docs(xaa): convert inline snippet to type-checked sourced region

The XAA example in docs/client.md was the only inline (un-typechecked)
ts block in the file — every other snippet uses the source= pattern.
That's why the /crossAppAccess subpath import broke silently.

- Add auth_crossAppAccess region to clientGuide.examples.ts, add
  CrossAppAccessProvider + discoverAndRequestJwtAuthGrant to the
  shared imports region.
- Replace inline markdown with sourced fence, run sync:snippets.
- Drop two @linkcode CrossAppAccessProvider refs in crossAppAccess.ts
  that TypeDoc can't resolve cross-module; use plain backticks.

Author: pcarleton

docs/client.md

@@ -19,6 +19,8 @@ import {
     Client,
     ClientCredentialsProvider,
     createMiddleware,
+    CrossAppAccessProvider,
+    discoverAndRequestJwtAuthGrant,
     PrivateKeyJwtProvider,
     ProtocolError,
     SdkError,
@@ -160,36 +162,27 @@ This provider handles a two-step OAuth flow:
 1. Exchange the user's ID Token from the enterprise IdP for a JWT Authorization Grant (JAG) via RFC 8693 token exchange
 2. Exchange the JAG for an access token from the MCP server via RFC 7523 JWT bearer grant
 
-```ts
-import { CrossAppAccessProvider, discoverAndRequestJwtAuthGrant } from '@modelcontextprotocol/client';
-
+```ts source="../examples/client/src/clientGuide.examples.ts#auth_crossAppAccess"
 const authProvider = new CrossAppAccessProvider({
-    // Callback to obtain JWT Authorization Grant
-    assertion: async (ctx) => {
+    assertion: async ctx => {
         // ctx provides: authorizationServerUrl, resourceUrl, scope, fetchFn
         const result = await discoverAndRequestJwtAuthGrant({
             idpUrl: 'https://idp.example.com',
-            audience: ctx.authorizationServerUrl,  // MCP auth server
-            resource: ctx.resourceUrl,              // MCP resource URL
-            idToken: await getMyIdToken(),          // Your ID token acquisition
+            audience: ctx.authorizationServerUrl,
+            resource: ctx.resourceUrl,
+            idToken: await getIdToken(),
             clientId: 'my-idp-client',
             clientSecret: 'my-idp-secret',
             scope: ctx.scope,
             fetchFn: ctx.fetchFn
         });
         return result.jwtAuthGrant;
     },
-    
-    // MCP server credentials
     clientId: 'my-mcp-client',
-    clientSecret: 'my-mcp-secret',
-    clientName: 'my-app'  // Optional
+    clientSecret: 'my-mcp-secret'
 });
 
-const transport = new StreamableHTTPClientTransport(
-    new URL('http://localhost:3000/mcp'),
-    { authProvider }
-);
+const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3000/mcp'), { authProvider });
 ```
 
 The `assertion` callback receives a context object with:

examples/client/src/clientGuide.examples.ts

@@ -14,6 +14,8 @@ import {
     Client,
     ClientCredentialsProvider,
     createMiddleware,
+    CrossAppAccessProvider,
+    discoverAndRequestJwtAuthGrant,
     PrivateKeyJwtProvider,
     ProtocolError,
     SdkError,
@@ -135,6 +137,33 @@ async function auth_privateKeyJwt(pemEncodedKey: string) {
     return transport;
 }
 
+/** Example: Cross-App Access (SEP-990 Enterprise Managed Authorization). */
+async function auth_crossAppAccess(getIdToken: () => Promise<string>) {
+    //#region auth_crossAppAccess
+    const authProvider = new CrossAppAccessProvider({
+        assertion: async ctx => {
+            // ctx provides: authorizationServerUrl, resourceUrl, scope, fetchFn
+            const result = await discoverAndRequestJwtAuthGrant({
+                idpUrl: 'https://idp.example.com',
+                audience: ctx.authorizationServerUrl,
+                resource: ctx.resourceUrl,
+                idToken: await getIdToken(),
+                clientId: 'my-idp-client',
+                clientSecret: 'my-idp-secret',
+                scope: ctx.scope,
+                fetchFn: ctx.fetchFn
+            });
+            return result.jwtAuthGrant;
+        },
+        clientId: 'my-mcp-client',
+        clientSecret: 'my-mcp-secret'
+    });
+
+    const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3000/mcp'), { authProvider });
+    //#endregion auth_crossAppAccess
+    return transport;
+}
+
 // ---------------------------------------------------------------------------
 // Using server features
 // ---------------------------------------------------------------------------
@@ -513,6 +542,7 @@ void disconnect_streamableHttp;
 void serverInstructions_basic;
 void auth_clientCredentials;
 void auth_privateKeyJwt;
+void auth_crossAppAccess;
 void callTool_basic;
 void callTool_structuredOutput;
 void callTool_progress;

packages/client/src/client/crossAppAccess.ts

@@ -229,7 +229,7 @@ export async function discoverAndRequestJwtAuthGrant(options: DiscoverAndRequest
  * @throws {Error} If the exchange fails or returns an error response
  *
  * Defaults to `client_secret_basic` (HTTP Basic Authorization header), matching
- * {@linkcode CrossAppAccessProvider}'s declared `token_endpoint_auth_method` and the
+ * `CrossAppAccessProvider`'s declared `token_endpoint_auth_method` and the
  * SEP-990 conformance test requirements. Use `authMethod: 'client_secret_post'` only
  * when the authorization server explicitly requires it.
  *
@@ -252,7 +252,7 @@ export async function exchangeJwtAuthGrant(options: {
     clientSecret?: string;
     /**
      * Client authentication method. Defaults to `'client_secret_basic'` to align with
-     * {@linkcode CrossAppAccessProvider} and SEP-990 conformance requirements.
+     * `CrossAppAccessProvider` and SEP-990 conformance requirements.
      * Callers with no `clientSecret` should pass `'none'` for public-client auth.
      */
     authMethod?: ClientAuthMethod;