Upgrade MCP SDK to latest (#848)

* fix: examples for stateless server

* changeset

* handler error out on bad stuff

* tests

* typo

* fix: expect server reuse error to throw rather than return 500

Developer misconfiguration errors (reusing a connected server across
requests) should fail loudly to be caught during development, not
return a 500 response that might go unnoticed.

Author: mattzcarey

.changeset/floppy-snakes-know.md

@@ -0,0 +1,5 @@
+---
+"agents": minor
+---
+
+Upgrade MCP SDK to 1.26.0 to prevent cross-client response leakage. Updated examples for stateless MCP Servers create new `McpServer` instance per request instead of sharing a single instance. A guard is added in this version of the MCP SDK which will prevent connection to a Server instance that has already been connected to a transport. Developers will need to modify their code if they declare their `McpServer` instance as a global variable.

examples/mcp-server/src/index.ts

@@ -2,31 +2,32 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 
-const server = new McpServer({
-  name: "Hello MCP Server",
-  version: "1.0.0"
-});
+const createServer = () => {
+  const server = new McpServer({
+    name: "Hello MCP Server",
+    version: "1.0.0"
+  });
 
-server.registerTool(
-  "hello",
-  {
-    description: "Returns a greeting message",
-    inputSchema: { name: z.string().optional() }
-  },
-  async ({ name }) => {
-    return {
-      content: [
-        {
-          text: `Hello, ${name ?? "World"}!`,
-          type: "text"
-        }
-      ]
-    };
-  }
-);
+  server.registerTool(
+    "hello",
+    {
+      description: "Returns a greeting message",
+      inputSchema: { name: z.string().optional() }
+    },
+    async ({ name }) => {
+      return {
+        content: [
+          {
+            text: `Hello, ${name ?? "World"}!`,
+            type: "text"
+          }
+        ]
+      };
+    }
+  );
 
-const transport = new WebStandardStreamableHTTPServerTransport();
-server.connect(transport);
+  return server;
+};
 
 const corsHeaders = {
   "Access-Control-Allow-Origin": "*",
@@ -49,6 +50,9 @@ export default {
     if (request.method === "OPTIONS") {
       return new Response(null, { headers: corsHeaders });
     }
+    const transport = new WebStandardStreamableHTTPServerTransport();
+    const server = createServer();
+    server.connect(transport);
     return withCors(await transport.handleRequest(request));
   }
 };

examples/mcp-worker-authenticated/src/index.ts

@@ -4,76 +4,82 @@ import { z } from "zod";
 import { OAuthProvider } from "@cloudflare/workers-oauth-provider";
 import { AuthHandler } from "./auth-handler";
 
-const server = new McpServer({
-  name: "Authenticated MCP Server",
-  version: "1.0.0"
-});
+function createServer() {
+  const server = new McpServer({
+    name: "Authenticated MCP Server",
+    version: "1.0.0"
+  });
 
-server.registerTool(
-  "hello",
-  {
-    description: "Returns a greeting message",
-    inputSchema: { name: z.string().optional() }
-  },
-  async ({ name }) => {
-    const auth = getMcpAuthContext();
-    const username = auth?.props?.username as string | undefined;
+  server.registerTool(
+    "hello",
+    {
+      description: "Returns a greeting message",
+      inputSchema: { name: z.string().optional() }
+    },
+    async ({ name }) => {
+      const auth = getMcpAuthContext();
+      const username = auth?.props?.username as string | undefined;
 
-    return {
-      content: [
-        {
-          text: `Hello, ${name ?? username ?? "World"}!`,
-          type: "text"
-        }
-      ]
-    };
-  }
-);
+      return {
+        content: [
+          {
+            text: `Hello, ${name ?? username ?? "World"}!`,
+            type: "text"
+          }
+        ]
+      };
+    }
+  );
+
+  server.registerTool(
+    "whoami",
+    {
+      description: "Returns information about the authenticated user"
+    },
+    async () => {
+      const auth = getMcpAuthContext();
 
-server.registerTool(
-  "whoami",
-  {
-    description: "Returns information about the authenticated user"
-  },
-  async () => {
-    const auth = getMcpAuthContext();
+      if (!auth) {
+        return {
+          content: [
+            {
+              text: "No authentication context available",
+              type: "text" as const
+            }
+          ]
+        };
+      }
 
-    if (!auth) {
       return {
         content: [
           {
-            text: "No authentication context available",
+            text: JSON.stringify(
+              {
+                userId: auth.props?.userId,
+                username: auth.props?.username,
+                email: auth.props?.email
+              },
+              null,
+              2
+            ),
             type: "text" as const
           }
         ]
       };
     }
+  );
 
-    return {
-      content: [
-        {
-          text: JSON.stringify(
-            {
-              userId: auth.props?.userId,
-              username: auth.props?.username,
-              email: auth.props?.email
-            },
-            null,
-            2
-          ),
-          type: "text" as const
-        }
-      ]
-    };
-  }
-);
+  return server;
+}
 
 /**
  * API Handler - handles authenticated MCP requests
  * This handler will receive requests that have a valid access token
  */
 const apiHandler = {
   async fetch(request: Request, env: unknown, ctx: ExecutionContext) {
+    //create the server instance every request
+    const server = createServer();
     return createMcpHandler(server)(request, env, ctx);
   }
 };

examples/mcp-worker/src/index.ts

@@ -2,32 +2,37 @@ import { createMcpHandler } from "agents/mcp";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 
-const server = new McpServer({
-  name: "Hello MCP Server",
-  version: "1.0.0"
-});
+function createServer() {
+  const server = new McpServer({
+    name: "Hello MCP Server",
+    version: "1.0.0"
+  });
 
-server.registerTool(
-  "hello",
-  {
-    description: "Returns a greeting message",
-    inputSchema: { name: z.string().optional() }
-  },
-  async ({ name }) => {
-    return {
-      content: [
-        {
-          text: `Hello, ${name ?? "World"}!`,
-          type: "text"
-        }
-      ]
-    };
-  }
-);
+  server.registerTool(
+    "hello",
+    {
+      description: "Returns a greeting message",
+      inputSchema: { name: z.string().optional() }
+    },
+    async ({ name }) => {
+      return {
+        content: [
+          {
+            text: `Hello, ${name ?? "World"}!`,
+            type: "text"
+          }
+        ]
+      };
+    }
+  );
+
+  return server;
+}
 
 export default {
   fetch: async (request: Request, env: Env, ctx: ExecutionContext) => {
-    const handler = createMcpHandler(server);
-    return handler(request, env, ctx);
+    //create the server instance every request
+    const server = createServer();
+    return createMcpHandler(server)(request, env, ctx);
   }
 };