Skip to content

Add HTTP Streamable protocol support#15

Merged
vitorfdl merged 28 commits intomasterfrom
TAGOAI-101_Http_Protocol_Support
Apr 14, 2026
Merged

Add HTTP Streamable protocol support#15
vitorfdl merged 28 commits intomasterfrom
TAGOAI-101_Http_Protocol_Support

Conversation

@bgelatti
Copy link
Copy Markdown
Collaborator

@bgelatti bgelatti commented Jan 6, 2026
edited by vitorfdl
Loading

Problem

The MCP server only supported STDIO transport, limiting usage to local CLI environments and preventing integration with web-based clients like OpenAI Agent Builder that require HTTP endpoints.

Investigation

  • MCP specification includes HTTP Streamable protocol as an alternative transport
  • Web clients need RESTful endpoints with proper authentication
  • Session management required for stateful HTTP connections
  • CORS support essential for browser-based MCP clients

Solution

Transport Architecture

  • Refactored entry point to CLI router supporting both stdio and http modes
  • Implemented HTTP server using MCP SDK's StreamableHTTPServerTransport
  • Added session-based architecture with UUID generation and lifecycle management

Authentication & Security

  • Bearer token authentication via Authorization header for HTTP mode
  • Session validation with mcp-session-id header for request correlation
  • CORS headers configured for cross-origin requests
  • Made TAGOIO_TOKEN environment variable optional (only required for STDIO)

Session Management

  • Configurable session expiration via SESSION_LIVE environment variable
  • Automatic cleanup of expired sessions to prevent memory leaks
  • Multi-tenant support: isolated Resources instances per session

Documentation

  • Comprehensive HTTP protocol guide (MCP_HTTP_README.md)
  • Detailed explanations of JSON-RPC 2.0 message formats
  • Testing workflows with cURL, MCP Inspector, and OpenAI Agent Builder
  • Session lifecycle and authentication flow diagrams

Dependencies

  • Updated @modelcontextprotocol/sdk to support Streamable HTTP transport
  • Added required peer dependencies for HTTP functionality

Closes #14

bgelatti and others added 7 commits November 4, 2025 08:10
@bgelatti
feat: add HTTP Streamable protocol support for MCP server
1221a96 
Implement dual-protocol architecture supporting both STDIO and HTTP transports. HTTP mode enables OpenAI Agent Builder integration with Bearer token authentication and session management.

- Create http-server.ts with StreamableHTTPServerTransport
- Extract stdio-server.ts from existing implementation
- Refactor index.ts to route between transport modes
- Add session-based architecture for multi-tenant support
- Implement CORS headers for web-based integrations
@bgelatti
refactor: convert index.ts to CLI router for transport selection
da3aeaf 
Replace monolithic implementation with router pattern that supports http, stdio, or default mode selection via CLI arguments.
@bgelatti
fix: make TAGOIO_TOKEN optional for HTTP mode
bda3168 
HTTP mode authenticates via Bearer token from request headers, not environment variables. TAGOIO_TOKEN now defaults to empty string for HTTP compatibility while STDIO mode explicitly validates token presence.
@bgelatti
chore: update dependencies for HTTP Streamable protocol
b94ff8c 
Update MCP SDK to support StreamableHTTPServerTransport and add node crypto types for session ID generation.
@bgelatti
docs: add comprehensive HTTP protocol documentation
952d517 
Add HTTP mode configuration examples to README and create MCP_HTTP_README.md with technical details on session management, Bearer authentication, OpenAI Agent Builder integration, and testing approaches.
@bgelatti
feat: add configurable session expiration to HTTP MCP server
d324232 
Implements automatic cleanup of inactive sessions based on configurable timeout. Sessions now track last activity timestamp and are automatically cleaned up after the configured inactivity period (default 60 minutes via SESSION_LIVE env var). Cleanup runs every 5 minutes to remove expired sessions and free resources.
@vitorfdl
chore: packages and formatting update
98d1ee2
@vitorfdl vitorfdl force-pushed the TAGOAI-101_Http_Protocol_Support branch from e1d9a6f to 98d1ee2 Compare February 6, 2026 18:51
bgelatti and others added 10 commits February 10, 2026 16:51
@bgelatti
fix: make TAGOIO_TOKEN optional for HTTP mode support
7752621 
In HTTP mode, authentication is handled via Bearer token in request headers
instead of environment variables, so TAGOIO_TOKEN should default to empty string.
@bgelatti
test: add HTTP server integration tests and npm scripts
7f35314 
Add integration test suite for the HTTP server covering session lifecycle,
authentication, CORS, SSE streams, and tool calls. Add start:http and test:http
npm scripts to run the server and tests end-to-end.
@bgelatti
docs: fix incorrect tool names and malformed curl examples in HTTP RE…
e20dcbb 
…ADME

Update tool references from device-list to device-operations with correct
argument structure. Fix unclosed JSON in curl examples and align capabilities
response and SessionData interface with actual implementation.
@bgelatti
test: add stdio server integration tests and extract shared JSON-RPC …
9374657 
…types

Add stdio-server.test.ts with 8 integration tests covering session init, tool calls, error handling, and concurrent requests. Extract JsonRpcRequest and JsonRpcResponse into shared types.ts used by both test files.
@bgelatti
fix: downgrade vitest to 3.x and zod to 3.x for CommonJS compatibility
72ae847 
Vitest 4.x is ESM-only and breaks CI with ERR_REQUIRE_ESM in CommonJS projects. Zod 4.x changed error messages breaking existing tests.
@bgelatti
fix: update CI Node.js version from 18.x to 20.x
ee5ce28 
The project requires Node.js >=20 as specified in package.json engines field.
@bgelatti
fix: update CI Node.js version from 20.x to 22.x
dd46def 
Align CI with the Node.js version used in development and production.
@vitorfdl
feat: added token and lambda support to http stream
47a6f9e
@bgelatti
feat: stateless HTTP transport with per-request region and CORS support
c011f3c 
Unified server config (name, version, instructions) across STDIO and HTTP
transports. Added per-request region support via x-tagoio-region header
(us-e1, eu-w1). Fixed CORS headers to allow mcp-protocol-version for MCP
Inspector compatibility. Removed token logging and delegated GET/DELETE
to SDK transport for proper stateless mode handling.
@bgelatti
docs: add AWS Lambda remote HTTP configuration to README
692360d
@vitorfdl vitorfdl self-requested a review April 9, 2026 03:34
vitorfdl added 7 commits April 14, 2026 07:03
@vitorfdl
fix: improve HTTP transport error handling, security, and test coverage
9e1d099 
- Extract shared CORS/auth/region utilities into server/shared.ts
- Differentiate auth failures from infrastructure errors in validateTagoToken
- Add 1MB body size limit to prevent DoS via unbounded request bodies
- Return proper 400/413 responses for malformed JSON and oversized payloads
- Close MCP server and transport after each request to prevent memory leaks
- Add try-catch with structured JSON-RPC error responses in Lambda handler
- Add server.on('error') handler for EADDRINUSE and MCP_PORT validation
- Add .catch() on main() to handle unhandled startup rejections
- Preserve original error details in stdio server connection failures
- Move path check before OPTIONS to restrict CORS preflight to /mcp
- Remove unused headersModel from config.model.ts
- Add vitest unit tests for shared utilities and Lambda handler (25 tests)
@vitorfdl
refactor: standardize token extraction and improve documentation
fb96412 
- Replaced `extractBearerToken` with `extractToken` to support both Bearer and raw token formats.
- Updated error messages in HTTP and Lambda handlers for clarity.
- Enhanced README with clearer instructions on token usage and server setup.
- Adjusted TypeScript configurations for consistency and improved type imports.
- Cleaned up code formatting and removed unused region validation logic.
@vitorfdl
chore: update CI Node.js version from 22.x to 24.x in workflows
3f076b2 
- Modified npm_publish.yml and tests.yml to use Node.js version 24.x for consistency across CI environments.
@vitorfdl
chore: update dependencies and Node.js version in package files
0605b62 
- Upgraded various dependencies in package.json and package-lock.json, including @modelcontextprotocol/sdk to ^1.29.0, @tago-io/sdk to ^12.2.2, zod to ^4.3.6, and typescript to ^6.0.2.
- Updated Node.js version requirement from >=20 to >=24 in package.json and README.md for consistency.
- Adjusted devDependencies to reflect the latest versions for @types/aws-lambda, aws-cdk-lib, constructs, vitest, and biome.
- Refactored import statements in several files to use zod from 'zod/v3' for compatibility with the updated version.
@vitorfdl
fix: migrate Vitest from SWC to Oxc transformer and fix mock constructor
5d16353 
Replace unplugin-swc with Vitest 4.x built-in Oxc transformer. Use
function expression instead of arrow function in mock constructor to
satisfy Vitest 4.x stricter new-target behavior.
@vitorfdl
chore: update Node.js version requirement and clean up package files
a8ba4fd 
- Changed Node.js version requirement from >=24 to >=22 in package.json and package-lock.json for compatibility.
- Removed unneeded dependency on unplugin-swc from package.json and package-lock.json.
- Enhanced README with additional installation instructions and health check endpoint details for improved clarity.
- Added health check endpoint to the HTTP server for better monitoring and status reporting.
@vitorfdl
chore: update version to 3.0.0 and adjust references in configuration…
b5d4e5d 
… files

- Bumped version from 2.1.4 to 3.0.0 in package.json, package-lock.json, server.json, and utils/server-config.ts.
- Updated README to reflect the new package name for CLI usage.
- Standardized server name in configuration to align with the new versioning.
vitorfdl
vitorfdl previously approved these changes Apr 14, 2026
View reviewed changes
@vitorfdl
feat: add logger utility with LOG_LEVEL support and SILENT mode
a9cecbf 
Replace all raw console.error calls with a centralized logger that
respects the LOG_LEVEL env var. Token validation failures are logged
at warn level to avoid flooding CloudWatch on public Lambda deployments.
vitorfdl added 3 commits April 14, 2026 15:44
@vitorfdl
fix: use regular function in mock to support constructor invocation
0dbfb89 
Arrow functions cannot be called with `new`, causing 4 test failures
in lambda-handler tests.
@vitorfdl
refactor: update server startup and shutdown logic for improved conne…
45517e0 
…ction handling

- Changed server startup to use `tsx` for better compatibility.
- Enhanced shutdown process to gracefully handle active connections, with a timeout for forced shutdown.
- Added connection tracking to ensure all sockets are properly closed during server shutdown.
@vitorfdl
chore: update installation badges in README for improved clarity and …
e3bb38b 
…accessibility

- Replaced placeholder comments with actual installation badges for VS Code, VS Code Insiders, Visual Studio, Cursor, and LM Studio.
- Updated links to direct users to the appropriate installation pages with configuration details.
@vitorfdl vitorfdl merged commit a62b50e into master Apr 14, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vitorfdl vitorfdl vitorfdl left review comments

Assignees

@bgelatti bgelatti

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement HTTP SSE (Server-Sent Events) Transport Layer for MCP

2 participants

@bgelatti @vitorfdl