fix(mcp): make MCP Apps render in browser clients (basic-host, claude.ai)

[jklaassenjc]

Summary

• MCP Apps (shipped in KLA-360) was returning tool data fine but the UI never rendered when driven from a browser-based host
• Five independent bugs in the handshake / CORS / transport chain all had to land together for the iframe render to kick in
• Confirmed end-to-end against the reference basic-host: the JumpCloud dashboard renders correctly with stat cards, MFA ring, OS bars, and connectivity segments

The five fixes

#	Problem	Fix
1	Client skipped MCP Apps render because server never declared the io.modelcontextprotocol/ui extension in initialize capabilities	ServerCapabilities.AddExtension("io.modelcontextprotocol/ui", ...)
2	Browser EventSource can't send custom headers → TS SDK's GET SSE stream failed 400 "GET requires Mcp-Session-Id"	StreamableHTTPOptions.Stateless: true
3	Cross-origin POSTs got 403 "cross-origin request detected from Sec-Fetch-Site" (Go 1.25 http.CrossOriginProtection)	AddInsecureBypassPattern("/mcp"), only when CORSOrigin is set
4	Subsequent POSTs got net::ERR_FAILED because request carried Mcp-Protocol-Version header not in Access-Control-Allow-Headers	Wildcard * on Allow-Headers when CORS is configured
5	Clients couldn't read Mcp-Session-Id from the initialize response	Added it to Access-Control-Expose-Headers

Each on its own was a silent failure with a different symptom. The HAR captures made it tractable.

Security note

The `http` transport is deliberately permissive after these changes (wide-open CORS, cross-origin checks disabled) so browser MCP clients work. The help text now explicitly recommends `--api-key` when exposing the server through a tunnel, since the auth middleware is the only remaining gate against anonymous tool calls.

Stateless mode means server→client requests are rejected, but MCP Apps are client-initiated (tool call + resource read) so this doesn't regress the intended use.

Test plan

• `go test ./...` — new/updated assertions for extension capability and CORS header shape
• `go vet ./...` — clean
• Basic-host end-to-end: dashboard renders with live JumpCloud data (screenshot on request)
• claude.ai custom connector end-to-end — connector now reaches the server without 403/ERR_FAILED, but whether claude.ai renders MCP Apps for custom connectors appears to be a separate rollout on Anthropic's side
• Claude Desktop - same situation as claude.ai

Related

• KLA-360 — original MCP Apps ticket (shipped but the handshake was broken for browser hosts)

🤖 Generated with Claude Code

---

Note

Medium Risk
Modifies the Streamable HTTP transport to be more permissive for browser clients (stateless mode, cross-origin bypass, broader CORS), which could increase exposure if operators bind publicly without enabling auth. Adds an explicit --require-auth gate and new tests to reduce the chance of accidentally running unauthenticated.

Overview
Fixes browser-based MCP Apps rendering by advertising the io.modelcontextprotocol/ui extension in server capabilities and adjusting Streamable HTTP behavior to work with EventSource and cross-origin requests.

Streamable HTTP now runs in stateless mode, conditionally bypasses Go’s cross-origin protection on /mcp when CORS is enabled, and expands CORS headers (methods, wildcard allow-headers plus explicit Authorization, and exposes Mcp-Session-Id).

Adds jc mcp serve --require-auth to optionally enforce API-key auth for the http transport (and refuse startup without a configured key), emits warnings for non-loopback unauthenticated binds, and adds regression tests for HTTP auth plus updated CORS/header assertions.

^{Reviewed by Cursor Bugbot for commit a8a3d0f. Bugbot is set up for automated code reviews on this repo. Configure here.}

[jklaassenjc]

Addressed the Bugbot high-severity finding in 2b58387:

• http transport now reads config.APIKey() and passes it through to SSEConfig, mirroring the sse case
• Startup log discloses auth state; warns when binding a non-loopback address without auth
• Help text updated to point at the actual configuration paths ('jc auth login', JC_API_KEY, or --api-key global flag) rather than vaguely suggesting --api-key
• 3 regression tests: rejects without auth, accepts with correct key, stays permissive when no key configured (preserves local dev flow)

Stacked PRs #18 and #19 rebased onto the updated base.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Reviewed by Cursor Bugbot for commit 2b58387. Configure here.}

[jklaassenjc]

Follow-up to the Bugbot fix: the previous commit wired config.APIKey() into the http transport's SSEConfig unconditionally, which silently required auth whenever anyone had run jc auth login — breaking the basic-host / local MCP Apps dev path the transport was meant for.

8833f9e gates auth behind an explicit --require-auth flag:

• Off by default → local dev works, basic-host connects without credentials
• On (jc mcp serve --transport http --require-auth) → refuses to start without a configured API key, enforces x-api-key / Authorization: Bearer on every request

Startup log discloses the mode. The three regression tests still hold: request without auth is accepted when off, rejected with 401 when on, accepted when on with matching key.

Stacks #18 and #19 rebased on the updated base.

[jklaassenjc]

Addressed the Bugbot medium finding in a8a3d0f: Access-Control-Allow-Headers is now *, Authorization since * doesn't cover the Authorization header per the Fetch spec. Bearer-token clients (custom connectors configured with a bearer) can now pass preflight.