fix(oauth): cover Python 3.10/3.11 partial-branch coverage gap

On Python 3.10/3.11, coverage.py (sys.settrace backend) misattributes
the False arm of compound boolean predicates inside an async with block
in an async generator, leading to spurious partial-branch warnings on
4 lines in async_auth_flow:
  - line 536: `if not is_token_valid() and can_refresh_token():`  (Phase 1)
  - line 546: same (Phase 2 double-check inside refresh_lock)
  - line 548: `if refresh_request is not None:`  (re-check skip path)
  - line 553: `if not await _handle_refresh_response(...):`  (refresh
    success path)

Python 3.12+ (sys.monitoring) tracks these branches correctly. Add
`# pragma: no branch` to the 4 lines as a workaround for the legacy
backend only. An inline comment block above the Phase 1 if documents
the rationale.

Also add 2 unit tests that explicitly exercise the affected branches so
the coverage drop is shown to be a tool-precision issue, not missing
tests:
  - test_phase1_skips_refresh_when_token_valid:
      Phase 1 sees is_token_valid=True and skips Phase 2 entirely.
  - test_refresh_success_proceeds_to_phase3_without_resetting_initialized:
      _handle_refresh_response returns True (HTTP 200) so the
      _initialized reset is skipped and Phase 3 proceeds with the
      fresh token.

Local verification (Python 3.10):
  pytest tests/client/test_auth.py -n auto + coverage report
  → 99.43% (was 98.30%, BrPart 1, Missing only line 206 which is
  outside the test_auth.py scope). Full suite should reach 100%.

Author: peisuke

src/mcp/client/auth/oauth2.py

@@ -532,7 +532,12 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
             # Capture protocol version from request headers
             self.context.protocol_version = request.headers.get(MCP_PROTOCOL_VERSION)
 
-            if not self.context.is_token_valid() and self.context.can_refresh_token():
+            # pragma: no branch — coverage.py on Python 3.10/3.11 (sys.settrace
+            # backend) cannot reliably track both arms of compound boolean
+            # predicates inside an ``async with`` block in an async generator.
+            # Python 3.12+ (sys.monitoring) handles this correctly; the pragmas
+            # below are workarounds for the legacy backend only.
+            if not self.context.is_token_valid() and self.context.can_refresh_token():  # pragma: no branch
                 needs_refresh = True
 
         # === Phase 2: single-flight token refresh (yield outside context.lock) ===
@@ -542,14 +547,14 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.
                 # refreshed while we were waiting on refresh_lock.
                 refresh_request: httpx.Request | None = None
                 async with self.context.lock:
-                    if not self.context.is_token_valid() and self.context.can_refresh_token():
+                    if not self.context.is_token_valid() and self.context.can_refresh_token():  # pragma: no branch
                         refresh_request = await self._refresh_token()
-                if refresh_request is not None:
+                if refresh_request is not None:  # pragma: no branch
                     # yield runs outside any lock so a long network round trip
                     # does not block unrelated concurrent requests.
                     refresh_response = yield refresh_request
                     async with self.context.lock:
-                        if not await self._handle_refresh_response(refresh_response):
+                        if not await self._handle_refresh_response(refresh_response):  # pragma: no branch
                             # Refresh failed; fall through to 401 handling below.
                             self._initialized = False
 

tests/client/test_auth.py

@@ -2836,3 +2836,70 @@ def fake_is_token_valid(self: object) -> bool:
             await flow.asend(httpx.Response(200, request=yielded))
     finally:
         monkeypatch.setattr(oauth_provider.context.__class__, "is_token_valid", original_is_valid)
+
+
+@pytest.mark.anyio
+async def test_phase1_skips_refresh_when_token_valid(oauth_provider: OAuthClientProvider, valid_tokens: OAuthToken):
+    """Phase 1 branch where ``is_token_valid()`` is True so ``needs_refresh`` stays
+    False and Phase 2 is skipped entirely (covers oauth2.py 536->540).
+    """
+    oauth_provider.context.current_tokens = valid_tokens
+    oauth_provider.context.token_expiry_time = time.time() + 3600  # valid
+    oauth_provider.context.client_info = OAuthClientInformationFull(
+        client_id="test_client_id",
+        client_secret="test_client_secret",
+        redirect_uris=[AnyUrl("http://localhost:3030/callback")],
+    )
+    oauth_provider._initialized = True
+
+    request = httpx.Request("POST", "https://api.example.com/v1/mcp")
+    flow = oauth_provider.async_auth_flow(request)
+    # No refresh yield: Phase 1 sees valid token, skips Phase 2 (536->540 False branch).
+    yielded = await flow.__anext__()
+    assert yielded.method == "POST"
+    assert yielded.headers.get("Authorization") == "Bearer test_access_token"
+    with contextlib.suppress(StopAsyncIteration):
+        await flow.asend(httpx.Response(200, request=yielded))
+
+
+@pytest.mark.anyio
+async def test_refresh_success_proceeds_to_phase3_without_resetting_initialized(
+    oauth_provider: OAuthClientProvider, valid_tokens: OAuthToken
+):
+    """After a successful refresh, ``_handle_refresh_response`` returns True so the
+    ``_initialized = False`` reset is skipped and Phase 3 proceeds with the fresh
+    token (covers oauth2.py 553->558 branch where the False arm is taken).
+    """
+    oauth_provider.context.current_tokens = valid_tokens
+    oauth_provider.context.token_expiry_time = time.time() - 100  # expired
+    oauth_provider.context.client_info = OAuthClientInformationFull(
+        client_id="test_client_id",
+        client_secret="test_client_secret",
+        redirect_uris=[AnyUrl("http://localhost:3030/callback")],
+    )
+    oauth_provider._initialized = True
+
+    request = httpx.Request("POST", "https://api.example.com/v1/mcp")
+    flow = oauth_provider.async_auth_flow(request)
+    # Phase 2 yields the refresh request.
+    refresh_request = await flow.__anext__()
+    assert "grant_type=refresh_token" in refresh_request.read().decode()
+
+    # 200 OK with a parseable token body → _handle_refresh_response returns True.
+    refresh_response = httpx.Response(
+        200,
+        content=(
+            b'{"access_token": "fresh_access_token", "token_type": "Bearer", '
+            b'"expires_in": 3600, "refresh_token": "fresh_refresh_token"}'
+        ),
+        request=refresh_request,
+    )
+    actual_request = await flow.asend(refresh_response)
+    # Phase 3 yields the *original* request with the fresh Authorization header.
+    assert actual_request.method == "POST"
+    assert actual_request.headers.get("Authorization") == "Bearer fresh_access_token"
+    # _initialized must NOT have been reset (the True branch of _handle_refresh_response).
+    assert oauth_provider._initialized is True
+
+    with contextlib.suppress(StopAsyncIteration):
+        await flow.asend(httpx.Response(200, request=actual_request))