fix(all): use WAF-friendly User-Agent headers for HTTP MCP server requests

CloudFront WAF blocks requests with non-browser User-Agent strings like
"DeployStack/1.0" and "DeployStack-Satellite/0.1.0", returning 403 HTML
instead of proper OAuth challenge responses. This caused OAuth detection
to fail for servers behind CloudFront (e.g., BigData MCP).

Update all User-Agent headers to follow the Googlebot/Slackbot convention:
- Backend: "Mozilla/5.0 (compatible; DeployStack/1.0; +https://deploystack.io)"
- Satellite: "Mozilla/5.0 (compatible; DeployStack-Satellite/1.0; +https://deploystack.io)"

Author: Lasim

services/backend/src/services/OAuthClientRegistrationService.ts

@@ -73,7 +73,7 @@ export class OAuthClientRegistrationService {
 				headers: {
 					'Content-Type': 'application/json',
 					Accept: 'application/json',
-					'User-Agent': 'DeployStack/1.0',
+					'User-Agent': 'Mozilla/5.0 (compatible; DeployStack/1.0; +https://deploystack.io)',
 				},
 				body: JSON.stringify(registrationBody),
 				signal: AbortSignal.timeout(10000), // 10 second timeout

services/backend/src/services/OAuthDiscoveryService.ts

@@ -23,6 +23,8 @@ export interface OAuthDetectionResult {
 }
 
 export class OAuthDiscoveryService {
+  private static readonly USER_AGENT = 'Mozilla/5.0 (compatible; DeployStack/1.0; +https://deploystack.io)';
+
   constructor(private logger: FastifyBaseLogger) {}
 
   /**
@@ -212,7 +214,7 @@ export class OAuthDiscoveryService {
   }> {
     const headers: Record<string, string> = {
       Accept: 'application/json',
-      'User-Agent': 'DeployStack/1.0'
+      'User-Agent': OAuthDiscoveryService.USER_AGENT
     };
 
     if (method === 'POST') {
@@ -378,7 +380,7 @@ export class OAuthDiscoveryService {
         method: 'GET',
         headers: {
           Accept: 'application/json',
-          'User-Agent': 'DeployStack/1.0'
+          'User-Agent': OAuthDiscoveryService.USER_AGENT
         },
         signal: AbortSignal.timeout(10000)
       });
@@ -455,7 +457,7 @@ export class OAuthDiscoveryService {
         method: 'GET',
         headers: {
           Accept: 'application/json',
-          'User-Agent': 'DeployStack/1.0'
+          'User-Agent': OAuthDiscoveryService.USER_AGENT
         },
         signal: AbortSignal.timeout(10000) // 10 second timeout
       });

services/backend/src/services/OAuthTokenService.ts

@@ -79,7 +79,7 @@ export class OAuthTokenService {
 			const headers: Record<string, string> = {
 				'Content-Type': 'application/x-www-form-urlencoded',
 				Accept: 'application/json',
-				'User-Agent': 'DeployStack/1.0',
+				'User-Agent': 'Mozilla/5.0 (compatible; DeployStack/1.0; +https://deploystack.io)',
 			};
 
 			// Handle authentication based on method
@@ -194,7 +194,7 @@ export class OAuthTokenService {
 			const headers: Record<string, string> = {
 				'Content-Type': 'application/x-www-form-urlencoded',
 				Accept: 'application/json',
-				'User-Agent': 'DeployStack/1.0',
+				'User-Agent': 'Mozilla/5.0 (compatible; DeployStack/1.0; +https://deploystack.io)',
 			};
 
 			// Handle authentication based on method

services/satellite/src/config/mcp-servers.ts

@@ -9,7 +9,7 @@ export const mcpServersConfig: McpServersConfig = {
   defaultTimeout: 30000, // 30 seconds
   defaultHeaders: {
     'Content-Type': 'application/json',
-    'User-Agent': 'DeployStack-Satellite/0.1.0'
+    'User-Agent': 'Mozilla/5.0 (compatible; DeployStack-Satellite/1.0; +https://deploystack.io)'
   },
 
   // External MCP servers configuration

services/satellite/src/lib/mcp-tool-executor.ts

@@ -244,6 +244,9 @@ export class McpToolExecutor {
     // OAuth token injection for HTTP/SSE MCP servers
     let headers: Record<string, string> = {};
 
+    // Always set WAF-friendly User-Agent for remote HTTP/SSE servers
+    headers['User-Agent'] = 'Mozilla/5.0 (compatible; DeployStack-Satellite/1.0; +https://deploystack.io)';
+
     // Add regular headers from config (API keys, custom headers, etc.)
     if (config.headers) {
       Object.assign(headers, config.headers);

services/satellite/src/services/dynamic-config-manager.ts

@@ -34,7 +34,7 @@ export class DynamicConfigManager {
       defaultTimeout: 30000,
       defaultHeaders: {
         'Content-Type': 'application/json',
-        'User-Agent': 'DeployStack-Satellite/0.1.0'
+        'User-Agent': 'Mozilla/5.0 (compatible; DeployStack-Satellite/1.0; +https://deploystack.io)'
       },
       servers: {}
     };

services/satellite/src/services/http-proxy-manager.ts

@@ -116,7 +116,7 @@ export class HttpProxyManager {
       const headers: Record<string, string> = {
         'Content-Type': 'application/json',
         'Accept': 'application/json, text/event-stream',
-        'User-Agent': 'DeployStack-Satellite/0.1.0',
+        'User-Agent': 'Mozilla/5.0 (compatible; DeployStack-Satellite/1.0; +https://deploystack.io)',
         'MCP-Protocol-Version': '2025-03-26',
         'X-Forwarded-By': 'deploystack-satellite',
         'X-Proxy-Server': serverName

services/satellite/src/services/remote-tool-discovery-manager.ts

@@ -378,6 +378,9 @@ export class RemoteToolDiscoveryManager {
     // OAuth: OAuth token injection for tool discovery
     let headers: Record<string, string> = {};
 
+    // Always set WAF-friendly User-Agent for remote HTTP/SSE servers
+    headers['User-Agent'] = 'Mozilla/5.0 (compatible; DeployStack-Satellite/1.0; +https://deploystack.io)';
+
     // Add regular headers from config (API keys, custom headers, etc.)
     if (config.headers) {
       Object.assign(headers, config.headers);