Validate that an auth-enabled ResourceServerConfig can publish a
spec-compliant Protected Resource Metadata document before the transport
starts serving it. basic/authorization §Authorization Server Location (all
of 2025-06-18 / 2025-11-25 / draft) makes RFC 9728 a MUST: "The Protected
Resource Metadata document returned by the MCP server MUST include the
authorization_servers field containing at least one authorization server."
An operator who sets auth.validator but forgets auth.authorizationServers
would otherwise publish "authorization_servers": [], a silent MUST
violation. We fail loudly here (at mount time) rather than serve it.
Validate that an auth-enabled ResourceServerConfig can publish a spec-compliant Protected Resource Metadata document before the transport starts serving it. basic/authorization §Authorization Server Location (all of 2025-06-18 / 2025-11-25 / draft) makes RFC 9728 a MUST: "The Protected Resource Metadata document returned by the MCP server MUST include the authorization_servers field containing at least one authorization server." An operator who sets auth.validator but forgets auth.authorizationServers would otherwise publish "authorization_servers": [], a silent MUST violation. We fail loudly here (at mount time) rather than serve it.