Skip to content

build(deps): bump go-sdk to 1.7.0-pre.2 and migrate OAuth to multi-round-trip elicitation#2870

Open
SamMorrowDrums wants to merge 2 commits into
mainfrom
sammorrowdrums-go-sdk-upgrade-fix
Open

build(deps): bump go-sdk to 1.7.0-pre.2 and migrate OAuth to multi-round-trip elicitation#2870
SamMorrowDrums wants to merge 2 commits into
mainfrom
sammorrowdrums-go-sdk-upgrade-fix

Conversation

@SamMorrowDrums

Copy link
Copy Markdown
Collaborator

Why

Supersedes the Dependabot bump #2869. Bumping modelcontextprotocol/go-sdk to v1.7.0-pre.2 alone fails CI (TestSessionPrompterPromptActions) and would break OAuth for real clients.

Root cause: pre.2 defaults to MCP protocol 2026-07-28, which (per SEP-2322) forbids the server from initiating JSON-RPC requests — including elicitation/create — while serving a request. The OAuth login flow presents its authorization prompt via ServerSession.Elicit(...) during tools/call, so on 2026-07-28 sessions it now errors:

"elicitation/create" cannot be sent while serving a request on protocol version 2026-07-28: return an InputRequests map instead (multi round-trip requests, SEP-2322)

The new model requires returning an InputRequests map from the tool call; the client fulfills it and retries (multi-round-trip / MRTR).

This is not transport-specific: the legacy initialize handshake is capped at 2025-11-25, but the new server/discover (SEP-2575) path — attempted by pre.2 clients on any transport, stdio included — negotiates 2026-07-28, where Elicit is unconditionally blocked.

What

Migrate the OAuth middleware to MRTR, without changing behavior for pre-2026-07-28 clients:

  • Legacy clients (< 2026-07-28): unchanged — the server presents the prompt via server-initiated elicitation and blocks until the token arrives.
  • Modern clients (≥ 2026-07-28): the first tools/call returns the authorization prompt as an InputRequests elicitation; the client presents it (keeping the auth URL out of the model's context) and retries with the response, at which point the middleware awaits the token and proceeds. Clients without elicitation capability fall back to the existing tool-result instructions.

The branch is required because our OAuth middleware is outermost while the SDK's serverMultiRoundTripMiddleware (which transparently services legacy clients) is innermost, so it can't fulfill our middleware's InputRequests — legacy clients therefore keep the direct Elicit path.

Changes

  • go.mod/go.sum + third-party-licenses.*.md: bump to v1.7.0-pre.2.
  • internal/oauth/manager.go: add AwaitToken (resume half of MRTR) and Cancel (tear down on decline); extract outcomeAfterFlow shared with joinWait. Existing flow behavior is unchanged.
  • internal/ghmcp/oauth.go: branch createOAuthMiddleware on negotiated protocol version; add the MRTR handler; keep the legacy handler identical.
  • internal/ghmcp/oauth_test.go: assert server-initiated elicitation is undeliverable on 2026-07-28; add MRTR middleware tests (accept / decline / no elicitation capability).

No tool schemas change, so no toolsnap/README regeneration.

Validation

script/lint and script/test (race) pass. The MRTR round trip (elicit → fulfill → retry → proceed) was validated end-to-end against a real in-memory 2026-07-28 client.

…und-trip elicitation

The go-sdk 1.7.0-pre.2 bump defaults to MCP protocol 2026-07-28, which per
SEP-2322 forbids the server from initiating JSON-RPC requests (including
`elicitation/create`) while serving a request. The OAuth login flow presents
the authorization prompt via `ServerSession.Elicit`, so on 2026-07-28 sessions
it now errors ("cannot be sent while serving a request ... return an
InputRequests map instead"), which broke TestSessionPrompterPromptActions and
would break real 2026-07-28 clients (stdio included, since server/discover is
transport-agnostic).

Migrate the OAuth middleware to multi-round-trip requests (MRTR) while keeping
pre-2026-07-28 clients unchanged:

- Legacy clients (< 2026-07-28) keep presenting the prompt via server-initiated
  elicitation exactly as before.
- Modern clients (>= 2026-07-28) receive the authorization prompt as an
  `InputRequests` elicitation returned from the tool call; the client fulfills
  it and retries, and the middleware then awaits the token and proceeds. This
  keeps the authorization URL out of the model context.

oauth.Manager gains AwaitToken (resume half of MRTR) and Cancel (tear down on
decline). Tests cover the accept/decline/no-capability MRTR paths and assert
that server-initiated elicitation is reported undeliverable on 2026-07-28.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 18e70efa-1b2d-4290-ba51-b82998db4ff8
@SamMorrowDrums SamMorrowDrums requested a review from a team as a code owner July 13, 2026 21:15
Copilot AI review requested due to automatic review settings July 13, 2026 21:15

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates go-sdk and adapts OAuth for MCP 2026-07-28 multi-round-trip elicitation.

Changes:

  • Bumps go-sdk to v1.7.0-pre.2.
  • Adds OAuth resume/cancellation lifecycle support.
  • Adds protocol-aware OAuth middleware and MRTR tests.
Show a summary per file
File Description
go.mod Updates go-sdk dependency.
go.sum Updates dependency checksums.
internal/oauth/manager.go Adds token awaiting and flow cancellation.
internal/ghmcp/oauth.go Implements protocol-specific MRTR authorization.
internal/ghmcp/oauth_test.go Adds modern-protocol OAuth tests.
third-party-licenses.linux.md Updates Linux license reference.
third-party-licenses.darwin.md Updates macOS license reference.
third-party-licenses.windows.md Updates Windows license reference.

Review details

  • Files reviewed: 7/8 changed files
  • Comments generated: 4
  • Review effort level: Medium

Comment thread internal/ghmcp/oauth.go
Comment thread internal/ghmcp/oauth.go Outdated
Comment thread internal/ghmcp/oauth.go Outdated
Comment thread internal/oauth/manager.go Outdated
Move OAuth interception into tool-handler middleware so go-sdk finalizes
multi-round-trip results with resultType input_required. Correlate responses to
a per-flow ID, retire cancellations synchronously, and ignore late completions
from stale flows.

Also preserve actionable URLs for form-only clients and add wire-level,
concurrency, and real manager lifecycle coverage.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 18e70efa-1b2d-4290-ba51-b82998db4ff8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants