mcp: expose streamable HTTP request summaries#1101
Open
CaliLuke wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Streamable HTTP middleware can observe HTTP lifecycle information, but it cannot safely obtain JSON-RPC message metadata from the SDK-authoritative parse without reading and parsing the request body again. That duplicates buffering and risks retaining sensitive parameters.
This change adds a redacted
StreamableHTTPRequestSummaryand anOnRequestSummarycallback toStreamableHTTPOptions. The callback runs synchronously after the session transport decodes a POST body and before validation or dispatch of those decoded messages. It exposes only ordered method names, a single-call request ID, and call/notification/response counts. It adds no request-body reads, replacements, or buffering.The callback receives the HTTP request context for middleware correlation. Its documentation describes concurrency, early HTTP/session/connection rejection gaps, attacker-controlled method strings, panic behavior, and its relationship to
Server.AddReceivingMiddleware.Verification:
gofmt -l .go vet ./...go test ./...with Go 1.25 and Go 1.26.5go test -race ./...go generate ./...govulncheckwith Go 1.26.5Fixes #1076