fix(examples): expose mcp-session-id header for CORS requests

Without exposedHeaders in the CORS config, browsers block JavaScript
from reading the mcp-session-id response header. This caused the SDK's
StreamableHTTPClientTransport to never capture the session ID, breaking
all subsequent requests with "Bad request: not initialized" errors.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: ochafik

examples/shared/server-utils.ts

@@ -42,7 +42,9 @@ export async function startServer(
 
   // Express app - bind to all interfaces for development/testing
   const app = createMcpExpressApp({ host: "0.0.0.0" });
-  app.use(cors());
+  app.use(cors({
+    exposedHeaders: ["mcp-session-id"],
+  }));
 
   // Streamable HTTP (stateful)
   app.all("/mcp", async (req: Request, res: Response) => {