Notable Pattern: Bypass-Validation Tool Registration
The project uses server.AddTool (the instance method on *sdk.Server) instead of the package-level sdk.AddTool function to bypass JSON Schema validation for third-party tool input schemas. This is correctly documented in tool_registry.go:
// NOTE: ... must be re-verified on every SDK upgrade.
// Verified correct for go-sdk v1.5.0 (see server.go:Server.AddTool vs AddTool[In,Out]).
func registerToolWithoutValidation(server *sdk.Server, tool *sdk.Tool, handler ...) {
    server.AddTool(tool, ...) // instance method - no arg validation
}
This is a silent contract with the SDK internals that could break silently on upgrade.
Research Findings
Version Status
In use: v1.5.0
Latest available: v1.6.0 (detected; content filtered by integrity policy)
The project is 1 minor version behind and should investigate v1.6.0 changes
Recent Updates (v1.5.0 features already adopted)
sdk.ErrSessionMissing typed sentinel - already used correctly with errors.Is
sdk.StreamableHTTPOptions.SessionTimeout - already configured in both routed and unified modes
sdk.ClientOptions.KeepAlive - already enabled for HTTP backend connections
Best Practices Observed
Proper errors.Is wrapping for ErrSessionMissing
slog logger bridge (logger.NewSlogLoggerWithHandler) connecting project's debug logger to SDK
sdk.NewInMemoryTransports() in test harness - idiomatic testing approach
sdk.StreamableHTTPOptions{Stateless: false} - correct for session-aware gateway
Improvement Opportunities
Quick Wins
Remove the plain JSON-RPC transport fallback - There's an explicit TODO(tech-debt) at internal/mcp/http_transport.go:88:
// TODO(tech-debt): remove this string-matching fallback once the plain JSON-RPC
// transport (HTTPTransportPlainJSON) is retired.
This is dead weight if all production backends now support the 2024-11-05 MCP spec. Assess if HTTPTransportPlainJSON is still needed and schedule removal.
Unify duplicate session-not-found detection - isSessionNotFoundHTTPResponse and isSessionNotFoundError both detect "session not found" conditions with duplicated string-matching logic. Extract a shared sessionNotFoundMessage constant or helper.
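One way to do the extraction suggested above, as an added example rather than code from gh-aw-mcpg: both detectors share one constant and one matcher, and the error path checks the typed sentinel before falling back to string matching. The signatures, the 404-only rule and errSessionMissing (a stand-in for sdk.ErrSessionMissing) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// errSessionMissing stands in for sdk.ErrSessionMissing so this builds
// without the SDK (assumption: real code would use the SDK sentinel).
var errSessionMissing = errors.New("session missing")

// sessionNotFoundMessage is the only place the fallback text is spelled out.
const sessionNotFoundMessage = "session not found"

// mentionsSessionNotFound is the shared case-insensitive string match.
func mentionsSessionNotFound(s string) bool {
	return strings.Contains(strings.ToLower(s), sessionNotFoundMessage)
}

// isSessionNotFoundError checks the typed sentinel first and falls back to
// the shared string match for backends that only return text.
func isSessionNotFoundError(err error) bool {
	if err == nil {
		return false
	}
	return errors.Is(err, errSessionMissing) || mentionsSessionNotFound(err.Error())
}

// isSessionNotFoundHTTPResponse applies the same match to an HTTP reply.
// The (status, body) signature and the 404-only rule are assumptions.
func isSessionNotFoundHTTPResponse(status int, body []byte) bool {
	return status == http.StatusNotFound && mentionsSessionNotFound(string(body))
}

func main() {
	// Constructed inputs: a wrapped sentinel, a text-only error, two HTTP replies.
	fmt.Println(isSessionNotFoundError(fmt.Errorf("call tool: %w", errSessionMissing)))
	fmt.Println(isSessionNotFoundError(errors.New("backend: Session not found")))
	fmt.Println(isSessionNotFoundHTTPResponse(404, []byte(`{"error":"Session Not Found"}`)))
	fmt.Println(isSessionNotFoundHTTPResponse(200, []byte("session not found")))
}
```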
Feature Opportunities
Upgrade to v1.6.0 - The project is 1 minor version behind. Review the v1.6.0 changelog/release notes at https://github.com/modelcontextprotocol/go-sdk/releases for new features, performance improvements, or deprecations that could benefit this project.
Use typed sdk.AddTool[In, Out] for first-party tools - The sys tools (DIFC-related) are implemented directly in this project and have known schemas. These could benefit from the compile-time type safety of sdk.AddTool[In, Out] rather than the bypass-validation pattern.
Best Practice Alignment
Add a regression test for the bypass-validation pattern - The comment in tool_registry.go says the behavior "must be re-verified on every SDK upgrade." Add an automated test that asserts server.AddTool does NOT validate tool arguments against the input schema. This prevents a silent regression if the SDK changes this behavior.
func TestRegisterToolWithoutValidation_SkipsArgValidation(t *testing.T) {
    // Register a tool with a strict schema requiring "name: string"
    // Then call it with missing args - should NOT return a schema validation error
}
Consider a CI alert for SDK releases - Given how central this dependency is, it's worth adding a Dependabot entry or a release-watch workflow to get notified of new go-sdk releases promptly.
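A complementary guard for the "must be re-verified on every SDK upgrade" note, added here and not taken from the project: it reads go.mod and fails when the required go-sdk version differs from the one the bypass was verified against (v1.5.0, per the comment). The function names and the sample go.mod are constructed, and this check does not replace the behavioural test sketched above.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const sdkModule = "github.com/modelcontextprotocol/go-sdk"
const verifiedSDK = "v1.5.0" // version named in the tool_registry.go note

// requiredVersion returns the version go.mod requires for module. It handles
// single-line and block "require" forms and strips trailing comments.
func requiredVersion(goMod, module string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inRequire := false
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//")
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inRequire = true
		case len(f) == 1 && f[0] == ")":
			inRequire = false
		case len(f) == 3 && f[0] == "require" && f[1] == module:
			return f[2], nil
		case inRequire && len(f) == 2 && f[0] == module:
			return f[1], nil
		}
	}
	return "", fmt.Errorf("%s is not required in go.mod", module)
}

// checkBypassVerified fails when the pinned SDK is not the verified version.
func checkBypassVerified(goMod string) error {
	got, err := requiredVersion(goMod, sdkModule)
	if err != nil {
		return err
	}
	if got != verifiedSDK {
		return fmt.Errorf("go-sdk %s in go.mod, bypass verified for %s: re-verify server.AddTool", got, verifiedSDK)
	}
	return nil
}

func main() {
	// Constructed go.mod content that has moved past the verified version.
	fmt.Println(checkBypassVerified("module example.test/gw\n\nrequire (\n\t" + sdkModule + " v1.6.0\n)\n"))
}
```

A replace directive for the module is not considered here, so a project that uses one needs an extra check.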
General Improvements
Verify sdk.Shutdown is wired into graceful shutdown - sdk.Shutdown appears in the codebase, but it's worth auditing that all connection types (stdio, SSE, streamable HTTP) go through the SDK's shutdown path during gateway shutdown.
Recommendations (Prioritized)
| Priority | Action | Effort |
| --- | --- | --- |
| High | Upgrade to v1.6.0 and review changelog | Low |
| High | Add regression test for bypass-validation pattern | Low |
| Medium | Assess and remove HTTPTransportPlainJSON fallback | Medium |
| Medium | Unify duplicate session-not-found detection | Low |
| Low | Switch sys tools to typed sdk.AddTool[In, Out] | Medium |
| Low | Add Dependabot/release watch for go-sdk | Low |
Next Steps
Run go get github.com/modelcontextprotocol/go-sdk@latest and review the diff
Audit HTTPTransportPlainJSON usage in production to determine if it can be retired
Add regression test for registerToolWithoutValidation behavior
Verify graceful shutdown path covers all SDK transport types
Generated by Go Fan
Module analysis: specs/mods/go-sdk.md (workspace read-only; saved to session artifacts)
Run: §26084942494
Go Fan Report: modelcontextprotocol/go-sdk
Module Overview
The official Go SDK for the Model Context Protocol (MCP) - the central dependency that makes this project tick. It provides:
sdk.NewStreamableHTTPHandler)
This is arguably the most important direct dependency in the project: virtually every user-facing feature routes through the SDK.
Current Usage in gh-aw-mcpg
Version: v1.5.0
Files: 34 files (10 production, 24 test/integration)
Distinct SDK symbols used: 42
Key APIs Used
sdk.NewServer / sdk.NewStreamableHTTPHandler
sdk.NewClient + ClientOptions{KeepAlive}
sdk.ErrSessionMissing (errors.Is)
sdk.NewInMemoryTransports() (mcptest package)
sdk.CommandTransport, sdk.SSEClientTransport, sdk.StreamableClientTransport
sdk.TextContent, sdk.ImageContent, sdk.AudioContent, sdk.EmbeddedResource
sdk.CallToolParamsRaw
Note
Integrity filter blocked 7 items
The following items were blocked because they don't meet the GitHub integrity level.
get_commit: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
get_commit: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
get_commit: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
get_latest_release: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
get_latest_release: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
get_latest_release: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
get_file_contents: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
To allow these resources, lower min-integrity in your GitHub frontmatter: