fix: use InvalidTokenError instead of generic Error in MockTokenVerifier (#138)

The SDK's `requireBearerAuth` middleware only converts `InvalidTokenError`
instances to HTTP 401 responses. Generic `Error` instances fall through
as HTTP 500, which prevents clients from detecting authentication failures
and initiating the OAuth refresh/re-auth flow.

This was discovered while building token refresh conformance scenarios —
the mock server was returning 500 for expired/invalid tokens instead of
the expected 401.

Co-authored-by: JD Maturen <70791+jdmaturen@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: jdmaturen

src/scenarios/client/auth/helpers/mockTokenVerifier.ts

@@ -1,5 +1,6 @@
 import { OAuthTokenVerifier } from '@modelcontextprotocol/sdk/server/auth/provider.js';
 import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import { InvalidTokenError } from '@modelcontextprotocol/sdk/server/auth/errors.js';
 import type { ConformanceCheck } from '../../../../types';
 import { SpecReferences } from '../spec-references';
 
@@ -53,6 +54,6 @@ export class MockTokenVerifier implements OAuthTokenVerifier {
         token: token ? token.substring(0, 10) + '...' : 'missing'
       }
     });
-    throw new Error('Invalid token');
+    throw new InvalidTokenError('Invalid token');
   }
 }