fix(vmcp): remove WriteTimeout to prevent SSE connection drops

Go's http.Server.WriteTimeout sets an absolute deadline on the entire
response duration. For long-lived SSE connections used by the MCP
Streamable HTTP transport, this caused streams to be killed after 30s
regardless of write activity (see golang/go#16100).

Remove WriteTimeout from the http.Server config and replace it with a
writeTimeoutMiddleware that uses http.ResponseController.SetWriteDeadline
to apply a per-request 30s write deadline only to non-GET (non-SSE)
requests. GET requests remain exempt so SSE streams can stay open
indefinitely.

Tests added:
- Unit tests verifying SetWriteDeadline is called/not called by method
- Integration test over a real TCP connection confirming an SSE stream
  survives past the timeout without being cut

Fixes #3691

Author: taskbot

pkg/vmcp/server/server.go

@@ -47,7 +47,10 @@ const (
 	// defaultReadTimeout is the maximum duration for reading the entire request, including body.
 	defaultReadTimeout = 30 * time.Second
 
-	// defaultWriteTimeout is the maximum duration before timing out writes of the response.
+	// defaultWriteTimeout is the per-request write deadline applied to non-SSE requests via
+	// http.ResponseController. Note: this is NOT set as http.Server.WriteTimeout — that field
+	// applies to the entire response duration and would kill long-lived SSE (GET) streams after
+	// 30s regardless of write activity. See golang/go#16100.
 	defaultWriteTimeout = 30 * time.Second
 
 	// defaultIdleTimeout is the maximum amount of time to wait for the next request when keep-alive's are enabled.
@@ -557,6 +560,9 @@ func (s *Server) Handler(_ context.Context) (http.Handler, error) {
 	// Apply Accept header validation (rejects GET requests without Accept: text/event-stream)
 	mcpHandler = headerValidatingMiddleware(mcpHandler)
 
+	// Apply per-request write deadlines for non-SSE requests (SSE streams are exempt)
+	mcpHandler = writeTimeoutMiddleware(mcpHandler)
+
 	// Apply recovery middleware as outermost (catches panics from all inner middleware)
 	mcpHandler = recovery.Middleware(mcpHandler)
 	slog.Info("recovery middleware enabled for MCP endpoints")
@@ -604,9 +610,12 @@ func (s *Server) Start(ctx context.Context) error {
 		Handler:           handler,
 		ReadHeaderTimeout: defaultReadHeaderTimeout,
 		ReadTimeout:       defaultReadTimeout,
-		WriteTimeout:      defaultWriteTimeout,
-		IdleTimeout:       defaultIdleTimeout,
-		MaxHeaderBytes:    defaultMaxHeaderBytes,
+		// WriteTimeout is intentionally omitted: SSE (GET) connections must remain open
+		// indefinitely, and a global WriteTimeout would kill them after 30s regardless of
+		// write activity. Per-request write deadlines for non-SSE requests are enforced by
+		// writeTimeoutMiddleware using http.ResponseController. See golang/go#16100.
+		IdleTimeout:    defaultIdleTimeout,
+		MaxHeaderBytes: defaultMaxHeaderBytes,
 	}
 
 	// Create listener (allows port 0 to bind to random available port)
@@ -1247,6 +1256,28 @@ var notAcceptableBody = []byte(
 		`{"code":-32600,"message":"Not Acceptable: Client must accept text/event-stream"}}`,
 )
 
+// writeTimeoutMiddleware applies a per-request write deadline to non-SSE requests using
+// http.ResponseController. GET requests (SSE streams) are exempt because they must remain
+// open indefinitely; all other methods (POST, DELETE, etc.) are bounded by defaultNonSSEWriteTimeout.
+func writeTimeoutMiddleware(next http.Handler) http.Handler {
+	return writeTimeoutMiddlewareWithTimeout(next, defaultWriteTimeout)
+}
+
+// writeTimeoutMiddlewareWithTimeout is the parameterised implementation used by
+// writeTimeoutMiddleware and by tests that need a short timeout.
+func writeTimeoutMiddlewareWithTimeout(next http.Handler, timeout time.Duration) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodGet {
+			rc := http.NewResponseController(w)
+			deadline := time.Now().Add(timeout)
+			if err := rc.SetWriteDeadline(deadline); err != nil {
+				slog.Debug("failed to set per-request write deadline", "error", err)
+			}
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
 // headerValidatingMiddleware rejects GET requests that do not include
 // Accept: text/event-stream, as required by the MCP Streamable HTTP transport spec.
 func headerValidatingMiddleware(next http.Handler) http.Handler {

pkg/vmcp/server/write_timeout_middleware_test.go

@@ -0,0 +1,178 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package server
+
+import (
+	"bufio"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// deadlineTrackingResponseWriter wraps httptest.ResponseRecorder and implements
+// the SetWriteDeadline method so http.ResponseController can call it.
+// It records whether SetWriteDeadline was called and the deadline value passed.
+type deadlineTrackingResponseWriter struct {
+	*httptest.ResponseRecorder
+	deadlineSet bool
+	deadline    time.Time
+}
+
+func (d *deadlineTrackingResponseWriter) SetWriteDeadline(t time.Time) error {
+	d.deadlineSet = true
+	d.deadline = t
+	return nil
+}
+
+func newDeadlineTracker() *deadlineTrackingResponseWriter {
+	return &deadlineTrackingResponseWriter{
+		ResponseRecorder: httptest.NewRecorder(),
+	}
+}
+
+// noopHandler is a handler that does nothing — used to verify middleware call-through.
+var noopHandler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+	w.WriteHeader(http.StatusOK)
+})
+
+func TestWriteTimeoutMiddleware_GETDoesNotSetDeadline(t *testing.T) {
+	t.Parallel()
+
+	w := newDeadlineTracker()
+	r := httptest.NewRequest(http.MethodGet, "/mcp", nil)
+
+	writeTimeoutMiddleware(noopHandler).ServeHTTP(w, r)
+
+	assert.False(t, w.deadlineSet, "GET (SSE) request must not have a write deadline set")
+	assert.Equal(t, http.StatusOK, w.Code)
+}
+
+func TestWriteTimeoutMiddleware_POSTSetsDeadline(t *testing.T) {
+	t.Parallel()
+
+	before := time.Now()
+	w := newDeadlineTracker()
+	r := httptest.NewRequest(http.MethodPost, "/mcp", nil)
+
+	writeTimeoutMiddleware(noopHandler).ServeHTTP(w, r)
+
+	require.True(t, w.deadlineSet, "POST request must have a write deadline set")
+	assert.Equal(t, http.StatusOK, w.Code)
+
+	// Deadline should be ~defaultWriteTimeout in the future.
+	expectedMin := before.Add(defaultWriteTimeout - time.Second)
+	expectedMax := before.Add(defaultWriteTimeout + time.Second)
+	assert.True(t, w.deadline.After(expectedMin), "deadline %v should be after %v", w.deadline, expectedMin)
+	assert.True(t, w.deadline.Before(expectedMax), "deadline %v should be before %v", w.deadline, expectedMax)
+}
+
+func TestWriteTimeoutMiddleware_DELETESetsDeadline(t *testing.T) {
+	t.Parallel()
+
+	w := newDeadlineTracker()
+	r := httptest.NewRequest(http.MethodDelete, "/mcp", nil)
+
+	writeTimeoutMiddleware(noopHandler).ServeHTTP(w, r)
+
+	assert.True(t, w.deadlineSet, "DELETE request must have a write deadline set")
+	assert.Equal(t, http.StatusOK, w.Code)
+}
+
+func TestWriteTimeoutMiddleware_HandlerIsAlwaysCalled(t *testing.T) {
+	t.Parallel()
+
+	for _, method := range []string{http.MethodGet, http.MethodPost, http.MethodDelete} {
+		t.Run(method, func(t *testing.T) {
+			t.Parallel()
+
+			called := false
+			handler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+				called = true
+				w.WriteHeader(http.StatusOK)
+			})
+
+			w := newDeadlineTracker()
+			r := httptest.NewRequest(method, "/mcp", nil)
+			writeTimeoutMiddleware(handler).ServeHTTP(w, r)
+
+			assert.True(t, called, "inner handler must be called for method %s", method)
+		})
+	}
+}
+
+// TestWriteTimeoutMiddleware_SSEStreamSurvivesTimeout verifies over a real TCP connection
+// that a GET SSE stream is NOT killed after the write timeout, while a POST IS bounded.
+//
+// This is the end-to-end proof of the fix for the SSE connection drop bug
+// (github.com/golang/go#16100): a global http.Server.WriteTimeout would terminate both,
+// but writeTimeoutMiddlewareWithTimeout only sets the deadline for non-GET requests.
+func TestWriteTimeoutMiddleware_SSEStreamSurvivesTimeout(t *testing.T) {
+	t.Parallel()
+
+	const shortTimeout = 100 * time.Millisecond
+	const streamDuration = 3 * shortTimeout // SSE stream stays open 3× longer than the timeout
+
+	// sseHandler streams SSE events for streamDuration then closes.
+	sseHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/event-stream")
+		w.Header().Set("Cache-Control", "no-cache")
+		w.WriteHeader(http.StatusOK)
+
+		flusher, ok := w.(http.Flusher)
+		require.True(t, ok, "ResponseWriter must implement http.Flusher")
+
+		ticker := time.NewTicker(shortTimeout / 5)
+		defer ticker.Stop()
+		deadline := time.NewTimer(streamDuration)
+		defer deadline.Stop()
+
+		for {
+			select {
+			case <-r.Context().Done():
+				return
+			case <-deadline.C:
+				return
+			case <-ticker.C:
+				fmt.Fprintf(w, "data: ping\n\n")
+				flusher.Flush()
+			}
+		}
+	})
+
+	ts := httptest.NewServer(writeTimeoutMiddlewareWithTimeout(sseHandler, shortTimeout))
+	t.Cleanup(ts.Close)
+
+	// Open a GET SSE stream and read all events until the server closes it.
+	req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, ts.URL+"/mcp", nil)
+	require.NoError(t, err)
+	req.Header.Set("Accept", "text/event-stream")
+
+	resp, err := ts.Client().Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	// Read SSE lines until EOF. If the TCP write deadline fires the connection
+	// is cut mid-stream and we'd get an error before the server's streamDuration
+	// elapses. A clean EOF means the stream lived its full intended lifetime.
+	scanner := bufio.NewScanner(resp.Body)
+	var events []string
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "data:") {
+			events = append(events, line)
+		}
+	}
+	// bufio.Scanner returns nil error on clean EOF.
+	assert.NoError(t, scanner.Err(), "SSE stream must not be cut by a write deadline")
+	assert.NotEmpty(t, events, "should have received at least one SSE event")
+}
+