v1.2.4

@thebriangao thebriangao released this 01 Jun 21:19
· 10 commits to main since this release

A bug-fix release for a remote-connector regression introduced in 1.2.3. If you're on 1.2.3, upgrade — the claude.ai web/desktop/mobile connector can't connect on it. (stdio / Claude Code was unaffected.)

Fixed

  • The claude.ai connector couldn't connect on 1.2.3. The 1.2.3 security pass set a Content-Security-Policy on every HTTP response. On the JSON OAuth-metadata responses Claude flagged it as a "server configuration issue"; on the consent (password) page the form-action 'self' directive blocked the OAuth redirect back to Claude, so submitting the password silently did nothing. The CSP is removed from the API/metadata responses and from the consent page — which keeps X-Frame-Options: DENY, the clickjacking control that page actually needs.
  • Audience binding (RFC 8707) is now log-only, not enforced — a strict resource-claim check risked 401-ing a valid token. Strict enforcement returns once the check is verified against a live token.
  • Reverted redirect: "error" on the Whoop API client to the default (follow).
  • The consent endpoint now logs which check failed instead of always saying "incorrect password."
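
The form-action failure from the first item above, as an added example (not whoop-mcp code): it walks a consent-form submission hop by hop and reports the first URL the form-action source list rejects. The function names and the hosts mcp.example.test and client.example.test are constructed, and it assumes the browser applies form-action to the redirect that follows the submission, as the note describes.

```javascript
// Added example, not whoop-mcp code. Hosts and URLs below are constructed.
// Assumption: the browser applies form-action to the redirect that follows a
// form submission, which is the behaviour this release note describes.

// Parse a CSP header value into Map(directive -> source list); first one wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Simplified source matching: keywords, scheme sources and host sources.
// Ports and paths in a host source are ignored here.
function sourceAllows(source, target, page) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return target.origin === page.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (target.protocol !== (scheme ? scheme + ":" : page.protocol)) return false;
  return wildcard ? target.hostname.endsWith("." + host) : target.hostname === host;
}

// Return the first hop (form action, then each redirect) that form-action
// blocks, or null when every hop is allowed.
function firstBlockedHop(cspHeader, pageUrl, hops) {
  const list = parseCsp(cspHeader || "").get("form-action");
  if (list === undefined) return null; // form-action has no default-src fallback
  const page = new URL(pageUrl);
  for (const hop of hops) {
    const target = new URL(hop, page);
    if (!list.some((src) => sourceAllows(src, target, page))) return target.href;
  }
  return null;
}

// Constructed consent flow: POST to the same origin, then redirect to the client.
const PAGE = "https://mcp.example.test/oauth/consent";
const HOPS = ["/oauth/consent", "https://client.example.test/callback?code=abc&state=xyz"];

console.log(firstBlockedHop("default-src 'none'; form-action 'self'", PAGE, HOPS));
console.log(firstBlockedHop("", PAGE, HOPS));
```

With form-action 'self' the same-origin POST passes and the redirect to the client is the hop that gets blocked; with no CSP on the page the whole chain is allowed.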

Upgrade: npm i -g @briangaoo/whoop-mcp@1.2.4, then re-deploy (whoop-mcp cloud) or just fly deploy your existing app.