Skip to content

feat: upgrade mcp-go to v0.43.2 with streamable HTTP transport#38

Open
danielheringers wants to merge 8 commits intooisee:mainfrom
danielheringers:feat/mcp-go-0.43.2-http-streamable
Open

feat: upgrade mcp-go to v0.43.2 with streamable HTTP transport#38
danielheringers wants to merge 8 commits intooisee:mainfrom
danielheringers:feat/mcp-go-0.43.2-http-streamable

Conversation

@danielheringers
Copy link
Copy Markdown

@danielheringers danielheringers commented Feb 25, 2026

Summary

  • Upgrade github.com/mark3labs/mcp-go from v0.17.0 to v0.43.2
  • Migrate MCP tool handlers from request.Params.Arguments to request.GetArguments()
  • Add Streamable HTTP as an alternative MCP transport (--transport http-streamable)
  • Keep backward compatibility with stdio as the default transport

Changes

  • go.mod, go.sum
    • bump mcp-go and update transitive deps
  • internal/mcp/handlers_*.go
    • migrate handler argument reads to request.GetArguments()
  • internal/mcp/server.go
    • add transport routing (Serve, ServeStdio, ServeStreamableHTTP)
    • add default HTTP bind/path constants
  • cmd/vsp/main.go
    • add --transport flag and SAP_TRANSPORT env support
    • normalize and validate transport values (stdio, http-streamable)
  • Added tests:
    • internal/mcp/arguments_migration_test.go
    • internal/mcp/server_transport_test.go
    • cmd/vsp/main_test.go
  • Docs:
    • README.md, ARCHITECTURE.md, CLAUDE.md

Test plan

  • go test -run TestHandlersUseGetArgumentsAPI ./internal/mcp -v
  • go test -run "TestServe_|TestServeStreamableHTTP_" ./internal/mcp -v
  • go test -run "TestValidateConfig_Transport|TestResolveConfig_Transport|TestRootCmdHasTransportFlag" ./cmd/vsp -v
  • go test ./internal/mcp ./cmd/vsp
  • go test -cover ./internal/mcp ./cmd/vsp
    • internal/mcp: 9.1%
    • cmd/vsp: 15.1%
  • Manual HTTP Streamable smoke test on /mcp
    • initialize: OK
    • notifications/initialized: OK
    • tools/list: OK (non-empty list)

Notes

  • go test ./... currently fails in pkg/cache (Example_withSQLite) due CGO/SQLite runtime constraint (CGO_ENABLED=0), which is outside this PR scope.
  • Kept GetDependencyZIP compatibility behavior in embedded/deps/embed.go to avoid regressions while related upstream discussion is ongoing.

Fixes #21

marianfoo
marianfoo requested changes Mar 13, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@marianfoo marianfoo left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your PR, we will review it

marianfoo and others added 2 commits March 13, 2026 14:12
@marianfoo @claude
fix: address PR oisee#38 reviewer suggestions
2d91e6d 
- Revert embedded/deps/embed.go GetDependencyZIP to main branch's
  switch-based implementation (resolves conflict per reviewer request)
- Revert server.go formatting-only changes: struct field alignment,
  map entry alignment, tool count comment (81 tools, not 41)
- Add Origin header validation middleware to ServeStreamableHTTP per
  MCP spec (prevents DNS rebinding attacks):
  https://modelcontextprotocol.io/specification/2025-03-26/basic/transports
  - originValidationMiddleware wraps the MCP handler
  - isSameOriginHost normalizes 127.0.0.1/::1/localhost as equivalent
  - Adds listenAndServeFunc var for testability
  - Updates streamableHTTPStarter interface to include http.Handler
  - Adds 3 new Origin validation tests + updates existing transport tests
- Update report to note GetDependencyZIP test is resolved (commit 5317105)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@marianfoo @claude
fix: resolve merge conflicts with main branch
ebf5e99 
- CLAUDE.md: keep correct tool count (81/122) + add SAP_TRANSPORT row
- README.md: keep correct tool count (122) + add --transport example

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@marianfoo marianfoo requested review from oisee March 13, 2026 13:26
@marianfoo marianfoo mentioned this pull request Mar 13, 2026
Closed
5 tasks
@marianfoo
feat: add --http-addr / SAP_HTTP_ADDR to configure HTTP listen address
3f9dc4e 
- Config struct: add HTTPAddr field for http-streamable listen address
- Serve(): use Config.HTTPAddr when set, falls back to DefaultStreamableHTTPAddr
  (127.0.0.1:8080) so local usage remains safe by default
- main.go: add --http-addr flag and SAP_HTTP_ADDR env var; update verbose log
  to print the actual resolved address
- server_transport_test.go: add TestServe_UsesConfigHTTPAddr covering the
  Config.HTTPAddr override path

Made-with: Cursor
@marianfoo
feat: add W disabled-group to hide all write tools from context
4be1605 
Use SAP_DISABLED_GROUPS=W (or --disabled-groups W) to remove all
create/update/delete/execute tools from the MCP tool list entirely,
giving a clean read-only context with no write tools visible to the LLM.

Covered tools: WriteSource, EditSource, UpdateSource, WriteProgram,
WriteClass, UpdateClassInclude, CreateObject, DeleteObject, RenameObject,
MoveObject, CloneObject, CreatePackage, CreateTable, CreateTestInclude,
CreateAndActivateProgram, CreateClassWithTests, LockObject, UnlockObject,
Activate, ActivatePackage, PrettyPrint, SetPrettyPrinterSettings,
SetTextElements, ImportFromFile, DeployFromFile, ExecuteABAP, CallRFC,
SetBreakpoint, DeleteBreakpoint, AMDPSetBreakpoint, PublishServiceBinding,
UnpublishServiceBinding, CreateTransport, ReleaseTransport, DeleteTransport,
InstallZADTVSP, InstallAbapGit, InstallDummyTest, UI5UploadFile,
UI5DeleteFile, UI5CreateApp, UI5DeleteApp

Combine with SAP_READ_ONLY=true for defence-in-depth:
  SAP_DISABLED_GROUPS=W  — tools not shown to LLM
  SAP_READ_ONLY=true     — runtime block if a write is attempted anyway

Made-with: Cursor
marianfoo added a commit to marianfoo/vibing-steampunk that referenced this pull request Mar 23, 2026
@marianfoo @claude
fix: address PR oisee#38 reviewer suggestions
ff50e27 
- Revert embedded/deps/embed.go GetDependencyZIP to main branch's
  switch-based implementation (resolves conflict per reviewer request)
- Revert server.go formatting-only changes: struct field alignment,
  map entry alignment, tool count comment (81 tools, not 41)
- Add Origin header validation middleware to ServeStreamableHTTP per
  MCP spec (prevents DNS rebinding attacks):
  https://modelcontextprotocol.io/specification/2025-03-26/basic/transports
  - originValidationMiddleware wraps the MCP handler
  - isSameOriginHost normalizes 127.0.0.1/::1/localhost as equivalent
  - Adds listenAndServeFunc var for testability
  - Updates streamableHTTPStarter interface to include http.Handler
  - Adds 3 new Origin validation tests + updates existing transport tests
- Update report to note GetDependencyZIP test is resolved (commit 5317105)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@marianfoo marianfoo marianfoo requested changes

@oisee oisee Awaiting requested review from oisee

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Streaming HTTP support

2 participants

@danielheringers @marianfoo