Description
Problem
When using --http-url to connect to ad-hoc StreamableHTTP MCP servers, there is no way to pass custom HTTP headers (e.g., Authorization, X-API-Key, X-Tenant). Many private/internal MCP servers require authentication headers to accept connections.
Currently, --header is only supported by mcporter config add, not by the ephemeral ad-hoc flags (--http-url). The EphemeralServerSpec interface lacks a headers field, and extractEphemeralServerFlags() does not parse --header.
This forces users into a two-step workflow:
# Cannot do this today:
npx mcporter list --http-url https://internal.example.com/mcp --header "Authorization=Bearer sk-xxx"
# Must do this instead:
npx mcporter config add my-service https://internal.example.com/mcp --header "Authorization=Bearer sk-xxx"
npx mcporter list my-service
Proposed Solution
Add --header KEY=value (repeatable) support to the ephemeral server flags, consistent with how --env already works in ad-hoc mode.
Changes needed
- EphemeralServerSpec (adhoc-server.ts): add headers?: Record<string, string>
- extractEphemeralServerFlags() (ephemeral-flags.ts): parse --header KEY=value, same as --env
- resolveEphemeralServer() (adhoc-server.ts): pass spec.headers into the HttpCommand.headers field (merged with ensureHttpAcceptHeader)
- persistEphemeralServer(): include headers in the persisted entry when --persist is used
Example usage
# Quick exploration with auth
npx mcporter list --http-url https://api.example.com/mcp \
--header "Authorization=Bearer sk-xxx" \
--header "X-Tenant=biz-unit-01"
# Call with headers
npx mcporter call --http-url https://api.example.com/mcp \
--header "Authorization=Bearer sk-xxx" \
my-tool param1=value1
# Persist for future use
npx mcporter list --http-url https://api.example.com/mcp \
--header 'Authorization=$env:MY_TOKEN' \
--name my-service \
--persist config/mcporter.json
Environment variable placeholders
Should support the same $env:VAR / ${VAR} / ${VAR:-default} syntax already used in config file headers, so sensitive values don't leak into shell history:
export MY_TOKEN="Bearer eyJhbG..."
npx mcporter list --http-url https://api.example.com/mcp --header 'Authorization=$env:MY_TOKEN'
Context
This gap was discovered while evaluating MCPorter for calling internal StreamableHTTP MCP servers that require multi-header authentication. The config add workaround works but breaks the "just try it" philosophy that makes ad-hoc mode great.
The implementation should be small — --env already follows the exact same pattern in extractEphemeralServerFlags(), so --header can mirror it directly.
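A sketch of the `--header` parsing and placeholder handling requested above, added here as an illustration; it is not mcporter's code. The function names are hypothetical, and treating an unset or empty variable without a default as an error is an assumption. Parsing keeps the placeholder so that a persisted entry never contains the secret, and resolution is a separate step.

```typescript
// Added illustration; extractHeaderFlags/resolveHeaders are hypothetical names, not mcporter's API.
type Env = Record<string, string | undefined>;

// Matches $env:VAR, ${VAR} and ${VAR:-default}.
const PLACEHOLDER = /\$env:([A-Za-z_][A-Za-z0-9_]*)|\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}/g;

// Collect repeatable `--header KEY=value` flags; every other argument is passed through.
function extractHeaderFlags(args: string[]): { headers: Record<string, string>; rest: string[] } {
  const headers: Record<string, string> = {};
  const rest: string[] = [];
  for (let i = 0; i < args.length; i++) {
    const arg = args[i] as string;
    if (arg !== "--header") { rest.push(arg); continue; }
    const raw = args[++i];
    if (raw === undefined) throw new Error("--header requires KEY=value");
    const eq = raw.indexOf("="); // split on the first '=' only: token values may contain '='
    if (eq <= 0) throw new Error("--header requires KEY=value");
    const name = raw.slice(0, eq).trim();
    const value = raw.slice(eq + 1);
    // Header names must be HTTP tokens; CR/LF/NUL in a value would allow header injection.
    if (!/^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/.test(name)) throw new Error(`invalid header name: ${name}`);
    if (/[\r\n\0]/.test(value)) throw new Error(`control character in value of ${name}`);
    headers[name] = value; // placeholder is kept unresolved; this form is safe to persist
  }
  return { headers, rest };
}

// Resolve placeholders just before the request is sent; fail closed on a missing variable.
function resolveHeaders(headers: Record<string, string>, env: Env): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    const resolved = value.replace(PLACEHOLDER, (_m, a?: string, b?: string, dflt?: string) => {
      const key = (a ?? b) as string;
      const found = env[key];
      if (found !== undefined && found !== "") return found;
      if (dflt !== undefined) return dflt; // ${VAR:-default}
      throw new Error(`environment variable ${key} is not set (header ${name})`);
    });
    // Re-check after substitution: the variable's content is untrusted too.
    if (/[\r\n\0]/.test(resolved)) throw new Error(`control character in resolved ${name}`);
    out[name] = resolved;
  }
  return out;
}
```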