sourcemeta · jviotti · Jun 5, 2026 · Jun 5, 2026 · Jun 5, 2026
diff --git a/enterprise/server/include/sourcemeta/one/enterprise_server_actions.h b/enterprise/server/include/sourcemeta/one/enterprise_server_actions.h
@@ -181,6 +181,13 @@ class ActionMCP_v1 : public sourcemeta::one::RouterAction {
     response.write_status(status);
     response.write_header("Content-Type", "application/json");
     response.write_header("Access-Control-Allow-Origin", this->allowed_origin_);
+    // RFC 9110 §15.5.6: 405 responses MUST carry Allow listing supported
+    // methods. The MCP endpoint accepts POST and OPTIONS only.
+    // https://datatracker.ietf.org/doc/html/rfc9110#section-15.5.6
+    if (std::string_view{status} ==
+        sourcemeta::one::STATUS_METHOD_NOT_ALLOWED) {
+      response.write_header("Allow", "POST, OPTIONS");
+    }
     // Debuggability echo: not mandated by MCP, but lets clients confirm
     // which protocol revision the server interpreted. For error paths
     // where no negotiation succeeded, we echo the spec-default `2025-03-26`.

diff --git a/src/actions/action_default_v1.h b/src/actions/action_default_v1.h
@@ -106,7 +106,7 @@ class ActionDefault_v1 : public sourcemeta::one::RouterAction {
         sourcemeta::one::json_error(
             request, response, sourcemeta::one::STATUS_METHOD_NOT_ALLOWED,
             "method-not-allowed", "This HTTP method is invalid for this URL",
-            this->error_schema_);
+            this->error_schema_, "GET, HEAD");
         return;
       }
     }

diff --git a/src/actions/action_health_check_v1.h b/src/actions/action_health_check_v1.h
@@ -44,7 +44,7 @@ class ActionHealthCheck_v1 : public sourcemeta::one::RouterAction {
       sourcemeta::one::json_error(
           request, response, sourcemeta::one::STATUS_METHOD_NOT_ALLOWED,
           "method-not-allowed", "This HTTP method is invalid for this URL",
-          this->error_schema_);
+          this->error_schema_, "GET, HEAD");
       return;
     }
 

diff --git a/src/actions/action_jsonschema_evaluate_v1.h b/src/actions/action_jsonschema_evaluate_v1.h
@@ -150,7 +150,7 @@ class ActionJSONSchemaEvaluate_v1 : public sourcemeta::one::RouterAction {
       sourcemeta::one::json_error(
           request, response, sourcemeta::one::STATUS_METHOD_NOT_ALLOWED,
           "method-not-allowed", "This HTTP method is invalid for this URL",
-          error_schema);
+          error_schema, "POST, OPTIONS");
       return;
     }
 
@@ -170,11 +170,15 @@ class ActionJSONSchemaEvaluate_v1 : public sourcemeta::one::RouterAction {
     }
 
     if (!evaluation_enabled.has_value()) {
+      // RFC 9110 §15.5.6: Allow lists the methods this specific target
+      // resource currently supports. POST hits this very branch (returns
+      // 405) when the schema was not precompiled, so only OPTIONS is
+      // actually supported on this URL.
       sourcemeta::one::json_error(
           request, response, sourcemeta::one::STATUS_METHOD_NOT_ALLOWED,
           "no-schema-template",
-          "This schema was not precompiled for schema evaluation",
-          error_schema);
+          "This schema was not precompiled for schema evaluation", error_schema,
+          "OPTIONS");
       return;
     }
 

diff --git a/src/actions/action_mcp_v1.h b/src/actions/action_mcp_v1.h
@@ -261,6 +261,13 @@ class ActionMCP_v1 : public sourcemeta::one::RouterAction {
     response.write_status(status);
     response.write_header("Content-Type", "application/json");
     response.write_header("Access-Control-Allow-Origin", this->allowed_origin_);
+    // RFC 9110 §15.5.6: 405 responses MUST carry Allow listing supported
+    // methods. The MCP endpoint accepts POST and OPTIONS only.
+    // https://datatracker.ietf.org/doc/html/rfc9110#section-15.5.6
+    if (std::string_view{status} ==
+        sourcemeta::one::STATUS_METHOD_NOT_ALLOWED) {
+      response.write_header("Allow", "POST, OPTIONS");
+    }
     // Debuggability echo: not mandated by MCP, but lets clients confirm
     // which protocol revision the server interpreted. For error paths
     // where no negotiation succeeded, we echo the spec-default `2025-03-26`.

diff --git a/src/actions/action_schema_search_v1.h b/src/actions/action_schema_search_v1.h
@@ -61,7 +61,7 @@ class ActionSchemaSearch_v1 : public sourcemeta::one::RouterAction {
       sourcemeta::one::json_error(
           request, response, sourcemeta::one::STATUS_METHOD_NOT_ALLOWED,
           "method-not-allowed", "This HTTP method is invalid for this URL",
-          this->error_schema_);
+          this->error_schema_, "GET");
       return;
     }
 

diff --git a/src/actions/action_serve_static_v1.h b/src/actions/action_serve_static_v1.h
@@ -47,7 +47,7 @@ class ActionServeStatic_v1 : public sourcemeta::one::RouterAction {
         sourcemeta::one::json_error(
             request, response, sourcemeta::one::STATUS_METHOD_NOT_ALLOWED,
             "method-not-allowed", "This HTTP method is invalid for this URL",
-            this->error_schema_);
+            this->error_schema_, "GET, HEAD");
         return;
       }
 

diff --git a/src/http/include/sourcemeta/one/http_helpers.h b/src/http/include/sourcemeta/one/http_helpers.h
@@ -53,8 +53,8 @@ inline auto send_response(const char *const code, const HTTPRequest &request,
 // See https://www.rfc-editor.org/rfc/rfc7807
 inline auto json_error(const HTTPRequest &request, HTTPResponse &response,
                        const char *const code, std::string &&identifier,
-                       std::string &&message, const std::string_view schema)
-    -> void {
+                       std::string &&message, const std::string_view schema,
+                       const std::string_view allow = {}) -> void {
   auto object{sourcemeta::core::JSON::make_object()};
   object.assign("title", sourcemeta::core::JSON{"sourcemeta:one/" +
                                                 std::move(identifier)});
@@ -64,6 +64,11 @@ inline auto json_error(const HTTPRequest &request, HTTPResponse &response,
   response.write_status(code);
   response.write_header("Content-Type", "application/problem+json");
   response.write_header("Access-Control-Allow-Origin", "*");
+  // RFC 9110 §15.5.6: 405 responses MUST carry Allow listing supported methods.
+  // https://datatracker.ietf.org/doc/html/rfc9110#section-15.5.6
+  if (!allow.empty() && std::string_view{code} == STATUS_METHOD_NOT_ALLOWED) {
+    response.write_header("Allow", allow);
+  }
   if (!schema.empty()) {
     write_link_header(response, schema);
   }

diff --git a/src/router/artifact.cc b/src/router/artifact.cc
@@ -116,7 +116,7 @@ auto RouterAction::artifact_serve(
     sourcemeta::one::json_error(
         request, response, sourcemeta::one::STATUS_METHOD_NOT_ALLOWED,
         "method-not-allowed", "This HTTP method is invalid for this URL",
-        error_schema);
+        error_schema, "GET, HEAD");
     return;
   }
 

diff --git a/test/e2e/empty/hurl/mcp-2025-11-25.all.hurl b/test/e2e/empty/hurl/mcp-2025-11-25.all.hurl
@@ -2,6 +2,7 @@ GET {{base}}/self/v1/mcp
 HTTP 405
 Content-Type: application/json
 Access-Control-Allow-Origin: http://localhost:8000
+Allow: POST, OPTIONS
 Link: </self/v1/schemas/mcp/response>; rel="describedby"
 MCP-Protocol-Version: 2025-03-26
 [Captures]
@@ -33,6 +34,7 @@ DELETE {{base}}/self/v1/mcp
 HTTP 405
 Content-Type: application/json
 Access-Control-Allow-Origin: http://localhost:8000
+Allow: POST, OPTIONS
 Link: </self/v1/schemas/mcp/response>; rel="describedby"
 MCP-Protocol-Version: 2025-03-26
 [Captures]
@@ -64,6 +66,7 @@ PUT {{base}}/self/v1/mcp
 HTTP 405
 Content-Type: application/json
 Access-Control-Allow-Origin: http://localhost:8000
+Allow: POST, OPTIONS
 Link: </self/v1/schemas/mcp/response>; rel="describedby"
 MCP-Protocol-Version: 2025-03-26
 [Captures]

diff --git a/test/e2e/headless/hurl/fetch.all.hurl b/test/e2e/headless/hurl/fetch.all.hurl
@@ -215,6 +215,7 @@ POST {{base}}/test/schemas/string.json
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -228,6 +229,7 @@ DELETE {{base}}/test/schemas/string.json
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists

diff --git a/test/e2e/headless/hurl/health.all.hurl b/test/e2e/headless/hurl/health.all.hurl
@@ -23,6 +23,7 @@ POST {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -35,6 +36,7 @@ PUT {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -47,6 +49,7 @@ DELETE {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -59,6 +62,7 @@ PATCH {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -71,6 +75,7 @@ OPTIONS {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists

diff --git a/test/e2e/headless/hurl/no-static.all.hurl b/test/e2e/headless/hurl/no-static.all.hurl
@@ -25,6 +25,7 @@ POST {{base}}/self/v1/static/style.min.css
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -37,6 +38,7 @@ PUT {{base}}/self/v1/static/style.min.css
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -49,6 +51,7 @@ DELETE {{base}}/self/v1/static/style.min.css
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists

diff --git a/test/e2e/headless/hurl/schemas-dependencies.all.hurl b/test/e2e/headless/hurl/schemas-dependencies.all.hurl
@@ -144,6 +144,7 @@ POST {{base}}/self/v1/api/schemas/dependencies/test/schemas/no-id
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/headless/hurl/schemas-dependents.all.hurl b/test/e2e/headless/hurl/schemas-dependents.all.hurl
@@ -162,6 +162,7 @@ POST {{base}}/self/v1/api/schemas/dependents/test/schemas/bundling-double
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/headless/hurl/schemas-evaluate.all.hurl b/test/e2e/headless/hurl/schemas-evaluate.all.hurl
@@ -144,6 +144,7 @@ Content-Type: application/problem+json
 "Hello World"
 HTTP 405
 Access-Control-Allow-Origin: *
+Allow: OPTIONS
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/headless/hurl/schemas-locations.all.hurl b/test/e2e/headless/hurl/schemas-locations.all.hurl
@@ -101,6 +101,7 @@ POST {{base}}/self/v1/api/schemas/locations/test/schemas/no-id
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/headless/hurl/schemas-metadata.all.hurl b/test/e2e/headless/hurl/schemas-metadata.all.hurl
@@ -124,6 +124,7 @@ POST {{base}}/self/v1/api/schemas/metadata/test/schemas/no-id
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/headless/hurl/schemas-positions.all.hurl b/test/e2e/headless/hurl/schemas-positions.all.hurl
@@ -69,6 +69,7 @@ POST {{base}}/self/v1/api/schemas/positions/test/schemas/no-id
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/headless/hurl/schemas-search.all.hurl b/test/e2e/headless/hurl/schemas-search.all.hurl
@@ -122,6 +122,7 @@ POST {{base}}/self/v1/api/schemas/search?q=foo
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/headless/hurl/schemas-stats.all.hurl b/test/e2e/headless/hurl/schemas-stats.all.hurl
@@ -52,6 +52,7 @@ POST {{base}}/self/v1/api/schemas/stats/test/schemas/no-id
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/headless/hurl/schemas-trace.all.hurl b/test/e2e/headless/hurl/schemas-trace.all.hurl
@@ -102,6 +102,7 @@ Content-Type: application/problem+json
 "Hello World"
 HTTP 405
 Access-Control-Allow-Origin: *
+Allow: OPTIONS
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/html/hurl/fetch.all.hurl b/test/e2e/html/hurl/fetch.all.hurl
@@ -364,6 +364,7 @@ POST {{base}}/test/schemas/string.json
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -390,6 +391,7 @@ DELETE {{base}}/test/schemas/string.json
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists

diff --git a/test/e2e/html/hurl/health.all.hurl b/test/e2e/html/hurl/health.all.hurl
@@ -23,6 +23,7 @@ POST {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -35,6 +36,7 @@ PUT {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -47,6 +49,7 @@ DELETE {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -59,6 +62,7 @@ PATCH {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists
@@ -71,6 +75,7 @@ OPTIONS {{base}}/self/v1/health
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists

diff --git a/test/e2e/html/hurl/html.all.hurl b/test/e2e/html/hurl/html.all.hurl
@@ -1,5 +1,8 @@
 OPTIONS {{base}}
 HTTP 405
+Content-Type: application/problem+json
+Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 [Asserts]
 header "Referrer-Policy" not exists
 header "Content-Security-Policy" not exists

diff --git a/test/e2e/html/hurl/schemas-dependencies.all.hurl b/test/e2e/html/hurl/schemas-dependencies.all.hurl
@@ -242,6 +242,7 @@ POST {{base}}/self/v1/api/schemas/dependencies/test/v2.0/schema
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/html/hurl/schemas-dependents.all.hurl b/test/e2e/html/hurl/schemas-dependents.all.hurl
@@ -260,6 +260,7 @@ POST {{base}}/self/v1/api/schemas/dependents/test/bundling/double
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/html/hurl/schemas-evaluate.all.hurl b/test/e2e/html/hurl/schemas-evaluate.all.hurl
@@ -144,6 +144,7 @@ Content-Type: application/problem+json
 "Hello World"
 HTTP 405
 Access-Control-Allow-Origin: *
+Allow: OPTIONS
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body

diff --git a/test/e2e/html/hurl/schemas-locations.all.hurl b/test/e2e/html/hurl/schemas-locations.all.hurl
@@ -101,6 +101,7 @@ POST {{base}}/self/v1/api/schemas/locations/test/v2.0/schema
 HTTP 405
 Content-Type: application/problem+json
 Access-Control-Allow-Origin: *
+Allow: GET, HEAD
 Link: </self/v1/schemas/api/error>; rel="describedby"
 [Captures]
 last_response: body