Allow HTTP issuer URLs when MCP_DEV_MODE is enabled

When MCP_DEV_MODE=true or MCP_DEV_MODE=1, the HTTPS requirement for
issuer URLs is relaxed. This is useful for development and testing
scenarios where HTTPS is impractical, such as Docker environments
with custom hostnames.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: jerome3o-anthropic

src/server/auth/router.ts

@@ -55,7 +55,9 @@ export type AuthRouterOptions = {
 
 const checkIssuerUrl = (issuer: URL): void => {
     // Technically RFC 8414 does not permit a localhost HTTPS exemption, but this will be necessary for ease of testing
-    if (issuer.protocol !== 'https:' && issuer.hostname !== 'localhost' && issuer.hostname !== '127.0.0.1') {
+    // Also allow HTTP in development mode for testing with non-localhost URLs (e.g., Docker environments)
+    const devMode = process.env.MCP_DEV_MODE === 'true' || process.env.MCP_DEV_MODE === '1';
+    if (issuer.protocol !== 'https:' && issuer.hostname !== 'localhost' && issuer.hostname !== '127.0.0.1' && !devMode) {
         throw new Error('Issuer URL must be HTTPS');
     }
     if (issuer.hash) {