interface — `class implements
Scenario` keeps working everywhere. `EXTENSION_IDS` is a const array
mirroring the `DATED_SPEC_VERSIONS` pattern.

Also renames the cross-app-access scenario to enterprise-managed-auth to
match the extension's canonical name: file, class, slug, context schema
literal, and the everything-client runner.

Author: pcarleton

examples/clients/typescript/everything-client.ts

@@ -375,20 +375,20 @@ registerScenario('auth/pre-registration', runPreRegistration);
 // ============================================================================
 
 /**
- * Cross-app access: Complete Flow (SEP-990)
+ * Enterprise Managed Auth (SEP-990)
  * Tests the complete flow: IDP ID token -> authorization grant -> access token -> MCP access.
  */
-export async function runCrossAppAccessCompleteFlow(
+export async function runEnterpriseManagedAuth(
   serverUrl: string
 ): Promise<void> {
   const ctx = parseContext();
-  if (ctx.name !== 'auth/cross-app-access-complete-flow') {
+  if (ctx.name !== 'auth/enterprise-managed-auth') {
     throw new Error(
-      `Expected cross-app-access-complete-flow context, got ${ctx.name}`
+      `Expected enterprise-managed-auth context, got ${ctx.name}`
     );
   }
 
-  logger.debug('Starting complete cross-app access flow...');
+  logger.debug('Starting enterprise managed auth flow...');
   logger.debug('IDP Issuer:', ctx.idp_issuer);
   logger.debug('IDP Token Endpoint:', ctx.idp_token_endpoint);
 
@@ -494,7 +494,7 @@ export async function runCrossAppAccessCompleteFlow(
   // Step 3: Use access token to access MCP server
   logger.debug('Step 3: Accessing MCP server with access token...');
   const client = new Client(
-    { name: 'conformance-cross-app-access', version: '1.0.0' },
+    { name: 'conformance-enterprise-managed-auth', version: '1.0.0' },
     { capabilities: {} }
   );
 
@@ -516,13 +516,10 @@ export async function runCrossAppAccessCompleteFlow(
   logger.debug('Successfully called tool');
 
   await transport.close();
-  logger.debug('Complete cross-app access flow completed successfully');
+  logger.debug('Enterprise managed auth flow completed successfully');
 }
 
-registerScenario(
-  'auth/cross-app-access-complete-flow',
-  runCrossAppAccessCompleteFlow
-);
+registerScenario('auth/enterprise-managed-auth', runEnterpriseManagedAuth);
 
 // ============================================================================
 // Main entry point

src/scenarios/authorization-server/authorization-server-metadata.ts

@@ -3,16 +3,15 @@
  */
 import {
   ClientScenarioForAuthorizationServer,
-  ConformanceCheck,
-  DatedSpecVersion
+  ConformanceCheck
 } from '../../types';
 import { request } from 'undici';
 
 type Status = 'SUCCESS' | 'FAILURE';
 
 export class AuthorizationServerMetadataEndpointScenario implements ClientScenarioForAuthorizationServer {
   name = 'authorization-server-metadata-endpoint';
-  introducedIn: DatedSpecVersion = '2025-03-26';
+  readonly source = { introducedIn: '2025-03-26' } as const;
   description = `Test authorization server metadata endpoint.
 
 **Authorization Server Implementation Requirements:**

src/scenarios/client/auth/basic-cimd.ts

@@ -1,5 +1,5 @@
 import type { Scenario, ConformanceCheck } from '../../../types';
-import { ScenarioUrls, DatedSpecVersion } from '../../../types';
+import { ScenarioUrls } from '../../../types';
 import { createAuthServer } from './helpers/createAuthServer';
 import { createServer } from './helpers/createServer';
 import { ServerLifecycle } from './helpers/serverLifecycle';
@@ -22,7 +22,7 @@ export const CIMD_CLIENT_METADATA_URL =
  */
 export class AuthBasicCIMDScenario implements Scenario {
   name = 'auth/basic-cimd';
-  introducedIn: DatedSpecVersion = '2025-11-25';
+  readonly source = { introducedIn: '2025-11-25' } as const;
   description =
     'Tests OAuth flow with Client ID Metadata Documents (SEP-991/URL-based client IDs). Server advertises client_id_metadata_document_supported=true and client should use URL as client_id instead of DCR.';
   private authServer = new ServerLifecycle();

src/scenarios/client/auth/client-credentials.ts

@@ -1,12 +1,6 @@
 import * as jose from 'jose';
 import type { CryptoKey } from 'jose';
-import type {
-  Scenario,
-  ConformanceCheck,
-  ScenarioUrls,
-  SpecVersion
-} from '../../../types';
-import { LATEST_SPEC_VERSION } from '../../../types';
+import type { Scenario, ConformanceCheck, ScenarioUrls } from '../../../types';
 import { createAuthServer } from './helpers/createAuthServer';
 import { createServer } from './helpers/createServer';
 import { ServerLifecycle } from './helpers/serverLifecycle';
@@ -38,8 +32,7 @@ async function generateTestKeypair(): Promise<{
  */
 export class ClientCredentialsJwtScenario implements Scenario {
   name = 'auth/client-credentials-jwt';
-  extension = true;
-  introducedIn: SpecVersion = LATEST_SPEC_VERSION;
+  readonly source = { extensionId: 'client-credentials' } as const;
   description =
     'Tests OAuth client_credentials flow with private_key_jwt authentication (SEP-1046)';
 
@@ -258,8 +251,7 @@ export class ClientCredentialsJwtScenario implements Scenario {
  */
 export class ClientCredentialsBasicScenario implements Scenario {
   name = 'auth/client-credentials-basic';
-  extension = true;
-  introducedIn: SpecVersion = LATEST_SPEC_VERSION;
+  readonly source = { extensionId: 'client-credentials' } as const;
   description =
     'Tests OAuth client_credentials flow with client_secret_basic authentication';
 

src/scenarios/client/auth/discovery-metadata.ts

@@ -7,7 +7,7 @@
  */
 
 import type { Scenario, ConformanceCheck } from '../../../types';
-import { ScenarioUrls, DatedSpecVersion } from '../../../types';
+import { ScenarioUrls } from '../../../types';
 import { createAuthServer } from './helpers/createAuthServer';
 import { createServer } from './helpers/createServer';
 import { ServerLifecycle } from './helpers/serverLifecycle';
@@ -87,7 +87,7 @@ function createMetadataScenario(config: MetadataScenarioConfig): Scenario {
 
   return {
     name: `auth/${config.name}`,
-    introducedIn: '2025-11-25' as DatedSpecVersion,
+    source: { introducedIn: '2025-11-25' },
     description: `Tests Basic OAuth metadata discovery flow.
 
 **PRM:** ${config.prmLocation}${config.inWwwAuth ? '' : ' (not in WWW-Authenticate)'}

…cenarios/client/auth/cross-app-access.ts …s/client/auth/enterprise-managed-auth.tssrc/scenarios/client/auth/cross-app-access.ts renamed to src/scenarios/client/auth/enterprise-managed-auth.ts src/scenarios/client/auth/cross-app-access.ts renamed to src/scenarios/client/auth/enterprise-managed-auth.ts

@@ -1,13 +1,7 @@
 import * as jose from 'jose';
 import type { CryptoKey } from 'jose';
 import express, { type Request, type Response } from 'express';
-import type {
-  Scenario,
-  ConformanceCheck,
-  ScenarioUrls,
-  SpecVersion
-} from '../../../types';
-import { LATEST_SPEC_VERSION } from '../../../types';
+import type { Scenario, ConformanceCheck, ScenarioUrls } from '../../../types';
 import { createAuthServer } from './helpers/createAuthServer';
 import { createServer } from './helpers/createServer';
 import { MockTokenVerifier } from './helpers/mockTokenVerifier';
@@ -54,15 +48,14 @@ async function createIdpIdToken(
 }
 
 /**
- * Scenario: Complete Cross-App Access Flow
+ * Scenario: Enterprise Managed Auth (SEP-990)
  *
  * Tests the complete SEP-990 flow: IDP ID token -> authorization grant -> access token
  * This scenario combines both RFC 8693 token exchange and RFC 7523 JWT bearer grant.
  */
-export class CrossAppAccessCompleteFlowScenario implements Scenario {
-  name = 'auth/cross-app-access-complete-flow';
-  extension = true;
-  introducedIn: SpecVersion = LATEST_SPEC_VERSION;
+export class EnterpriseManagedAuthScenario implements Scenario {
+  name = 'auth/enterprise-managed-auth';
+  readonly source = { extensionId: 'enterprise-managed-auth' } as const;
   description =
     'Tests complete SEP-990 flow: token exchange + JWT bearer grant (Enterprise Managed OAuth)';
 

src/scenarios/client/auth/index.ts

@@ -23,7 +23,7 @@ import {
 } from './client-credentials';
 import { ResourceMismatchScenario } from './resource-mismatch';
 import { PreRegistrationScenario } from './pre-registration';
-import { CrossAppAccessCompleteFlowScenario } from './cross-app-access';
+import { EnterpriseManagedAuthScenario } from './enterprise-managed-auth';
 import {
   OfflineAccessScopeScenario,
   OfflineAccessNotSupportedScenario
@@ -54,7 +54,7 @@ export const backcompatScenariosList: Scenario[] = [
 export const extensionScenariosList: Scenario[] = [
   new ClientCredentialsJwtScenario(),
   new ClientCredentialsBasicScenario(),
-  new CrossAppAccessCompleteFlowScenario()
+  new EnterpriseManagedAuthScenario()
 ];
 
 // Draft scenarios (informational - not scored for tier assessment)

src/scenarios/client/auth/march-spec-backcompat.ts

@@ -1,5 +1,5 @@
 import type { Scenario, ConformanceCheck } from '../../../types';
-import { ScenarioUrls, DatedSpecVersion } from '../../../types';
+import { ScenarioUrls } from '../../../types';
 import { createAuthServer } from './helpers/createAuthServer';
 import { createServer } from './helpers/createServer';
 import { ServerLifecycle } from './helpers/serverLifecycle';
@@ -8,8 +8,10 @@ import { SpecReferences } from './spec-references';
 
 export class Auth20250326OAuthMetadataBackcompatScenario implements Scenario {
   name = 'auth/2025-03-26-oauth-metadata-backcompat';
-  introducedIn: DatedSpecVersion = '2025-03-26';
-  removedIn: DatedSpecVersion = '2025-06-18';
+  readonly source = {
+    introducedIn: '2025-03-26',
+    removedIn: '2025-06-18'
+  } as const;
   description =
     'Tests 2025-03-26 spec OAuth flow: no PRM (Protected Resource Metadata), OAuth metadata at root location';
   private server = new ServerLifecycle();
@@ -70,8 +72,10 @@ export class Auth20250326OAuthMetadataBackcompatScenario implements Scenario {
 
 export class Auth20250326OEndpointFallbackScenario implements Scenario {
   name = 'auth/2025-03-26-oauth-endpoint-fallback';
-  introducedIn: DatedSpecVersion = '2025-03-26';
-  removedIn: DatedSpecVersion = '2025-06-18';
+  readonly source = {
+    introducedIn: '2025-03-26',
+    removedIn: '2025-06-18'
+  } as const;
   description =
     'Tests OAuth flow with no metadata endpoints, relying on fallback to standard OAuth endpoints at server root (2025-03-26 spec behavior)';
   private server = new ServerLifecycle();

src/scenarios/client/auth/offline-access.ts

@@ -1,9 +1,5 @@
 import type { Scenario, ConformanceCheck } from '../../../types';
-import {
-  ScenarioUrls,
-  SpecVersion,
-  DRAFT_PROTOCOL_VERSION
-} from '../../../types';
+import { ScenarioUrls, DRAFT_PROTOCOL_VERSION } from '../../../types';
 import { createAuthServer } from './helpers/createAuthServer';
 import { createServer } from './helpers/createServer';
 import { ServerLifecycle } from './helpers/serverLifecycle';
@@ -27,7 +23,7 @@ import { MockTokenVerifier } from './helpers/mockTokenVerifier';
  */
 export class OfflineAccessScopeScenario implements Scenario {
   name = 'auth/offline-access-scope';
-  introducedIn: SpecVersion = DRAFT_PROTOCOL_VERSION;
+  readonly source = { introducedIn: DRAFT_PROTOCOL_VERSION } as const;
   description =
     'Tests that a client that wants a refresh token handles offline_access scope and refresh_token grant type when AS supports them (SEP-2207)';
 
@@ -231,7 +227,7 @@ export class OfflineAccessScopeScenario implements Scenario {
  */
 export class OfflineAccessNotSupportedScenario implements Scenario {
   name = 'auth/offline-access-not-supported';
-  introducedIn: SpecVersion = DRAFT_PROTOCOL_VERSION;
+  readonly source = { introducedIn: DRAFT_PROTOCOL_VERSION } as const;
   description =
     'Tests that client does not request offline_access when AS does not list it in scopes_supported (SEP-2207)';
 

src/scenarios/client/auth/pre-registration.ts

@@ -1,9 +1,4 @@
-import type {
-  Scenario,
-  ConformanceCheck,
-  ScenarioUrls,
-  DatedSpecVersion
-} from '../../../types';
+import type { Scenario, ConformanceCheck, ScenarioUrls } from '../../../types';
 import { createAuthServer } from './helpers/createAuthServer';
 import { createServer } from './helpers/createServer';
 import { ServerLifecycle } from './helpers/serverLifecycle';
@@ -24,7 +19,7 @@ const PRE_REGISTERED_CLIENT_SECRET = 'pre-registered-secret';
  */
 export class PreRegistrationScenario implements Scenario {
   name = 'auth/pre-registration';
-  introducedIn: DatedSpecVersion = '2025-11-25';
+  readonly source = { introducedIn: '2025-11-25' } as const;
   description =
     'Tests OAuth flow with pre-registered client credentials. Server does not support DCR.';