fix(mcp-server): align server card with spec

[kvz]

This PR fixes and hardens the new MCP server card endpoint.

Changes

• Align /.well-known/mcp/server-card.json payload with the current draft server-card shape (SEP-1649):
  • authentication.schemes is now a string array
  • capabilities.tools is now an object ({ listChanged: false })
  • tools now includes title + inputSchema
  • authentication.required is inferred from whether the server is configured with authKey + authSecret
• Add coverage:
  • HTTP handler e2e tests for GET/HEAD/OPTIONS
  • Express router unit test
• Add CORS + caching headers (Cache-Control, X-Content-Type-Options) to the server-card response.

Release

• Includes a patch changeset for @transloadit/mcp-server.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 027fcf9415

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Report authentication as required when mcpToken is set

authentication.required is currently computed only from authKey/authSecret, but request authentication is actually enforced by mcpToken in createMcpRequestHandler (packages/mcp-server/src/http-request-handler.ts). In typical self-hosted setups that provide both Transloadit credentials and TRANSLOADIT_MCP_TOKEN, this emits required: false while /mcp still returns 401 without a bearer token, so discovery clients that trust the card will attempt unauthenticated connections and fail.

Useful? React with 👍 / 👎.