|
2 | 2 |
|
3 | 3 | This roadmap tracks the path to SEP-1730 Tier 1 for the Rust MCP SDK. |
4 | 4 |
|
5 | | -Server conformance: 87.5% (28/32) · Client conformance: 80.0% (16/20) |
| 5 | +Spec 2025-11-25 (suite 0.1.16): Server 100% (30/30) · Client 100% (18/18) |
| 6 | +Spec 2026-07-28 (suite 0.2.0-alpha.9): Server 92.5% (37/40) · Client 75.0% (24/32) |
6 | 7 |
|
7 | 8 | --- |
8 | 9 |
|
9 | | -## Tier 2 → Tier 1 |
| 10 | +## Target spec: 2026-07-28 (release 2026-07-28) |
10 | 11 |
|
11 | | -### Conformance |
| 12 | +All 2026-07-28 work carries the `2026-07-28` label and the |
| 13 | +[`2026-07-28 spec` milestone](https://github.com/modelcontextprotocol/rust-sdk/milestone/3). |
| 14 | +Per-scenario conformance status is tracked in the epic issue: |
| 15 | +[#977 — Tracking: 2026-07-28 spec conformance](https://github.com/modelcontextprotocol/rust-sdk/issues/977). |
12 | 16 |
|
13 | | -#### Server (87.5% → 100%) |
| 17 | +### Conformance (baseline 2026-07-13, suite `0.2.0-alpha.9`) |
14 | 18 |
|
15 | | -- [ ] Fix `prompts-get-with-args` — prompt argument handling returns incorrect result (arg1/arg2 not substituted) |
16 | | -- [ ] Fix `prompts-get-embedded-resource` — embedded resource content in prompt responses (invalid content union) |
17 | | -- [ ] Fix `elicitation-sep1330-enums` — enum inference handling per SEP-1330 (missing enumNames for legacy titled enum) |
18 | | -- [ ] Fix `dns-rebinding-protection` — validate `Host` / `Origin` headers on Streamable HTTP transport (accepts invalid headers with 200) |
| 19 | +- Server: 3 scenarios (`tools-call-with-progress` stateless behavior, SEP-2243 server-side custom headers, and `server-stateless` — the SEP-2575 discovery/negotiation suite at 2/28 checks) |
| 20 | +- Client: 8 scenarios (SEP-2243 headers ×3, `request-metadata`, and 4 single-check auth failures: SEP-2350 step-up, pre-registration, SEP-2352 AS migration, SEP-2468 issuer validation); fixes for SEP-2350 (#888) and SEP-2352 (#965) are already in review |
| 21 | +- CI: run the full `--spec-version 2026-07-28` suites (stateless server) instead of hand-picked scenario lists; re-baseline on each draft-suite bump |
19 | 22 |
|
20 | | -#### Client (80.0% → 100%) |
| 23 | +### Spec features without conformance scenarios |
21 | 24 |
|
22 | | -- [ ] Fix `auth/metadata-var3` — AS metadata discovery variant 3 (no authorization support detected) |
23 | | -- [ ] Fix `auth/scope-from-www-authenticate` — use scope parameter from WWW-Authenticate header on 403 insufficient_scope |
24 | | -- [ ] Fix `auth/scope-step-up` — handle 403 `insufficient_scope` and re-authorize with upgraded scopes |
25 | | -- [ ] Fix `auth/2025-03-26-oauth-endpoint-fallback` — legacy OAuth endpoint fallback for pre-2025-06-18 servers (no authorization support detected) |
| 25 | +Conformance alone does not cover the full spec surface. Feature work tracked via the milestone: |
| 26 | + |
| 27 | +- SEP-2567 sessionless MCP via explicit state handles (#870) |
| 28 | +- SEP-2260 server requests must associate with a client request (#873) |
| 29 | +- SEP-2549 follow-up: client-side TTL-honoring cache (#974) |
| 30 | + |
| 31 | +(SEP-2575 discovery & negotiation is covered by the `server-stateless` conformance scenario; |
| 32 | +implementation is in review — #869, PRs #973, #943.) |
| 33 | + |
| 34 | +### Release |
| 35 | + |
| 36 | +The 2026-07-28 implementation ships as **v3.0.0** (release PR #964): MRTR, SEP-2549 cache hints, |
| 37 | +SEP-2243 standard headers, and the SEP-2106 relaxations are merged but unreleased — tiering and |
| 38 | +relegation are evaluated against the latest stable release, so cutting v3.0.0 with the remaining |
| 39 | +conformance fixes is on the critical path. Migration guide (draft, kept current until release): |
| 40 | +[discussion #969](https://github.com/modelcontextprotocol/rust-sdk/discussions/969). |
| 41 | + |
| 42 | +--- |
| 43 | + |
| 44 | +## Tier 1 (non-conformance requirements) |
26 | 45 |
|
27 | 46 | ### Governance & Policy |
28 | 47 |
|
29 | 48 | - [ ] Create `VERSIONING.md` — document semver scheme, what constitutes a breaking change, and how breaking changes are communicated |
| 49 | +- [ ] Publish a dependency update policy (Tier 1 requires a published policy) |
| 50 | +- [ ] Cut v3.0.0 (#964) including all conformance fixes (tier relegation is evaluated against the latest stable release) |
30 | 51 |
|
31 | 52 | ### Documentation (26/48 → 48/48 features with prose + examples) |
32 | 53 |
|
@@ -59,13 +80,25 @@ Server conformance: 87.5% (28/32) · Client conformance: 80.0% (16/20) |
59 | 80 |
|
60 | 81 | --- |
61 | 82 |
|
| 83 | +## Completed |
| 84 | + |
| 85 | +- [x] 2025-11-25 server conformance 100% (30 scenarios + pending `json-schema-2020-12`, `server-sse-polling`) |
| 86 | +- [x] 2025-11-25 client conformance 100% (18 scenarios + legacy `auth/2025-03-26-*`) |
| 87 | +- [x] SEP-2322 MRTR (14 server scenarios + `sep-2322-client-request-state`) |
| 88 | +- [x] SEP-2164 resource not found |
| 89 | +- [x] Cache hints (`caching`) |
| 90 | +- [x] `http-header-validation` |
| 91 | +- [x] Issue triage labels (bug, enhancement, needs confirmation, needs repro, ready for work, P0–P3) |
| 92 | + |
| 93 | +--- |
| 94 | + |
62 | 95 | ## Informational (not scored for tiering) |
63 | 96 |
|
64 | | -These draft/extension scenarios are tracked but do not count toward tier advancement: |
| 97 | +These extension scenarios are tracked but do not count toward tier advancement: |
65 | 98 |
|
66 | 99 | | Scenario | Tag | Status | |
67 | 100 | |---|---|---| |
68 | | -| `auth/resource-mismatch` | draft | ❌ Failed | |
69 | 101 | | `auth/client-credentials-jwt` | extension | ❌ Failed — JWT `aud` claim verification error | |
70 | 102 | | `auth/client-credentials-basic` | extension | ✅ Passed | |
71 | 103 | | `auth/cross-app-access-complete-flow` | extension | ❌ Failed — sends `authorization_code` grant instead of `jwt-bearer` | |
| 104 | +| `tasks-*` | extension | Not yet attempted | |
0 commit comments