fix(client): let auth headers override request headers

[he-yufeng]

Summary

requestInit.headers.Authorization currently wins over the transport's auth-provider token in both HTTP client transports. That makes fallback auth awkward: a stale configured Authorization header keeps overriding the fresh OAuth or bearer token even after the transport has one.

This changes the common header merge order so user request headers are still included, but derived auth/session/protocol headers win when the transport has them.

Fixes #2208.

Tests

pnpm --filter @modelcontextprotocol/client test -- test/client/streamableHttp.test.ts test/client/sse.test.ts
pnpm --filter @modelcontextprotocol/client typecheck
pnpm --filter @modelcontextprotocol/client exec eslint src/client/streamableHttp.ts src/client/sse.ts
pnpm exec prettier --check .changeset/fresh-buses-auth.md packages/client/src/client/streamableHttp.ts packages/client/src/client/sse.ts packages/client/test/client/streamableHttp.test.ts packages/client/test/client/sse.test.ts
git diff --check

The repository pre-push hook also ran successfully:

pnpm sync:snippets --check && pnpm -r lint
pnpm -r build
pnpm -r typecheck

[changeset-bot]

🦋 Changeset detected

Latest commit: 8dd696b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@modelcontextprotocol/client	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[he-yufeng]

Closing this as a duplicate of #2209. I missed the existing same-topic branch during the first search; #2209 is already green and should remain the active path for #2208.