You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Release-prep sweep, part 1 (functional + hygiene):
- MRTR (SEP-2322) now covers all three permitted methods. Shared
handlers::input_required_to_result (capability gate -32003/400 +
InputRequiredResult construction) adopted by tools/call and wired into
resources/read and prompts/get. Resources surface retry
inputResponses/requestState via session extensions; prompts receive them
in render args under reserved io.modelcontextprotocol/* keys —
McpPrompt::render has no session parameter and changing it is a breaking
public trait change (stop condition respected; convention documented on
the trait; wire prompt arguments are plain strings so reserved keys cannot
collide). Tests: two-leg round trips for both methods + a resources/read
capability-gate case, all real-HTTP. Revert-and-fail: without the handler
conversion the sentinel escapes as -32603 (the pre-slice behavior).
- resources.subscribe advertises true on the 2026 lane at BOTH capability
construction sites (subscriptions/listen serves per-URI resources/updated);
2025 stays false (no resources/subscribe handler). Wire test on
server/discover; first run caught the second, unfixed site.
- completion/complete e2e: sessionless dispatch, CompleteResult wire shape,
capability advertisement (last zero-e2e core method on the 2026 path).
- Hygiene: 41 stale "0.3" dependency snippets across 15 non-frozen crate
docs -> "0.4" (frozen snapshots + terminal shim correctly keep 0.3);
legacy session/SSE prose in default-lane READMEs labeled 2025-11-25
opt-in; internal-phase tags and fix-history comment phrasing replaced
with present-tense spec-anchored descriptions.
Copy file name to clipboardExpand all lines: CHANGELOG.md
+12Lines changed: 12 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -35,6 +35,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
35
35
-**SEP-2577 deprecation annotations** on Roots / Sampling / Logging types and traits (`#[deprecated(since = "0.4.0", note = "...")]` with migration-path guidance and 2027-07-28+ earliest-removal date). Annotation-only this revision; types remain fully functional during the 12-month migration window. `LoggingLevel` (the value type for the non-deprecated `RequestMetaObject.log_level` replacement) is intentionally NOT deprecated.
36
36
-**ADR-028** — *Extensions strategy* (SEP-2133 / SEP-2663). Documents how the framework will host out-of-tree extensions including `turul-mcp-ext-tasks-2026-07-28` and `turul-mcp-ext-apps-2026-07-28`.
37
37
38
+
### Added (2026-06-10, release-prep sweep)
39
+
40
+
-**MRTR on `resources/read` and `prompts/get`** — completes the SEP-2322 triple (the only methods permitted to return `input_required`). The conversion + client-capability gate is now one shared helper (`handlers::input_required_to_result`, also adopted by `tools/call`). Resources surface the retry's `inputResponses`/`requestState` via the session extensions (same as tools); prompts receive them in the render args under reserved `io.modelcontextprotocol/*` keys, because `McpPrompt::render` has no session parameter and changing it would break the public trait (documented on the trait; reserved-namespace keys cannot collide with wire prompt arguments, which are plain strings). Tests: two-leg round trips for both methods + a `-32003`/400 capability-gate case on `resources/read` (all real-HTTP; the handlers previously leaked the sentinel to `-32603`).
41
+
-**`resources.subscribe` capability truthfulness** — with `subscriptions/listen` serving per-URI `resources/updated`, both capability-construction sites now advertise `subscribe: true` on the 2026 lane (still `false` on 2025, which has no `resources/subscribe` handler). Wire test asserts the `server/discover` advertisement.
42
+
-**`completion/complete` e2e coverage** — sessionless dispatch + `CompleteResult` wire shape (`completion.values`) + capability advertisement, closing the last zero-e2e core method on the 2026 path.
43
+
44
+
### Fixed (2026-06-10, release-prep sweep)
45
+
46
+
-**Stale crate-doc versions**: 41 dependency-snippet strings across 15 non-frozen crate READMEs/lib-docs said `"0.3"`; all now `"0.4"` (the frozen 2025 protocol snapshots and the terminal-0.3.x shim correctly keep `"0.3"`).
47
+
-**Legacy prose labeled in default-lane docs**: `turul-http-mcp-server` README's session/SSE-resumability features and curl examples, and `turul-mcp-server` README's strict-lifecycle note, are now explicitly marked *2025-11-25 opt-in lane* (the 2026 default is POST-only, non-resumable, handshake-free).
48
+
-**Comment hygiene in touched 2026 paths**: internal-phase tags, fix-history phrasing, and the `subscriptions.rs` module narrative replaced with present-tense, spec-anchored descriptions.
49
+
38
50
### Fixed (2026-06-10)
39
51
40
52
-**`turul-mcp-oauth` CIMD/DCR posture dispositioned (docs/tests-only by design).** Audited against the live draft authorization spec: Client ID Metadata Documents are a SHOULD for *authorization servers and MCP clients*; Dynamic Client Registration is deprecated upstream (MAY, AS back-compat; not removed — earliest removal 2027-07-28). This crate implements the resource-server role only — RFC 9728 Protected Resource Metadata and OAuth 2.1 §5.2/RFC 8707 token validation, both unchanged — so no CIMD or DCR surface belongs in it and none was invented. The role posture is now documented in the crate header, and a wire-shape test pins that the published RFC 9728 document carries no client-registration keys (`registration_endpoint`, `client_id*`, `redirect_uris`, …). Client-side CIMD belongs to a future full MCP OAuth client flow.
0 commit comments