Skip to content

Commit 1673508

Browse files
committed
fix(mcp): restore stateless HTTP transport config and add code field validation
- Restore sessionIdGenerator: undefined in StreamableHTTPServerTransport to maintain stateless behavior, matching the route design (POST only for MCP requests) - Add validation for the 'code' field in execute handler to prevent TypeError when code is undefined or not a string, returning a controlled error response instead
1 parent 110d42a commit 1673508

File tree

2 files changed

+8
-2
lines changed

2 files changed

+8
-2
lines changed

packages/mcp-server/src/code-tool.ts

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -57,7 +57,10 @@ export function codeTool(params: { blockedMethods: SdkMethod[] | undefined }): M
5757
},
5858
};
5959
const handler = async (client: Dedalus, args: any): Promise<ToolCallResult> => {
60-
const code = args.code as string;
60+
const code = args.code;
61+
if (typeof code !== 'string') {
62+
return asErrorResult('The "code" field is required and must be a string.');
63+
}
6164
const intent = args.intent as string | undefined;
6265

6366
// Do very basic blocking of code that includes forbidden method names.

packages/mcp-server/src/http.ts

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -53,7 +53,10 @@ const post =
5353
const server = await newServer({ ...options, req, res });
5454
// If we return null, we already set the authorization error.
5555
if (server === null) return;
56-
const transport = new StreamableHTTPServerTransport();
56+
const transport = new StreamableHTTPServerTransport({
57+
// Stateless server
58+
sessionIdGenerator: undefined,
59+
});
5760
await server.connect(transport as any);
5861
await transport.handleRequest(req, res, req.body);
5962
};

0 commit comments

Comments
 (0)