feat(mcp): MCP conformance test suites + two OAuth client fixes#1722
Merged
Conversation
🦋 Changeset detectedLatest commit: 50a900a The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
agents
@cloudflare/ai-chat
@cloudflare/codemode
create-think
hono-agents
@cloudflare/shell
@cloudflare/think
@cloudflare/voice
@cloudflare/worker-bundler
commit: |
threepointone
approved these changes
Jun 17, 2026
added 3 commits
June 17, 2026 11:31
…use bugs Runs the official @modelcontextprotocol/conformance suite (as used by the MCP TypeScript SDK) against the MCP client (Agent + MCPClientManager), McpAgent, and createMcpHandler + WorkerTransport - all hosted in workerd via wrangler dev so the implementations are tested as they run in production. The client suite found two real OAuth bugs in MCPClientConnection, fixed here: - finishAuth ran on a freshly created transport, losing the resource metadata URL captured from the WWW-Authenticate header, so token exchange fell back to the default /token endpoint - reconnecting after a mid-session 401 (scope step-up, token revocation) failed permanently with 'Already connected to a transport' Closes #1721
…er-sse-polling --suite runs scenarios in parallel against the worker, which makes the timing-sensitive server-sse-polling scenario record different results on fast vs slow machines (zero checks locally, SHOULD-level warnings on CI). Sequential single-scenario runs are deterministic. server-sse-polling is baselined: McpAgent's internal transport does not implement SEP-1699 priming events or the retry field (tracked in #1723), and the harness probes with protocol 2025-03-26 for which the pinned SDK deliberately suppresses priming on the WorkerTransport variant.
sse-retry flaked on CI: connection retry backoff plus the SDK's 5s SSE retry interval can exceed the worker's 25s waitForReady and the conformance CLI's default 30s scenario timeout on cold runners. Raise both (50s / 90s).
5e4190d to
50a900a
Compare
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1721
What
Adds the official MCP conformance suite (
@modelcontextprotocol/conformance, the same harness the MCP TypeScript SDK runs in CI) to this repo:clientAgent+MCPClientManager(+DurableObjectOAuthClientProviderfor OAuth)ConformanceHostinconformance/worker.tsserverMcpAgent/mcp-agentservercreateMcpHandler+WorkerTransportinside anAgent/mcp-handlerEverything under test runs inside workerd (
wrangler dev), not a Node approximation — Durable Object storage, the real OAuth callback route, real transports. For the client suite, the conformance CLI spawns a thin Node driver per scenario; the driver forwards the scenario to a fresh agent instance and plays the user's browser for OAuth (follows the authorization redirect into the worker's real/callbackroute). Both test servers register the same "everything server" feature set ported from the TypeScript SDK's conformance server.Bugs found and fixed
The client suite immediately caught two real OAuth bugs in
MCPClientConnection, fixed in this PR:auth/metadata-var3):finishAuthran on a freshly created transport, losing the resource metadata URL captured from theWWW-Authenticateheader on the 401. Discovery fell back to default endpoints, so the code was exchanged at/tokeneven when the authorization server advertised a different location. Fixed by finishing auth on the transport that received the 401.auth/scope-step-up): after a mid-session 401 (scope step-up, token revocation) and successful re-authorization,init()failed forever withAlready connected to a transportbecause the previous transport was never detached. Fixed by detaching it before reconnecting.Both ship with a changeset (patch).
Results
DurableObjectOAuthClientProvider; cross-app is baselined by the TypeScript SDK too).json-schema-2020-12(pinned SDK's zod→JSON Schema conversion doesn't preserve$schema/$defs/additionalPropertiesverbatim) anddns-rebinding-protection(localhost Host/Origin validation is a local-server concern).Baselines are documented per-gap in
conformance/baseline-*.yml— CI stays green while regressions and new failures are still caught.CI
New
conformance.ymlworkflow: one client job + a server matrix (mcp-agent, handler), triggered on changes topackages/agents/**.Running locally
Also verified:
pnpm vitest --run src/tests/mcp/...(188 tests) and typecheck pass with the library changes.