build(deps): bump go-sdk to 1.7.0-pre.2 and migrate OAuth to multi-round-trip elicitation#2870
Open
SamMorrowDrums wants to merge 2 commits into
Open
build(deps): bump go-sdk to 1.7.0-pre.2 and migrate OAuth to multi-round-trip elicitation#2870SamMorrowDrums wants to merge 2 commits into
SamMorrowDrums wants to merge 2 commits into
Conversation
…und-trip elicitation
The go-sdk 1.7.0-pre.2 bump defaults to MCP protocol 2026-07-28, which per
SEP-2322 forbids the server from initiating JSON-RPC requests (including
`elicitation/create`) while serving a request. The OAuth login flow presents
the authorization prompt via `ServerSession.Elicit`, so on 2026-07-28 sessions
it now errors ("cannot be sent while serving a request ... return an
InputRequests map instead"), which broke TestSessionPrompterPromptActions and
would break real 2026-07-28 clients (stdio included, since server/discover is
transport-agnostic).
Migrate the OAuth middleware to multi-round-trip requests (MRTR) while keeping
pre-2026-07-28 clients unchanged:
- Legacy clients (< 2026-07-28) keep presenting the prompt via server-initiated
elicitation exactly as before.
- Modern clients (>= 2026-07-28) receive the authorization prompt as an
`InputRequests` elicitation returned from the tool call; the client fulfills
it and retries, and the middleware then awaits the token and proceeds. This
keeps the authorization URL out of the model context.
oauth.Manager gains AwaitToken (resume half of MRTR) and Cancel (tear down on
decline). Tests cover the accept/decline/no-capability MRTR paths and assert
that server-initiated elicitation is reported undeliverable on 2026-07-28.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 18e70efa-1b2d-4290-ba51-b82998db4ff8
Contributor
There was a problem hiding this comment.
Pull request overview
Updates go-sdk and adapts OAuth for MCP 2026-07-28 multi-round-trip elicitation.
Changes:
- Bumps go-sdk to
v1.7.0-pre.2. - Adds OAuth resume/cancellation lifecycle support.
- Adds protocol-aware OAuth middleware and MRTR tests.
Show a summary per file
| File | Description |
|---|---|
go.mod |
Updates go-sdk dependency. |
go.sum |
Updates dependency checksums. |
internal/oauth/manager.go |
Adds token awaiting and flow cancellation. |
internal/ghmcp/oauth.go |
Implements protocol-specific MRTR authorization. |
internal/ghmcp/oauth_test.go |
Adds modern-protocol OAuth tests. |
third-party-licenses.linux.md |
Updates Linux license reference. |
third-party-licenses.darwin.md |
Updates macOS license reference. |
third-party-licenses.windows.md |
Updates Windows license reference. |
Review details
- Files reviewed: 7/8 changed files
- Comments generated: 4
- Review effort level: Medium
Move OAuth interception into tool-handler middleware so go-sdk finalizes multi-round-trip results with resultType input_required. Correlate responses to a per-flow ID, retire cancellations synchronously, and ignore late completions from stale flows. Also preserve actionable URLs for form-only clients and add wire-level, concurrency, and real manager lifecycle coverage. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: 18e70efa-1b2d-4290-ba51-b82998db4ff8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Supersedes the Dependabot bump #2869. Bumping
modelcontextprotocol/go-sdktov1.7.0-pre.2alone fails CI (TestSessionPrompterPromptActions) and would break OAuth for real clients.Root cause: pre.2 defaults to MCP protocol 2026-07-28, which (per SEP-2322) forbids the server from initiating JSON-RPC requests — including
elicitation/create— while serving a request. The OAuth login flow presents its authorization prompt viaServerSession.Elicit(...)duringtools/call, so on 2026-07-28 sessions it now errors:The new model requires returning an
InputRequestsmap from the tool call; the client fulfills it and retries (multi-round-trip / MRTR).This is not transport-specific: the legacy
initializehandshake is capped at2025-11-25, but the newserver/discover(SEP-2575) path — attempted by pre.2 clients on any transport, stdio included — negotiates2026-07-28, whereElicitis unconditionally blocked.What
Migrate the OAuth middleware to MRTR, without changing behavior for pre-2026-07-28 clients:
tools/callreturns the authorization prompt as anInputRequestselicitation; the client presents it (keeping the auth URL out of the model's context) and retries with the response, at which point the middleware awaits the token and proceeds. Clients without elicitation capability fall back to the existing tool-result instructions.The branch is required because our OAuth middleware is outermost while the SDK's
serverMultiRoundTripMiddleware(which transparently services legacy clients) is innermost, so it can't fulfill our middleware'sInputRequests— legacy clients therefore keep the directElicitpath.Changes
go.mod/go.sum+third-party-licenses.*.md: bump tov1.7.0-pre.2.internal/oauth/manager.go: addAwaitToken(resume half of MRTR) andCancel(tear down on decline); extractoutcomeAfterFlowshared withjoinWait. Existing flow behavior is unchanged.internal/ghmcp/oauth.go: branchcreateOAuthMiddlewareon negotiated protocol version; add the MRTR handler; keep the legacy handler identical.internal/ghmcp/oauth_test.go: assert server-initiated elicitation is undeliverable on 2026-07-28; add MRTR middleware tests (accept / decline / no elicitation capability).No tool schemas change, so no toolsnap/README regeneration.
Validation
script/lintandscript/test(race) pass. The MRTR round trip (elicit → fulfill → retry → proceed) was validated end-to-end against a real in-memory 2026-07-28 client.