@mctx-ai/mcp-dev 1.0.1 → 1.0.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mctx-ai/mcp-dev",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "Local development server for @mctx-ai/mcp-server with hot reload",
   "type": "module",
   "main": "./src/cli.js",

package/src/server.js

@@ -117,14 +117,16 @@ function formatError(error, rpcRequest) {
 }
 
 /**
- * Create Request-like object compatible with app's fetch handler
+ * Create Request-like object compatible with app's fetch handler.
+ * headers must be a Headers instance (not a plain object) so that
+ * request.headers.get(...) works in packages/server/src/server.js.
  */
 function createRequest(body) {
   return {
     method: "POST",
-    headers: {
+    headers: new Headers({
       "content-type": "application/json",
-    },
+    }),
     async json() {
       return body;
     },
@@ -247,6 +249,21 @@ export async function startDevServer(entryUrl, port) {
       return;
     }
 
+    // Return 404 for OAuth discovery paths so MCP clients (e.g. Claude Code) do not
+    // trigger an auth flow. Without this, non-POST requests fall through to the
+    // method check below and return 405, which some clients interpret as "auth
+    // endpoint exists but wrong method".
+    if (req.method === "GET" && req.url && req.url.startsWith("/.well-known/")) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          error: "Not Found",
+          message: "OAuth discovery is not supported by this server",
+        }),
+      );
+      return;
+    }
+
     // Fix #2: If app failed to load initially, return error
     if (!app) {
       res.writeHead(503, { "Content-Type": "application/json" });