refactor: restore original fallback behavior in discovery

Moves fallback logic back to individual functions instead of
generating "fake" metadata during discovery. Discovery now returns
undefined on 404 like the original code, maintaining the existing
architectural pattern where functions handle their own URL fallbacks.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: pcarleton

src/client/auth.test.ts

@@ -908,7 +908,7 @@ describe("OAuth Authorization", () => {
       expect(url.toString()).toBe("https://mcp.example.com/.well-known/oauth-authorization-server");
     });
 
-    it("returns fallback metadata when legacy MCP server returns 404", async () => {
+    it("returns undefined when legacy MCP server returns 404", async () => {
       mockFetch.mockResolvedValueOnce({
         ok: false,
         status: 404,
@@ -919,14 +919,7 @@ describe("OAuth Authorization", () => {
         undefined
       );
 
-      expect(metadata).toEqual({
-        issuer: "https://mcp.example.com",
-        authorization_endpoint: "https://mcp.example.com/authorize",
-        token_endpoint: "https://mcp.example.com/token",
-        registration_endpoint: "https://mcp.example.com/register",
-        response_types_supported: ["code"],
-        code_challenge_methods_supported: ["S256"],
-      });
+      expect(metadata).toBeUndefined();
     });
 
     it("throws on non-404 errors in legacy mode", async () => {

src/client/auth.ts

@@ -721,7 +721,7 @@ export async function discoverAuthorizationServerMetadata(
  * @param options - Configuration options
  * @param options.fetchFn - Optional fetch function for making HTTP requests, defaults to global fetch
  * @param options.protocolVersion - MCP protocol version to use (required)
- * @returns Promise resolving to OAuth metadata
+ * @returns Promise resolving to OAuth metadata, or undefined if discovery fails
  */
 async function retrieveOAuthMetadataFromMcpServer(
   serverUrl: string | URL,
@@ -732,7 +732,7 @@ async function retrieveOAuthMetadataFromMcpServer(
     fetchFn?: FetchLike;
     protocolVersion: string;
   }
-): Promise<OAuthMetadata> {
+): Promise<OAuthMetadata | undefined> {
   const serverOrigin = typeof serverUrl === 'string' ? new URL(serverUrl).origin : serverUrl.origin;
 
   const metadataEndpoint = new URL(buildWellKnownPath('oauth-authorization-server'), serverOrigin);
@@ -745,19 +745,7 @@ async function retrieveOAuthMetadataFromMcpServer(
 
   if (!response.ok) {
     if (response.status === 404) {
-      /**
-       * The MCP server does not implement OAuth 2.0 Authorization Server Metadata
-       *
-       * Return fallback OAuth 2.0 Authorization Server Metadata
-       */
-      return {
-        issuer: serverOrigin,
-        authorization_endpoint: new URL('/authorize', serverOrigin).href,
-        token_endpoint: new URL('/token', serverOrigin).href,
-        registration_endpoint: new URL('/register', serverOrigin).href,
-        response_types_supported: ['code'],
-        code_challenge_methods_supported: ['S256'],
-      };
+      return undefined;
     }
 
     throw new Error(`HTTP ${response.status} trying to load OAuth metadata from ${metadataEndpoint}`);