Use shim pattern for CORS detection instead of globalThis.document check

Per review feedback, replace the runtime feature-sniff (globalThis.document)
with the package's existing _shims export-conditions pattern.

Adds CORS_IS_POSSIBLE constant to the client shims:
- shimsNode.ts    -> false (Node has no CORS)
- shimsWorkerd.ts -> false (Cloudflare Workers has no CORS)
- shimsBrowser.ts -> true  (new file; browser condition now resolves here)

This also fixes the Web Worker / Service Worker gap noted in the PR
description: bundlers resolve those to the 'browser' condition, so
CORS_IS_POSSIBLE is correctly true there — unlike the document check
which would have returned false in workers.

Tests now mock the shim module rather than stubbing globalThis.document.

Author: felixweinberger

packages/client/package.json

@@ -30,8 +30,8 @@
                 "import": "./dist/shimsWorkerd.mjs"
             },
             "browser": {
-                "types": "./dist/shimsWorkerd.d.mts",
-                "import": "./dist/shimsWorkerd.mjs"
+                "types": "./dist/shimsBrowser.d.mts",
+                "import": "./dist/shimsBrowser.mjs"
             },
             "node": {
                 "types": "./dist/shimsNode.d.mts",

packages/client/src/client/auth.ts

@@ -1,3 +1,4 @@
+import { CORS_IS_POSSIBLE } from '@modelcontextprotocol/client/_shims';
 import type {
     AuthorizationServerMetadata,
     FetchLike,
@@ -844,13 +845,10 @@ export async function discoverOAuthProtectedResourceMetadata(
  * error object alone, so the swallow-and-fallthrough heuristic is preserved there.
  */
 async function fetchWithCorsRetry(url: URL, headers?: Record<string, string>, fetchFn: FetchLike = fetch): Promise<Response | undefined> {
-    // CORS only exists in browsers. In Node.js/Workers/etc., a TypeError from fetch is always a
-    // real network or configuration error, never CORS.
-    const corsIsPossible = (globalThis as { document?: unknown }).document !== undefined;
     try {
         return await fetchFn(url, { headers });
     } catch (error) {
-        if (!(error instanceof TypeError) || !corsIsPossible) {
+        if (!(error instanceof TypeError) || !CORS_IS_POSSIBLE) {
             throw error;
         }
         if (headers) {

packages/client/src/shimsBrowser.ts

@@ -0,0 +1,13 @@
+/**
+ * Browser runtime shims for client package
+ *
+ * This file is selected via package.json export conditions when running in a browser.
+ */
+export { CfWorkerJsonSchemaValidator as DefaultJsonSchemaValidator } from '@modelcontextprotocol/core';
+
+/**
+ * Whether `fetch()` may throw `TypeError` due to CORS. Only true in browser contexts
+ * (including Web Workers / Service Workers). In Node.js and Cloudflare Workers, a
+ * `TypeError` from `fetch` is always a real network/configuration error.
+ */
+export const CORS_IS_POSSIBLE = true;

packages/client/src/shimsNode.ts

@@ -4,3 +4,10 @@
  * This file is selected via package.json export conditions when running in Node.js.
  */
 export { AjvJsonSchemaValidator as DefaultJsonSchemaValidator } from '@modelcontextprotocol/core';
+
+/**
+ * Whether `fetch()` may throw `TypeError` due to CORS. CORS is a browser-only concept —
+ * in Node.js, a `TypeError` from `fetch` is always a real network/configuration error
+ * (DNS resolution, connection refused, invalid URL), never a CORS error.
+ */
+export const CORS_IS_POSSIBLE = false;

packages/client/src/shimsWorkerd.ts

@@ -4,3 +4,10 @@
  * This file is selected via package.json export conditions when running in workerd.
  */
 export { CfWorkerJsonSchemaValidator as DefaultJsonSchemaValidator } from '@modelcontextprotocol/core';
+
+/**
+ * Whether `fetch()` may throw `TypeError` due to CORS. CORS is a browser-only concept —
+ * in Cloudflare Workers, a `TypeError` from `fetch` is always a real network/configuration
+ * error, never a CORS error.
+ */
+export const CORS_IS_POSSIBLE = false;

packages/client/test/client/auth.test.ts

@@ -34,25 +34,32 @@ const mockFetch = vi.fn();
 globalThis.fetch = mockFetch;
 
 /**
- * fetchWithCorsRetry gates its CORS-swallowing heuristic on running in a browser (where `document`
- * exists). CORS doesn't apply in Node.js, so there a fetch TypeError is always a real network error
- * and is thrown instead of swallowed. Tests that specifically exercise the CORS retry logic call
- * this helper to simulate a browser environment. Cleanup is done by `restoreBrowserLikeEnvironment`
- * in an `afterEach` hook so a failed assertion can't leak the `document` stub into later tests.
+ * fetchWithCorsRetry gates its CORS-swallowing heuristic on the `CORS_IS_POSSIBLE` shim constant.
+ * Tests run under the Node shim (`false`), so a fetch TypeError is treated as a real network error
+ * and thrown instead of swallowed. Tests that specifically exercise the browser CORS retry path
+ * call `withBrowserLikeEnvironment()` to flip the mocked constant to `true`. The `afterEach` hook
+ * resets it so a failed assertion can't leak the override into later tests.
  */
+let mockedCorsIsPossible = false;
+vi.mock('@modelcontextprotocol/client/_shims', async importOriginal => {
+    const actual = await importOriginal<typeof import('@modelcontextprotocol/client/_shims')>();
+    return {
+        ...actual,
+        get CORS_IS_POSSIBLE() {
+            return mockedCorsIsPossible;
+        }
+    };
+});
 function withBrowserLikeEnvironment(): void {
-    (globalThis as { document?: unknown }).document = {};
-}
-function restoreBrowserLikeEnvironment(): void {
-    delete (globalThis as { document?: unknown }).document;
+    mockedCorsIsPossible = true;
 }
 
 describe('OAuth Authorization', () => {
     beforeEach(() => {
         mockFetch.mockReset();
     });
     afterEach(() => {
-        restoreBrowserLikeEnvironment();
+        mockedCorsIsPossible = false;
     });
 
     describe('extractWWWAuthenticateParams', () => {

packages/client/tsdown.config.ts

@@ -3,7 +3,7 @@ import { defineConfig } from 'tsdown';
 export default defineConfig({
     // 1. Entry Points
     //    Directly matches package.json include/exclude globs
-    entry: ['src/index.ts', 'src/shimsNode.ts', 'src/shimsWorkerd.ts'],
+    entry: ['src/index.ts', 'src/shimsNode.ts', 'src/shimsWorkerd.ts', 'src/shimsBrowser.ts'],
 
     // 2. Output Configuration
     format: ['esm'],