From a01476b64089d9868d680d408a446cb5e5aeeae3 Mon Sep 17 00:00:00 2001
From: Paul Carleton <paulc@anthropic.com>
Date: Tue, 17 Feb 2026 19:07:39 +0000
Subject: [PATCH] fix: don't leak escalated scopes in PRM scopes_supported for
 step-up test

---
 src/scenarios/client/auth/scope-handling.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/scenarios/client/auth/scope-handling.ts b/src/scenarios/client/auth/scope-handling.ts
index 166a9c3..32db087 100644
--- a/src/scenarios/client/auth/scope-handling.ts
+++ b/src/scenarios/client/auth/scope-handling.ts
@@ -418,7 +418,7 @@ export class ScopeStepUpAuthScenario implements Scenario {
       {
         prmPath: '/.well-known/oauth-protected-resource/mcp',
         requiredScopes: escalatedScopes,
-        scopesSupported: escalatedScopes,
+        scopesSupported: [initialScope],
         includeScopeInWwwAuth: true,
         authMiddleware: stepUpMiddleware,
         tokenVerifier