GitHub Issue: MCP Endpoint Probe Lacks Critical CORS Misconfiguration Detection
A significant security gap has been identified in the `mcp probe` tool. The current verification process for MCP (Model Context Protocol) endpoints performs no analysis of Cross-Origin Resource Sharing (CORS) policies, so a misconfigured policy goes undetected. This omission is explicitly noted in the project's TODO documentation, which records that a permissive `Access-Control-Allow-Origin: *` header was observed on a Cloudflare MCP demo but was not flagged. The risk is acute because browser-based clients can connect to these servers, and a misconfigured CORS policy could allow any origin to interact with the endpoint, potentially with user credentials.
The issue highlights a disconnect between the available infrastructure and its application. The shared CORS checking logic already exists in the `verify-shared.ts` module, including functions like `checkCorsOriginReflection` and the `CORS_PROBE_ORIGIN` value. This infrastructure is actively used to check the endpoints verified by `verify-agent.ts`, `verify-vector.ts`, and `verify-ai-api.ts`, but has not been integrated into MCP endpoint validation. The result is an inconsistent security posture: some services are checked for this class of web vulnerability while MCP servers are not.
The proposed fix mandates adding an OPTIONS preflight probe to the `verifyMcpEndpoint()` function. The probe would send a test request with an untrusted origin header (`Origin: https://evil.example.com`) and `Access-Control-Request-Method: POST` to simulate a cross-origin request from an attacker-controlled site. The core detection logic must identify the dangerous combination of a wildcard allowed origin (`Access-Control-Allow-Origin: *`) paired with credentials being permitted (`Access-Control-Allow-Credentials: true`), a configuration that fundamentally undermines browser security models for these API endpoints.
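The header classification such a preflight probe needs, as an added sketch that is not code from the project or the issue: `classifyMcpCors`, `buildPreflightHeaders`, the `Finding` shape and the severity labels are hypothetical, and the sample responses are constructed. It goes one step beyond the wildcard case by also flagging reflection of the probe origin, the class of check the page names via `checkCorsOriginReflection`.

```typescript
// Added example: names, Finding shape and severity labels are hypothetical,
// not taken from the project's verify-shared.ts.
type Finding = { id: string; severity: "high" | "warn"; detail: string };

// Probe origin and preflight request headers as proposed in the issue.
const PROBE_ORIGIN = "https://evil.example.com";
function buildPreflightHeaders(): Record<string, string> {
  return { Origin: PROBE_ORIGIN, "Access-Control-Request-Method": "POST" };
}

// Classify the CORS headers returned for the OPTIONS preflight.
function classifyMcpCors(responseHeaders: Record<string, string>): Finding[] {
  // Header names are case-insensitive; normalise before lookup.
  const h: Record<string, string> = {};
  for (const name of Object.keys(responseHeaders)) {
    h[name.toLowerCase()] = String(responseHeaders[name]).trim();
  }
  const acao: string | undefined = h["access-control-allow-origin"];
  // Only the exact, case-sensitive value "true" enables credentials.
  const creds = h["access-control-allow-credentials"] === "true";
  if (acao === undefined) return []; // no cross-origin grant at all

  if (acao === "*") {
    // Browsers refuse "*" on credentialed requests, so this pairing mostly
    // signals an unrestricted policy; it is still the case the issue targets.
    return [creds
      ? { id: "cors-wildcard-with-credentials", severity: "high",
          detail: "Access-Control-Allow-Origin: * with Allow-Credentials: true" }
      : { id: "cors-wildcard-origin", severity: "warn",
          detail: "Access-Control-Allow-Origin: * (any origin may read responses)" }];
  }
  if (acao === PROBE_ORIGIN) {
    // The server echoed an origin it has never seen: origin reflection.
    return [{ id: "cors-origin-reflection", severity: creds ? "high" : "warn",
      detail: `probe origin reflected, credentials=${creds}` }];
  }
  return []; // a fixed allow-list origin that is not the probe origin
}

// Constructed preflight responses (not captured from any real server).
const SAMPLES: { name: string; headers: Record<string, string> }[] = [
  { name: "wildcard", headers: { "Access-Control-Allow-Origin": "*" } },
  { name: "wildcard+creds", headers: { "access-control-allow-origin": "*",
      "access-control-allow-credentials": "true" } },
  { name: "reflected+creds", headers: { "Access-Control-Allow-Origin": PROBE_ORIGIN,
      "Access-Control-Allow-Credentials": "true" } },
  { name: "pinned", headers: { "Access-Control-Allow-Origin": "https://app.example.com" } },
];
for (const s of SAMPLES) console.log(s.name, JSON.stringify(classifyMcpCors(s.headers)));
```

In a live probe the response headers of the OPTIONS request would be passed to the classifier, and the pinned-origin and no-header cases return no findings.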