v1.8.0 - OAuth Auth Context + Three-Layer Middleware

🎉 v1.8.0 - OAuth Auth Context & Complete Middleware Architecture

🔐 BREAKING CHANGE: OAuth Auth Context Pass-Through

This release completes the production-ready OAuth authentication flow with full token pass-through from transport layer to tool execution.

✨ What's New

🎯 Production-Ready OAuth Flow:

• ✅ New Parameter: ProtocolHandler::handle_request() now accepts auth_context: Option<AuthContext>
• ✅ Transport Integration: StreamableHttpServer extracts and validates OAuth from Authorization headers
• ✅ Middleware Pattern: Tool middleware can inject tokens into RequestHandlerExtra metadata
• ✅ DRY Tools: No repetitive auth code - tools consume tokens from metadata
• ✅ Fine-Grained Access: ToolAuthorizer trait for per-tool authorization

🏗️ Three-Layer Middleware Architecture:

• 🔹 HTTP Layer (ServerHttpMiddleware) - Transport-level processing
• 🔹 Protocol Layer (EnhancedMiddleware) - JSON-RPC message processing
• 🔹 Tool Layer (ToolMiddleware) - Tool execution processing
• Full auth context pass-through across all layers

📚 New Examples & Tests

• Example 58: Complete OAuth flow from transport → middleware → tools
• Example 55: Server HTTP middleware demonstration
• Integration Tests: tests/auth_context_integration_test.rs with 3 scenarios
  • Auth context flows from transport to tools
  • Missing auth context fails in tool
  • Invalid token rejected at transport

⚠️ Migration Required

All ProtocolHandler::handle_request() calls must now include auth_context parameter:

// Update existing calls - add None for no authentication:
server.handle_request(id, request, None).await

// In transport layer (e.g., HTTP handlers):
let auth_context = auth_provider.validate_request(auth_header).await?;
server.handle_request(id, request, auth_context).await

Affected Files:

• All transport adapters (StdioAdapter, HttpAdapter, WebSocketAdapter)
• Custom ProtocolHandler implementations
• Test code calling handle_request()

🔨 Technical Details

Core Changes:

• src/server/core.rs: Added auth_context parameter to ProtocolHandler trait
• src/server/mod.rs: Updated Server wrapper with auth validation
• src/server/streamable_http_server.rs: OAuth extraction and validation
• src/server/adapters.rs: Updated all transport adapters

Quality Assurance:

• ✅ Zero clippy warnings
• ✅ All 439+ tests passing
• ✅ Integration tests for complete OAuth flow
• ✅ Example code demonstrates best practices
• ✅ Cognitive complexity reduced (≤25 per function)

🎯 Use Cases Enabled

1. Multi-tenant SaaS: Each tool call includes user context
2. Backend API Integration: Tools authenticate with third-party APIs using user tokens
3. Fine-grained Authorization: Per-user, per-tool access control
4. Audit Logging: Track which user called which tool with what token

📖 Documentation

• README updated with v1.8.0 migration guide
• All examples updated to pass auth_context
• API docs include auth_context usage patterns

---

Full Changelog: v1.7.0...v1.8.0

Contributors: @guyernest

Quality Gates: ✅ All passing (formatting, clippy, tests, benchmarks)

v1.7.0

🚨 BREAKING CHANGE

ClientCapabilities now correctly implements the MCP specification. Server-only capabilities (tools, prompts, resources, logging) have been removed from ClientCapabilities.

Summary

This release fixes two critical issues affecting compatibility with Cursor IDE and other spec-compliant MCP clients:

1. ClientCapabilities Schema Fix: Removes invalid server-only capabilities from ClientCapabilities struct
2. mcp-tester Accept Header: Adds proper Accept header to match Cursor IDE behavior

Major Changes

ClientCapabilities Schema (src/types/capabilities.rs)

• Removed: tools, prompts, resources, logging fields (these are SERVER capabilities)
• Added: Spec-compliant client capability fields:
  • sampling: Optional - Client can handle LLM sampling requests
  • elicitation: Optional - Client can provide user input
  • roots: Optional - Client supports roots notifications
  • experimental: Optional<HashMap<String, serde_json::Value>> - Experimental features
• Added helper methods: minimal(), supports_sampling(), supports_elicitation()

mcp-tester Accept Header Fix (examples/26-server-tester/src/tester.rs)

• Added Accept: application/json, text/event-stream header to match Cursor IDE v1.7.33
• Fixes 406 Not Acceptable errors with streamable HTTP servers
• Updated documentation to clarify test simulates Cursor IDE's exact behavior

Updated Examples, Tests, and Documentation

• 10 client examples updated to use spec-compliant ClientCapabilities
• Property tests updated for new capability fields
• State machine tests updated
• Book chapters (ch03, ch08, ch09) updated with correct capability examples
• README.md updated with migration guide
• Benchmarks updated for new schema

Fixes

• ✅ Cursor IDE now works correctly (tested with v1.7.33)
• ✅ Spec-compliant clients no longer receive "Method not found: initialize" errors
• ✅ mcp-tester accurately simulates real Cursor IDE behavior
• ✅ Streamable HTTP servers properly handle Accept headers

Migration Guide

Before (WRONG) ❌

let capabilities = ClientCapabilities {
    tools: Some(ToolCapabilities::default()),  // ❌ Wrong - this is server capability
    prompts: Some(PromptCapabilities::default()),  // ❌ Wrong
    resources: Some(ResourceCapabilities::default()),  // ❌ Wrong
    ..Default::default()
};

After (CORRECT) ✅

let capabilities = ClientCapabilities {
    sampling: Some(SamplingCapabilities::default()),  // ✅ Correct - client capability
    elicitation: Some(ElicitationCapabilities::default()),  // ✅ Correct
    roots: Some(RootsCapabilities::default()),  // ✅ Correct
    ..Default::default()
};

// Or use the minimal helper:
let capabilities = ClientCapabilities::minimal();

Steps to Migrate

1. Update ClientCapabilities initialization:

   • Remove: tools, prompts, resources, logging
   • Add (if needed): sampling, elicitation, roots, experimental

2. Use helper methods:

   • ClientCapabilities::minimal() for basic clients
   • ClientCapabilities::full() for clients with all features
   • Check capabilities with supports_sampling(), supports_elicitation()

3. Update Cargo.toml: Bump to pmcp = "1.7.0"

What's Changed

Full changelog: v1.6.2...v1.7.0

Testing

• ✅ All unit tests passing
• ✅ All integration tests passing
• ✅ All examples compile and run correctly
• ✅ Property-based tests updated and passing
• ✅ Benchmarks updated and passing
• ✅ mcp-tester now correctly simulates Cursor IDE v1.7.33
• ✅ Verified with real Cursor IDE (no more 406/method not found errors)

---

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

v1.6.2

🎉 Version 1.6.2 - Hybrid Workflow Execution & Server-Side Resource Fetching!

🚀 Prompts as Workflows - Built-in Support

• Hybrid Execution Model: Server executes deterministic steps, client continues with full context

  • 📈 Compliance Improvement: ~60-70% (instruction-only) → ~85-95% (hybrid execution)
  • 🔄 Server-Side Tool Execution: Tools execute during prompts/get, return conversation traces
  • 📚 Resource Embedding: Automatic fetch and embed of documentation/context
  • 🎯 Graceful Handoff: Server does deterministic work, hands off with guidance

• New Workflow Features:

  • ✨ .with_guidance(text): Assistant messages explaining what steps should do
  • 📦 .with_resource(uri): Server-side resource fetching and embedding
  • 🔄 Argument Substitution: {arg_name} placeholders in guidance replaced with actual values
  • 🤖 Client Autonomy Awareness: Designed for autonomous MCP clients that can follow, ignore, or modify instructions

• Complete Hybrid Execution:

  • Server creates user intent + assistant plan messages
  • Server executes steps with resolved parameters
  • Server fetches and embeds resources as user messages
  • Server stops when parameters need LLM reasoning (graceful handoff)
  • Client receives: tool results + resources + guidance → continues with complete context

📚 New Example:

• 54_hybrid_workflow_execution - Logseq task creation with fuzzy matching and resource embedding

📖 Documentation:

• Updated Chapter 7 with hybrid execution model, client autonomy, and compliance metrics

Installation

[dependencies]
pmcp = "1.6.2"

What's Changed

• feat: add server-side resource fetching for workflow steps
• docs: update Ch7 to document hybrid execution and client autonomy
• chore: bump version to v1.6.2
• feat: merge workflow resource fetching and hybrid execution

Full Changelog: v1.6.1...v1.6.2

v1.6.1

Release version 1.6.1

Enhanced prompt management with safer workflow integration for tools and resources.

v1.6.0

Release v1.6.0

Production-Ready Type-Safe Tools & Cross-Transport Support

- Type-safe schema generation with automatic JSON schemas from Rust types
- Configurable schema normalization to prevent huge expanded schemas
- Consistent validation error codes for client elicitation automation
- Cross-platform path validation with security constraints
- Full cross-transport support (HTTP, SSE, WebSocket)
- WASM-compatible typed tool API for browser and edge environments
- Ergonomic builder methods for typed tools

- TypedTool and TypedSyncTool for type-safe tool creation
- TypedToolV2 with optional output typing for better testing
- Comprehensive validation helpers (email, URL, regex, range, etc.)
- Path traversal protection with cross-platform support
- Elicitation-friendly error responses for UI automation
- New tool_typed() and tool_typed_sync() builder methods

- 32_typed_tools: Basic typed tool usage with automatic schemas
- 33_advanced_typed_tools: Complex validation and nested structures
- 34_serverbuilder_typed: Using the ergonomic builder methods
- 35_wasm_typed_tools: WASM-compatible typed tools for browser/edge

- Comprehensive E2E transport tests
- Full TypeScript SDK compatibility maintained
- Zero breaking changes
- Extensive documentation and examples

v1.5.5

Release v1.5.5

Critical bug fix release:
- Fixed SimpleTool.with_description() not properly serializing tool descriptions
- Tool descriptions now correctly appear in tools/list responses

Additional improvements:
- Fixed hanging test in transport_isolation_properties
- Added MCP Tester integration framework for better testing
- Simplified CI workflow for more reliable builds

This release addresses feedback from early adopters regarding missing tool descriptions.

v1.5.4

Release version 1.5.4

- Schema validation for tool definitions with detailed warnings
- Automatic scenario generation from server capabilities
- Comprehensive resource and prompt testing
- Smart value generation based on JSON schema types

- SimpleTool for streamlined tool creation
- SimplePrompt for easy prompt templates
- SimpleResource for resource management with MIME types
- Enhanced metadata support for prompts and resources

- Increased SIMD test timeout for CI stability
- Updated GitHub Actions to eliminate deprecation warnings
- Comprehensive documentation and test scenario examples
- Zero clippy warnings and improved test coverage

For full details, see the README and CHANGELOG.

v1.5.3

Release v1.5.3

- Fix package size issue (removed 96MB spin binary)
- Package now 2.5MB (was 98.2MB)
- Ready for successful crates.io publishing

v1.5.2

Release v1.5.2

- Clean release with proper version alignment
- Fixed release workflow for existing releases
- WASM MCP Server support
- Scenario testing framework
- Enhanced HTTP transport

🚀 PMCP v1.5.0: Write Once, Deploy Everywhere - WASM/WASI Universal MCP Servers

🚀 PMCP v1.5.0: Write Once, Deploy Everywhere - WASM/WASI Universal MCP Servers

🎯 Major Release: Platform-Agnostic MCP Architecture

✨ Headline Feature: Universal WASM Deployment

Write once in Rust, deploy everywhere - The same MCP server code now runs on Cloudflare Workers, Fermyon Spin, and any WASM/WASI-compliant platform, achieving true platform independence similar to the TypeScript SDK architecture.

🏗️ Architecture Revolution: Clean Separation of Logic and Transport

📐 New Architecture Design

Following the TypeScript SDK's successful pattern, v1.5.0 introduces a clean separation between:

• Core MCP Logic: Platform-agnostic business logic (WasmMcpServer)
• Transport Layer: Thin platform-specific adapters (Cloudflare, Fermyon, etc.)
• Universal API: Consistent interface across all deployment targets

🎯 Key Achievement

// Same code runs everywhere
let server = WasmMcpServer::builder()
    .name("my-mcp-server")
    .version("1.0.0")
    .tool("calculator", SimpleTool::new(...))
    .build();

// Deploy to Cloudflare, Fermyon, or any WASM platform

🌟 Major New Features

🔧 WasmMcpServer - Universal MCP Implementation

• Platform-agnostic core: Single implementation for all WASM targets
• Type-safe builder pattern: Compile-time validation of server configuration
• SimpleTool abstraction: Easy tool creation with automatic JSON-RPC handling
• Full MCP protocol compliance: Initialize, tools/list, tools/call, notifications
• Automatic error handling: Built-in validation and error responses

🌐 Multi-Platform Deployment Support

Cloudflare Workers

• Global edge deployment: 200+ locations worldwide
• V8 Isolates: Sub-millisecond cold starts
• KV & Durable Objects: Integrated state management
• Cost-effective: Pay-per-request pricing model

Fermyon Spin

• Standard WASI: Uses wasm32-wasip1 target
• Component Model: First-class WASI component support
• Built-in SQLite: Persistent storage capabilities
• Simple deployment: Single spin deploy command

🧪 Enhanced Testing Infrastructure

MCP Tester Improvements

• Scenario-based testing: YAML/JSON test definitions
• Comprehensive assertions: Success, failure, contains, equals, array operations
• Verbose mode support: Detailed test output with --verbose flag
• HTTP/JSON-RPC alignment: Full protocol compliance testing

Test Scenarios

• calculator-test.yaml: Comprehensive test suite with error cases
• calculator-simple.json: Basic operation validation
• minimal-test.json: Quick connectivity verification

🔄 Transport Layer Improvements

• JSON-RPC notification handling: Proper detection of requests without 'id' field
• Empty response support: Handle 200 OK with no Content-Type (notifications)
• Platform-specific adapters: Minimal boilerplate for each platform
• Error propagation: Consistent error handling across transports

📊 Performance & Scalability

🚀 Deployment Metrics

Platform	Cold Start	Global Scale	State Management	Cost Model
Cloudflare	50-200ms	200+ locations	KV, Durable Objects	Pay-per-request
Fermyon	100-300ms	Regional	SQLite	Instance-based
WASI Generic	Varies	Custom	Platform-specific	Flexible

⚡ Runtime Performance

• Zero overhead abstraction: No performance penalty for platform abstraction
• Compile-time optimization: WASM optimization at build time
• Minimal binary size: ~500KB WASM modules
• Memory efficient: Low memory footprint per request

🛠️ Developer Experience Improvements

📦 Simplified Development

# Build once
cargo build --target wasm32-unknown-unknown --release

# Deploy anywhere
wrangler deploy  # Cloudflare
spin deploy      # Fermyon
# ... any WASM platform

🔍 Testing Tools

# Test any deployment with scenarios
mcp-tester scenario https://<your-deployment> test-scenarios/calculator-test.yaml

# Verbose output for debugging
mcp-tester tools --verbose https://<your-deployment>

📚 Comprehensive Documentation

• Platform-specific deployment guides
• Scenario testing documentation
• Architecture overview with examples
• Migration guides from v1.4.x

🔧 Technical Improvements

Core SDK

• ServerCore refactoring: Clean separation of concerns
• Protocol version negotiation: Improved compatibility handling
• Type safety enhancements: Stronger compile-time guarantees
• Error recovery: Better error messages and recovery strategies

Quality & Testing

• 100% scenario test pass rate: All test scenarios passing
• Cross-platform validation: Tested on multiple WASM runtimes
• Backward compatibility: Full compatibility with existing MCP clients
• Toyota Way compliance: Zero tolerance for defects

🚀 Migration Guide

From v1.4.x to v1.5.0

1. Update dependency: pmcp = "1.5.0"
2. Choose deployment model:
   • Use WasmMcpServer for WASM deployments
   • Use existing Server for native deployments
3. Platform adapters: Add thin wrapper for your platform
4. Test with scenarios: Validate using mcp-tester

Example Migration

// Before (v1.4.x)
let server = Server::builder()
    .tool(my_tool_handler)
    .build();

// After (v1.5.0) - WASM deployment
let server = WasmMcpServer::builder()
    .tool("my_tool", SimpleTool::new(my_tool_handler))
    .build();

📈 What's Next

Roadmap

• Additional platform support (Wasmtime, WasmEdge, etc.)
• State management abstractions
• Cross-platform resource handlers
• Enhanced debugging tools

🙏 Acknowledgments

Special thanks to all contributors who made this release possible, especially the work on clean architecture separation and comprehensive testing infrastructure.

📦 Installation

[dependencies]
pmcp = "1.5.0"

🔗 Resources

• Documentation
• Examples
• WASM Deployment Guide
• MCP Protocol Specification

---

Breaking Changes: None - Full backward compatibility maintained

Minimum Rust Version: 1.70.0

License: MIT