ToolHive MCP proxy endpoint does not support CORS

[milichev]

Description

The ToolHive MCP HTTP proxy (/mcp) lacks CORS support, blocking web-based clients (e.g., MCP Inspector). The server returns 405 Method Not Allowed on OPTIONS preflight and misses Access-Control-Allow-Origin.

Steps to Reproduce

1. Add an MCP to thv.
2. Configure a client, e.g. OpenCode.
3. Get the proxy MCP URL from the client config, e.g. http://localhost:43969/mcp and paste it in MCP inspector.
4. Attempt to connect.
5. Connection fails due to 405 error and CORS.

Request URL http://localhost:43969/mcp
Request Method OPTIONS
Status Code 405 Method Not Allowed
Remote Address 127.0.0.1:43969
Referrer Policy strict-origin-when-cross-origin

GET http://localhost:43969/mcp net::ERR_FAILED
Access to fetch at 'http://localhost:43969/mcp' from origin 'http://localhost:6274' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Expected Behavior

• OPTIONS handles preflight with 200/204.
• Proper Access-Control-Allow-* headers present on the /mcp route.

Actual Behavior

• OPTIONS request: 405 Method Not Allowed.
• Console error: net::ERR_FAILED (missing Access-Control-Allow-Origin).

Environment

• OS: macOS M4.
• ToolHive: Version 0.24.0 (0.24.0)