Address comments from Copilot review

Author: RossTarrant

pkg/http/handler.go

@@ -427,13 +427,13 @@ func SetCorsHeaders(h http.Handler) http.Handler {
 		w.Header().Set("Access-Control-Max-Age", "86400")
 		w.Header().Set("Access-Control-Expose-Headers", "Mcp-Session-Id")
 		w.Header().Set("Access-Control-Allow-Headers", fmt.Sprintf(
-			"Content-Type, Authorization, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, %s, %s, %s, %s, %s, %s",
+			"Content-Type, Mcp-Session-Id, Mcp-Protocol-Version, Last-Event-ID, %s, %s, %s, %s, %s, %s",
+			headers.AuthorizationHeader,
 			headers.MCPReadOnlyHeader,
 			headers.MCPToolsetsHeader,
 			headers.MCPToolsHeader,
 			headers.MCPExcludeToolsHeader,
 			headers.MCPFeaturesHeader,
-			headers.AuthorizationHeader,
 		))
 
 		if r.Method == http.MethodOptions {

pkg/http/handler_test.go

@@ -783,8 +783,7 @@ func TestCrossOriginProtection(t *testing.T) {
 			expectedStatusCode: http.StatusOK,
 		},
 		{
-			// Mirrors RunHTTPServer's auto-bypass: nil config → create bypass.
-			name: "server default allows cross-site request (nil triggers auto-bypass)",
+			name: "bypass allows cross-site request (same pattern RunHTTPServer applies for nil config)",
 			crossOriginProtection: func() *http.CrossOriginProtection {
 				p := http.NewCrossOriginProtection()
 				p.AddInsecureBypassPattern("/")

pkg/http/server.go

@@ -88,7 +88,8 @@ type ServerConfig struct {
 	InsidersMode bool
 
 	// CrossOriginProtection configures the SDK's cross-origin request protection.
-	// If nil, the SDK default (reject cross-origin POSTs) is used.
+	// If nil and using RunHTTPServer, cross-origin requests are allowed (auto-bypass).
+	// If nil and using the handler as a library, the SDK default (reject) applies.
 	CrossOriginProtection *http.CrossOriginProtection
 }