fix: security hardening and CI/CD reliability improvements

claude · claude · commit 3abbb6ec1074 · 2026-03-25T11:40:12.000Z
- CODEOWNERS: update auth-team paths to match v2 monorepo layout (old paths referenced /src/... which no longer exist, causing all auth-related PRs to skip required auth-team review) - ci: align actions/checkout and actions/setup-node to @v6 in the publish job of main.yml (was @v4, inconsistent with build/test jobs) - ci: add typecheck+lint gate to publish.yml before building preview packages (broken code could previously be published on every push) - ci: remove continue-on-error from conformance jobs; expected-failures is empty so real regressions were silently swallowed - security: remove internal error detail (String(error)) from the JSON-RPC parse-error response body in streamableHttp — stack traces and file paths should not be forwarded to clients - refactor: convert tasks/result polling handler from unbounded recursion to an explicit while-loop, eliminating deep promise-chain accumulation for long-running tasks https://claude.ai/code/session_01CCxV9DvdS7Bf7bck3R9FJs
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -4,8 +4,11 @@
 * @modelcontextprotocol/typescript-sdk
 
 # Auth team owns all auth-related code
-/src/server/auth/ @modelcontextprotocol/typescript-sdk-auth
-/src/client/auth* @modelcontextprotocol/typescript-sdk-auth
-/src/shared/auth* @modelcontextprotocol/typescript-sdk-auth
-/src/examples/client/simpleOAuthClient.ts @modelcontextprotocol/typescript-sdk-auth
-/src/examples/server/demoInMemoryOAuthProvider.ts @modelcontextprotocol/typescript-sdk-auth
+/packages/client/src/client/auth* @modelcontextprotocol/typescript-sdk-auth
+/packages/client/src/client/authExtensions* @modelcontextprotocol/typescript-sdk-auth
+/packages/client/src/client/crossAppAccess* @modelcontextprotocol/typescript-sdk-auth
+/packages/core/src/shared/auth* @modelcontextprotocol/typescript-sdk-auth
+/packages/core/src/auth/ @modelcontextprotocol/typescript-sdk-auth
+/examples/shared/src/auth* @modelcontextprotocol/typescript-sdk-auth
+/examples/shared/src/authServer* @modelcontextprotocol/typescript-sdk-auth
+/examples/client/src/simpleOAuthClient* @modelcontextprotocol/typescript-sdk-auth
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -16,7 +16,7 @@ permissions:
 jobs:
     client-conformance:
         runs-on: ubuntu-latest
-        continue-on-error: true
+        continue-on-error: false
         steps:
             - uses: actions/checkout@v4
             - name: Install pnpm
@@ -34,7 +34,7 @@ jobs:
 
     server-conformance:
         runs-on: ubuntu-latest
-        continue-on-error: true
+        continue-on-error: false
         steps:
             - uses: actions/checkout@v4
             - name: Install pnpm
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -105,14 +105,14 @@ jobs:
             id-token: write
 
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@v6
 
             - name: Install pnpm
               uses: pnpm/action-setup@v4
               id: pnpm-install
               with:
                   run_install: false
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@v6
               with:
                   node-version: 24
                   cache: pnpm
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -34,6 +34,9 @@ jobs:
             - name: Install dependencies
               run: pnpm install
 
+            - name: Type-check and lint
+              run: pnpm run check:all
+
             - name: Build packages
               run: pnpm run build:all
 
diff --git a/packages/core/src/shared/protocol.ts b/packages/core/src/shared/protocol.ts
@@ -474,9 +474,12 @@ export abstract class Protocol<ContextT extends BaseContext> {
             });
 
             this.setRequestHandler('tasks/result', async (request, ctx) => {
-                const handleTaskResult = async (): Promise<Result> => {
-                    const taskId = request.params.taskId;
+                const taskId = request.params.taskId;
 
+                // Iterative poll loop: drain the queue and wait for the task to reach a terminal
+                // state. Using an explicit loop (rather than recursion) avoids building up a
+                // deep promise chain for long-running tasks.
+                while (true) {
                     // Deliver queued messages
                     if (this._taskMessageQueue) {
                         let queuedMessage: QueuedMessage | undefined;
@@ -528,15 +531,6 @@ export abstract class Protocol<ContextT extends BaseContext> {
                         throw new ProtocolError(ProtocolErrorCode.InvalidParams, `Task not found: ${taskId}`);
                     }
 
-                    // Block if task is not terminal (we've already delivered all queued messages above)
-                    if (!isTerminal(task.status)) {
-                        // Wait for status change or new messages
-                        await this._waitForTaskUpdate(taskId, ctx.mcpReq.signal);
-
-                        // After waking up, recursively call to deliver any new messages or result
-                        return await handleTaskResult();
-                    }
-
                     // If task is terminal, return the result
                     if (isTerminal(task.status)) {
                         const result = await this._taskStore!.getTaskResult(taskId, ctx.sessionId);
@@ -554,10 +548,9 @@ export abstract class Protocol<ContextT extends BaseContext> {
                         } as Result;
                     }
 
-                    return await handleTaskResult();
-                };
-
-                return await handleTaskResult();
+                    // Task is not yet terminal — wait for the next poll interval, then loop again
+                    await this._waitForTaskUpdate(taskId, ctx.mcpReq.signal);
+                }
             });
 
             this.setRequestHandler('tasks/list', async (request, ctx) => {
diff --git a/packages/server/src/server/streamableHttp.ts b/packages/server/src/server/streamableHttp.ts
@@ -806,9 +806,10 @@ export class WebStandardStreamableHTTPServerTransport implements Transport {
 
             return new Response(readable, { status: 200, headers });
         } catch (error) {
-            // return JSON-RPC formatted error
+            // return JSON-RPC formatted error — do NOT include raw error details in the response
+            // to avoid leaking internal implementation information to clients.
             this.onerror?.(error as Error);
-            return this.createJsonErrorResponse(400, -32_700, 'Parse error', { data: String(error) });
+            return this.createJsonErrorResponse(400, -32_700, 'Parse error');
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -806,9 +806,10 @@ export class WebStandardStreamableHTTPServerTransport implements Transport {`
`806`	`806`
`807`	`807`	`return new Response(readable, { status: 200, headers });`
`808`	`808`	`} catch (error) {`
`809`		`- // return JSON-RPC formatted error`
	`809`	`+ // return JSON-RPC formatted error — do NOT include raw error details in the response`
	`810`	`+ // to avoid leaking internal implementation information to clients.`
`810`	`811`	`this.onerror?.(error as Error);`
`811`		`- return this.createJsonErrorResponse(400, -32_700, 'Parse error', { data: String(error) });`
	`812`	`+ return this.createJsonErrorResponse(400, -32_700, 'Parse error');`
`812`	`813`	`}`
`813`	`814`	`}`
`814`	`815`