deps: bump go-sdk to v1.6.1 and drop CrossOriginProtection workaround

[SamMorrowDrums]

Summary

Bumps github.com/modelcontextprotocol/go-sdk from v1.6.0 to v1.6.1 and removes the CrossOriginProtection accommodation we added in #2359 — the SDK now does the right thing by default, so the workaround is no longer needed (and uses a deprecated API).

Goal: allow end users to connect via web MCP clients without us holding onto a deprecated escape hatch.

What changed in the SDK

SDK version	Behavior
≤ v1.5.0	Cross-origin check enabled by default; our AddInsecureBypassPattern("/") was required for browser clients
v1.6.0	Check became opt-in: nil CrossOriginProtection = no check (matches our intent)
v1.6.1	StreamableHTTPOptions.CrossOriginProtection deprecated (removed in v1.8.0); recommended pattern is to wrap the handler with middleware

v1.6.1 also adds an MCPGODEBUG=disablecontenttypecheck=1 escape hatch. We don't need it — the SDK already uses mime.ParseMediaType, so application/json; charset=utf-8 works (the NormalizeContentType workaround was already removed in 91d6465).

Diff highlights

• pkg/http/handler.go: drop http.NewCrossOriginProtection() + AddInsecureBypassPattern("/"); leave CrossOriginProtection unset so we don't depend on a deprecated field.
• go.mod / go.sum / third-party-licenses.*.md: bump go-sdk to v1.6.1 and regenerate licenses.

Regression coverage

Existing tests in pkg/http/handler_test.go already guard the browser-client scenario and continue to pass:

• TestCrossOriginProtection — POSTs with Sec-Fetch-Site: cross-site + Origin: https://example.com, same-origin, and no Sec-Fetch-Site (native client) — all assert 200 OK.
• TestContentTypeHandling — verifies application/json; charset=utf-8 (and friends) are accepted.

Plus: script/lint clean, script/test green, script/licenses regenerated.

Follow-up

Companion PR in github/github-mcp-server-remote will bump its own go-sdk dep to v1.6.1 and pick up the new github-mcp-server release. No code changes needed there — the remote consumes pkg/http and ossmiddleware.SetCorsHeaders from this repo, so all accommodations live here.

Supersedes #2541 (Dependabot).

[Copilot]

Pull request overview

Bumps the modelcontextprotocol/go-sdk dependency to v1.6.1 and removes the now-deprecated CrossOriginProtection workaround. Since v1.6.0, leaving CrossOriginProtection nil disables the check by default, which matches the desired behavior for bearer-token-authenticated browser MCP clients.

Changes:

• Drop http.NewCrossOriginProtection() + AddInsecureBypassPattern("/") in pkg/http/handler.go and replace with explanatory comment.
• Bump go-sdk to v1.6.1 in go.mod / go.sum.
• Regenerate third-party license files for the new version.

Show a summary per file

File	Description
pkg/http/handler.go	Removes deprecated CrossOriginProtection option; relies on SDK v1.6.0+ nil-default behavior.
go.mod	Bumps go-sdk to v1.6.1.
go.sum	Updated module hashes for v1.6.1.
third-party-licenses.darwin.md	Regenerated license reference for v1.6.1.
third-party-licenses.linux.md	Regenerated license reference for v1.6.1.
third-party-licenses.windows.md	Regenerated license reference for v1.6.1.

Copilot's findings

• Files reviewed: 5/6 changed files
• Comments generated: 0