/.well-known/openid-configuration /.well-known/oauth-protected-resource /authorize (GET+POST) /token (POST)
/mcp/sse → SSE control /mcp/message → JSON-RPC
POST /invoke → {tool, args, stream} DELETE /invoke/{id} → cancel