Last 12 weeks · 78 commits
5 of 6 standards met
Motivation and Context On top of PR #915 that adds model types for SEP-2322, this PR wires up the behavior so servers can request input and clients can satisfy it without changing their call sites. Server tool/prompt/resource handlers can now return an , and the high-level client automatically fulfills the rounds through the already-registered sampling, elicitation, and roots handlers before retrying the original call. The methods remain as a manual escape hatch for callers that want to drive the rounds themselves. Native emission is gated on a negotiated protocol version of or newer so older peers never receive a result shape they cannot understand. It also adds an opt-in feature (, HMAC-SHA256) to safely round-trip the untrusted , plus a example and MRTR usage docs. How Has This Been Tested? Add tests Breaking Changes Server handler return types for , , and are widened to MRTR-aware response enums ( / / ) so a handler can return either a final result or an . The / proc macros, routers, conformance server, and existing tests are updated accordingly. Types of changes [ ] Bug fix (non-breaking change which fixes an issue) [x] New feature (non-breaking change which adds functionality) [x] Breaking change (fix or feature that would cause existing functionality to change) [ ] Documentation update Checklist [x] I have read the MCP Documentation [x] My code follows the repository's style guidelines [x] New and existing tests pass locally [x] I have added appropriate error handling [x] I have added or updated documentation as needed Additional context
Title: fix(auth): keep existing refresh token when refresh response omits it Motivation and Context This fixes token loss on refresh responses that omit . RFC 6749 §6 and the OAuth 2.1 draft make rotation optional, so when the server omits the field the client should keep the token it already holds; was persisting the response verbatim, wiping the stored refresh token and forcing full re-authorization on the next call. The same bug was fixed in the Python SDK (modelcontextprotocol/python-sdk#2270). Fixes #921. How Has This Been Tested? Added regression tests in covering both the omit case (server drops , client keeps the existing one) and the rotate case (server issues a new , client replaces). passes. Breaking Changes None. Public API is unchanged. The only behavior change is that a refresh response without a no longer wipes the stored refresh token. Types of changes [x] Bug fix (non-breaking change which fixes an issue) [ ] New feature (non-breaking change which adds functionality) [ ] Breaking change (fix or feature that would cause existing functionality to change) [ ] Documentation update Checklist [x] I have read the MCP Documentation [x] My code follows the repository's style guidelines [x] New and existing tests pass locally [x] I have added appropriate error handling [ ] I have added or updated documentation as needed
Summary Relax to accept any JSON Schema 2020-12 root type (arrays, primitives, compositions) for , while keeping enforcing . This implements SEP-2106, which was accepted May 18 2026. PR #860 (merged Jun 2 2026) added title/desc stripping and input validation. This PR covers the remaining work: decoupling the type gate so output schemas are no longer rejected for non-object types. Changes : Split into: — keeps check for inputSchema — strips title/desc, no type check (accepts any JSON Schema root type) : Updated doc comment to remove incorrect "root type object" panic reference Tests**: 17 new tests across 4 test files covering primitives, arrays, compositions (), unit type, macro path, trait path, cache correctness, and negative tests for input rejection Backward Compatibility return type unchanged () All existing tests for object output types still pass Change is strictly relaxing: types that were previously rejected are now accepted Verification : 424 passed, 0 failed : No issues found
Closes #886 Motivation and Context SEP-414 reserves the keys , , and for W3C trace context propagation. While the values could already be stored in , the SDK didn't provide typed support, which meant callers had to hardcode the key strings. This update adds and accessors on and includes matching helpers on and public key constants. How Has This Been Tested? Added integration tests Breaking Changes None. Types of changes [ ] Bug fix (non-breaking change which fixes an issue) [x] New feature (non-breaking change which adds functionality) [ ] Breaking change (fix or feature that would cause existing functionality to change) [x] Documentation update Checklist [x] I have read the MCP Documentation [x] My code follows the repository's style guidelines [x] New and existing tests pass locally [ ] I have added appropriate error handling [x] I have added or updated documentation as needed Additional context
SEP-414: W3C Trace Context propagation in — rust-sdk implementation Spec PR: https://github.com/modelcontextprotocol/modelcontextprotocol/pull/414 Track: Specification · Stage: final · Priority: P2 · Theme: Transport Evolution and Scalability Needs code changes:* Yes (Small) — additive (typed accessors + constants) Summary Formalizes three W3C Trace Context fields as standardized keys, enabling distributed tracing across MCP hops without inventing a parallel mechanism: — W3C Trace Context v1 trace parent header value — W3C Trace Context v1 trace state header value — W3C Baggage header value Servers and clients that emit or consume OpenTelemetry spans use these keys to propagate span context through the field of any MCP request. Why this needs code changes in rust-sdk in is a transparent (line 199), so the values can be stored today via raw map operations. But the SDK currently provides no typed support: No key-name constants analogous to No typed accessors (, , etc.) analogous to / No extractor/injector helpers for integration with the or ecosystems Without these, every caller must hardcode string literals, making the feature invisible to SDK users and impossible to test in isolation. Proposed work [ ] Add string constants in : [ ] Add typed read/write accessors on following the pattern: / / [ ] Add a feature-gated (e.g. ) helper module that implements the OpenTelemetry interface using these three fields, enabling: Injection: write span context from an active into Extraction: restore a from a received on an incoming request [ ] Add unit tests for round-trip set/get on all three fields, and for inject/extract when the feature flag is enabled. Affected areas (constants + typed accessors); optional new or for the propagator impl. for the optional dependency. Notes / risks The typed accessors are purely additive and carry no risk. The feature gate keeps the dependency optional so users who don't need distributed tracing don't pay the compile cost. Coordinate with SEP-2243 (#872) — the HTTP transport headers ( etc.) and the fields carry the same logical data; the propagator helper bridges both. Related existing issues #872 — Implement SEP-2243: HTTP Standardization — / headers; trace context flows through both HTTP headers and in the same request path
Motivation and Context This fixes a security issue where the default reqwest-backed streamable HTTP transport could follow redirects while preserving caller-provided custom headers. Disabling automatic redirects keeps secrets such as custom API key headers scoped to the intended MCP server instead of replaying them to an attacker-controlled redirect target. How Has This Been Tested? Added a regression test Breaking Changes No Types of changes [x] Bug fix (non-breaking change which fixes an issue) [ ] New feature (non-breaking change which adds functionality) [ ] Breaking change (fix or feature that would cause existing functionality to change) [ ] Documentation update Checklist [x] I have read the MCP Documentation [x] My code follows the repository's style guidelines [x] New and existing tests pass locally [x] I have added appropriate error handling [x] I have added or updated documentation as needed
Repository: modelcontextprotocol/rust-sdk. Description: The official Rust SDK for the Model Context Protocol Stars: 3586, Forks: 549. Primary language: Rust. Languages: Rust (98.8%), Shell (0.8%), JavaScript (0.3%), Python (0.1%), Just (0%). Latest release: rmcp-v2.0.0 (2d ago). Open PRs: 15, open issues: 32. Last activity: 6h ago. Community health: 87%. Top contributors: DaleSeo, 4t145, jokemanfire, github-actions[bot], dependabot[bot], alexhancock, jamadeo, glicht, tanish111, Z9RTM and others.