From d020af56be12e164258d7963f47ce55fb903c96b Mon Sep 17 00:00:00 2001
From: Ignacio Jimenez Rocabado
Date: Thu, 28 May 2026 15:37:31 -0700
Subject: [PATCH 1/3] stop rejecting http on byok
---
 mcpjam-inspector/server/routes/web/auth.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/mcpjam-inspector/server/routes/web/auth.ts b/mcpjam-inspector/server/routes/web/auth.ts
index 071b9b7581..6b9e185a4d 100644
--- a/mcpjam-inspector/server/routes/web/auth.ts
+++ b/mcpjam-inspector/server/routes/web/auth.ts
@@ -11,7 +11,7 @@ import type {
 RpcLogger,
 UnauthorizedRefreshHandler,
 } from "@mcpjam/sdk";
-import { WEB_CALL_TIMEOUT_MS } from "../../config.js";
+import { HOSTED_MODE, WEB_CALL_TIMEOUT_MS } from "../../config.js";
 import {
 attachHostedRpcLogs,
 createHostedRpcLogCollector,
@@ -397,6 +397,16 @@ export async function authorizeBatch(
 ...(typeof options?.accessVersion === "number"
 ? { accessVersion: options.accessVersion }
 : {}),
+ // Tell Convex this request came from a local Inspector (npx /
+ // desktop) so it can skip the hosted-mode HTTPS-only check on
+ // MCP server URLs. Convex never connects to the MCP server
+ // itself — the Inspector does — so an `http://localhost` URL
+ // here is harmless metadata. The flag is only honored when the
+ // request has no browser Origin (server-to-server fetch from
+ // this Hono backend); a hosted browser at app.mcpjam.com can't
+ // smuggle it in to bypass the policy. See `normalizeAuthorizeResult`
+ // in mcpjam-backend/convex/http.ts.
+ ...(!HOSTED_MODE ? { localRuntime: true } : {}),
 }),
 });
 } catch (error) {
From 9f29bacba1c9c207b806c3e54161b3bd265a1dd9 Mon Sep 17 00:00:00 2001
From: Ignacio Jimenez Rocabado
Date: Thu, 28 May 2026 16:10:31 -0700
Subject: [PATCH 2/3] comments
---
 mcpjam-inspector/server/routes/web/auth.ts | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
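Review bot: In the second hunk of PATCH 1/3 (authorizeBatch in auth.ts), `...(!HOSTED_MODE ? { localRuntime: true } : {})` makes the relaxed policy the default, because the flag is sent whenever hosted mode is not explicitly on. The test comment in PATCH 3/3 suggests HOSTED_MODE is true only when `VITE_MCPJAM_HOSTED_MODE` is "true", so a hosted deployment that loses that variable would presumably send the flag over this same server-to-server path, where the no-Origin condition described in the comment cannot tell it apart from a local Inspector. I would key the flag on an explicit local signal rather than on the absence of hosted mode, or at minimum record the dependency next to the spread, e.g. `// Fail-open: an unset hosted flag sends localRuntime; the hosted deploy must set it.`. HOSTED_MODE's definition in config.js is not shown and authorizeBatch starts and ends outside the hunk, so this needs confirming there.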
diff --git a/mcpjam-inspector/server/routes/web/auth.ts b/mcpjam-inspector/server/routes/web/auth.ts
index 6b9e185a4d..acb019454a 100644
--- a/mcpjam-inspector/server/routes/web/auth.ts
+++ b/mcpjam-inspector/server/routes/web/auth.ts
@@ -397,15 +397,17 @@ export async function authorizeBatch(
 ...(typeof options?.accessVersion === "number"
 ? { accessVersion: options.accessVersion }
 : {}),
- // Tell Convex this request came from a local Inspector (npx /
- // desktop) so it can skip the hosted-mode HTTPS-only check on
- // MCP server URLs. Convex never connects to the MCP server
- // itself — the Inspector does — so an `http://localhost` URL
- // here is harmless metadata. The flag is only honored when the
- // request has no browser Origin (server-to-server fetch from
- // this Hono backend); a hosted browser at app.mcpjam.com can't
- // smuggle it in to bypass the policy. See `normalizeAuthorizeResult`
- // in mcpjam-backend/convex/http.ts.
+ // Skip Convex's hosted-mode HTTPS-only check on MCP server URLs
+ // when this Inspector instance is running locally. Convex doesn't
+ // open MCP server URLs itself (we do, from this Hono backend), so
+ // an `http://localhost` URL is harmless metadata in that case.
+ //
+ // Convex only honors `localRuntime` when the request has no
+ // browser Origin, so a hosted browser at app.mcpjam.com can't
+ // smuggle it in to bypass the policy. The flag itself isn't
+ // Inspector-specific — any non-browser caller can set it — see
+ // the docstring on `normalizeAuthorizeResult` in
+ // mcpjam-backend/convex/http.ts for the full rationale.
 ...(!HOSTED_MODE ? { localRuntime: true } : {}),
 }),
 });
From 0623853033a0fdccaeaa71f76ba444f4976ac1b2 Mon Sep 17 00:00:00 2001
From: Ignacio Jimenez Rocabado
Date: Thu, 28 May 2026 20:48:50 -0700
Subject: [PATCH 3/3] tests
---
 .../server/routes/web/__tests__/chat-v2.hosted.test.ts | 6 ++++++
 1 file changed, 6 insertions(+)
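Review bot: The rewritten comment in PATCH 2/3 rests the bypass on two properties of another repository, namely that Convex never opens MCP server URLs and that it ignores `localRuntime` when an Origin header is present, and it presents both as settled facts. As the comment itself notes, any non-browser caller can set the flag, so a missing Origin is a browser-hygiene check and not authentication. I would word these as invariants to re-check, e.g. add `// Invariant: Convex must never fetch these URLs; revisit localRuntime if that changes.`. It would also help to name where plain-http MCP URLs are rejected for hosted users once Convex skips its check, if this backend has such a check; none is visible here, and authorizeBatch continues outside the hunk.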
diff --git a/mcpjam-inspector/server/routes/web/__tests__/chat-v2.hosted.test.ts b/mcpjam-inspector/server/routes/web/__tests__/chat-v2.hosted.test.ts
index bb9bed7e72..e26f6d3e99 100644
--- a/mcpjam-inspector/server/routes/web/__tests__/chat-v2.hosted.test.ts
+++ b/mcpjam-inspector/server/routes/web/__tests__/chat-v2.hosted.test.ts
@@ -296,9 +296,15 @@ describe("web routes — chat-v2 hosted mode", () => {
 "https://example.convex.site/web/authorize-batch",
 expect.objectContaining({
 method: "POST",
+ // `localRuntime: true` is set whenever HOSTED_MODE is false (the
+ // default in tests — VITE_MCPJAM_HOSTED_MODE is not "true" here).
+ // Convex uses it to skip the HTTPS-only check on MCP server URLs
+ // for local Inspector callers; see normalizeAuthorizeResult in
+ // mcpjam-backend/convex/http.ts.
 body: JSON.stringify({
 projectId: "project-1",
 serverIds: ["server-1", "server-2"],
+ localRuntime: true,
 }),
 })
 );
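Review bot: The security-relevant opposite case is untested: nothing in this hunk checks that `localRuntime` is absent from the authorize-batch body when HOSTED_MODE is true, while the hosted-mode suite now pins `localRuntime: true`. Because the added comment says HOSTED_MODE is false by default in tests, a regression that sends the flag unconditionally would still pass here. I would add a case that mocks the config module with HOSTED_MODE true and asserts something like `expect(JSON.parse(body)).not.toHaveProperty("localRuntime")`, where `body` stands for the captured request body. The enclosing test starts and ends outside the hunk.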