Skip to content

MCP specification alignment #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
kentcdodds wants to merge 3 commits into
base: main
Choose a base branch
from
+389 −0
Draft

MCP specification alignment #24

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5836af5
docs: add MCP spec and SDK upgrade research plan
cursoragent Feb 27, 2026
47fbea9
docs: add current-spec policy and draft impact watchlist
cursoragent Feb 27, 2026
9baf871
docs: add breaking changes and rerecord impact section
cursoragent Feb 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
389 changes: 389 additions & 0 deletions docs/upgrade-research.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,389 @@
# MCP Upgrade Research for `advanced-mcp-features` (Spec `2025-11-25` + SDK releases since Oct 2025)

## Executive summary

- Product direction for this refresh: **do not optimize for backwards compatibility**. Teach MCP as it is now, using current protocol semantics and current SDK behavior.
- This workshop still teaches and links to MCP spec `2025-06-18` in many places, while current MCP is `2025-11-25`.
- The **highest-impact new concepts not currently represented here** are:
1. **Sampling with tools** (`tools` + `toolChoice`),
2. **URL-mode elicitation** (including `URLElicitationRequiredError` and completion notifications),
3. **Tasks** (durable async request lifecycle: `tasks/get`, `tasks/result`, `tasks/list`, `tasks/cancel`),
4. **Icons metadata** across tools/resources/resource templates/prompts,
5. **Updated capability negotiation** (`sampling.tools`, `elicitation.form/url`, `tasks.*`),
6. **JSON Schema 2020-12 as default dialect** expectations.
- Workshop code currently pins `@modelcontextprotocol/sdk` to `^1.24.3`; latest is `v1.27.1`.
- Recommended target baseline for this refresh: **latest `@modelcontextprotocol/sdk` (`v1.27.1`) + current dated spec (`2025-11-25`)** until a newer dated spec is published.

## Scope and evidence used

### Spec evidence

- MCP spec changelog for `2025-11-25`:
- https://modelcontextprotocol.io/specification/2025-11-25/changelog
- MCP source repo tag comparison basis:
- tags: `2025-06-18`, `2025-11-25` in `modelcontextprotocol/modelcontextprotocol`
- no newer dated protocol revision tags after `2025-11-25` at time of research
- File-level review focused on:
- `client/elicitation`
- `client/sampling`
- `server/tools`, `server/resources`, `server/prompts`
- `basic/transports`, `basic/authorization`, `basic/index`
- `basic/utilities/tasks`

### SDK evidence (requested via `gh`)

- Release list and notes from:
- `gh release list --repo modelcontextprotocol/typescript-sdk --limit 100`
- `gh api repos/modelcontextprotocol/typescript-sdk/releases?per_page=100`
- Time window reviewed: **all releases since 2025-10-01** through current (`v1.27.1`).

### Workshop-specific evidence

- Current workshop docs and code in this repo:
- Root and exercise READMEs
- Elicitation, sampling, long-running tasks, and changes module source/tests
- Series context from Epic AI site:
- Four-workshop lineup links found on the series page:
- `/workshops/mcp-fundamentals-mtezq`
- `/workshops/advanced-mcp-features-flccv`
- `/workshops/mcp-ui-aubv9`
- `/workshops/mcp-auth-ddk2h`

---

## Update policy for this refresh (explicit)

This update should be done with a **current-spec-only** posture:

1. **No backwards-compatibility teaching burden** in exercises.
- Teach modern capability shapes and modern request structures directly.
1. **Do not center deprecated or legacy APIs** in workshop code.
- Legacy behavior may be mentioned briefly in notes, but not used as core implementation patterns.
1. **Prefer explicit modern protocol usage**, even where older fallbacks remain legal.
- Example: use explicit elicitation mode semantics and modern capability negotiation.
1. **Track draft only as a short-horizon release risk**, not as main curriculum baseline.
- Baseline remains latest dated release unless/until draft is promoted.

---

## What changed in MCP spec `2025-11-25` that affects this workshop

### Added (directly relevant)

1. **Sampling tool use support**
- Added `tools` and `toolChoice` to `sampling/createMessage`.
- Added `sampling.tools` capability negotiation.
- This is a direct expansion of the existing Sampling module and should be taught here.

2. **URL-mode elicitation**
- Elicitation now supports `mode: "url"` in addition to form mode.
- Added URL completion notification (`notifications/elicitation/complete`).
- Added `URLElicitationRequiredError` (`-32042`) for blocked flows.
- This is a direct expansion of the existing Elicitation module.

3. **Tasks utility (experimental)**
- New task lifecycle and methods:
- `tasks/get`
- `tasks/result`
- `tasks/list`
- `tasks/cancel`
- `notifications/tasks/status`
- Adds durable async patterns beyond progress/cancellation notifications.
- Strong fit for the Long Running Tasks module.

4. **Icons metadata support**
- Tools/resources/resource templates/prompts can now expose `icons`.
- Relevant to how capabilities are presented in clients and in dynamic update flows.
- Belongs partly here, but likely deeper treatment in MCP UI workshop.

### Changed (directly relevant)

1. **Elicitation schema model expanded**
- `EnumSchema`/`ElicitResult` evolved for:
- titled/untitled enums
- single-select and multi-select enum patterns
- primitive default values support
- Existing elicitation examples in this workshop are form-only boolean confirmations, so this is currently underrepresented.

2. **JSON Schema dialect expectations**
- Default dialect is now **JSON Schema 2020-12** when `$schema` is omitted.
- Affects tool input/output schema teaching in Advanced Tools and Sampling.

3. **Tool naming guidance formalized**
- Naming format guidance now explicitly documented.
- Current workshop names are generally compatible, but the rule should be taught.

4. **Tool validation error guidance**
- Clarified: input validation errors should be surfaced as **tool execution errors** (self-correctable) rather than protocol errors.
- Important for exercises that teach robust tool UX and model correction loops.

5. **Transport behavior clarifications**
- Streamable HTTP/SSE polling and disconnection semantics were clarified.
- This workshop is mostly stdio-oriented, so this is lower priority here, higher priority for Fundamentals/Remote transport teaching.

### Added/changed but mostly for other workshops

1. **Authorization and discovery upgrades**
- OpenID Connect discovery support
- Incremental scope consent via `WWW-Authenticate`
- OAuth Client ID Metadata Documents
- RFC9728 alignment/fallback behavior
- This maps primarily to MCP Auth workshop.

### Removed (impact check)

- No major removals in the `2025-11-25` changelog materially impacting this workshop’s current scope.
- Main impact is additive + behavior clarifications.

---

## Draft-spec watchlist (if draft became the next release next week)

Based on draft changelog + schema/doc diffs against `2025-11-25`, these are the meaningful items to pre-account for:

1. **Capabilities gain optional `extensions` field**
- Added to both `ClientCapabilities` and `ServerCapabilities`.
- Impact: low-to-medium. Mostly additive, but examples/teaching that show capability objects should be updated to avoid looking stale immediately.

2. **`_meta` reserves OpenTelemetry trace context keys**
- Draft explicitly reserves `traceparent`, `tracestate`, and `baggage` for trace propagation.
- Impact: low. Mainly docs/teaching guidance, but important to avoid using these keys for custom metadata.

3. **Sampling section adds stronger operational clarifications**
- Tools passed via `sampling.createMessage` are request-scoped (not necessarily registered server tools).
- Additional normative clarity around message sequencing, tool result matching, and result fields.
- Impact: medium for this workshop because Sampling is a core module.

4. **No protocol method churn detected vs `2025-11-25`**
- No added/removed RPC method names in schema diff.
- Impact: low risk of immediate rewrite for method inventory.

5. **Tasks still experimental in draft**
- Semantics remain potentially fluid.
- Impact: medium. We should teach tasks as powerful but evolving, with explicit “experimental” framing.

6. **Security-best-practices references are moving toward tutorials/docs paths**
- Link targets in draft docs reference `/docs/tutorials/security/security_best_practices` rather than dated spec-local paths.
- Impact: low-to-medium. Use stable URLs in workshop text to avoid another round of link churn.

---

## BREAKING CHANGES (video re-record required)

Definition used for this section (per request):

- **Counts as breaking:** any change to exercise step solution code, added exercises, removed/replaced exercises, or changed code path demonstrated in videos.
- **Does not count as breaking:** instruction wording updates, link updates, and other docs-only edits with no solution code changes.

Assumption: this follows the current-spec-only policy above (no legacy compatibility path in teaching).

### Confirmed breaking changes for this repo update

1. **Elicitation capability and API usage updates across solution code**
- Current solution code uses form-only patterns (`capabilities?.elicitation` and `elicitInput` form flow) in multiple solution tracks.
- Moving to current-spec teaching (mode-aware elicitation and URL-mode coverage) changes solution code behavior and shape.
- **Video impact:** re-record all affected walkthroughs where these solution files are explained or exercised (not just the dedicated elicitation module).

2. **Sampling step solutions must change to teach tool-enabled sampling**
- Current sampling solutions call `createMessage` without `tools`/`toolChoice`.
- Current-spec curriculum requires explicit sampling-with-tools flows and capability gating (`sampling.tools`).
- **Video impact:** re-record Sampling module videos for steps whose solution code changes (simple + advanced tracks).

3. **Long-running tasks module requires solution-code redesign for tasks**
- Current module teaches progress + cancellation; current-spec advanced coverage should include task lifecycle (`task` metadata, `tasks/get`, `tasks/result`, `tasks/list`, `tasks/cancel`).
- This is a code-path change, not just a narration change.
- **Video impact:** re-record long-running-task videos for any updated/replaced steps; new task-focused steps require new videos.

4. **Exercise topology changes (added/replaced steps) are breaking by definition**
- Adding URL-mode elicitation step(s), sampling-with-tools step(s), and task lifecycle step(s) creates net-new recording requirements.
- Replacing/removing existing steps (if done) also forces re-records for affected module intros/transitions.

### Likely non-breaking (no re-record required)

1. Pure spec-link/date updates.
2. Wording-only clarifications in README/exercise instructions.
3. Draft watchlist additions that are additive-only and not reflected in solution code yet.

### If draft became official a week later: additional re-record risk

1. **Low additional break risk** if we already implement this update as proposed.
- Draft deltas are mostly additive/clarifying (`extensions` capabilities, trace-context `_meta` reservations, sampling clarifications).
2. **Potential re-record trigger** only if videos hard-code now-stale capability object examples and omit additive fields entirely as “complete schema.”
- Mitigation: narrate capability objects as extensible and reserve `_meta` trace keys from day one.

---

## What is currently missing in this workshop

### New concepts that should be represented

1. **Sampling with tools loop**
- Current Sampling exercises call `createMessage` without `tools`/`toolChoice`.
- Missing: capability checks for `sampling.tools`, iterative tool-use flow, and tool result constraints.

2. **URL elicitation**
- Current elicitation exercises are form-only and use `elicitation: {}` capability style.
- Missing: mode-specific capability negotiation (`form`/`url`), URL safety model, and `URLElicitationRequiredError` handling.

3. **Tasks-based async lifecycle**
- Current long-running module teaches progress notifications + cancellation tokens.
- Missing: durable request lifecycle with tasks APIs and retrieval semantics.

4. **Icons and richer implementation metadata**
- Workshop discusses annotations/title, but not icon metadata for tool/resource/prompt/template discovery.
- Missing UI-facing metadata strategy.

5. **Updated capability granularity**
- Missing explicit teaching for:
- `sampling.tools`
- `sampling.context` behavior constraints
- `elicitation.form` / `elicitation.url`
- `tasks.*` capabilities and tool-level task support.

6. **JSON Schema 2020-12 implications**
- Structured output and schema exercises do not currently frame dialect expectations.

---

## TypeScript SDK releases since Oct 2025: significant changes to represent

Below are the notable changes from `typescript-sdk` releases since 2025-10 that materially affect workshop content/design.

### Core alignment releases (most curriculum-relevant)

1. **1.21.0 (2025-10-30)**
- Tool error behavior fix aligns with spec intent:
- return `CallToolResult` with `isError: true` instead of protocol-level failure for invalid tool/schema situations.
- Add pluggable JSON schema validator providers (advanced infra relevance).

2. **1.22.0 (2025-11-13)**
- SEP-986 tool naming support.
- SEP-1034/SEP-1330 elicitation defaults + enum compatibility.
- SEP-1319 request payload decoupling (typing/schema architecture shift).
- `registerTool` accepts `ZodType<object>` for input/output.

3. **1.23.0 (2025-11-25)**
- SEP-1036 URL elicitation.
- SEP-1577 sampling with tools.
- SEP-1613 JSON Schema 2020-12 handling.
- SEP-1699 SSE polling support.
- URL client metadata registration + insufficient scope upscoping/auth updates.
- Marks old `elicitInput` overload deprecated.

4. **1.24.0 (2025-12-02)**
- SEP-1686 tasks implementation.
- SEP-1046 client credentials (auth-focused).
- Additional SSE/task handling utilities.

5. **1.24.1 / 1.24.2 / 1.24.3**
- Protocol version update to `2025-11-25`.
- Optional resource annotations.
- Backward-compatibility fixes around SSE priming behavior.

### Post-1.24.3 updates (important if this workshop upgrades to latest SDK)

1. **1.25.x**
- Spec compliance tightening (removal of loose/passthrough types).
- Added fetch transport.
- Protocol date validation.
- Security fix: UriTemplate ReDoS backport (`v1.25.2`).

2. **1.26.0**
- Security advisory fix:
- cross-client response data leak risk when sharing server/transport instances.

3. **1.27.x**
- Tasks streaming methods for elicitation/sampling.
- OAuth discovery caching utilities.
- Conformance-focused improvements.
- Example command-injection hardening fix (`v1.27.1`).

---

## Placement recommendations across the 4-workshop series

### A) Keep/add in **Advanced MCP Features** (this repo)

1. **Sampling with tools** (new lesson or extension of Sampling advanced step)
2. **URL elicitation** (extend Elicitation module beyond form mode)
3. **Tasks for long-running operations** (expand/replace part of current long-running strategy)
4. **Capability granularity updates** (elicitation modes, sampling tools, tasks)
5. **Tool execution error semantics and model self-correction loops**
6. **Spec-date refresh to `2025-11-25` and SDK upgrade notes**

### B) Better in **MCP Auth**

1. OIDC discovery integration details
2. `WWW-Authenticate` scope challenge and step-up flow
3. OAuth Client ID Metadata Documents
4. Client credentials updates (M2M)
5. Protected Resource Metadata fallback mechanics

### C) Better in **MCP UI**

1. Icon metadata design and rendering strategies
2. Metadata-driven affordances (`title`, `description`, `icons`) in UI clients
3. URL elicitation consent UX patterns (shared with Advanced Features)

### D) Better in **MCP Fundamentals**

1. JSON Schema 2020-12 baseline expectations
2. Tool naming guidance as foundational convention
3. Transport-level Streamable HTTP/SSE polling semantics

---

## Recommended actions to take (clear checklist)

These are ordered and intended to be executed as-is.

### 1) Lock the update policy (decision)

1. Declare in the workshop repo that this refresh is **current-spec-only** and **not backwards-compatibility-focused**.
2. Set baseline to:
- MCP dated spec: `2025-11-25`
- SDK: latest stable (`@modelcontextprotocol/sdk` `v1.27.1`)

### 2) Do immediate alignment edits (same PR batch)

1. Update all workshop links from `2025-06-18` to `2025-11-25`.
2. Add a brief “what changed since 2025-06-18” section to workshop intro.
3. Remove/replace legacy capability examples where they imply old-style patterns as the default.

### 3) Implement the 3 curriculum-critical upgrades (separate PRs)

1. **Sampling module:** add tool-enabled sampling (`tools` + `toolChoice`) with explicit capability gating.
2. **Elicitation module:** add URL mode + `URLElicitationRequiredError` + completion notification flow.
3. **Long-running module:** add task lifecycle (`task` request metadata, `tasks/get`, `tasks/result`, `tasks/list`, `tasks/cancel`) and compare against progress/cancellation notifications.

### 4) Make the content draft-resilient now (small cost, high payoff)

1. Add a short note in capability sections that `extensions` may appear (and should be treated as additive/optional).
2. Add `_meta` guidance that custom metadata must avoid reserved trace keys (`traceparent`, `tracestate`, `baggage`).
3. Use stable security best-practices links (`/docs/tutorials/security/security_best_practices`) where possible.

### 5) Add verification gates before release

1. Add/adjust tests for:
- `sampling.tools` negotiation and constraints,
- elicitation mode handling (`form`/`url`),
- task method flows and task metadata handling.
2. Run module-scoped tests for all changed exercises.
3. Run one end-to-end smoke pass in MCP Inspector for each upgraded module path.

### 6) Release sequencing

1. Ship docs/spec-link alignment first.
2. Ship module upgrades incrementally (Sampling -> Elicitation -> Tasks) to keep review and rollback simple.
3. Publish a short “what changed” note to learners stating this is a current-spec refresh, not a legacy compatibility release.

---

## Repo-specific observations to address in the update

1. Exercise docs currently point to old spec date (`2025-06-18`) in many modules.
2. Elicitation code/tests use form-only patterns and generic `elicitation: {}` capability checks.
3. Sampling exercises use plain `createMessage` requests and do not cover tool-enabled sampling.
4. Long-running exercises currently focus on progress/cancel notifications; no tasks API coverage.
5. Package dependencies pin `@modelcontextprotocol/sdk` around `^1.24.3` and `zod` v3.