Pin mcp<1.23 to avoid SDK breaking changes

Fix Azure provider OIDC scope handling (jlowin#2506)

* Fix Azure provider to handle OIDC scopes correctly

OIDC scopes (openid, profile, email, offline_access) were being
incorrectly prefixed with identifier_uri, causing Azure to reject
authorization requests. This fix:

- Detects OIDC scopes and sends them unprefixed to Azure
- Filters OIDC scopes from token validation (Azure doesn't include
  them in access token scp claims)
- Still advertises OIDC scopes to clients via valid_scopes
- Also handles dot-notation scopes (e.g., User.Read) correctly

Fixes jlowin#2451, jlowin#2420

* Fix dot-notation scopes to be prefixed (custom scopes can have dots)

* Improve Azure scope handling docs with clear examples

Merge pull request jlowin#2426 from jlowin/simplify-object-schema-check

Simplify _is_object_schema helper

Replace openapi-core with jsonschema-path (jlowin#2291)

Fix Azure scope validation (jlowin#2269)

* Update docs for required scopes

* add scopes

* Fix Azure scope validation

Azure returns unprefixed scopes in JWT tokens but requires prefixed scopes in authorization requests. The previous implementation incorrectly validated tokens against prefixed scopes, causing "invalid_token" errors.

Simplified AzureProvider to use standard JWTVerifier with unprefixed scopes for validation. Scopes are only prefixed when building the Azure authorization URL via _build_upstream_authorize_url() override.

Closes jlowin#2263

chore: Update SDK documentation (jlowin#2214)

Co-authored-by: marvin-context-protocol[bot] <225465937+marvin-context-protocol[bot]@users.noreply.github.com>

Remove redundant None checks from Context methods (jlowin#2251)

The fastmcp property already raises RuntimeError if None, making these checks unreachable.

allow non write users for marvin flows (jlowin#2161)

Progress replacing asyncio with anyio (jlowin#2143)

* Replace asyncio.sleep() with anyio.sleep()

- Replace asyncio.sleep() in error_handling.py retry middleware
- Replace asyncio.sleep() in oauth.py callback shutdown
- Keep asyncio.TimeoutError check for Python 3.10 compatibility
- Add anyio import to error_handling.py

All core library sleep calls now use anyio primitives. Tests and
example code still use asyncio where appropriate.

* Replace OAuth asyncio.Future with anyio.Event pattern

- Create OAuthCallbackResult dataclass for result storage
- Replace Future with Event + result container pattern
- Update oauth_callback.py to use anyio.Event coordination
- Update auth/oauth.py callback_handler to use Event pattern
- Remove asyncio imports from OAuth flow

OAuth callback now uses anyio primitives for async coordination
instead of asyncio.Future.

* Remove asyncio fire-and-forget task hack from Context

- Remove _try_flush_notifications() method entirely
- Update _queue_*_list_changed() to only queue notifications
- Remove asyncio import from context.py
- Keep _flush_notifications() for deferred sending on context exit

Notifications now flush reliably on request completion (__aexit__)
instead of attempting immediate delivery with asyncio.create_task().
Slight delay is acceptable - all notifications are deduplicated and
sent when the MCP request handler completes.

Pin MCP to <1.17 for 2.12.5 patch release