chore: add SEP-2207 requirement-traceability YAML (OIDC refresh tokens)

[pcarleton]

Adds the SEP-2484 requirement-traceability file for SEP-2207: OIDC-flavored refresh token guidance, mapping each normative sentence from the new ## Refresh Tokens section of authorization.mdx to a check ID or an exclusion reason.

Requirements

check: rows (2)

• sep-2207-client-metadata-grant-types — Clients SHOULD include refresh_token in grant_types client metadata. Already implemented in src/scenarios/client/auth/offline-access.ts (from feat (auth): add sep-2207 client checks #166); the YAML check ID matches.
• sep-2207-server-no-offline-access — Servers SHOULD NOT include offline_access in WWW-Authenticate scope or PRM scopes_supported. Not yet implemented — the server suite has no PRM/WWW-Authenticate scenario, so this needs a new server-side scenario (follow-up).

excluded: rows (2)

• Clients MUST keep refresh tokens confidential in transit/storage — storage is client-internal state; in-transit (TLS) confidentiality isn't exercised by the harness over localhost HTTP. Not protocol-observable.
• Clients MUST NOT assume refresh tokens will be issued — mental-state phrasing; only manifests as general flow completion, already covered elsewhere. Not directly observable.

Skipped: the "Clients MAY add offline_access to scope" sentence is MAY-level, so it gets no traceability row (the scenario's INFO-level offline-access-requested check stays as-is).

Severity classification follows the spec text per AGENTS.md.

[pkg-pr-new]

Open in StackBlitz

npx https://pkg.pr.new/@modelcontextprotocol/conformance@294

commit: 3cdaec1