Merge main into pkce-conformance-tests

Author: pcarleton

README.md

@@ -5,6 +5,8 @@ A framework for testing MCP (Model Context Protocol) client and server implement
 > [!WARNING]
 > This repository is a work in progress and is unstable. Join the conversation in the #conformance-testing-wg in the MCP Contributors discord.
 
+**For SDK maintainers:** See [SDK Integration Guide](./SDK_INTEGRATION.md) for a streamlined guide on integrating conformance tests into your SDK repository.
+
 ## Quick Start
 
 ### Testing Clients

SDK_INTEGRATION.md

@@ -0,0 +1,208 @@
+# Using MCP Conformance Tests in SDK Repositories
+
+This guide explains how to integrate the MCP conformance test suite into your language SDK repository. The conformance framework tests your MCP implementation against the protocol specification to ensure compatibility.
+
+## Quick Start
+
+Install and run conformance tests:
+
+```bash
+# Client testing (framework starts a test server, runs your client against it)
+npx @modelcontextprotocol/conformance client --command "your-client-command" --scenario initialize
+
+# Server testing (your server must already be running)
+npx @modelcontextprotocol/conformance server --url http://localhost:3000/mcp --scenario server-initialize
+```
+
+## Two Testing Modes
+
+### Client Testing
+
+The framework **starts a test server** and spawns your client against it. Your client receives the server URL as its final command-line argument.
+
+```bash
+# Run a single scenario
+npx @modelcontextprotocol/conformance client \
+  --command "python tests/conformance/client.py" \
+  --scenario initialize
+
+# Run a suite of tests
+npx @modelcontextprotocol/conformance client \
+  --command "python tests/conformance/client.py" \
+  --suite auth
+```
+
+**Available client suites:** `all`, `core`, `extensions`, `auth`, `metadata`, `sep-835`
+
+Your client should:
+
+1. Accept the server URL as its last argument
+2. Read `MCP_CONFORMANCE_SCENARIO` env var to determine which scenario is being tested
+3. Read `MCP_CONFORMANCE_CONTEXT` env var for scenario-specific data (e.g., OAuth credentials)
+
+### Server Testing
+
+Your server must be **running before** invoking the conformance tool. The framework connects to it as an MCP client.
+
+```bash
+# Start your server first
+your-server --port 3001 &
+
+# Then run conformance tests
+npx @modelcontextprotocol/conformance server \
+  --url http://localhost:3001/mcp \
+  --suite active
+```
+
+**Available server suites:** `active` (default), `all`, `pending`
+
+**Note:** Server testing requires you to manage server lifecycle (start, health-check, cleanup) yourself.
+
+---
+
+## Expected Failures (Baseline) File
+
+The expected-failures feature lets your CI pass while you work on fixing known issues. It catches regressions by failing when:
+
+- A previously passing test starts failing (regression)
+- A previously failing test starts passing (stale baseline - remove the entry)
+
+### File Format
+
+Create a YAML file (e.g., `conformance-baseline.yml`):
+
+```yaml
+server:
+  - tools-call-with-progress
+  - resources-subscribe
+client:
+  - auth/client-credentials-jwt
+```
+
+### Usage
+
+```bash
+npx @modelcontextprotocol/conformance server \
+  --url http://localhost:3000/mcp \
+  --expected-failures ./conformance-baseline.yml
+```
+
+### Exit Code Behavior
+
+| Scenario Result | In Baseline? | Exit Code | Meaning                       |
+| --------------- | ------------ | --------- | ----------------------------- |
+| Fails           | Yes          | 0         | Expected failure              |
+| Fails           | No           | 1         | Unexpected regression         |
+| Passes          | Yes          | 1         | Stale baseline - remove entry |
+| Passes          | No           | 0         | Normal pass                   |
+
+---
+
+## GitHub Action
+
+The conformance repo provides a reusable GitHub Action that handles Node.js setup and conformance execution.
+
+### Client Testing Example
+
+```yaml
+name: Conformance Tests
+on: [push, pull_request]
+
+jobs:
+  conformance:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up your SDK
+        run: |
+          # Your SDK setup (pip install, npm install, etc.)
+          pip install -e .
+
+      - uses: modelcontextprotocol/[email protected]
+        with:
+          mode: client
+          command: 'python tests/conformance/client.py'
+          suite: auth
+          expected-failures: ./conformance-baseline.yml
+```
+
+### Server Testing Example
+
+```yaml
+name: Conformance Tests
+on: [push, pull_request]
+
+jobs:
+  conformance:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up and start server
+        run: |
+          pip install -e .
+          python -m myserver --port 3001 &
+          # Wait for server to be ready
+          timeout 15 bash -c 'until curl -s http://localhost:3001/mcp; do sleep 0.5; done'
+
+      - uses: modelcontextprotocol/[email protected]
+        with:
+          mode: server
+          url: http://localhost:3001/mcp
+          suite: active
+          expected-failures: ./conformance-baseline.yml
+```
+
+### Action Inputs
+
+| Input               | Required    | Description                                     |
+| ------------------- | ----------- | ----------------------------------------------- |
+| `mode`              | Yes         | `server` or `client`                            |
+| `url`               | Server mode | URL of the server to test                       |
+| `command`           | Client mode | Command to run the client                       |
+| `expected-failures` | No          | Path to YAML baseline file                      |
+| `suite`             | No          | Test suite to run                               |
+| `scenario`          | No          | Run a single scenario by name                   |
+| `timeout`           | No          | Timeout in ms for client tests (default: 30000) |
+| `verbose`           | No          | Show verbose output (default: false)            |
+| `node-version`      | No          | Node.js version (default: 20)                   |
+
+---
+
+## Writing Conformance Clients/Servers
+
+### Example Client Pattern
+
+See [`src/conformance/everything-client.ts`](https://github.com/modelcontextprotocol/typescript-sdk/blob/main/src/conformance/everything-client.ts) in the TypeScript SDK for a reference implementation. The recommended pattern is a single client that routes behavior based on the scenario:
+
+```python
+import os
+import sys
+import json
+
+def main():
+    server_url = sys.argv[-1]  # URL passed as last argument
+    scenario = os.environ.get("MCP_CONFORMANCE_SCENARIO", "")
+    context = json.loads(os.environ.get("MCP_CONFORMANCE_CONTEXT", "{}"))
+
+    if scenario.startswith("auth/"):
+        run_auth_scenario(server_url, scenario, context)
+    else:
+        run_default_scenario(server_url)
+
+if __name__ == "__main__":
+    main()
+```
+
+### Example Server Pattern
+
+See [`src/conformance/everything-server.ts`](https://github.com/modelcontextprotocol/typescript-sdk/blob/main/src/conformance/everything-server.ts) in the TypeScript SDK for a reference implementation that handles all server scenarios.
+
+---
+
+## Additional Resources
+
+- [Conformance README](./README.md)
+- [Design documentation](./src/runner/DESIGN.md)
+- [TypeScript SDK conformance examples](https://github.com/modelcontextprotocol/typescript-sdk/tree/main/src/conformance)

examples/clients/typescript/auth-test-attempts-dcr.ts

@@ -0,0 +1,50 @@
+#!/usr/bin/env node
+
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
+
+/**
+ * Non-compliant client that ignores pre-registered credentials and attempts DCR.
+ *
+ * This client intentionally ignores the client_id and client_secret passed via
+ * MCP_CONFORMANCE_CONTEXT and instead attempts to do Dynamic Client Registration.
+ * When run against a server that does not support DCR (no registration_endpoint),
+ * this client will fail.
+ *
+ * Used to test that conformance checks detect clients that don't properly
+ * use pre-registered credentials when server doesn't support DCR.
+ */
+export async function runClient(serverUrl: string): Promise<void> {
+  const client = new Client(
+    { name: 'test-auth-client-attempts-dcr', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  // Non-compliant: ignores pre-registered credentials from context
+  // and creates a fresh provider that will attempt DCR
+  const oauthFetch = withOAuthRetry(
+    'test-auth-client-attempts-dcr',
+    new URL(serverUrl)
+  )(fetch);
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    fetch: oauthFetch
+  });
+
+  await client.connect(transport);
+  logger.debug('Connected to MCP server (attempted DCR instead of pre-reg)');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await client.callTool({ name: 'test-tool', arguments: {} });
+  logger.debug('Successfully called tool');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+runAsCli(runClient, import.meta.url, 'auth-test-attempts-dcr <server-url>');

examples/clients/typescript/everything-client.ts

@@ -21,7 +21,12 @@ import {
 } from '@modelcontextprotocol/sdk/client/auth-extensions.js';
 import { ElicitRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 import { ClientConformanceContextSchema } from '../../../src/schemas/context.js';
-import { withOAuthRetry, handle401 } from './helpers/withOAuthRetry.js';
+import {
+  withOAuthRetry,
+  withOAuthRetryWithProvider,
+  handle401
+} from './helpers/withOAuthRetry.js';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
 import { logger } from './helpers/logger.js';
 
 /**
@@ -300,6 +305,69 @@ export async function runClientCredentialsBasic(
 
 registerScenario('auth/client-credentials-basic', runClientCredentialsBasic);
 
+// ============================================================================
+// Pre-registration scenario
+// ============================================================================
+
+/**
+ * Pre-registration: client uses pre-registered credentials (no DCR).
+ *
+ * Server does not advertise registration_endpoint, so client must use
+ * pre-configured client_id and client_secret passed via context.
+ */
+export async function runPreRegistration(serverUrl: string): Promise<void> {
+  const ctx = parseContext();
+  if (ctx.name !== 'auth/pre-registration') {
+    throw new Error(`Expected pre-registration context, got ${ctx.name}`);
+  }
+
+  const client = new Client(
+    { name: 'conformance-pre-registration', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  // Create provider with pre-registered credentials
+  const provider = new ConformanceOAuthProvider(
+    'http://localhost:3000/callback',
+    {
+      client_name: 'conformance-pre-registration',
+      redirect_uris: ['http://localhost:3000/callback']
+    }
+  );
+
+  // Pre-set the client information so the SDK won't attempt DCR
+  provider.saveClientInformation({
+    client_id: ctx.client_id,
+    client_secret: ctx.client_secret,
+    redirect_uris: ['http://localhost:3000/callback']
+  });
+
+  // Use the provider-based middleware
+  const oauthFetch = withOAuthRetryWithProvider(
+    provider,
+    new URL(serverUrl),
+    handle401
+  )(fetch);
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    fetch: oauthFetch
+  });
+
+  await client.connect(transport);
+  logger.debug('Successfully connected with pre-registered credentials');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await client.callTool({ name: 'test-tool', arguments: {} });
+  logger.debug('Successfully called tool');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+registerScenario('auth/pre-registration', runPreRegistration);
+
 // ============================================================================
 // Main entry point
 // ============================================================================

examples/clients/typescript/helpers/withOAuthRetry.ts

@@ -45,6 +45,7 @@ export const handle401 = async (
     }
   }
 };
+
 /**
  * Creates a fetch wrapper that handles OAuth authentication with retry logic.
  *
@@ -53,8 +54,10 @@ export const handle401 = async (
  * - Does not throw UnauthorizedError on redirect, but instead retries
  * - Calls next() instead of throwing for redirect-based auth
  *
- * @param provider - OAuth client provider for authentication
+ * @param clientName - Client name for OAuth registration
  * @param baseUrl - Base URL for OAuth server discovery (defaults to request URL domain)
+ * @param handle401Fn - Custom 401 handler function
+ * @param clientMetadataUrl - Optional CIMD URL for URL-based client IDs
  * @returns A fetch middleware function
  */
 export const withOAuthRetry = (
@@ -71,6 +74,18 @@ export const withOAuthRetry = (
     },
     clientMetadataUrl
   );
+  return withOAuthRetryWithProvider(provider, baseUrl, handle401Fn);
+};
+
+/**
+ * Creates a fetch wrapper using a pre-configured OAuth provider.
+ * Use this when you need to pre-set client credentials (e.g., for pre-registration tests).
+ */
+export const withOAuthRetryWithProvider = (
+  provider: ConformanceOAuthProvider,
+  baseUrl?: string | URL,
+  handle401Fn: typeof handle401 = handle401
+): Middleware => {
   return (next: FetchLike) => {
     return async (
       input: string | URL,