Skip to content

STDIO connection support improvements#2167

Open
vibegui wants to merge 3 commits intomainfrom
feat/stdio-connection-support
Open

STDIO connection support improvements#2167
vibegui wants to merge 3 commits intomainfrom
feat/stdio-connection-support

Conversation

@vibegui
Copy link
Contributor

@vibegui vibegui commented Jan 6, 2026
edited by cubic-dev-ai bot
Loading

Summary by cubic

Adds robust STDIO MCP connection support with environment-based credentials and stable process management. Improves hot-reload stability.

  • New Features

    • Issue infinite JWTs for STDIO and pass credentials via MESH_TOKEN, MESH_URL, MESH_STATE, and MESH_CONNECTION_ID; HTTP tokens remain 5 minutes.
    • Proxy exposes getConfigurationToken/getMeshUrl and includes mesh context in ON_MCP_CONFIGURATION for STDIO.
    • Stable STDIO transport: PID capture, process-tree kill, pool reset; app resets pool on startup/HMR; spawn_failed state with 5-minute cooldown to stop retry loops.
    • UI: “Refresh Tools” button in connection settings.
    • Docs: STDIO connection guide (EN/PT-BR), README updates, and AGENTS.md documentation requirements.

  • Bug Fixes

    • Persist JWT secret and ContextFactory via globalThis to survive HMR.
    • STDIO stability: detect dead clients on reuse, add spawn cooldown, and suppress noisy “Method not found” prompt errors with cleaner spawn failure logs.
    • Event bus reliability: process pending events published during a batch and support gateway subscriptions via subscriberId; validate subscriberId belongs to the same organization.
    • Tests updated to new issueMeshToken options API.

Written for commit 97e37b1. Summary will update on new commits.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 6, 2026

🧪 Benchmark

Should we run the MCP Gateway benchmark for this PR?

React with 👍 to run the benchmark.

Reaction Action
👍 Run quick benchmark (10 & 128 tools)

Benchmark will run on the next push after you react.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 6, 2026

Release Options

Should a new version be published when this PR is merged?

React with an emoji to vote on the release type:

Reaction Type Next Version
👍 Prerelease 1.2.1-alpha.1
🎉 Patch 1.2.1
❤️ Minor 1.3.0
🚀 Major 2.0.0

Current version: 1.2.0

Deployment

  • Deploy to production (triggers ArgoCD sync after Docker image is published)

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Jan 6, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 14 files

Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/docs/client/src/content/pt-br/mcp-mesh/mcp-servers.mdx">

<violation number="1" location="apps/docs/client/src/content/pt-br/mcp-mesh/mcp-servers.mdx:64">
P2: The example uses `connectionId` but this variable is never defined. Consider adding a placeholder definition or a comment explaining where it comes from.</violation>
</file>

<file name="apps/docs/client/src/content/en/mcp-mesh/mcp-servers.mdx">

<violation number="1" location="apps/docs/client/src/content/en/mcp-mesh/mcp-servers.mdx:60">
P2: The code example references `connectionId` which is never defined or explained. Consider adding a comment explaining where this value comes from, or defining it (perhaps from `state`).</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

apps/docs/client/src/content/pt-br/mcp-mesh/mcp-servers.mdx
const state = process.env.MESH_STATE ? JSON.parse(process.env.MESH_STATE) : {};

// Usar token para chamadas à API mesh
const response = await fetch(`${meshUrl}/mcp/${connectionId}`, {
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Jan 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The example uses connectionId but this variable is never defined. Consider adding a placeholder definition or a comment explaining where it comes from.

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At apps/docs/client/src/content/pt-br/mcp-mesh/mcp-servers.mdx, line 64:

<comment>The example uses `connectionId` but this variable is never defined. Consider adding a placeholder definition or a comment explaining where it comes from.</comment>

<file context>
@@ -1,24 +1,86 @@
+const state = process.env.MESH_STATE ? JSON.parse(process.env.MESH_STATE) : {};
+
+// Usar token para chamadas à API mesh
+const response = await fetch(`${meshUrl}/mcp/${connectionId}`, {
+  headers: { Authorization: `Bearer ${meshToken}` },
+  // ...
</file context>

✅ Addressed in 4e7fe45

apps/docs/client/src/content/en/mcp-mesh/mcp-servers.mdx
const state = process.env.MESH_STATE ? JSON.parse(process.env.MESH_STATE) : {};

// Use token for mesh API calls
const response = await fetch(`${meshUrl}/mcp/${connectionId}`, {
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Jan 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: The code example references connectionId which is never defined or explained. Consider adding a comment explaining where this value comes from, or defining it (perhaps from state).

Prompt for AI agents 
Check if this issue is valid — if so, understand the root cause and fix it. At apps/docs/client/src/content/en/mcp-mesh/mcp-servers.mdx, line 60:

<comment>The code example references `connectionId` which is never defined or explained. Consider adding a comment explaining where this value comes from, or defining it (perhaps from `state`).</comment>

<file context>
@@ -8,7 +8,69 @@ import Callout from &quot;../../../components/ui/Callout.astro&quot;;
+const state = process.env.MESH_STATE ? JSON.parse(process.env.MESH_STATE) : {};
+
+// Use token for mesh API calls
+const response = await fetch(`${meshUrl}/mcp/${connectionId}`, {
+  headers: { Authorization: `Bearer ${meshToken}` },
+  // ...
</file context>

✅ Addressed in 0c31351

@vibegui vibegui force-pushed the feat/stdio-connection-support branch 2 times, most recently from 525871e to fe66674 Compare January 8, 2026 18:11
@vibegui vibegui mentioned this pull request Jan 8, 2026
Closed
4 tasks
@vibegui vibegui force-pushed the feat/stdio-connection-support branch 5 times, most recently from 1d3989b to af27cb0 Compare January 10, 2026 09:30
@vibegui vibegui force-pushed the feat/stdio-connection-support branch 2 times, most recently from 72bd970 to 914afab Compare January 17, 2026 01:48
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Jan 17, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 7 files (changes from recent commits).

Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/mesh/src/tools/eventbus/subscribe.ts">

<violation number="1" location="apps/mesh/src/tools/eventbus/subscribe.ts:27">
P2: `subscriberId` from input is accepted without any authorization check, so a caller can subscribe on behalf of another connection. Gate the override to trusted gateway calls or verify access to the target connection before using it.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@vibegui
Enhance documentation and improve STDIO connection handling
86dc836 
- Added documentation requirements to ensure updates accompany code changes.
- Introduced a new section on STDIO connections in README.md, detailing environment variable usage for local MCPs.
- Expanded the MCP servers documentation to clarify connection types and token handling.
- Implemented a reset mechanism for STDIO connections to refresh credentials on app restart.
- Updated JWT handling to support infinite tokens for STDIO connections.
- Improved error handling and logging in connection management.

This commit aims to improve developer experience and maintain accurate documentation alongside code changes.
@vibegui
feat: improve STDIO connection handling and event bus reliability
a144a78 
- Add spawn_failed status with 5-minute cooldown to prevent retry loops
- Pass MESH_CONNECTION_ID env var to STDIO servers for event bus subscriptions
- Suppress noisy 'Method not found' errors for MCPs without prompts
- Add pendingProcessRequest to event-bus worker for events published during batch
- Add subscriberId option to EVENT_SUBSCRIBE for gateway subscriptions
- Improve concurrently to kill processes on SIGTERM (better HMR cleanup)
- Only log 'Connection closed unexpectedly' when previously connected
@vibegui vibegui force-pushed the feat/stdio-connection-support branch from 1c6113d to a144a78 Compare January 26, 2026 18:25
@vibegui
feat: add organization validation for subscriberId in event bus subsc…
97e37b1 
…riptions

- Implemented a check to verify that the provided subscriberId belongs to the same organization as the caller's connection.
- Added error handling to prevent subscriptions on behalf of connections outside the user's organization, enhancing security and integrity of event bus interactions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vibegui