lefthook merge commit

Author: KKonstantinov

.changeset/add-hono-peer-dep.md

@@ -0,0 +1,5 @@
+---
+'@modelcontextprotocol/node': patch
+---
+
+Add missing `hono` peer dependency to `@modelcontextprotocol/node`. The package already depends on `@hono/node-server` which requires `hono` at runtime, but `hono` was only listed in the workspace root, not as a peer dependency of the package itself.

.changeset/config.json

@@ -7,5 +7,11 @@
     "access": "public",
     "baseBranch": "main",
     "updateInternalDependencies": "patch",
-    "ignore": ["@modelcontextprotocol/examples-client", "@modelcontextprotocol/examples-server", "@modelcontextprotocol/examples-shared"]
+    "ignore": [
+        "@modelcontextprotocol/examples-client",
+        "@modelcontextprotocol/examples-client-quickstart",
+        "@modelcontextprotocol/examples-server",
+        "@modelcontextprotocol/examples-server-quickstart",
+        "@modelcontextprotocol/examples-shared"
+    ]
 }

.changeset/expose-auth-server-discovery.md

@@ -0,0 +1,10 @@
+---
+'@modelcontextprotocol/client': minor
+---
+
+Add `discoverOAuthServerInfo()` function and unified discovery state caching for OAuth
+
+- New `discoverOAuthServerInfo(serverUrl)` export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server URL outside of `auth()`.
+- New `OAuthDiscoveryState` type and optional `OAuthClientProvider` methods `saveDiscoveryState()` / `discoveryState()` allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost.
+- New `'discovery'` scope for `invalidateCredentials()` to clear cached discovery state.
+- New `OAuthServerInfo` type exported for the return value of `discoverOAuthServerInfo()`.

.changeset/fix-task-session-isolation.md

@@ -0,0 +1,5 @@
+---
+'@modelcontextprotocol/core': patch
+---
+
+Fix InMemoryTaskStore to enforce session isolation. Previously, sessionId was accepted but ignored on all TaskStore methods, allowing any session to enumerate, read, and mutate tasks created by other sessions. The store now persists sessionId at creation time and enforces ownership on all reads and writes.

.changeset/quick-islands-occur.md

@@ -0,0 +1,10 @@
+---
+'@modelcontextprotocol/express': patch
+'@modelcontextprotocol/hono': patch
+'@modelcontextprotocol/node': patch
+'@modelcontextprotocol/client': patch
+'@modelcontextprotocol/server': patch
+'@modelcontextprotocol/core': patch
+---
+
+remove npm references, use pnpm

.changeset/rich-hounds-report.md

@@ -0,0 +1,10 @@
+---
+'@modelcontextprotocol/express': patch
+'@modelcontextprotocol/hono': patch
+'@modelcontextprotocol/node': patch
+'@modelcontextprotocol/client': patch
+'@modelcontextprotocol/server': patch
+'@modelcontextprotocol/core': patch
+---
+
+clean up package manager usage, all pnpm

.changeset/twelve-dodos-taste.md

@@ -0,0 +1,5 @@
+---
+"@modelcontextprotocol/express": patch
+---
+
+Add jsonLimit option to createMcpExpressApp

.changeset/use-scopes-supported-in-dcr.md

@@ -0,0 +1,10 @@
+---
+'@modelcontextprotocol/client': minor
+---
+
+Apply resolved scope consistently to both DCR and the authorization URL (SEP-835)
+
+When `scopes_supported` is present in the protected resource metadata (`/.well-known/oauth-protected-resource`), the SDK already uses it as the default scope for the authorization URL. This change applies the same resolved scope to the dynamic client registration request body, ensuring both use a consistent value.
+
+- `registerClient()` now accepts an optional `scope` parameter that overrides `clientMetadata.scope` in the registration body.
+- `auth()` now computes the resolved scope once (WWW-Authenticate → PRM `scopes_supported` → `clientMetadata.scope`) and passes it to both DCR and the authorization request.