Jerome/fix/dev oauth server required scopes change #629

Merged
merged 3 commits into from
Jun 17, 2025

jerome3o-anthropic
Member

@jerome3o-anthropic jerome3o-anthropic commented Jun 14, 2025

Removing required scope from the shttp dev oauth server. Admittedly I don't know the best behaviour here:

  • Should the MCP client already know about the mcp:tools scope, and be requesting it?
  • Should the MCP client discover all available scopes and request all of them?
    • Should the user filter down the scopes to what they're comfortable with (from the list of all available scopes) - is this something that should be handled MCP client side, or MCP server (& auth server) side?
  • Or is this oauth server misconfigured - where requiring bespoke scopes to enable MCP connection is unadvised?

As it currently stands, the inspector does both - guided flow requests all scopes, quick flow requests no scopes. I'm using this to test the inspector, and am confused as to whether this oauth server is configured poorly (having required scopes for the MCP connection to function at all), or if the inspector quick flow is not functioning correctly (i.e. it should be requesting all available scopes).

Motivation and Context

How Has This Been Tested?

Breaking Changes

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context
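
The mismatch described in this PR, as an added example that is not code from the PR or the SDK: a client flow that requests no scopes is rejected by a resource server that requires one, while a flow that requests every advertised scope succeeds. All function names, the toy token issuer, and the assumption that `mcp:tools` is the single advertised and required scope are hypothetical.

```javascript
// Added illustration; every name here is an assumption, not the SDK's API.
// Constructed authorization-server metadata (RFC 8414 field name).
const metadata = { scopes_supported: ["mcp:tools"] };

// Scope parameter a client sends on the authorization request.
// "guided" requests every advertised scope, "quick" requests none,
// mirroring the two inspector flows described in the PR text.
function requestedScope(flow, meta) {
  return flow === "guided" ? (meta.scopes_supported || []).join(" ") : "";
}

// Toy authorization server: grants exactly what was requested, no default scope.
function issueToken(scopeParam) {
  return { scopes: scopeParam.split(" ").filter(Boolean) };
}

// Resource-server check: every required scope must be on the token.
// On failure, respond as RFC 6750 section 3.1 describes for insufficient_scope.
function authorize(token, requiredScopes) {
  const missing = requiredScopes.filter((s) => !token.scopes.includes(s));
  if (missing.length === 0) return { status: 200, missing };
  return {
    status: 403,
    missing,
    headers: {
      "WWW-Authenticate":
        `Bearer error="insufficient_scope", scope="${requiredScopes.join(" ")}"`,
    },
  };
}

// Full round trip for one client flow against one server configuration.
function connect(flow, requiredScopes) {
  return authorize(issueToken(requestedScope(flow, metadata)), requiredScopes);
}

// Server requires mcp:tools: guided flow connects, quick flow is refused.
console.log("guided, scope required:", connect("guided", ["mcp:tools"]).status);
console.log("quick,  scope required:", connect("quick", ["mcp:tools"]).status);
// Server requires nothing: the quick flow connects too.
console.log("quick,  none required: ", connect("quick", []).status);
```
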

Member Author

Unrelated change to just get git blame working well in gitlens+vscode.

"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "@modelcontextprotocol/sdk",
"version": "1.11.4",
"version": "1.12.3",
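
Review bot: the two "version" lines at the end of this hunk move the lockfile's root package version from 1.11.4 to 1.12.3, which is independent of the OAuth scope change; keeping this lock sync in its own commit or PR would make the scope change easier to bisect and revert. It is also worth confirming that package.json declares the same 1.12.3 so the two files do not drift apart again.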
Member Author

Also an unrelated change, just updating the lock to the latest version.

Contributor

@cliffhall cliffhall left a comment

LGTM! 👍 Fixes stubborn issue with inspector's OAuth reconnect problem when not going through debugger. That should get fixed as well, but arguably this works as well in the near term.

@pcarleton pcarleton merged commit 8b9aa20 into main Jun 17, 2025
5 checks passed
@pcarleton pcarleton deleted the jerome/fix/dev-oauth-server-required-scopes-change branch June 17, 2025 09:19