fix: accept null introspection_endpoint in OAuthMetadataSchema

Some OAuth authorization servers (e.g. Dotdigital's MCP server) return
introspection_endpoint: null in their .well-known/oauth-authorization-server
metadata rather than omitting the field entirely.

The current schema uses z.string().optional() which accepts undefined but
rejects null, causing OAuth flow initiation to fail with:
  "Invalid input: expected string, received null"

Changing to z.string().nullish() accepts both undefined and null, which
aligns with RFC 7662 where introspection_endpoint is optional and a server
returning null should be treated the same as not including it.

Author: billyriaz

packages/core/src/shared/auth.ts

@@ -62,7 +62,7 @@ export const OAuthMetadataSchema = z.looseObject({
     revocation_endpoint: SafeUrlSchema.optional(),
     revocation_endpoint_auth_methods_supported: z.array(z.string()).optional(),
     revocation_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
-    introspection_endpoint: z.string().optional(),
+    introspection_endpoint: z.string().nullish(),
     introspection_endpoint_auth_methods_supported: z.array(z.string()).optional(),
     introspection_endpoint_auth_signing_alg_values_supported: z.array(z.string()).optional(),
     code_challenge_methods_supported: z.array(z.string()).optional(),