fix(sdk): unify server/auth/* on server-auth-legacy; drop stdio from root; optional express/hono peers

- All five server/auth/* subpaths now re-export from @modelcontextprotocol/server-auth-legacy
  so OAuth error subclasses share the same OAuthError identity that the legacy router
  and requireBearerAuth check with instanceof. Previously errors.ts defined local
  subclasses extending core's OAuthError and bearerAuth.ts re-exported /express,
  causing instanceof to fail (HTTP 500 instead of 400/401).
- Drop @modelcontextprotocol/express dependency (no longer imported).
- Forward express and hono as optional peerDependencies so consumers who do not
  use the auth or hono-adapter subpaths get no unmet-peer warnings.
- Add top-level types field for legacy moduleResolution: node.
- Revert 87d4f17's stdio re-exports from the root barrel; stdio remains
  subpath-only to match the underlying client/server packages.

Author: felixweinberger

packages/sdk/package.json

@@ -264,6 +264,7 @@
             "import": "./dist/validation/ajv-provider.mjs"
         }
     },
+    "types": "./dist/index.d.ts",
     "files": [
         "dist"
     ],
@@ -279,11 +280,22 @@
     },
     "dependencies": {
         "@modelcontextprotocol/client": "workspace:^",
-        "@modelcontextprotocol/express": "workspace:^",
         "@modelcontextprotocol/node": "workspace:^",
         "@modelcontextprotocol/server": "workspace:^",
         "@modelcontextprotocol/server-auth-legacy": "workspace:^"
     },
+    "peerDependencies": {
+        "express": "^4.18.0 || ^5.0.0",
+        "hono": "*"
+    },
+    "peerDependenciesMeta": {
+        "express": {
+            "optional": true
+        },
+        "hono": {
+            "optional": true
+        }
+    },
     "devDependencies": {
         "@modelcontextprotocol/core": "workspace:^",
         "@modelcontextprotocol/eslint-config": "workspace:^",

packages/sdk/src/index.ts

@@ -88,5 +88,3 @@ export {
     withLogging,
     withOAuth
 } from '@modelcontextprotocol/client';
-export type { StdioServerParameters } from '@modelcontextprotocol/client/stdio';
-export { DEFAULT_INHERITED_ENV_VARS, getDefaultEnvironment, StdioClientTransport } from '@modelcontextprotocol/client/stdio';

packages/sdk/src/server/auth/errors.ts

@@ -1,54 +1,6 @@
 // v1 compat: `@modelcontextprotocol/sdk/server/auth/errors.js`
-// v2 consolidated 17 OAuth error subclasses into OAuthError + OAuthErrorCode.
-// These deprecated subclasses preserve `instanceof` and `throw new InvalidTokenError(msg)` patterns.
-
-import { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/server';
-
-/** @deprecated Construct-signature type for the v1 OAuth error subclasses below. */
-export type OAuthErrorSubclass = new (message: string, errorUri?: string) => OAuthError;
-
-function sub(code: OAuthErrorCode): OAuthErrorSubclass {
-    return class extends OAuthError {
-        constructor(message: string, errorUri?: string) {
-            super(code, message, errorUri);
-        }
-    };
-}
-
-/** @deprecated Use `new OAuthError(OAuthErrorCode.InvalidRequest, ...)` */
-export const InvalidRequestError = sub(OAuthErrorCode.InvalidRequest);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.InvalidClient, ...)` */
-export const InvalidClientError = sub(OAuthErrorCode.InvalidClient);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.InvalidGrant, ...)` */
-export const InvalidGrantError = sub(OAuthErrorCode.InvalidGrant);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.UnauthorizedClient, ...)` */
-export const UnauthorizedClientError = sub(OAuthErrorCode.UnauthorizedClient);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.UnsupportedGrantType, ...)` */
-export const UnsupportedGrantTypeError = sub(OAuthErrorCode.UnsupportedGrantType);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.InvalidScope, ...)` */
-export const InvalidScopeError = sub(OAuthErrorCode.InvalidScope);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.AccessDenied, ...)` */
-export const AccessDeniedError = sub(OAuthErrorCode.AccessDenied);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.ServerError, ...)` */
-export const ServerError = sub(OAuthErrorCode.ServerError);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.TemporarilyUnavailable, ...)` */
-export const TemporarilyUnavailableError = sub(OAuthErrorCode.TemporarilyUnavailable);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.UnsupportedResponseType, ...)` */
-export const UnsupportedResponseTypeError = sub(OAuthErrorCode.UnsupportedResponseType);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.UnsupportedTokenType, ...)` */
-export const UnsupportedTokenTypeError = sub(OAuthErrorCode.UnsupportedTokenType);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.InvalidToken, ...)` */
-export const InvalidTokenError = sub(OAuthErrorCode.InvalidToken);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.MethodNotAllowed, ...)` */
-export const MethodNotAllowedError = sub(OAuthErrorCode.MethodNotAllowed);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.TooManyRequests, ...)` */
-export const TooManyRequestsError = sub(OAuthErrorCode.TooManyRequests);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.InvalidClientMetadata, ...)` */
-export const InvalidClientMetadataError = sub(OAuthErrorCode.InvalidClientMetadata);
-/** @deprecated Use `new OAuthError(OAuthErrorCode.InsufficientScope, ...)` */
-export const InsufficientScopeError = sub(OAuthErrorCode.InsufficientScope);
-
-/** @deprecated Construct {@link OAuthError} directly. */
-export class CustomOAuthError extends OAuthError {}
-
-export { OAuthError, OAuthErrorCode } from '@modelcontextprotocol/server';
+// Re-exports the frozen v1 OAuth error classes from the legacy package so that
+// errors thrown from this subpath share the same `OAuthError` identity that
+// `mcpAuthRouter`/`requireBearerAuth` (re-exported by sibling subpaths) check
+// with `instanceof`.
+export * from '@modelcontextprotocol/server-auth-legacy';

packages/sdk/src/server/auth/middleware/bearerAuth.ts

@@ -1,2 +1,5 @@
 // v1 compat: `@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js`
-export * from '@modelcontextprotocol/express';
+// Re-exports from server-auth-legacy (not @modelcontextprotocol/express) so that
+// `requireBearerAuth`'s `instanceof OAuthError` check matches the error classes
+// re-exported by the sibling `server/auth/*` subpaths.
+export * from '@modelcontextprotocol/server-auth-legacy';

packages/sdk/test/compat.test.ts

@@ -6,11 +6,11 @@ import { McpError, ErrorCode, type CallToolRequest } from '../src/types.js';
 import { Server } from '../src/server/index.js';
 import { Client } from '../src/client/index.js';
 import { McpServer } from '../src/server/mcp.js';
-import { InvalidTokenError } from '../src/server/auth/errors.js';
+import { InvalidTokenError, OAuthError as LegacyOAuthError } from '../src/server/auth/errors.js';
 import { StreamableHTTPServerTransport } from '../src/server/streamableHttp.js';
 import type { Transport } from '../src/shared/transport.js';
 import type { RequestHandlerExtra } from '../src/shared/protocol.js';
-import { OAuthError, OAuthErrorCode, ProtocolError } from '../src/index.js';
+import { ProtocolError } from '../src/index.js';
 
 describe('@modelcontextprotocol/sdk meta-package', () => {
     let warnSpy: MockInstance;
@@ -31,10 +31,10 @@ describe('@modelcontextprotocol/sdk meta-package', () => {
         // ./server/mcp.js
         expect(typeof McpServer).toBe('function');
 
-        // ./server/auth/errors.js — OAuth subclasses
+        // ./server/auth/errors.js — v1 OAuth subclasses (legacy hierarchy, shared with sibling auth subpaths)
         const tokenErr = new InvalidTokenError('bad');
-        expect(tokenErr).toBeInstanceOf(OAuthError);
-        expect(tokenErr.code).toBe(OAuthErrorCode.InvalidToken);
+        expect(tokenErr).toBeInstanceOf(LegacyOAuthError);
+        expect(tokenErr.errorCode).toBe('invalid_token');
 
         // ./server/streamableHttp.js — alias to NodeStreamableHTTPServerTransport
         expect(typeof StreamableHTTPServerTransport).toBe('function');

packages/sdk/tsconfig.json

@@ -15,7 +15,6 @@
             "@modelcontextprotocol/server/validators/cf-worker": ["./node_modules/@modelcontextprotocol/server/src/validators/cfWorker.ts"],
             "@modelcontextprotocol/node": ["./node_modules/@modelcontextprotocol/node/src/index.ts"],
             "@modelcontextprotocol/node/sse": ["./node_modules/@modelcontextprotocol/node/src/sse.ts"],
-            "@modelcontextprotocol/express": ["./node_modules/@modelcontextprotocol/express/src/index.ts"],
             "@modelcontextprotocol/server-auth-legacy": ["./node_modules/@modelcontextprotocol/server-auth-legacy/src/index.ts"],
             "@modelcontextprotocol/client/_shims": ["./node_modules/@modelcontextprotocol/client/src/shimsNode.ts"],
             "@modelcontextprotocol/server/_shims": ["./node_modules/@modelcontextprotocol/server/src/shimsNode.ts"],