From 3d4b7fad1267f726e3d444ff072158db23dda165 Mon Sep 17 00:00:00 2001
From: Matthieu <mtholot19@gmail.com>
Date: Tue, 17 Mar 2026 09:15:29 +0100
Subject: [PATCH] fix(mcp) : allow unauthenticated GET on /_mcp for SSE
 streaming

Claude Code MCP HTTP client sends GET SSE requests without the
Authorization header, breaking the streamable HTTP transport.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 config/packages/security.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index c885372..2d2cac6 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -59,6 +59,7 @@ security:
         - { path: ^/api/docs, roles: PUBLIC_ACCESS }
         # Version de l'application en public
         - { path: ^/api/version, roles: PUBLIC_ACCESS, methods: [ GET ] }
+        - { path: ^/_mcp, roles: PUBLIC_ACCESS, methods: [ GET ] }
         - { path: ^/_mcp, roles: IS_AUTHENTICATED_FULLY }
         - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }