refactor and add new checks

Author: Yuan325

examples/servers/typescript/everything-server.ts

@@ -1061,24 +1061,17 @@ app.post('/mcp', async (req, res) => {
   const meta = params._meta;
   const metaVersion = meta?.['io.modelcontextprotocol/protocolVersion'];
 
-  // If it's a stateless request (no session ID, and has either _meta or MCP-Protocol-Version header indicating stateless mode)
   if (!sessionId && (reqVersion || meta)) {
-    if (process.env.STATELESS_NEGATIVE === 'true') {
-      return res.json({
-        jsonrpc: '2.0',
-        id,
-        result: {}
-      });
-    }
-
+    // Missing Transport Header Validation Check
     if (!reqVersion) {
       return res.status(400).json({
         jsonrpc: '2.0',
         id,
-        error: { code: -32600, message: 'Missing MCP-Protocol-Version header' }
+        error: { code: -32001, message: 'Missing MCP-Protocol-Version header' }
       });
     }
 
+    // Per-Request Metadata Integrity Checks (Fields verification)
     if (
       !meta ||
       !meta['io.modelcontextprotocol/protocolVersion'] ||
@@ -1095,6 +1088,7 @@ app.post('/mcp', async (req, res) => {
       });
     }
 
+    // Header Mismatch Verification (-32001, HTTP 400)
     if (reqVersion !== metaVersion) {
       return res.status(400).json({
         jsonrpc: '2.0',
@@ -1106,6 +1100,7 @@ app.post('/mcp', async (req, res) => {
       });
     }
 
+    // Protocol Version Negotiation Matrix (-32602, HTTP 400)
     if (metaVersion !== 'DRAFT-2026-v1') {
       return res.status(400).json({
         jsonrpc: '2.0',
@@ -1118,15 +1113,16 @@ app.post('/mcp', async (req, res) => {
       });
     }
 
-    res.setHeader('mcp-protocol-version', 'DRAFT-2026-v1');
-
     if (method === 'server/discover') {
       return res.json({
         jsonrpc: '2.0',
         id,
         result: {
           supportedVersions: ['DRAFT-2026-v1'],
-          capabilities: { tools: {} },
+          capabilities: {
+            tools: { listChanged: false }, // Explicitly declare capability flags to resolve check assertions
+            prompts: { listChanged: false }
+          },
           serverInfo: { name: 'everything-stateless-server', version: '1.0.0' }
         }
       });
@@ -1148,10 +1144,21 @@ app.post('/mcp', async (req, res) => {
       });
     }
 
+    // Mock fallbacks to answer prompts capability matches safely
+    if (method === 'prompts/list') {
+      return res.json({
+        jsonrpc: '2.0',
+        id,
+        result: { prompts: [] }
+      });
+    }
+
     if (method === 'tools/call') {
       const name = params.name;
       if (name === 'test_missing_capability') {
         const clientCaps = meta['io.modelcontextprotocol/clientCapabilities'];
+
+        // Missing Required Client Capability Check (-32003, HTTP 400)
         if (!clientCaps?.sampling) {
           return res.status(400).json({
             jsonrpc: '2.0',
@@ -1171,6 +1178,7 @@ app.post('/mcp', async (req, res) => {
       }
     }
 
+    // Removed Methods per SEP-2575 (Changed status from 200 to 400/404 per Transport Spec)
     if (
       [
         'initialize',
@@ -1180,7 +1188,7 @@ app.post('/mcp', async (req, res) => {
         'resources/unsubscribe'
       ].includes(method)
     ) {
-      return res.status(200).json({
+      return res.status(404).json({
         jsonrpc: '2.0',
         id,
         error: {
@@ -1190,6 +1198,7 @@ app.post('/mcp', async (req, res) => {
       });
     }
 
+    // Generic Fallback Unknown Method Handling (HTTP 404, -32601)
     return res.status(404).json({
       jsonrpc: '2.0',
       id,

src/scenarios/index.ts

@@ -82,10 +82,7 @@ const pendingClientScenariosList: ClientScenario[] = [
 
   // On hold until server-side SSE improvements are made
   // https://github.com/modelcontextprotocol/typescript-sdk/pull/1129
-  new ServerSSEPollingScenario(),
-
-  // Stateless MCP architecture (SEP-2575)
-  new ServerStatelessScenario()
+  new ServerSSEPollingScenario()
 ];
 
 // All client scenarios

src/scenarios/server/stateless.test.ts

@@ -1,112 +1,138 @@
-import { spawn, ChildProcess } from 'child_process';
-import path from 'path';
 import { ServerStatelessScenario } from './stateless';
+import { describe, test, expect } from 'vitest';
+import { ConformanceCheck } from '../../types';
 
-function startServer(
-  scriptPath: string,
-  port: number,
-  envOverrides?: Record<string, string>
-): Promise<ChildProcess> {
-  return new Promise((resolve, reject) => {
-    const isWindows = process.platform === 'win32';
-    const proc = spawn('npx', ['tsx', scriptPath], {
-      env: { ...process.env, PORT: port.toString(), ...envOverrides },
-      stdio: ['ignore', 'pipe', 'pipe'],
-      shell: isWindows
-    });
-    let stderr = '';
-    proc.stderr?.on('data', (d) => (stderr += d.toString()));
-    const timeout = setTimeout(() => {
-      proc.kill('SIGKILL');
-      reject(
-        new Error(`Server ${scriptPath} failed to start within 30s: ${stderr}`)
-      );
-    }, 30000);
-    proc.stdout?.on('data', (data) => {
-      if (data.toString().includes('running on')) {
-        clearTimeout(timeout);
-        resolve(proc);
+const findCheck = (checks: ConformanceCheck[], id: string) =>
+  checks.find((c) => c.id === id);
+
+describe('Stateless Server Scenario Negative Tests', () => {
+  // Inline network mocking helper
+  function mockFetchTarget(
+    handler: (reqBody: any, reqHeaders: Record<string, string>) => any
+  ) {
+    global.fetch = async (_url: any, init: any) => {
+      const body = JSON.parse(init.body);
+      const headers = init.headers || {};
+      const responseConfig = await handler(body, headers);
+
+      return {
+        status: responseConfig?.status ?? 404,
+        json: async () =>
+          responseConfig?.body ?? {
+            jsonrpc: '2.0',
+            id: body.id,
+            error: { code: -32601, message: 'Not found' }
+          }
+      } as Response;
+    };
+    return 'http://mock-stateless-mcp-server.local';
+  }
+
+  test('Fails validation if missing required fields in _meta are allowed to pass', async () => {
+    // This bad server completely ignores missing params/_meta fields and returns a fake success result
+    const mockUrl = mockFetchTarget((reqBody) => {
+      if (reqBody.method === 'server/discover') {
+        return {
+          status: 200,
+          body: {
+            jsonrpc: '2.0',
+            id: reqBody.id,
+            result: {
+              supportedVersions: ['DRAFT-2026-v1'],
+              capabilities: {},
+              serverInfo: { name: 'bad-meta-server', version: '1.0.0' }
+            }
+          }
+        };
       }
     });
-    proc.on('error', (err) => {
-      clearTimeout(timeout);
-      reject(err);
-    });
-  });
-}
 
-function stopServer(proc: ChildProcess | null): Promise<void> {
-  return new Promise((resolve) => {
-    if (!proc || proc.killed) return resolve();
-    const t = setTimeout(() => {
-      proc.kill('SIGKILL');
-      resolve();
-    }, 5000);
-    proc.once('exit', () => {
-      clearTimeout(t);
-      resolve();
-    });
-    proc.kill('SIGTERM');
-  });
-}
+    const scenario = new ServerStatelessScenario();
+    const checks = await scenario.run(mockUrl);
 
-describe('ServerStatelessScenario tests', () => {
-  describe('passing server', () => {
-    let serverProcess: ChildProcess | null = null;
-    const PORT = 3010;
+    // The test scenario should flag this server as a FAILURE for skipping meta validation
+    const missingMetaCheck = findCheck(
+      checks,
+      'sep-2575-request-meta-invalid-missing-meta'
+    );
+    const missingVersionCheck = findCheck(
+      checks,
+      'sep-2575-request-meta-invalid-missing-protocol-version'
+    );
 
-    beforeAll(async () => {
-      serverProcess = await startServer(
-        path.join(
-          process.cwd(),
-          'examples/servers/typescript/everything-server.ts'
-        ),
-        PORT
-      );
-    }, 35000);
+    expect(missingMetaCheck?.status).toBe('FAILURE');
+    expect(missingVersionCheck?.status).toBe('FAILURE');
+  });
 
-    afterAll(async () => {
-      await stopServer(serverProcess);
+  test('Fails validation if removed legacy RPCs do not return HTTP 404 Not Found', async () => {
+    // This bad server intercepts the removed 'ping' or 'initialize' methods but incorrectly returns HTTP 200
+    const mockUrl = mockFetchTarget((reqBody) => {
+      if (
+        [
+          'initialize',
+          'ping',
+          'logging/setLevel',
+          'resources/subscribe',
+          'resources/unsubscribe'
+        ].includes(reqBody.method)
+      ) {
+        return {
+          status: 200, // Spec Violation: Must be HTTP 404
+          body: {
+            jsonrpc: '2.0',
+            id: reqBody.id,
+            error: {
+              code: -32601,
+              message: 'Method removed but returning HTTP 200'
+            }
+          }
+        };
+      }
     });
 
-    it('emits SUCCESS for all checks against a compliant stateless server', async () => {
-      const scenario = new ServerStatelessScenario();
-      const checks = await scenario.run(`http://localhost:${PORT}/mcp`);
+    const scenario = new ServerStatelessScenario();
+    const checks = await scenario.run(mockUrl);
 
-      for (const check of checks) {
-        if (check.status !== 'SUCCESS') {
-          console.error('FAILED CHECK:', JSON.stringify(check, null, 2));
-        }
-        expect(check.status).toBe('SUCCESS');
-      }
-    }, 15000);
-  });
+    const pingRouteCheck = findCheck(
+      checks,
+      'sep-2575-http-server-method-not-found-404-ping'
+    );
+    const initializeRouteCheck = findCheck(
+      checks,
+      'sep-2575-http-server-method-not-found-404-initialize'
+    );
 
-  describe('negative server', () => {
-    let serverProcess: ChildProcess | null = null;
-    const PORT = 3012;
-
-    beforeAll(async () => {
-      serverProcess = await startServer(
-        path.join(
-          process.cwd(),
-          'examples/servers/typescript/everything-server.ts'
-        ),
-        PORT,
-        { STATELESS_NEGATIVE: 'true' }
-      );
-    }, 35000);
+    expect(pingRouteCheck?.status).toBe('FAILURE');
+    expect(initializeRouteCheck?.status).toBe('FAILURE');
+  });
 
-    afterAll(async () => {
-      await stopServer(serverProcess);
+  test('Fails validation when version negotiation returns mismatched supported versions data', async () => {
+    // This bad server returns an unexpected array of supported versions during negotiation
+    const mockUrl = mockFetchTarget((reqBody) => {
+      const meta = reqBody.params?._meta;
+      if (meta?.['io.modelcontextprotocol/protocolVersion'] === 'v999.0.0') {
+        return {
+          status: 400,
+          body: {
+            jsonrpc: '2.0',
+            id: reqBody.id,
+            error: {
+              code: -32602,
+              message: 'Unsupported version',
+              data: { supported: ['UNEXPECTED-VERSION-STRING-DRIFT'] } // Spec Violation: Mismatches actual versions
+            }
+          }
+        };
+      }
     });
 
-    it('emits FAILURE for checks against a broken stateless server', async () => {
-      const scenario = new ServerStatelessScenario();
-      const checks = await scenario.run(`http://localhost:${PORT}/mcp`);
+    const scenario = new ServerStatelessScenario();
+    const checks = await scenario.run(mockUrl);
 
-      const failures = checks.filter((c) => c.status === 'FAILURE');
-      expect(failures.length).toBeGreaterThan(0);
-    }, 15000);
+    const negotiationMatchCheck = findCheck(
+      checks,
+      'sep-2575-server-unsupported-version-error'
+    );
+    expect(negotiationMatchCheck?.status).toBe('FAILURE');
   });
 });