Skip to content

docs(community): add Primitive Grouping Interest Group charter#2942

Merged
olaservo merged 3 commits into
modelcontextprotocol:mainfrom
SamMorrowDrums:sammorrowdrums/primitive-grouping-ig-charter
Jun 24, 2026
Merged

docs(community): add Primitive Grouping Interest Group charter#2942
olaservo merged 3 commits into
modelcontextprotocol:mainfrom
SamMorrowDrums:sammorrowdrums/primitive-grouping-ig-charter

Conversation

@SamMorrowDrums

@SamMorrowDrums SamMorrowDrums commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Summary

Publishes the charter for the Primitive Grouping Interest Group in the Interest Group Charters section, so the group is discoverable from the MCP docs.

The charter is ported from the group's incubation repo — specifically the long-open experimental-ext-grouping#6 ("Update IG charter, approaches, and grouping spec") — into the canonical format used by the other IG charters (e.g. Tool Annotations, Security).

Changes

  • New charter at docs/community/interest-groups/primitive-grouping.mdx
  • Registered the page under Interest Group Charters in docs/docs.json

The charter carries the source content — mission, scoped problem statement (within/beyond scope), goals, organization strategies, IG principles, facilitators/leadership, lifecycle, work tracking, and success criteria — restructured to match the canonical IG charter layout. Group-wide governance rules are intentionally not repeated, per the charter template.

Checks

npm run check:docs passes (formatting, MDX comments, and no broken links).

Port the charter for the Primitive Grouping Interest Group from the
experimental-ext-grouping incubation repo into the canonical Interest
Group Charters section, and register it in docs.json navigation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@SamMorrowDrums SamMorrowDrums requested review from a team as code owners June 18, 2026 14:07
SamMorrowDrums and others added 2 commits June 18, 2026 16:10
Port the updated charter from modelcontextprotocol/experimental-ext-grouping#6:
add the #primitive-grouping-ig Discord channel, the within/beyond-scope
problem statement, and the Goals, Organization Strategies, and IG Principles
sections.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@olaservo olaservo enabled auto-merge (squash) June 23, 2026 03:01
@olaservo olaservo merged commit d37097f into modelcontextprotocol:main Jun 24, 2026
4 checks passed
localden added a commit that referenced this pull request Jul 10, 2026
* Update Kotlin SDK tier to Tier 3 in SDK documentation

* docs: fix broken links to client/sampling and spec landing

The "Sampling" link in each architecture overview pointed at
/specification/<version>/client, which has no index page and is not a route
(only /client/sampling, /client/roots, /client/elicitation exist). Point it at
/specification/<version>/client/sampling, matching the link text. Applied across
all five spec versions (2024-11-05, 2025-03-26, 2025-06-18, 2025-11-25, draft).

Also fix two extension overviews (apps, tasks) that linked the "core MCP
specification" to /specification, which has no index/redirect. Point them at
/specification/latest, the version-agnostic spec landing redirect.

* Add Authorization Interest Group charter

Codifies the existing #auth-ig as a chartered Interest Group following
the community charter template. Documents scope, facilitators, biweekly
cadence, the WG-incubation process, and the six Working Groups proposed
to date.

* Re-organize message patterns pages

* Update links to message patterns pages after move from utilities/

* Fix typos in changelog

* make server/discover support caching

* fix formatting

* update caching intro

* removing caching specific fields from server discovery data fields

* clarify that ttlMs is an integer value in milliseconds in the docs

* fix formatting

* Mark SEPs as final

* Split auth spec

* Update metadata

* Update ASM discovery into its own doc

* Update docs

* Update docs split

* Structure updates

* Structure updates

* Structure updates

* Update docs/specification/draft/server/utilities/caching.mdx

* Restore Transports group to draft spec navigation

The message patterns reorg (ea7c32a) accidentally dropped the
Transports group from the draft Base Protocol navigation, orphaning
the stdio and Streamable HTTP transport pages.

* Split auth spec

* Update metadata

* Update ASM discovery into its own doc

* Update docs

* Update docs split

* Structure updates

* Structure updates

* Structure updates

* Bundle client registration into one page, split out AS discovery

- Merge Client ID Metadata Documents and Dynamic Client Registration
  pages (plus preregistration and authorization server binding) into a
  single Client Registration page
- Move Authorization Server Discovery into its own page with a short
  pointer from the authorization overview
- Update navigation and cross-references accordingly

* Update page split

* Fix markdown format in server/prompts doc

* Update for consistency

* Pulling things out of the table as normative verbiage

* Need to go through PR not direct to main for this change

* Add Rust MCP client tutorial

* Make Messages Pattern a sub-heading under Messages

* fix(docs): replace dead Python auth sample link in authorization tutorial

Signed-off-by: Hugues Clouâtre <hugues@linux.com>

* (chore): sep-to-spec consistency pass (#2863)

* Pulling things out of the table as normative verbiage

* JSON schema security considerations from SEP

* Update tiering per missing SEP callout

* Update SEP guidelines with extension track

* Extension naming, per SEP-2133

* SEP-2164 consistency - MUST for errors

* SEP-2243 consistency, and resolves self-contradiction

* Update changelog.mdx

* Update sdk-tiers.mdx

* Consistency with 2549

* 2575 consistency

* 2575 verbiage

* I don't think this is used anywhere

* Update feature-lifecycle.mdx

* Update feature-lifecycle.mdx

* Update feature-lifecycle.mdx

* Update changelog.mdx

* Update docs/community/feature-lifecycle.mdx

Co-authored-by: David Soria Parra <167242713+dsp-ant@users.noreply.github.com>

* Update docs/community/feature-lifecycle.mdx

Co-authored-by: David Soria Parra <167242713+dsp-ant@users.noreply.github.com>

* Update docs/extensions/overview.mdx

Co-authored-by: David Soria Parra <167242713+dsp-ant@users.noreply.github.com>

* Use dsp's suggestion consistently

---------

Co-authored-by: David Soria Parra <167242713+dsp-ant@users.noreply.github.com>

* fix(schema): extract ElicitationCompleteNotificationParams to extend NotificationParams (#2866)

Signed-off-by: Hugues Clouâtre <hugues@linux.com>

* Align client feature pages with MRTR and per-request capabilities

- Show client capability declarations in their real shape: the value of
  _meta["io.modelcontextprotocol/clientCapabilities"] is the
  ClientCapabilities object, not a top-level "capabilities" wrapper
  (which belonged to the removed initialize request).
- Relabel embedded Request/Response example pairs on elicitation,
  sampling, and roots pages to make the MRTR envelope clear: input
  requests are delivered inside InputRequiredResult.inputRequests, and
  client results are returned inside inputResponses on the retried
  request. Strip the leftover JSON-RPC result wrappers from those
  examples.
- Replace the dangling URLElicitationRequiredError reference (the error
  no longer exists) with the InputRequiredResult/requestState retry flow.
- Remove the unsupported pattern property from the StringSchema example
  in the restricted elicitation schema subset.

* Fix server page examples for required _meta, resultType, and caching fields

- Add a note to tools, resources, prompts, completion, and pagination
  pages stating that request examples omit the required _meta request
  metadata for brevity, with a link to the _meta documentation.
- Add the missing resultType: "complete" field to result examples on
  the tools, completion, and pagination pages.
- Remove a stray top-level resultType field from a completion/complete
  request example (the field belongs on results, not requests).
- Add ttlMs and cacheScope to the pagination resources/list response
  example, matching the caching requirements for list results.
- Add resultType, ttlMs, and cacheScope rows to the server/discover
  Response Fields table.

* Restore request timeout guidance, updated for transport-specific cancellation

The Timeouts section from the 2025-11-25 lifecycle page was dropped in
the draft restructure. Re-add it to the cancellation page: senders
SHOULD establish per-request timeouts, cancel on expiry (closing the
response stream on Streamable HTTP, sending notifications/cancelled on
stdio), MAY reset the clock on progress notifications, and SHOULD
enforce a maximum timeout regardless.

* Scope caching requirements to complete results and define the cache key

- Scope the caching-hints MUST to results with resultType "complete":
  interim input_required results from multi round-trip requests are not
  CacheableResults and carry no caching hints.
- Define what identifies a cached response (method plus the request
  parameters that affect the result) and forbid caching results produced
  via MRTR retries carrying inputResponses or requestState.

* Add changelog entries for required resultType and SSE resumability removal

- New major-changes entry: all results carry a required resultType
  field ("complete" or "input_required"); clients treat an absent
  field from earlier-protocol servers as "complete".
- Reword the MRTR entry so resultType is not described as something
  only InputRequiredResult carries.
- New major-changes entry: SSE stream resumability and redelivery
  (Last-Event-ID) are removed; a broken response stream loses the
  request and clients re-issue it as a new request.

* Align draft schema with spec docs

- Declare the reserved io.modelcontextprotocol/subscriptionId _meta key
  via a new NotificationMetaObject type, including the rule for deriving
  the value from the subscriptions/listen request's JSON-RPC ID
- Rewrite the three list_changed notification doc comments to reflect
  the opt-in subscriptions model instead of unsolicited delivery
- Add the HEADER_MISMATCH (-32001) error code and HeaderMismatchError
  type required by the Streamable HTTP transport's header validation
- Update cacheScope JSDoc to the authorization-context caching model
  used by the caching utility doc
- Make CancelledNotificationParams.requestId required
- Describe cancellation as client-initiated, with one server-side use:
  on stdio a server sends notifications/cancelled solely to terminate a
  subscriptions/listen stream
- Give ListRootsRequest a minimal params shape instead of RequestParams,
  matching other server-initiated input requests
- Remove ProgressNotification from ClientNotification: only clients
  issue requests, so only servers report progress

Regenerated schema.json and schema.mdx.

* Fix direction language and subscription ID rule in pattern docs

- Cancellation: describe cancellation as client-to-server, with the
  server-side exception for subscriptions/listen stream teardown on
  stdio
- Progress: describe progress notifications as server-to-client only,
  and use Client/Server in the sequence diagram
- Subscriptions: state how io.modelcontextprotocol/subscriptionId is
  derived from the subscriptions/listen request's JSON-RPC ID (decimal
  string for numeric IDs, verbatim for string IDs)

* Add repository links to Registry, Server Card, and Triggers & Events charters (#2887)

Add a `## Resources` section linking each group to its modelcontextprotocol
org repository, matching the convention already used by the Interceptors,
Tool Annotations, and Skills Over MCP charters.

- registry -> modelcontextprotocol/registry
- server-card -> modelcontextprotocol/experimental-ext-server-card
- triggers-events -> modelcontextprotocol/experimental-ext-triggers-events

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Move Rust client tab after Ruby

* Address review feedback on cancellation wording, subscriptionId docs, and error example

- Make the server-to-client direction of the stdio cancellation exception
  explicit in cancellation.mdx
- Document why io.modelcontextprotocol/subscriptionId is optional on
  NotificationMetaObject (the type covers all notifications, not just
  subscription-stream deliveries)
- Add a HeaderMismatchError example so -32001 renders in the schema
  Error section

* Apply suggestions from code review

Co-authored-by: David Soria Parra <167242713+dsp-ant@users.noreply.github.com>

* Make subscriptionId carry the JSON-RPC ID verbatim as string or number

The _meta value is now typed as RequestId (string | number) instead of
string, so no numeric-to-string conversion rule is needed. Update the
subscriptions and resources doc examples to show a numeric ID passed
through unchanged, and fix a verb agreement typo in cancellation.mdx.

* Simplify subscriptionId description to just the request ID

* fix extensions page nesting header names (#2895)

The Extension Page Tab layout does not match the rest of the site.
Currently it's Extension Name -> Extension Name. This PR switches it to be
Extension Name -> Overview

Also rename MCP Tasks to just Tasks, no need to have the MCP prefix.

This was discussed as a docs issue in Core Maintainers meeting on 6/3

* Replace discover.mdx Response Fields table with a Data Types section

Match the pattern used by the Tools, Prompts, and Resources pages: describe
only the concept-specific DiscoverResult fields, leaving envelope fields
(resultType, ttlMs, cacheScope) to the JSON example and the caching page.
This keeps the page from needing updates whenever the message envelope
changes.

* Retrigger CI

* Define error code allocation policy and renumber draft error codes

JSON-RPC 2.0 reserves -32000..-32099 for implementation-defined server
errors, and existing SDKs already use the low end of that range (request
timeouts, connection closed, session not found). The error codes introduced
in this draft collided with that usage: -32001 (HeaderMismatch) is also used
by SDKs for request timeouts and session-not-found responses.

Partition the range instead: -32000..-32009 stays implementation-defined
(existing usage grandfathered, no new codes), -32010..-32099 is reserved for
the MCP specification, with allocations recorded in schema.ts and starting
at -32020. Renumber the draft-introduced codes accordingly:

- HeaderMismatch: -32001 -> -32020
- MissingRequiredClientCapability: -32003 -> -32021
- UnsupportedProtocolVersion: -32004 -> -32022

Also add HeaderMismatchError to the schema (it previously existed only in
transport prose) with an example, and document the policy in the Error Codes
section of the base protocol overview.

* Extend implementation-defined sub-range to -32019

Simpler boundary: implementation-defined space is -32000..-32019, the MCP
specification reserves -32020..-32099. Drops the reserved-but-unallocated
buffer concept in favor of a single clean split.

* Update docs/specification/draft/basic/index.mdx

Co-authored-by: Peter Alexander <pja@anthropic.com>

* Update docs/specification/draft/basic/index.mdx

Co-authored-by: Peter Alexander <pja@anthropic.com>

* Update docs/specification/draft/basic/index.mdx

Co-authored-by: Peter Alexander <pja@anthropic.com>

* Leave room for future spec-defined local error codes

Per review feedback: the spec may want to standardize what clients receive
for common local conditions (e.g. request timeouts) in the future, so the
note no longer steers implementations away from numeric codes entirely.

* build(deps-dev): bump esbuild (#2910)

Bumps the npm_and_yarn group with 1 update in the / directory: [esbuild](https://github.com/evanw/esbuild).


Updates `esbuild` from 0.28.0 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.28.0...v0.28.1)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump esbuild (#2911)

Bumps the npm_and_yarn group with 1 update in the /tools/sep-automation directory: [esbuild](https://github.com/evanw/esbuild).


Updates `esbuild` from 0.27.2 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2025.md)
- [Commits](evanw/esbuild@v0.27.2...v0.28.1)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Remove obsolete docs/community/seps/2243-http-standardization.mdx

* build(deps-dev): bump eslint from 10.4.1 to 10.5.0

Bumps [eslint](https://github.com/eslint/eslint) from 10.4.1 to 10.5.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.4.1...v10.5.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 10.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump typescript-eslint from 8.60.1 to 8.61.0

Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.60.1 to 8.61.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-version: 8.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump prettier from 3.8.3 to 3.8.4

Bumps [prettier](https://github.com/prettier/prettier) from 3.8.3 to 3.8.4.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.3...3.8.4)

---
updated-dependencies:
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Tighten error code policy wording per review

Reframe -32000..-32019 as legacy allocations, state the emit/meaning rules
for the spec-reserved sub-range explicitly, and list the historical codes
as a bulleted MUST NOT emit list.

* Add Security IG charter; move all charters under working-groups/ and interest-groups/

:house: Remote-Dev: homespace

* build(deps-dev): bump markdown-it

Bumps the npm_and_yarn group with 1 update in the / directory: [markdown-it](https://github.com/markdown-it/markdown-it).


Updates `markdown-it` from 14.1.1 to 14.2.0
- [Changelog](https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md)
- [Commits](markdown-it/markdown-it@14.1.1...14.2.0)

---
updated-dependencies:
- dependency-name: markdown-it
  dependency-version: 14.2.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

* Apply review feedback on range guidance

Advise new implementations against using the legacy sub-range, and replace
the applications clause with a uniform statement that does not depend on
distinguishing applications from implementations.

* charter

* Format EMA interest group charter with prettier

* Add Lead Maintainer sponsor and fix facilitator name in EMA IG charter

* Add Discord channel link to EMA IG charter

* Add Discord invite link alongside channel link in EMA IG charter

* Add Ola Hungerford as Lead for Interceptors

* docs: fix SEP-2243 base64 sentinel case-sensitivity contradiction

* Extend Base64 sentinel encoding to the Mcp-Name header

Tool and prompt names are only SHOULD-constrained to header-safe
characters, so a name outside the safe set previously made the tool
uncallable over Streamable HTTP: Mcp-Name is required, but no encoding
was defined for it.

- Allow the =?base64?...?= sentinel encoding (already defined for
  Mcp-Param-{Name} headers) for the Mcp-Name header value.
- Require servers to decode encoded Mcp-Name and Mcp-Param-{Name}
  values before comparing them to the request body during server
  validation.

* Restrict x-mcp-header to statically reachable properties

The x-mcp-header extraction rule was undefined for properties nested
under array 'items', inside composition or conditional keywords
(oneOf/anyOf/allOf/not, if/then/else), or behind $ref: such properties
have no single static location in the call arguments.

- x-mcp-header annotations are now only valid on properties reachable
  from the schema root via a chain consisting solely of 'properties'
  keys. Annotations anywhere else make the tool definition invalid,
  triggering the existing client rejection rules.
- Define extraction as reading the instance value at the annotated
  property's exact path; if the value is absent, the header is omitted.
- Mirror the rule in the Tool.inputSchema schema documentation.

* Add elicitationComplete to the subscriptions/listen filter

notifications/elicitation/complete had no legal delivery channel: the
HTTP GET stream is gone, response-stream notifications must relate to
the in-flight request, and the subscriptions/listen filter had no field
covering elicitation completion — while servers must not send
notification types the client has not requested.

- Add an opt-in elicitationComplete boolean to SubscriptionFilter;
  when true, the server may deliver notifications/elicitation/complete
  on that subscription's stream.
- Document on ElicitationCompleteNotification that it is only sent to
  clients that opted in via elicitationComplete and is delivered on
  that subscription's stream (with the subscription ID in _meta).
- Document the URL-mode elicitation flow: the client subscribes via
  subscriptions/listen with elicitationComplete: true, waits for the
  completion notification, then retries the original request.
- Regenerate schema.json and the schema reference.

* Clarify that core client notifications do not occur over Streamable HTTP

In this revision, the only client-sent notification in the core
protocol is notifications/cancelled, and it is used only on the stdio
transport: on Streamable HTTP, closing the SSE response stream is
itself the cancellation signal and no notifications/cancelled message
is expected.

- Note this in the Sending Messages section, cross-linking the
  cancellation pattern; the notification POST rules remain as transport
  mechanics, with header requirements for notification POSTs left
  undefined by this revision.
- Scope the protocol-version header-body match requirement and the
  Mcp-Method header requirement to requests. Request-side rules are
  unchanged.

* Remove notifications/elicitation/complete from draft spec

With the multi round-trip request pattern, clients learn the outcome of an
out-of-band URL mode elicitation by retrying the original request, so a
server-initiated completion signal no longer has a place in the flow.

- Drop ElicitationCompleteNotification and its params from the draft schema
- Drop the elicitationComplete subscription filter field
- Remove the completion notifications section from the elicitation page and
  update the URL mode flow diagram
- Note the removal in the draft changelog

* Remove elicitationId from URL mode elicitation requests

The completion notification was the only consumer of this identifier. With
notifications/elicitation/complete gone, servers correlate an elicitation
across retries via requestState instead, so the field has no remaining
protocol-level purpose.

* Deduplicate x-mcp-header rules and drop redundant notification note

The full reachability and extraction rules live in the Streamable HTTP
transport spec; tools.mdx and the Tool schema comment now reference them
instead of restating them. Also remove the protocol-version section's note
about notification POSTs: the core protocol defines no client-to-server
notifications over Streamable HTTP, so nobody will look for that answer
there, and the Sending Messages note already covers it.

* Only carve out -32002 in the legacy sub-range receiver rule

-32042 falls in the spec-reserved sub-range, not the legacy one, so it does
not belong in that bullet's exception; it stays listed with the codes from
earlier protocol versions below.

* Add Enterprise-Managed Authorization blog post

:house: Remote-Dev: homespace

* docs: mark Archestra.AI as supporting OAuth Client Credentials (#2950)

* Update link to stable enterprise-managed authorization spec (#2949)

Spec was updated to stable, so the link was broken. Fixed the link and pointed it to the new stable url.

* Add PostHog Code to client-matrix documentation (#2946)

Co-authored-by: Ola Hungerford <olahungerford@gmail.com>

* docs: add Microsoft 365 Copilot to extension support matrix and MCP Apps client list (#2637)

* docs: add Microsoft 365 Copilot to extension support matrix and MCP Apps client list

* docs: apply Prettier formatting to client-matrix.mdx

* fix: resolve prettier formatting issues in client-matrix.mdx

* fix: restore Archestra.AI and PostHog Code rows dropped during merge

The previous merge of main inadvertently removed the Archestra.AI
(including its Enterprise Auth support) and PostHog Code entries from
the client matrix, and dropped Archestra.AI from the MCP Apps overview
client list. Restore them so this PR only adds Microsoft 365 Copilot.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Ola Hungerford <olahungerford@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* build(deps-dev): bump undici

Bumps the npm_and_yarn group with 1 update in the / directory: [undici](https://github.com/nodejs/undici).


Updates `undici` from 7.24.1 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.1...v7.28.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

* docs: complete account linking guidance in enterprise-managed authorization docs

* build(deps): bump actions/checkout from 6 to 7

Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps-dev): bump typescript-eslint from 8.61.0 to 8.61.1

Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.61.0 to 8.61.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-version: 8.61.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* docs: recommend SSE comment-line keep-alive for listen streams (#2954)

Add a non-normative note to the Streamable HTTP transport recommending
servers periodically emit an SSE comment line (:\r\n) as a keep-alive on
long-lived subscriptions/listen response streams, and stating that
clients must ignore SSE comment lines rather than treat them as malformed
input.

* Move AI contribution policy to AI_POLICY.md

:house: Remote-Dev: homespace

* feat(schema): add subscriptions/listen response (#2953)

* feat(schema): add subscriptions/listen response

subscriptions/listen was the only request without a response object. Add an
empty SubscriptionsListenResult, sent by the server to signal a graceful end of
the subscription (e.g. during shutdown), distinct from an abrupt transport drop
which carries no response. Like other stream messages it carries the
subscriptionId in _meta.

Also add the subscriptionId to the stream notification examples that were
missing it, matching the spec requirement that all stream messages carry it.

* Update schema/draft/schema.ts

Co-authored-by: Peter Alexander <pja@anthropic.com>

* Update schema/draft/schema.ts

Co-authored-by: Peter Alexander <pja@anthropic.com>

* chore(schema): regenerate draft schema after listen result _meta change

---------

Co-authored-by: Peter Alexander <pja@anthropic.com>

* docs(community): add Primitive Grouping Interest Group charter (#2942)

* docs(community): add Primitive Grouping Interest Group charter

Port the charter for the Primitive Grouping Interest Group from the
experimental-ext-grouping incubation repo into the canonical Interest
Group Charters section, and register it in docs.json navigation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs(community): sync Primitive Grouping charter with group repo PR #6

Port the updated charter from modelcontextprotocol/experimental-ext-grouping#6:
add the #primitive-grouping-ig Discord channel, the within/beyond-scope
problem statement, and the Goals, Organization Strategies, and IG Principles
sections.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Ola Hungerford <olahungerford@gmail.com>

* spec: decouple Mcp-Param-* header emission from schema TTL

The Client Behavior note for custom Mcp-Param-* headers previously said
clients SHOULD omit headers when the cached inputSchema is stale. With
ttlMs: 0 this creates a loop: the schema is always stale, so the client
always omits the header, the server rejects (header missing but value in
body), the client refreshes tools/list, and the refreshed schema is still
stale.

Reframe the rule: clients use the most recently obtained inputSchema to
construct headers, omit only when no schema has ever been obtained, and
refresh-and-retry on reject (now covering both missing and mismatched
headers). TTL governs re-fetch cadence for tools/list; it is not a gate
on emitting routing headers. Server-side header/body validation is the
freshness check.

* fix links from docs to Enterprise Managed Auth spec (#2945)

* fix link to Enterprise Managed Auth spec

* Update link text to reflect EMA spec is now stable

---------

Co-authored-by: Ola Hungerford <olahungerford@gmail.com>

* docs: reframe server/discover version-selection bullet (#2955)

* Apply suggestions from code review

Co-authored-by: Paul Carleton <paulcarletonjr@gmail.com>

* Update seps/2243-http-standardization.md

* Update docs/seps/2243-http-standardization.mdx

* (docs): Update documentation for MCP security best practices (#1554)

* Update security_best_practices.mdx

* Update security_best_practices.mdx

* Update security_best_practices.mdx

* Update security_best_practices.mdx

* Move OAuth URL validation content to relocated SBP doc

The Security Best Practices document was moved out of the spec
(specification/draft/basic/ -> docs/tutorials/security/) in 3a147cb.
During merge, git's rename detection applied this PR's additions to
the 2025-11-25 versioned spec instead of the new tutorials location.

This moves the OAuth Authorization URL Validation and stdio Transport
Security in Proxy Scenarios sections to their intended home in
docs/docs/tutorials/security/security_best_practices.mdx and restores
the 2025-11-25 spec to its released state.

:house: Remote-Dev: homespace

* Update docs/docs/tutorials/security/security_best_practices.mdx

Co-authored-by: Sam Morrow <sammorrowdrums@github.com>

* Clarify http:// scope and fix stdio section anchor

- Restrict http:// to loopback addresses during local development,
  addressing review feedback that production authorization servers
  must use https://
- Fix broken anchor link to the stdio Transport Security in Proxy
  Scenarios section

:house: Remote-Dev: homespace

* Wrap stdio escalation paragraph at 100 chars

:house: Remote-Dev: homespace

---------

Co-authored-by: Sam Morrow <sammorrowdrums@github.com>

* docs: fix elicitation example to use requestedSchema

The learn/client-concepts elicitation/create example used 'schema', but the
specification and JSON schema define the field as 'requestedSchema'.

Signed-off-by: FenjuFu <fufenjupku@gmail.com>

* Add SDK vulnerability disclosure process and stdio trust boundary to SECURITY.md (#2973)

* Add SDK vulnerability disclosure process and security policy docs

:house: Remote-Dev: homespace

* Update docs/community/security.mdx

Co-authored-by: David Soria Parra <167242713+dsp-ant@users.noreply.github.com>

---------

Co-authored-by: David Soria Parra <167242713+dsp-ant@users.noreply.github.com>

* Add Financial Services Interest Group charter

Adds docs/community/interest-groups/financial-services.mdx in the current
charter template format and registers it under Interest Group Charters in
docs.json.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix the ordering of the dprecated features table

The dperecated features table was not ordered. We are now ordereding
it by the spec versions it was first deprecated in, in descending order.

* build(deps-dev): bump typescript-eslint from 8.61.1 to 8.62.0 (#2985)

Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.61.1 to 8.62.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.62.0/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-version: 8.62.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump eslint from 10.5.0 to 10.6.0 (#2986)

Bumps [eslint](https://github.com/eslint/eslint) from 10.5.0 to 10.6.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.5.0...v10.6.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 10.6.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump prettier from 3.8.4 to 3.9.3 (#2987)

* build(deps-dev): bump prettier from 3.8.4 to 3.9.3

Bumps [prettier](https://github.com/prettier/prettier) from 3.8.4 to 3.9.3.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.4...3.9.3)

---
updated-dependencies:
- dependency-name: prettier
  dependency-version: 3.9.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Reformat schema and SEP files for prettier 3.9

:house: Remote-Dev: homespace

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Den Delimarsky <den@anthropic.com>

* docs: add Code of Conduct appeals channel

Add an Appeals section to CODE_OF_CONDUCT.md pointing to the new
appeals@modelcontextprotocol.io Google Group, an out-of-band email
channel for appealing enforcement actions (including org-level GitHub
bans). The group was stood up in modelcontextprotocol/access#123.

* Update CODE_OF_CONDUCT.md

* docs: fix typo (contraints -> constraints) in appeals section

* Add blog post announcing SDK betas for 2026-07-28 (#2988)

* Add blog post announcing Python and TypeScript SDK betas for 2026-07-28

:house: Remote-Dev: homespace

* Tighten blog post wording

:house: Remote-Dev: homespace

* Correct validation window and mention upcoming Go and C# SDK betas

:house: Remote-Dev: homespace

* Make SDK betas post developer-focused

Rework the announcement around what server implementers need: a
compatibility section up front, runnable install and migration steps
for both SDKs, links to the RC and transports posts for context, and
pointers to the SDK documentation sites and migration guides. Correct
the SEP-2577 deprecation scope and clarify the TypeScript wire opt-in.

:house: Remote-Dev: homespace

* Cover Go and C# betas alongside Python and TypeScript

All four Tier 1 SDKs now have pre-releases implementing 2026-07-28:
Go v1.7.0-pre.1 and C# 2.0.0-preview.1 join the Python and TypeScript
betas. Add a section with install commands, the Go stateless HTTP
opt-in, and links to release notes and docs sites; update the title,
intro, issue trackers, and pinning advice accordingly.

:house: Remote-Dev: homespace

* Add Felix Weinberger and Max Isbey to byline

:house: Remote-Dev: homespace

* Update blog/content/posts/2026-06-29-sdk-betas-for-2026-07-28.md

Co-authored-by: kfang-ant <kfang@anthropic.com>

* Update blog/content/posts/2026-06-29-sdk-betas-for-2026-07-28.md

Co-authored-by: kfang-ant <kfang@anthropic.com>

* Update blog/content/posts/2026-06-29-sdk-betas-for-2026-07-28.md

Co-authored-by: kfang-ant <kfang@anthropic.com>

* Restructure compatibility section and move protocol summary before SDK details

Address review feedback: frame the betas as test-and-feedback releases
with stable versions recommended for production, spell out why trying a
beta is safe (opt-in at install and on the wire), and end with concrete
steps for library authors. Move the SEP summary ahead of the per-SDK
sections so readers see what changed before the language-specific
install instructions.

:house: Remote-Dev: homespace

* Add stack diagram and align SDK betas post with amplification messaging

- Add stack.svg showing spec -> SDKs -> clients/servers layering
- Lead intro with 'stateless' and Python/TypeScript v2
- Standardize on 'v2' (drop mixed '2.0' in prose)
- Rename feedback section to 'Tell us what breaks'
- Reflow prose to ~100 chars and fix typos

* Refine SDK betas post title and feedback section

- Retitle to 'Beta SDKs for the 2026-07-28 MCP Spec Release Candidate Are Here'
- Restore 'Give us your feedback' section heading
- Separate spec-repo pointer from the C# issue-tracker bullet

* Style "+ more" SDK tile as full-size hatched block

* Update author bylines to per-SDK lead titles

---------

Co-authored-by: kfang-ant <kfang@anthropic.com>

* Correct several claims in the SDK betas blog post (#2997)

* Correct several claims in the SDK betas post

- Scope the "resolves to a stable version" install claim to Python, Go,
  and C#: the TypeScript v2 packages are new package names with no
  stable release, so installing them is itself the beta opt-in.
- State that Python and C# servers pick up the new revision on upgrade,
  in contrast to the TypeScript/Go transport-level opt-in.
- Note that the v2 SDK lines are new major versions with breaking
  changes, separate from anything that happens on July 28.
- Python: the decorator API carries over from v1's FastMCP; drop the
  "API got smaller" and "can now be implemented" framing.
- Mcp-Name rides only on requests that name a tool, resource, or
  prompt, not on every request.
- Soften the claim that every release's notes list exactly which SEPs
  are covered.
- Use https for the MRTR link.
- Move the post date to the actual publish date.

* Keep the original post date

* workflows: enable Dependabot auto-approve in slash-commands (#3018)

Wire up the slash-commands action's new dependabot-auto-approve mode:

- Add pull_request_target types opened/reopened and a check_suite
  completed trigger (gated to dependabot/ branches at the job level so
  suites on other branches don't start a run)
- Pass dependabot-auto-approve: dev-patch-minor and the explicit file
  allow-list (package.json, package-lock.json)

Dependabot PRs that update direct dev dependencies by patch/minor
versions, touch only the lockfile pair, carry verified
dependabot-authored commits, and have green CI get approved and
auto-merged by mcp-commander. Everything else still requires /lgtm.


Claude-Session: https://claude.ai/code/session_019ygNtiNcAaqTRnQjHCDkVS

Co-authored-by: Claude <noreply@anthropic.com>

* build(deps-dev): bump tsx from 4.22.4 to 4.23.0 (#3015)

Bumps [tsx](https://github.com/privatenumber/tsx) from 4.22.4 to 4.23.0.
- [Release notes](https://github.com/privatenumber/tsx/releases)
- [Changelog](https://github.com/privatenumber/tsx/blob/master/release.config.cjs)
- [Commits](privatenumber/tsx@v4.22.4...v4.23.0)

---
updated-dependencies:
- dependency-name: tsx
  dependency-version: 4.23.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump prettier from 3.9.3 to 3.9.4 (#3012)

Bumps [prettier](https://github.com/prettier/prettier) from 3.9.3 to 3.9.4.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.9.3...3.9.4)

---
updated-dependencies:
- dependency-name: prettier
  dependency-version: 3.9.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump typescript-eslint from 8.62.0 to 8.62.1 (#3013)

Bumps [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint) from 8.62.0 to 8.62.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.62.1/packages/typescript-eslint)

---
updated-dependencies:
- dependency-name: typescript-eslint
  dependency-version: 8.62.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps-dev): bump typedoc from 0.28.19 to 0.28.20 (#3014)

* build(deps-dev): bump typedoc from 0.28.19 to 0.28.20

Bumps [typedoc](https://github.com/TypeStrong/TypeDoc) from 0.28.19 to 0.28.20.
- [Release notes](https://github.com/TypeStrong/TypeDoc/releases)
- [Changelog](https://github.com/TypeStrong/typedoc/blob/master/CHANGELOG.md)
- [Commits](TypeStrong/typedoc@v0.28.19...v0.28.20)

---
updated-dependencies:
- dependency-name: typedoc
  dependency-version: 0.28.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Regenerate schema docs for typedoc 0.28.20

typedoc 0.28.20's updated JSX renderer emits whitespace between adjacent
block-level HTML tags, changing the generated schema.mdx output. Regenerated
via npm run generate:schema:md so check:schema:md passes.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>

* docs: update Goose documentation links (#3019)

* docs: update Goose documentation links

* docs: format Goose links table

* Add AI agent contribution policy to AGENTS.md (#3009)

:house: Remote-Dev: homespace

---------

Signed-off-by: Hugues Clouâtre <hugues@linux.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: FenjuFu <fufenjupku@gmail.com>
Co-authored-by: devcrocod <devcrocod@gmail.com>
Co-authored-by: Felix Weinberger <3823880+felixweinberger@users.noreply.github.com>
Co-authored-by: Sri Ujwal <sbeeredd04@users.noreply.github.com>
Co-authored-by: Paul Carleton <paulc@anthropic.com>
Co-authored-by: Clare Liguori <liguori@amazon.com>
Co-authored-by: David Soria Parra <davidsp@anthropic.com>
Co-authored-by: John Warwick <john_warwick@rapid7.com>
Co-authored-by: David Soria Parra <167242713+dsp-ant@users.noreply.github.com>
Co-authored-by: Caitie McCaffrey <caitiem20@github.com>
Co-authored-by: Den Delimarsky <53200638+localden@users.noreply.github.com>
Co-authored-by: amikai <amikai.chuang@gmail.com>
Co-authored-by: Hugues Clouâtre <hugues@linux.com>
Co-authored-by: Hugues Clouâtre <15008125+clouatre@users.noreply.github.com>
Co-authored-by: Peter Alexander <pja@anthropic.com>
Co-authored-by: Ola Hungerford <olahungerford@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Felix Weinberger <fweinberger@anthropic.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mike Kistler <mikekistler@microsoft.com>
Co-authored-by: Den Delimarsky <den@anthropic.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Paul Carleton <paulcarletonjr@gmail.com>
Co-authored-by: Dale Seo <5466341+DaleSeo@users.noreply.github.com>
Co-authored-by: Alex Akimov <alexeyakimov@gmail.com>
Co-authored-by: Joey Orlando <joseph.t.orlando@gmail.com>
Co-authored-by: garciasces <garciasces@madrid.es>
Co-authored-by: Rafael Audibert <32079912+rafaeelaudibert@users.noreply.github.com>
Co-authored-by: SuryaMSFT <116728747+SuryaMSFT@users.noreply.github.com>
Co-authored-by: Karan Raina <karanraina1996@gmail.com>
Co-authored-by: Kurtis Van Gent <31518063+kurtisvg@users.noreply.github.com>
Co-authored-by: Sam Morrow <info@sam-morrow.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Chris Concannon <chris@concannon.tech>
Co-authored-by: Sam Morrow <sammorrowdrums@github.com>
Co-authored-by: FenjuFu <fufenjupku@gmail.com>
Co-authored-by: Peder <pederhp@hotmail.com>
Co-authored-by: Agent Orchestrator <sam@tadasant.com>
Co-authored-by: Tadas Antanavicius <tadas@tadasant.com>
Co-authored-by: kfang-ant <kfang@anthropic.com>
Co-authored-by: Max <224885523+maxisbey@users.noreply.github.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: LiuHanZhi <liuhanzhi514@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants