modelcontextprotocol
diff --git a/‎docs/migration-SKILL.md‎
Lines changed: 118 additions & 10 deletions b/‎docs/migration-SKILL.md‎
Lines changed: 118 additions & 10 deletions
diff --git a/‎docs/migration.md‎
Lines changed: 202 additions & 0 deletions b/‎docs/migration.md‎
Lines changed: 202 additions & 0 deletions
diff --git a/‎examples/client/src/elicitationUrlExample.ts‎
Lines changed: 3 additions & 3 deletions b/‎examples/client/src/elicitationUrlExample.ts‎
Lines changed: 3 additions & 3 deletions
@@ -82,19 +82,127 @@ Notes:
 
 ## 5. Removed / Renamed Type Aliases and Symbols
 
-| v1 (removed)                             | v2 (replacement)                                 |
-| ---------------------------------------- | ------------------------------------------------ |
-| `JSONRPCError`                           | `JSONRPCErrorResponse`                           |
-| `JSONRPCErrorSchema`                     | `JSONRPCErrorResponseSchema`                     |
-| `isJSONRPCError`                         | `isJSONRPCErrorResponse`                         |
-| `isJSONRPCResponse`                      | `isJSONRPCResultResponse`                        |
-| `ResourceReference`                      | `ResourceTemplateReference`                      |
-| `ResourceReferenceSchema`                | `ResourceTemplateReferenceSchema`                |
-| `IsomorphicHeaders`                      | REMOVED (use Web Standard `Headers`)             |
-| `AuthInfo` (from `server/auth/types.js`) | `AuthInfo` (now in `@modelcontextprotocol/core`) |
+| v1 (removed)                             | v2 (replacement)                                         |
+| ---------------------------------------- | -------------------------------------------------------- |
+| `JSONRPCError`                           | `JSONRPCErrorResponse`                                   |
+| `JSONRPCErrorSchema`                     | `JSONRPCErrorResponseSchema`                             |
+| `isJSONRPCError`                         | `isJSONRPCErrorResponse`                                 |
+| `isJSONRPCResponse`                      | `isJSONRPCResultResponse`                                |
+| `ResourceReference`                      | `ResourceTemplateReference`                              |
+| `ResourceReferenceSchema`                | `ResourceTemplateReferenceSchema`                        |
+| `IsomorphicHeaders`                      | REMOVED (use Web Standard `Headers`)                     |
+| `AuthInfo` (from `server/auth/types.js`) | `AuthInfo` (now in `@modelcontextprotocol/core`)         |
+| `McpError`                               | `ProtocolError`                                          |
+| `ErrorCode`                              | `ProtocolErrorCode`                                      |
+| `ErrorCode.RequestTimeout`               | `SdkErrorCode.RequestTimeout`                            |
+| `ErrorCode.ConnectionClosed`             | `SdkErrorCode.ConnectionClosed`                          |
+| `StreamableHTTPError`                    | REMOVED (use `SdkError` with `SdkErrorCode.ClientHttp*`) |
 
 All other symbols from `@modelcontextprotocol/sdk/types.js` retain their original names (e.g., `CallToolResultSchema`, `ListToolsResultSchema`, etc.).
 
+### Error class changes
+
+Two error classes now exist:
+
+- **`ProtocolError`** (renamed from `McpError`): Protocol errors that cross the wire as JSON-RPC responses
+- **`SdkError`** (new): Local SDK errors that never cross the wire
+
+| Error scenario                   | v1 type                                      | v2 type                                                           |
+| -------------------------------- | -------------------------------------------- | ----------------------------------------------------------------- |
+| Request timeout                  | `McpError` with `ErrorCode.RequestTimeout`   | `SdkError` with `SdkErrorCode.RequestTimeout`                     |
+| Connection closed                | `McpError` with `ErrorCode.ConnectionClosed` | `SdkError` with `SdkErrorCode.ConnectionClosed`                   |
+| Capability not supported         | `new Error(...)`                             | `SdkError` with `SdkErrorCode.CapabilityNotSupported`             |
+| Not connected                    | `new Error('Not connected')`                 | `SdkError` with `SdkErrorCode.NotConnected`                       |
+| Invalid params (server response) | `McpError` with `ErrorCode.InvalidParams`    | `ProtocolError` with `ProtocolErrorCode.InvalidParams`            |
+| HTTP transport error             | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttp*`                        |
+| Failed to open SSE stream        | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpFailedToOpenStream`       |
+| 401 after auth flow              | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpAuthentication`           |
+| 403 after upscoping              | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpForbidden`                |
+| Unexpected content type          | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpUnexpectedContent`        |
+| Session termination failed       | `StreamableHTTPError`                        | `SdkError` with `SdkErrorCode.ClientHttpFailedToTerminateSession` |
+
+New `SdkErrorCode` enum values:
+
+- `SdkErrorCode.NotConnected` = `'NOT_CONNECTED'`
+- `SdkErrorCode.AlreadyConnected` = `'ALREADY_CONNECTED'`
+- `SdkErrorCode.NotInitialized` = `'NOT_INITIALIZED'`
+- `SdkErrorCode.CapabilityNotSupported` = `'CAPABILITY_NOT_SUPPORTED'`
+- `SdkErrorCode.RequestTimeout` = `'REQUEST_TIMEOUT'`
+- `SdkErrorCode.ConnectionClosed` = `'CONNECTION_CLOSED'`
+- `SdkErrorCode.SendFailed` = `'SEND_FAILED'`
+- `SdkErrorCode.ClientHttpNotImplemented` = `'CLIENT_HTTP_NOT_IMPLEMENTED'`
+- `SdkErrorCode.ClientHttpAuthentication` = `'CLIENT_HTTP_AUTHENTICATION'`
+- `SdkErrorCode.ClientHttpForbidden` = `'CLIENT_HTTP_FORBIDDEN'`
+- `SdkErrorCode.ClientHttpUnexpectedContent` = `'CLIENT_HTTP_UNEXPECTED_CONTENT'`
+- `SdkErrorCode.ClientHttpFailedToOpenStream` = `'CLIENT_HTTP_FAILED_TO_OPEN_STREAM'`
+- `SdkErrorCode.ClientHttpFailedToTerminateSession` = `'CLIENT_HTTP_FAILED_TO_TERMINATE_SESSION'`
+
+Update error handling:
+
+```typescript
+// v1
+if (error instanceof McpError && error.code === ErrorCode.RequestTimeout) { ... }
+
+// v2
+import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+if (error instanceof SdkError && error.code === SdkErrorCode.RequestTimeout) { ... }
+```
+
+Update HTTP transport error handling:
+
+```typescript
+// v1
+import { StreamableHTTPError } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+if (error instanceof StreamableHTTPError) {
+    console.log('HTTP status:', error.code);
+}
+
+// v2
+import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+if (error instanceof SdkError && error.code === SdkErrorCode.ClientHttpFailedToOpenStream) {
+    const status = (error.data as { status?: number })?.status;
+}
+```
+
+### OAuth error consolidation
+
+Individual OAuth error classes replaced with single `OAuthError` class and `OAuthErrorCode` enum:
+
+| v1 Class                       | v2 Equivalent                                              |
+| ------------------------------ | ---------------------------------------------------------- |
+| `InvalidRequestError`          | `OAuthError` with `OAuthErrorCode.InvalidRequest`          |
+| `InvalidClientError`           | `OAuthError` with `OAuthErrorCode.InvalidClient`           |
+| `InvalidGrantError`            | `OAuthError` with `OAuthErrorCode.InvalidGrant`            |
+| `UnauthorizedClientError`      | `OAuthError` with `OAuthErrorCode.UnauthorizedClient`      |
+| `UnsupportedGrantTypeError`    | `OAuthError` with `OAuthErrorCode.UnsupportedGrantType`    |
+| `InvalidScopeError`            | `OAuthError` with `OAuthErrorCode.InvalidScope`            |
+| `AccessDeniedError`            | `OAuthError` with `OAuthErrorCode.AccessDenied`            |
+| `ServerError`                  | `OAuthError` with `OAuthErrorCode.ServerError`             |
+| `TemporarilyUnavailableError`  | `OAuthError` with `OAuthErrorCode.TemporarilyUnavailable`  |
+| `UnsupportedResponseTypeError` | `OAuthError` with `OAuthErrorCode.UnsupportedResponseType` |
+| `UnsupportedTokenTypeError`    | `OAuthError` with `OAuthErrorCode.UnsupportedTokenType`    |
+| `InvalidTokenError`            | `OAuthError` with `OAuthErrorCode.InvalidToken`            |
+| `MethodNotAllowedError`        | `OAuthError` with `OAuthErrorCode.MethodNotAllowed`        |
+| `TooManyRequestsError`         | `OAuthError` with `OAuthErrorCode.TooManyRequests`         |
+| `InvalidClientMetadataError`   | `OAuthError` with `OAuthErrorCode.InvalidClientMetadata`   |
+| `InsufficientScopeError`       | `OAuthError` with `OAuthErrorCode.InsufficientScope`       |
+| `InvalidTargetError`           | `OAuthError` with `OAuthErrorCode.InvalidTarget`           |
+| `CustomOAuthError`             | `new OAuthError(customCode, message)`                      |
+
+Removed: `OAUTH_ERRORS` constant.
+
+Update OAuth error handling:
+
+```typescript
+// v1
+import { InvalidClientError, InvalidGrantError } from '@modelcontextprotocol/core';
+if (error instanceof InvalidClientError) { ... }
+
+// v2
+import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/core';
+if (error instanceof OAuthError && error.code === OAuthErrorCode.InvalidClient) { ... }
+```
+
 **Unchanged APIs** (only import paths changed): `Client` constructor and methods, `McpServer` constructor, `server.connect()`, `server.close()`, all client transports (`StreamableHTTPClientTransport`, `SSEClientTransport`, `StdioClientTransport`), `StdioServerTransport`, all Zod
 schemas, all callback return types.
 
 
@@ -344,6 +344,208 @@ import { JSONRPCError, ResourceReference, isJSONRPCError } from '@modelcontextpr
 import { JSONRPCErrorResponse, ResourceTemplateReference, isJSONRPCErrorResponse } from '@modelcontextprotocol/core';
 ```
 
+### Error hierarchy refactoring
+
+The SDK now distinguishes between two types of errors:
+
+1. **`ProtocolError`** (renamed from `McpError`): Protocol errors that cross the wire as JSON-RPC error responses
+2. **`SdkError`**: Local SDK errors that never cross the wire (timeouts, connection issues, capability checks)
+
+#### Renamed exports
+
+| v1                           | v2                              |
+| ---------------------------- | ------------------------------- |
+| `McpError`                   | `ProtocolError`                 |
+| `ErrorCode`                  | `ProtocolErrorCode`             |
+| `ErrorCode.RequestTimeout`   | `SdkErrorCode.RequestTimeout`   |
+| `ErrorCode.ConnectionClosed` | `SdkErrorCode.ConnectionClosed` |
+
+**Before (v1):**
+
+```typescript
+import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
+
+try {
+    await client.callTool({ name: 'test', arguments: {} });
+} catch (error) {
+    if (error instanceof McpError && error.code === ErrorCode.RequestTimeout) {
+        console.log('Request timed out');
+    }
+    if (error instanceof McpError && error.code === ErrorCode.InvalidParams) {
+        console.log('Invalid parameters');
+    }
+}
+```
+
+**After (v2):**
+
+```typescript
+import { ProtocolError, ProtocolErrorCode, SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+
+try {
+    await client.callTool({ name: 'test', arguments: {} });
+} catch (error) {
+    // Local timeout/connection errors are now SdkError
+    if (error instanceof SdkError && error.code === SdkErrorCode.RequestTimeout) {
+        console.log('Request timed out');
+    }
+    // Protocol errors from the server are still ProtocolError
+    if (error instanceof ProtocolError && error.code === ProtocolErrorCode.InvalidParams) {
+        console.log('Invalid parameters');
+    }
+}
+```
+
+#### New `SdkErrorCode` enum
+
+The new `SdkErrorCode` enum contains string-valued codes for local SDK errors:
+
+| Code                                              | Description                                |
+| ------------------------------------------------- | ------------------------------------------ |
+| `SdkErrorCode.NotConnected`                       | Transport is not connected                 |
+| `SdkErrorCode.AlreadyConnected`                   | Transport is already connected             |
+| `SdkErrorCode.NotInitialized`                     | Protocol is not initialized                |
+| `SdkErrorCode.CapabilityNotSupported`             | Required capability is not supported       |
+| `SdkErrorCode.RequestTimeout`                     | Request timed out waiting for response     |
+| `SdkErrorCode.ConnectionClosed`                   | Connection was closed                      |
+| `SdkErrorCode.SendFailed`                         | Failed to send message                     |
+| `SdkErrorCode.ClientHttpNotImplemented`           | HTTP POST request failed                   |
+| `SdkErrorCode.ClientHttpAuthentication`           | Server returned 401 after successful auth  |
+| `SdkErrorCode.ClientHttpForbidden`                | Server returned 403 after trying upscoping |
+| `SdkErrorCode.ClientHttpUnexpectedContent`        | Unexpected content type in HTTP response   |
+| `SdkErrorCode.ClientHttpFailedToOpenStream`       | Failed to open SSE stream                  |
+| `SdkErrorCode.ClientHttpFailedToTerminateSession` | Failed to terminate session                |
+
+#### `StreamableHTTPError` removed
+
+The `StreamableHTTPError` class has been removed. HTTP transport errors are now thrown as `SdkError` with specific `SdkErrorCode` values that provide more granular error information:
+
+**Before (v1):**
+
+```typescript
+import { StreamableHTTPError } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+
+try {
+    await transport.send(message);
+} catch (error) {
+    if (error instanceof StreamableHTTPError) {
+        console.log('HTTP error:', error.code); // HTTP status code
+    }
+}
+```
+
+**After (v2):**
+
+```typescript
+import { SdkError, SdkErrorCode } from '@modelcontextprotocol/core';
+
+try {
+    await transport.send(message);
+} catch (error) {
+    if (error instanceof SdkError) {
+        switch (error.code) {
+            case SdkErrorCode.ClientHttpAuthentication:
+                console.log('Auth failed after completing auth flow');
+                break;
+            case SdkErrorCode.ClientHttpForbidden:
+                console.log('Forbidden after upscoping attempt');
+                break;
+            case SdkErrorCode.ClientHttpFailedToOpenStream:
+                console.log('Failed to open SSE stream');
+                break;
+            case SdkErrorCode.ClientHttpNotImplemented:
+                console.log('HTTP request failed');
+                break;
+        }
+        // Access HTTP status code from error.data if needed
+        const httpStatus = (error.data as { status?: number })?.status;
+    }
+}
+```
+
+#### Why this change?
+
+Previously, `ErrorCode.RequestTimeout` (-32001) and `ErrorCode.ConnectionClosed` (-32000) were used for local timeout/connection errors. However, these errors never cross the wire as JSON-RPC responses - they are rejected locally. Using protocol error codes for local errors was
+semantically inconsistent.
+
+The new design:
+
+- `ProtocolError` with `ProtocolErrorCode`: For errors that are serialized and sent as JSON-RPC error responses
+- `SdkError` with `SdkErrorCode`: For local errors that are thrown/rejected locally and never leave the SDK
+
+### OAuth error refactoring
+
+The OAuth error classes have been consolidated into a single `OAuthError` class with an `OAuthErrorCode` enum.
+
+#### Removed classes
+
+The following individual error classes have been removed in favor of `OAuthError` with the appropriate code:
+
+| v1 Class                       | v2 Equivalent                                                     |
+| ------------------------------ | ----------------------------------------------------------------- |
+| `InvalidRequestError`          | `new OAuthError(OAuthErrorCode.InvalidRequest, message)`          |
+| `InvalidClientError`           | `new OAuthError(OAuthErrorCode.InvalidClient, message)`           |
+| `InvalidGrantError`            | `new OAuthError(OAuthErrorCode.InvalidGrant, message)`            |
+| `UnauthorizedClientError`      | `new OAuthError(OAuthErrorCode.UnauthorizedClient, message)`      |
+| `UnsupportedGrantTypeError`    | `new OAuthError(OAuthErrorCode.UnsupportedGrantType, message)`    |
+| `InvalidScopeError`            | `new OAuthError(OAuthErrorCode.InvalidScope, message)`            |
+| `AccessDeniedError`            | `new OAuthError(OAuthErrorCode.AccessDenied, message)`            |
+| `ServerError`                  | `new OAuthError(OAuthErrorCode.ServerError, message)`             |
+| `TemporarilyUnavailableError`  | `new OAuthError(OAuthErrorCode.TemporarilyUnavailable, message)`  |
+| `UnsupportedResponseTypeError` | `new OAuthError(OAuthErrorCode.UnsupportedResponseType, message)` |
+| `UnsupportedTokenTypeError`    | `new OAuthError(OAuthErrorCode.UnsupportedTokenType, message)`    |
+| `InvalidTokenError`            | `new OAuthError(OAuthErrorCode.InvalidToken, message)`            |
+| `MethodNotAllowedError`        | `new OAuthError(OAuthErrorCode.MethodNotAllowed, message)`        |
+| `TooManyRequestsError`         | `new OAuthError(OAuthErrorCode.TooManyRequests, message)`         |
+| `InvalidClientMetadataError`   | `new OAuthError(OAuthErrorCode.InvalidClientMetadata, message)`   |
+| `InsufficientScopeError`       | `new OAuthError(OAuthErrorCode.InsufficientScope, message)`       |
+| `InvalidTargetError`           | `new OAuthError(OAuthErrorCode.InvalidTarget, message)`           |
+| `CustomOAuthError`             | `new OAuthError(customCode, message)`                             |
+
+The `OAUTH_ERRORS` constant has also been removed.
+
+**Before (v1):**
+
+```typescript
+import { InvalidClientError, InvalidGrantError, ServerError } from '@modelcontextprotocol/core';
+
+try {
+    await refreshToken();
+} catch (error) {
+    if (error instanceof InvalidClientError) {
+        // Handle invalid client
+    } else if (error instanceof InvalidGrantError) {
+        // Handle invalid grant
+    } else if (error instanceof ServerError) {
+        // Handle server error
+    }
+}
+```
+
+**After (v2):**
+
+```typescript
+import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/core';
+
+try {
+    await refreshToken();
+} catch (error) {
+    if (error instanceof OAuthError) {
+        switch (error.code) {
+            case OAuthErrorCode.InvalidClient:
+                // Handle invalid client
+                break;
+            case OAuthErrorCode.InvalidGrant:
+                // Handle invalid grant
+                break;
+            case OAuthErrorCode.ServerError:
+                // Handle server error
+                break;
+        }
+    }
+}
+```
+
 ## Unchanged APIs
 
 The following APIs are unchanged between v1 and v2 (only the import paths changed):
 
@@ -21,10 +21,10 @@ import type {
 import {
     CallToolResultSchema,
     Client,
-    ErrorCode,
     getDisplayName,
     ListToolsResultSchema,
-    McpError,
+    ProtocolError,
+    ProtocolErrorCode,
     StreamableHTTPClientTransport,
     UnauthorizedError,
     UrlElicitationRequiredError
@@ -337,7 +337,7 @@ async function handleElicitationRequest(request: ElicitRequest): Promise<ElicitR
     } else {
         // Should not happen because the client declares its capabilities to the server,
         // but being defensive is a good practice:
-        throw new McpError(ErrorCode.InvalidParams, `Unsupported elicitation mode: ${mode}`);
+        throw new ProtocolError(ProtocolErrorCode.InvalidParams, `Unsupported elicitation mode: ${mode}`);
     }
 }