
Commit e15c0f8

chore: refresh SEP traceability manifest after SEP-2322 (#188) (#301)
* chore: refresh SEP traceability manifest (typescript-sdk@main)

Regenerated from a client+server suite run against typescript-sdk@5fc42e9be115 following the recipe in .github/workflows/traceability.yml.

New entries since the last refresh (typescript-sdk@22595b96):

- SEP-2322 (MRTR, #188): 17 tested, 0 untested, 16 excluded, 3 untracked
- SEP-2549 (TTL for list results, #275): 7 tested, 0 untested, 13 excluded
- SEP-2260: 12 excluded rows, no checks
- SEP-2207: yaml rows added since the last refresh now appear (1 tested, 1 untested: sep-2207-server-no-offline-access)

No previously-tested requirement regressed.

* Exclude sep-2207 server offline_access guidance until RS auth scenarios exist

sep-2207-server-no-offline-access was declared in the yaml but no scenario emits it, so it surfaced as the only untested requirement in the refreshed manifest. The check needs to probe the SDK server's Protected Resource Metadata scopes_supported and WWW-Authenticate challenge scope, and the server suite does not yet exercise the SDK server as an OAuth protected resource at all.

Mark the requirement excluded with a pointer to #116 (server-side authorization baseline) rather than leaving it as a permanently-untested row; revisit when server-side authorization scenarios land.
1 parent 43fbf60 commit e15c0f8
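The commit message above describes what the deferred sep-2207-server-no-offline-access check would have to probe. The following is an added example, not code from the conformance project or the typescript-sdk, of a check in that shape: it inspects a Protected Resource Metadata document and a `WWW-Authenticate: Bearer` challenge for `offline_access`. The type names, the `CheckResult` shape and the sample inputs are assumptions constructed for this example.

```typescript
// Added example, not the conformance project's own code: a check in the shape of
// the sep-2207-server-no-offline-access requirement from the commit message. An
// MCP server acting as an OAuth protected resource must not advertise
// `offline_access` in PRM `scopes_supported` or in its Bearer challenge `scope`.

interface ProtectedResourceMetadata {
  resource: string;
  scopes_supported?: string[];
}
interface CheckResult { check: string; passed: boolean; findings: string[] }

// Extract the space-separated `scope` auth-param from a Bearer challenge. Accepts
// quoted (`scope="a b"`) and unquoted (`scope=a`) values; commas inside quotes are not separators.
function bearerChallengeScopes(wwwAuthenticate: string): string[] {
  const scheme = /^\s*Bearer\b/i.exec(wwwAuthenticate);
  if (!scheme) return []; // not a Bearer challenge, nothing to inspect
  const params = wwwAuthenticate.slice(scheme[0].length);
  const paramRe = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let m: RegExpExecArray | null;
  while ((m = paramRe.exec(params)) !== null) {
    if ((m[1] ?? "").toLowerCase() !== "scope") continue;
    const raw = (m[2] ?? m[3] ?? "").replace(/\\(.)/g, "$1"); // drop quoted-pair escapes
    return raw.split(/\s+/).filter((s) => s.length > 0);
  }
  return [];
}

function checkServerNoOfflineAccess(
  prm: ProtectedResourceMetadata,
  wwwAuthenticate?: string,
): CheckResult {
  const findings: string[] = [];
  if ((prm.scopes_supported ?? []).includes("offline_access")) {
    findings.push("Protected Resource Metadata scopes_supported lists offline_access");
  }
  if (wwwAuthenticate && bearerChallengeScopes(wwwAuthenticate).includes("offline_access")) {
    findings.push("WWW-Authenticate challenge scope lists offline_access");
  }
  return { check: "sep-2207-server-no-offline-access", passed: findings.length === 0, findings };
}

// Constructed sample inputs (not captured from any real server).
const GOOD_PRM: ProtectedResourceMetadata = { resource: "https://mcp.example/", scopes_supported: ["mcp:read"] };
const BAD_PRM: ProtectedResourceMetadata = { resource: "https://mcp.example/", scopes_supported: ["mcp:read", "offline_access"] };
const BAD_CHALLENGE = 'Bearer realm="mcp", scope="mcp:read offline_access", resource_metadata="https://mcp.example/.well-known/oauth-protected-resource"';
```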

2 files changed

Lines changed: 371 additions & 11 deletions

File tree

src/seps/sep-2207.yaml

Lines changed: 3 additions & 2 deletions
@@ -3,9 +3,10 @@ spec_url: https://modelcontextprotocol.io/specification/draft/basic/authorizatio
33
requirements:
44
- check: sep-2207-client-metadata-grant-types
55
text: 'MCP Clients that desire refresh tokens SHOULD include `refresh_token` in their `grant_types` client metadata'
6-
- check: sep-2207-server-no-offline-access
7-
text: 'MCP Servers (Protected Resources) SHOULD NOT include `offline_access` in `WWW-Authenticate` scope or Protected Resource Metadata `scopes_supported`, as refresh tokens are not a resource requirement'
86

7+
- text: 'MCP Servers (Protected Resources) SHOULD NOT include `offline_access` in `WWW-Authenticate` scope or Protected Resource Metadata `scopes_supported`, as refresh tokens are not a resource requirement'
8+
excluded: 'The server suite does not yet exercise the SDK server as an OAuth protected resource (no Protected Resource Metadata or WWW-Authenticate probing); revisit once server-side authorization scenarios exist'
9+
issue: 'https://github.com/modelcontextprotocol/conformance/issues/116'
910
- text: 'MCP Clients that desire refresh tokens MUST keep refresh tokens confidential in transit and storage as specified in OAuth 2.1 Section 4.3'
1011
excluded: 'Confidentiality of refresh tokens in storage is client-internal state, and in-transit (TLS) confidentiality is not exercised by the harness over localhost HTTP; not protocol-observable'
1112
- text: 'MCP Clients that desire refresh tokens MUST NOT assume refresh tokens will be issued; the AS retains discretion'
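Review bot: replacing the `- check: sep-2207-server-no-offline-access` row with a bare `- text:` row removes the check id from this yaml entirely, so a scenario that later starts emitting that id will have no row to match, and the "revisit once server-side authorization scenarios exist" promise in the `excluded:` text has nothing to grep for. The layout does match the existing excluded row for refresh-token confidentiality below it, so if excluded rows are required to omit `check:`, consider naming the id in the reason instead, e.g. `excluded: 'sep-2207-server-no-offline-access: the server suite does not yet exercise ...'`, so the link between the deferred check and issue #116 survives the refresh.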
