fix(docs): correct two specReferences[].url strings that 404

[panyam]

Motivation and Context

Two specReferences[].url strings in the scenario source point at files that return HTTP 404 on github.com. Any downstream audit harness that renders these references to humans hits broken links. Verified with curl -sI returning HTTP 404 against both URLs.

This PR fixes both URLs to point at canonical, currently-existing locations. Fixes issue 313.

How Has This Been Tested?

Verified each new URL returns HTTP 200 with curl -sI:

$ curl -sI https://github.com/modelcontextprotocol/modelcontextprotocol/issues/986 | head -1
HTTP/2 200

$ curl -sI https://github.com/modelcontextprotocol/ext-auth/blob/main/specification/draft/enterprise-managed-authorization.mdx | head -1
HTTP/2 200

No code paths or assertions changed. The strings affected are display-only specReferences[].url fields that downstream tooling renders for humans.

Breaking Changes

None. The string keys (id fields) are unchanged; only the url values are corrected. Downstream tools that hardcode any of these URLs would need to update, but the deprecation is implicit because the old URLs already 404.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

SEP-986: the original URL pointed at SEP/SEP-986.md in modelcontextprotocol/modelcontextprotocol. That path was removed when the SEP merged into the spec. The new URL https://github.com/modelcontextprotocol/modelcontextprotocol/issues/986 matches the convention used by other SEPs in src/scenarios/server/tools.ts and src/scenarios/client/auth/spec-references.ts which link to their SEP issue or PR rather than to a file in the repo tree.

SEP-990 Enterprise-Managed-OAuth: a filename mismatch. The source cites enterprise-oauth.mdx; the actual file is enterprise-managed-authorization.mdx. Confirmed by listing specification/draft/ in modelcontextprotocol/ext-auth:

$ curl -s https://api.github.com/repos/modelcontextprotocol/ext-auth/contents/specification/draft | python3 -c 'import json,sys; print("\n".join(d["path"] for d in json.load(sys.stdin)))'
specification/draft/enterprise-managed-authorization.mdx
specification/draft/oauth-client-credentials.mdx

The "tests pass locally" box is unchecked because no test surface exercises these URL strings; they are emitted in specReferences[] arrays and consumed by downstream renderers, not by scenario assertions.

[panyam]

Hey @CaitieM20 - Thought of putting out a small docs fix that came out of the conformance audit work I've been doing. Two URLs in specReferences[] currently 404. #313 has the repro. Can I hassle you for a quick look when you have a moment.

Ive been building a way to run/track/prioritize conformance suites on SDKs (starting with my own so these URLs are quite valuble)