Pull Requests

Volume

Open PRs

↑ 4.63%

113

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

272

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

194

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

12d

Median

↑ 7.74%

17h

P90

—

29d

P95

—

64d

Merge Time

Average

—

15d

Median

—

18h

PRs Needing Maintainer Review

Open PRs with no maintainer review (excludes drafts from counts)

No Maintainer Review

↑ 13.11%

>24 hours

No Maintainer Review

—

>7 days

PRs Awaiting Maintainer Review

Sorted by longest wait time first

PR	Title	Author	Size	Reviews	Waiting
#678	Remove references to enumNames	stickeegreg	+0 -9	0	350d
#813	fix: deduplicate title definition in tools	connor4312	+0 -9	0	338d
#1336	SEP-1336: User Agent Guidance for Client Implementations	LucaButBoring	+184 -0	1	285d
#1515	docs: add STDIO, SSE, and Streamable HTTP columns to clients matrix	theailanguage	+86 -83	0	245d
#1695	Recommend 128 bits of entropy	loganaden	+1 -1	0	215d
#1803	SEP-1803: Event Subscriptions	caseychow-oai	+184 -0	0	193d
#1822	SEP-1821: Add dynamic tool search support	truehazker	+66 -4	1	189d
#1831	chore: Add BizContext, extensions, and context support for task	He-Pin	+30 -3	2	188d
#1834	chore: Add pending status to task	He-Pin	+6 -3	0	187d
#1862	SEP-1862: Tool Resolution	SamMorrowDrums	+1723 -0	0	185d
#1904	SEP-1904 : Add filtering support for tasks/list	He-Pin	+153 -2	0	180d
#1905 (draft)	SEP-1905: Task Result Streaming and Immediate Result Acceptance	He-Pin	+709 -2	0	180d
#1913	SEP-1913: Trust and Sensitivity Annotations	SamMorrowDrums	+2347 -0	16	178d
#1921	SEP-1921: Add Context Headers (Tool, Prompt, Resources) to MCP Requests for Fine-Grained Rate Limiting	Rajesh-Narayanappa87	+75 -0	0	174d
#1975	SEP-1975: Conversation Event Subscriptions	varun29ankuS	+172 -0	0	163d
#1984	SEP-1984: Comprehensive Tool Annotations for Enhanced Governance and UX	sambhav	+488 -0	0	160d
#2001	SEP-2001: Optional High Availability Patterns for Stateful Streaming in MCP Deployments	jizhuozhi	+138 -0	0	155d
#2007	SEP-2007: Add MCP Payment Support Specification	shivankgoel	+1969 -0	43	153d
#2028	SEP-2028: Automatic _meta to HTTP header forwarding for distributed tracing	monahk	+861 -0	12	146d
#2053	SEP-2053: Server Variants extension	sambhav	+1613 -0	0	139d
#2061 (draft)	SEP-2061: Action Security Metadata for MCP Tools	rreichel3	+292 -0	0	137d
#2072	SEP-2072: Memory Portals	comradenala	+601 -0	0	133d
#2166	SEP-2166: Out-of-Band Resource Access via HTTPS URLs	abrookins	+595 -0	1	116d
#2188	SEP-2188: Add elicitation timeout coordination via notifications/elicitation/pe…	ArsalanShakil	+463 -0	0	112d
#2268 (draft)	SEP-2268: Subtasks	LucaButBoring	+317 -0	0	96d
#2282	SEP-2282: Server-Declared Behavioural Hooks	heyhayes	+871 -2	0	93d
#2317	SEP-2290: Content Negotiation Extension	schlpbch	+104 -0	0	87d
#2325	SEP-2325: SSH Custom Transport	tobert	+1017 -0	0	84d
#2355	docs(spec): add internationalization guidance for Streamable HTTP	SamMorrowDrums	+25 -0	0	81d
#2357	SEP-2357: Dedicated structured media type for MCP HTTP transport	rvmillett	+365 -0	0	80d
#2385	SEP-2385: Tool Auth Manifest	lececo	+167 -0	0	74d
#2391 (draft)	[WIP] Add spec annotator plugin to Claude Code marketplace	LucaButBoring	+3061 -3	0	73d
#2419	SEP-2419: cache_hint well-known key in CallToolResult._meta	clouatre	+454 -0	0	68d
#2417	SEP-2417: Model Preferences for Tools	ProductOfAmerica	+3043 -1	0	68d
#2433	SEP-2433: Transfer Descriptors — Out-of-Band Data Transfer Negotiation	bhanquier	+1172 -47	0	64d
#2448	SEP-2448: MCP server execution telemetry	savula15	+564 -16	5	62d
#2487 (draft)	SEP-2487: Add execution.requirements field to Tool for preconditions	ZachGerman	+127 -4	0	58d
#2495	SEP: Event-Driven Tool Invocation (Server-Push to LLM Re-entry)	hf75	+119 -0	2	57d
#2532	SEP-2532: Resource Streaming for Binary Content Delivery	patrick-rodgers	+1249 -0	0	48d
#2528	docs: Add deployment guidelines for proxying MCP servers	jeffyaw	+153 -1	0	48d
#2564	SEP-2564: Server-Side Filtering for List Methods	anagh96	+385 -0	0	41d
#2571	SEP: Resource Submission — client-to-server resource creation for agent coordination	cswelker	+193 -0	0	40d
#2601	docs: define uriTemplate as unique identifier for resource templates	rohitg00	+13 -1	0	36d
#2602	docs: add server instructions guide	rohitg00	+146 -0	0	36d
#2614	SEP-2614: Add optional keywords field to Implementation for server routing	Vijaynw	+595 -6	0	35d
#2607	docs(clients): add Burnish (explorer-first MCP client)	danfking	+24 -0	0	35d
#2618	docs: add AgentOne to the MCP clients list	The-Best-Codes	+22 -0	1	34d
#2624	SEP-2624: Interceptors for the Model Context Protocol	Degiorgio	+3536 -1	0	33d
#2636	SEP-2636: Progressive Tool Disclosure	SylonZero	+759 -0	0	32d
#2637	docs: add Microsoft 365 Copilot to extension support matrix and MCP Apps client list	SuryaMSFT	+12 -11	0	32d
#2631 (draft)	SEP-2631: File Objects and Transfer	caseychow-oai	+2584 -88	0	32d
#2626	docs(community): Add Enterprise Interest Group charter	raghu-chandra-mcp	+102 -0	1	32d
#2632	SEP-2632: Structured Content for Progress Notifications	stevehaertel	+477 -5	0	32d
#2643	SEP-2643: Structured Authorization Denials	monmohan	+743 -2	41	31d
#2657	Add HiveMind OS to list of clients supporting MCP Apps	danielgerlag	+1 -0	0	28d
#2665	docs: add `filter` URL parameter to `/clients` page to pre-filter clients with specific capabilities	jancurn	+20 -1	0	26d
#2667	Add Ontheia as MCP client	Ontheia	+19 -0	0	25d
#2669	SEP-2669: Task Interaction Methods (steer, pause, resume)	prezaei	+624 -0	0	24d
#2672	SEP-2672: Per-Call Passkey Verified Approval for MCP Tool Calls	pinialt	+1475 -0	0	23d
#2678	SEP-2678: Introduce additional error codes to protocol	MatthewKhouzam	+582 -0	0	21d
#2679	SEP-2679: Task streaming partial results	morozow	+775 -0	0	20d
#2684	docs: clarify HTTP log stream routing	EfeDurmaz16	+14 -0	0	19d
#2690 (draft)	Change error response status from 400 to 404 for invalid sessions	tmshkr	+1 -1	0	19d
#2694	SEP-2694: Resumable Task Event Streams	rynowak	+816 -2	0	18d
#2697	docs: clarify server description and instructions	looooown2006	+24 -0	0	17d
#2702	SEP: MCP Client Silent Refresh on 401 Invalid Token	waddah12alhajar	+152 -0	0	17d
#2707	docs: add Archestra.AI to MCP Apps and Enterprise Auth client matrix	Matvey-Kuk	+2 -1	0	14d
#2710	fix: NumberSchema min/max/default should be number, not integer	gsdv	+24 -6	0	14d
#2732	Clarify initialize version header precedence	AIandI0x1	+10 -0	0	9d
#2737	build(deps-dev): bump eslint from 10.3.0 to 10.4.0	dependabot	+9 -9	0	7d
#2747	Fix typos and clarify error handling for missing ttlMs	spacewander	+4 -2	2	6d
#2752	SEP: HTTP Message Signing for MCP Client Authentication	njdawn	+813 -2	0	5d
#2756	fix(SEP-2663): specify -32003 error for missing client capability	LucaButBoring	+16 -12	1	4d
#2781	docs: add deployment guide for proxying MCP servers	founder-OmniPA	+265 -0	0	2d
#2773	fix(SEP-2322): Explicitly support extending ResultType	LucaButBoring	+49 -50	0	2d
#2778	SEP-XXX: Adding constraints to thr MCP	schlpbch	+260 -18	0	2d
#2786	build(deps-dev): bump typescript-eslint from 8.59.3 to 8.59.4	dependabot	+66 -66	0	0d
#2785	build(deps-dev): bump tsx from 4.22.1 to 4.22.3	dependabot	+5 -5	0	0d
#2784	build(deps-dev): bump typescript-json-schema from 0.67.1 to 0.67.4	dependabot	+87 -241	0	0d

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Actionable vs target

↑ 9.70%

147

Auth

—

Actioned (7d)

↑ 33.33%

83 in last 30d

Merged (7d)

—

17 in last 30d

Hours to clear

↑ 9.59%

~48.0

1st review > 7d

—

of 91 eligible

Re-review > 24h

—

of 11 eligible

Maintainer > 24h

—

of 19 eligible

Stats — volume, timing, size distribution

Volume

Open PRs

↑ 15.82%

205

Draft PRs

—

Opened

—

last 7 days

Opened

—

156

last 30 days

Opened

—

467

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

131

last 90 days

Closed Unmerged

—

258

last 90 days

Time to First Review

Average

—

15d

Median

↑ 9.69%

P90

—

50d

P95

—

69d

Merge Time

Average

—

17d

Median

↑ 8.57%

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Breakdown by tier

Tier	Count	Auth	Maint.	~Time
1 — We're blocking someone	26	4	16	8.5h
2 — High leverage	26	7	3	3.9h
3 — Intake	69	7	0	34.2h
4 — Hygiene	23	4	3	1.2h
5 — Close candidates	3	0	0	3m
total actionable	147	22	22	48.0h
not our move	26	—	—	—

We're blocking someone (26) ⊕ ⊖

Author did what we asked and is waiting on us. Longest-waiting first.

1 SLA author-pinged-after-procedural (1) — Author addressed maintainer feedback and pinged — awaiting response.

#1861

ravyg

re-reviewmcp: convert tool/prompt schemas eagerly at registration time

author pinged @felixweinberger 35d ago

+362-7

47d

9 SLA1 auth needs-re-review (9) — Author pushed changes after review feedback — needs re-review.

#1521	LucaButBoring	re-reviewfix(client): retry SSE stream after receiving session ID	author pushed after CHANGES_REQUESTED (42d waiting)	+417-0	104d
#1563	gogakoreli	re-reviewfix: inline local $ref in tool inputSchema for LLM consumption	author pushed after CHANGES_REQUESTED (35d waiting)	+654-1	94d
#1627	nielskaspers	re-reviewdocs(server): add unit testing guide using InMemoryTransport	author pushed after CHANGES_REQUESTED (53d waiting)	+110-3	82d
#1657	rechedev9	re-reviewauthfix: accumulate OAuth scopes on 401/403 instead of overwriting	author pushed after CHANGES_REQUESTED (53d waiting)	+618-50	76d
#1712	travisbreaks	re-reviewfeat(server): add host process watchdog to StdioServerTransport	author pushed after CHANGES_REQUESTED (24d waiting)	+57-1	67d
#1726	rcdailey	re-reviewfeat(server): add keepAliveInterval for standalone GET SSE stream	author pushed after CHANGES_REQUESTED (3d waiting)	+211-19	65d
#1814	MayCXC	re-reviewfix: async onclose, stdin EOF detection, SIGTERM in examples	author pushed after CHANGES_REQUESTED (38d waiting)	+210-40	57d
#1830	claygeo	re-reviewfix(server): sanitize internal error details in tool error responses	author pushed after CHANGES_REQUESTED (41d waiting)	+192-5	55d
#1862	sid293	re-reviewfix:close transport on connection failure	author pushed after CHANGES_REQUESTED (1d waiting)	+37-10	47d

15 SLA3 auth maintainer-intake (16) — Maintainer-authored PR awaiting review from another maintainer.

#1764	felixweinberger	maintainer[v2] Make ToolTaskHandler.getTask/getTaskResult optional and actually invoke them	61d, no maintainer has looked yet	+340-315	61d
#1785	felixweinberger	maintainerfix: UriTemplate.match() handles optional, out-of-order, and encoded query parameters	59d, community reviewed (mgyarmathy)	+162-7	59d
#1828	felixweinberger	maintainerfix(client): allow transport restart after close()	55d, no maintainer has looked yet	+113-5	55d
#1893	KKonstantinov	maintainerfeat: add class decorators example	40d, no maintainer has looked yet	+564-15	40d
#1902	felixweinberger	maintainerfeat(compat): add deprecated flat ctx.* fields + RequestHandlerExtra type alias	40d, no maintainer has looked yet	+147-6	40d
#1903	felixweinberger	maintainerauthfeat(compat): McpError/ErrorCode/JSONRPCError/StreamableHTTPError + OAuth subclass aliases	40d, no maintainer has looked yet	+319-21	40d
#1908	felixweinberger	maintainerauthfeat(server-auth-legacy): add frozen v1 Authorization-Server package	40d, no maintainer has looked yet	+4976-13	40d
#1909	felixweinberger	maintainerfeat(node): restore SSEServerTransport under /node/sse, @deprecated	40d, no maintainer has looked yet	+387-11	40d
#1910	felixweinberger	maintainerdocs: reframe migration guide as 'most servers: just bump' + 21 doc gaps	40d, no maintainer has looked yet	+142-2	40d
#1939	pcarleton	maintainerbuild: exclude src/examples from published dist (v1.x)	34d, no maintainer has looked yet	+2-2	34d
#2088	mattzcarey	maintainerBundle automatic validator defaults in client/server shims	11d, no maintainer has looked yet	+384-297	11d
#2095	mattzcarey	maintainerchore: switch to module ESNext + moduleResolution bundler	10d, no maintainer has looked yet	+506-681	10d
#2125	dsp-ant	maintainerfix(client): treat HTTP 404 with session ID as session expiry	5d, no maintainer has looked yet	+202-19	5d
#2128	felixweinberger	maintainer[SEP-2663] refactor!: remove 2025-11 experimental tasks	5d, no maintainer has looked yet	+272-17461	5d
#2137	KKonstantinov	maintainerauthv2: SdkError tests	4d, no maintainer has looked yet	+72-2	4d
#2156	KKonstantinov	codemod improvements	0d, no maintainer has looked yet	+364-63	0d

High leverage (26) ⊕ ⊖

One decision unblocks or closes multiple things.

15 SLA16 auth duplicate-cluster (20 clusters, 52 PRs) — Multiple PRs address the same issue — one will be picked, others closed as duplicates.

Issue #1132 — 2 PRs ⭐ #1857 (Both PRs have unknown CI status, so the tiebreakers apply in order. #1857 touches 2 files vs #2147's 5 files (smaller, more focused diff). #1857 is also older (lower PR number), meaning it reached the queue first. A targeted docs change (2 files) carries less merge-conflict surface area and review overhead than an example addition (5 files), making #1857 the lower-risk choice under the stated criteria.)

#1857	nielskaspers	1st-reviewdocs: document tool list changed notifications	cluster primary for issue #1132 (2 PRs)	+79-31	49d
#2147	Nishant-Chaudhary5338	feat(example): add tool list changed notification example	shares linked issue #1132 with #1857	+133-9	2d

Issue #1211 — 2 PRs ⭐ #1827 (Without CI data for either PR, the tiebreakers favor #1827: it is older (higher priority per the stated criteria), and its 3-file diff suggests it includes a test file alongside the fix, whereas #2124's 2-file diff likely has no tests. The approaches also differ in scope: #1827 targets the client-side error-handling path (suppressing `onerror` when the reconnect loop will already handle the disconnect), which addresses the root cause of the race condition. #2124 targets the server-side idle stream keepalive, which appears to treat a symptom rather than the underlying SSE disconnect/error-handling logic described in #1211. Smallest focused diff favors #2124 (2 vs 3 files), but the age and likely test coverage tip the balance to #1827.)

#1827	felixweinberger	maintainerfix(client): suppress onerror when SSE disconnect will be handled by reconnect	cluster primary for issue #1211 (2 PRs)	+49-13	55d
#2124	he-yufeng	fix(server): keep idle GET SSE streams alive	shares linked issue #1211 with #1827	+40-0	5d

Issue #1471 — 3 PRs ⭐ #2009 (All three PRs have unknown CI, so that criterion does not differentiate them. The key distinction is file count: #2009 touches 4 files while #1509 and #1975 each touch 2. A no-schema handler fix realistically requires 1–2 implementation files; the extra 2 files in #2009 strongly indicate added test coverage, which ranks above "smallest diff" in the stated priority. Between the 2-file PRs, #1509 and #1975 show no evidence of tests and differ mainly in title framing ("pass empty args" vs "pass both args"), so neither has a test-coverage edge. #2009's title ("support two-arg no-schema task handlers") also suggests a more complete fix — handling both one-arg and two-arg call signatures rather than patching a single call site — which reduces the risk of a partial fix. On the available evidence, #2009 is the best candidate: most likely to carry test coverage and the most comprehensive scope.)

#1509	corvid-agent	fix: pass empty args to registerToolTask handler when no inputSchema	shares issue #1471; #2009 is the pick	+8-3	105d
#1975	nanookclaw	fix: pass both args when inputSchema omitted in task handler executor	shares linked issue #1471 with #1509	+7-5	27d
#2009	Genmin	1st-reviewfix(server): support two-arg no-schema task handlers	[llm pick] cluster primary for issue #1471: All three PRs have unknown CI, so that criterion does not differentiate them. The key distinction is file count: #2009 touches 4 files while #1509 and #1975 each touch 2. A no-schema handler fix realistically requires 1–2 implementation files; the extra 2 files in #2009 strongly indicate added test coverage, which ranks above "smallest diff" in the stated priority. Between the 2-file PRs, #1509 and #1975 show no evidence of tests and differ mainly in title framing ("pass empty args" vs "pass both args"), so neither has a test-coverage edge. #2009's title ("support two-arg no-schema task handlers") also suggests a more complete fix — handling both one-arg and two-arg call signatures rather than patching a single call site — which reduces the risk of a partial fix. On the available evidence, #2009 is the best candidate: most likely to carry test coverage and the most comprehensive scope.	+112-7	24d

Issue #1658 — 2 PRs ⭐ #1912 (Both PRs have unknown CI status, so that criterion is a wash. The decisive factor is that #1786 carries an [RFC] prefix — by convention, RFC-tagged PRs are explicit discussion/proposal vehicles, not merge-ready implementations; keeping it as the fix for #1658 would require a follow-up PR anyway. PR #1912 is a straightforward implementation PR with no RFC caveat and a precise, scoped title ("add replayInitialization for stateless serverless sessions") that maps directly to the issue's ask. Its larger diff (7 files vs 4) is actually a point in its favour under the "has tests" criterion: with 7 changed files there is more room for test coverage, whereas a 4-file RFC diff is unlikely to include comprehensive tests. On the "oldest" tiebreaker #1786 wins, but that is the lowest-priority criterion and is outweighed by the RFC-vs-implementation distinction.)

#1786	felixweinberger	[RFC] feat(server): multi-node session hydration (C# SDK parity)	shares issue #1658; #1912 is the pick	+268-11	59d
#1912	kev-flex	1st-reviewfeat(server): add replayInitialization for stateless serverless sessions	[llm pick] cluster primary for issue #1658: Both PRs have unknown CI status, so that criterion is a wash. The decisive factor is that #1786 carries an [RFC] prefix — by convention, RFC-tagged PRs are explicit discussion/proposal vehicles, not merge-ready implementations; keeping it as the fix for #1658 would require a follow-up PR anyway. PR #1912 is a straightforward implementation PR with no RFC caveat and a precise, scoped title ("add replayInitialization for stateless serverless sessions") that maps directly to the issue's ask. Its larger diff (7 files vs 4) is actually a point in its favour under the "has tests" criterion: with 7 changed files there is more room for test coverage, whereas a 4-file RFC diff is unlikely to include comprehensive tests. On the "oldest" tiebreaker #1786 wins, but that is the lowest-priority criterion and is outweighed by the RFC-vs-implementation distinction.	+535-9	40d

Issue #1708 — 2 PRs ⭐ #1718 (Both PRs have unknown CI status and touch 3 files each, so no differentiation there. PR #1718 is older (lower PR number), which is the final tiebreaker per the stated criteria. Note: full diff analysis was not possible due to GitHub access restrictions, so this decision relies solely on PR age as the deciding factor.)

#1718	Maverick-666	1st-reviewfix(client): recover streamable HTTP session on 404 for session-bound requests	cluster primary for issue #1708 (2 PRs)	+238-3	66d
#2086	Christian-Sidak	fix: clear session ID on HTTP 404 per MCP spec §Session Management	shares linked issue #1708 with #1718	+107-0	11d

Issue #1864 — 5 PRs ⭐ #1881 (All five PRs have unknown CI. Among the two 4-file PRs (#1881 and #1977), a 4-file diff is the most likely to include a test file alongside the implementation, types, and any schema change — making either preferable over the 2-file #1879 (almost certainly no tests) or the 3-file #1873/#1934. Between the two 4-file candidates, #1881 is older, satisfying the "oldest" tiebreaker. #1934 is also penalized for using the incorrect "feat" prefix on a bug fix. Recommendation is contingent on CI and test-file presence, which could not be verified from available metadata.)

#1873	nielskaspers	fix(server): add icons field to registerTool and registerToolTask	shares issue #1864; #1881 is the pick	+21-2	45d
#1879	Yanhu007	fix: support icons in registerTool config and tools/list response	shares linked issue #1864 with #1873	+14-3	44d
#1881	sainathreddyb	1st-reviewfix(server): add icons field to registerTool and registerToolTask	[llm pick] cluster primary for issue #1864: All five PRs have unknown CI. Among the two 4-file PRs (#1881 and #1977), a 4-file diff is the most likely to include a test file alongside the implementation, types, and any schema change — making either preferable over the 2-file #1879 (almost certainly no tests) or the 3-file #1873/#1934. Between the two 4-file candidates, #1881 is older, satisfying the "oldest" tiebreaker. #1934 is also penalized for using the incorrect "feat" prefix on a bug fix. Recommendation is contingent on CI and test-file presence, which could not be verified from available metadata.	+168-2	44d
#1934	Jim1874	feat(server): add icons field to registerTool()	shares linked issue #1864 with #1873	+20-2	36d
#1977	Genmin	fix(server): include registered tool icons	shares linked issue #1864 with #1873	+74-2	27d

Issue #1872 — 2 PRs ⭐ #1933 (Both PRs have unknown CI status and unknown test coverage, so the deciding criteria are diff size and age. PR #1933 touches 2 files vs. #2087's 3 files, making it the more focused fix. It is also older (lower PR number), confirming it as the earlier submission. With all else equal, the smaller, more targeted diff carries less risk of unintended side-effects and is preferred per the stated tiebreaker order.)

#1933	Jim1874	1st-reviewauthfix(client): prevent duplicate Auth headers in SSE transport	cluster primary for issue #1872 (2 PRs)	+8-1	36d
#2087	Christian-Sidak	authfix: prevent duplicate Authorization header in SSEClientTransport	shares linked issue #1872 with #1933	+49-4	11d

Issue #1944 — 2 PRs ⭐ #2142 (Both PRs have unknown CI status, so that criterion is a tie. Without diff access, test coverage cannot be confirmed for either. Falling to the next tiebreaker — diff size — #2142 touches 2 files versus #1952's 3 files, making it the more focused change. The title of #2142 also explicitly references closing #1944, indicating intentional scoping. #1952 is older, but diff size takes priority over age in the stated criteria.)

#1952	Zelys-DFKH	fix(server): loosen Accept validation when enableJsonResponse is true	shares issue #1944; #2142 is the pick	+34-8	32d
#2142	adityachilka1	fix(server): allow application/json-only Accept in JSON response mode (closes #1944)	[llm pick] cluster primary for issue #1944: Both PRs have unknown CI status, so that criterion is a tie. Without diff access, test coverage cannot be confirmed for either. Falling to the next tiebreaker — diff size — #2142 touches 2 files versus #1952's 3 files, making it the more focused change. The title of #2142 also explicitly references closing #1944, indicating intentional scoping. #1952 is older, but diff size takes priority over age in the stated criteria.	+38-3	4d

Issue #1954 — 3 PRs ⭐ #1955 (All three PRs have unknown CI status, so CI cannot differentiate them. Test coverage is also unknown from the metadata provided. On diff size, #1955 touches 1 file vs. 3 files for #1962 and 5 files for #1981 — the smallest focused diff carries less merge-conflict risk and is easiest to review. As a tiebreaker, #1955 is also the oldest of the three, meaning it has had the most time for any issues to surface in review. #1962 and #1981's larger file counts suggest they may include refactors or additional scope beyond the minimal fix.)

#1955	daksh-goyal	1st-reviewauth fix(client): check token expiry in adaptOAuthProvider before returning expired tokens	cluster primary for issue #1954 (3 PRs)	+11-1	32d
#1962	Christian-Sidak	authfix: adaptOAuthProvider returns expired tokens on long-running connections	shares linked issue #1954 with #1955	+233-2	29d
#1981	Genmin	authfix(client): avoid expired OAuth access tokens	shares linked issue #1954 with #1955	+145-13	26d

Issue #1968 — 2 PRs ⭐ #1989 (CI is unknown for both PRs and both touch exactly 3 files. #1989 has a smaller total diff (68 additions + 14 deletions = 82 lines) versus #1991 (75 additions + 12 deletions = 87 lines), giving it the edge on "smallest focused diff." It was also opened ~3 hours earlier the same day (2026-04-30T05:32Z vs 08:27Z), satisfying the "oldest" tiebreaker as well. No test-coverage difference could be determined from available data.)

#1989	Genmin	1st-reviewauthfix(client): preserve OAuth resource metadata indicator	cluster primary for issue #1968 (2 PRs)	+68-14	26d
#1991	Christian-Sidak	authfix: preserve exact resource URI from protected resource metadata	shares linked issue #1968 with #1989	+75-12	25d

Issue #2012 — 2 PRs ⭐ #2013 (Both PRs touch 4 files and CI status is unknown for both, so the tiebreaker is age (oldest wins). PR #2013 is also the older submission. Additionally, its title explicitly calls out returning -32602 (JSON-RPC Invalid Params) for validation errors, indicating it handles the error path more completely than #2139, which only mentions accepting null arguments. PR #2139 appears to be a narrower fix that omits the proper error-code response behavior described in #2013.)

#2013	blackwell-systems	1st-reviewfix: accept null arguments in tools/call and return -32602 for validation errors	cluster primary for issue #2012 (2 PRs)	+63-2	23d
#2139	2830500285	fix: accept null tool call arguments	shares linked issue #2012 with #2013	+74-1	4d

Issue #2034 — 6 PRs ⭐ #2081 (CI is unknown for all six PRs. Test coverage cannot be confirmed from available data for any PR — #2110's 4-file diff could include tests but also carries a substantially larger +157/-48 scope. With those two criteria unable to differentiate, the tiebreaker is smallest focused diff: #2081 has the most surgical change at +20/-6 across 2 files (26 total lines), compared to #2035 (+54/-5, 59 lines), #2053 (+83/-4), #2121 (+74/-4), #2149 (+76/-4), and #2110 (+157/-48). The minimal diff reduces merge-conflict risk and limits blast radius to exactly the propagation fix.)

#2035	jbsky	authfix(auth): propagate saveTokens errors during token refresh	shares issue #2034; #2081 is the pick	+54-5	17d
#2053	SAY-5	authfix(client/auth): propagate saveTokens errors after refresh	shares linked issue #2034 with #2035	+83-4	14d
#2081	Jefsky	1st-reviewauthfix(client): let saveTokens I/O errors propagate in auth()	[llm pick] cluster primary for issue #2034: CI is unknown for all six PRs. Test coverage cannot be confirmed from available data for any PR — #2110's 4-file diff could include tests but also carries a substantially larger +157/-48 scope. With those two criteria unable to differentiate, the tiebreaker is smallest focused diff: #2081 has the most surgical change at +20/-6 across 2 files (26 total lines), compared to #2035 (+54/-5, 59 lines), #2053 (+83/-4), #2121 (+74/-4), #2149 (+76/-4), and #2110 (+157/-48). The minimal diff reduces merge-conflict risk and limits blast radius to exactly the propagation fix.	+20-6	12d
#2110	pragnyanramtha	authfix(client): propagate refreshed token save errors	shares linked issue #2034 with #2035	+157-48	9d
#2121	he-yufeng	authfix(client): surface OAuth token persistence failures	shares linked issue #2034 with #2035	+74-4	7d
#2149	he-yufeng	authfix: propagate refresh token persistence errors	shares linked issue #2034 with #2035	+76-4	1d

Issue #2115 — 2 PRs ⭐ #2138 (Both PRs have unknown CI status, so that criterion does not differentiate them. #2138 is preferred on diff size: it touches 2 files versus #2116's 3 files, making it the more focused fix with less surface area for merge conflicts. If the third file in #2116 is a test and #2138 lacks test coverage, that criterion would reverse the decision — but on the available metadata, #2138 is the smaller, more targeted change.)

#2116	nacim-coder	fix: handle cancelled notifications for request id zero	shares issue #2115; #2138 is the pick	+43-1	8d
#2138	he-yufeng	fix: handle cancellation for request id zero	[llm pick] cluster primary for issue #2115: Both PRs have unknown CI status, so that criterion does not differentiate them. #2138 is preferred on diff size: it touches 2 files versus #2116's 3 files, making it the more focused fix with less surface area for merge conflicts. If the third file in #2116 is a test and #2138 lacks test coverage, that criterion would reverse the decision — but on the available metadata, #2138 is the smaller, more targeted change.	+36-2	4d

Issue #2117 — 3 PRs ⭐ #2141 (All three PRs have unknown CI status, so the tiebreaker is diff size. #2141 touches 2 files versus 3 files for both #2120 and #2135, making it the most focused change. Its title also explicitly references "closes #2117" and describes the fix semantically precisely ("treat relatedRequestId 0 as present"), which indicates the author identified the root cause (falsy zero bypassing the guard) rather than just patching the symptom. The two 3-file PRs likely include additional changes beyond the minimal fix.)

#2120	he-yufeng	fix: keep related request id zero from debouncing	shares issue #2117; #2141 is the pick	+21-1	7d
#2135	kiranmagic7	fix(core): preserve relatedRequestId 0 in debounce guard	shares linked issue #2117 with #2120	+24-1	5d
#2141	adityachilka1	fix(core): treat relatedRequestId 0 as present in debounce guard (closes #2117)	[llm pick] cluster primary for issue #2117: All three PRs have unknown CI status, so the tiebreaker is diff size. #2141 touches 2 files versus 3 files for both #2120 and #2135, making it the most focused change. Its title also explicitly references "closes #2117" and describes the fix semantically precisely ("treat relatedRequestId 0 as present"), which indicates the author identified the root cause (falsy zero bypassing the guard) rather than just patching the symptom. The two 3-file PRs likely include additional changes beyond the minimal fix.	+20-1	4d

Issue #2126 — 2 PRs ⭐ #2127 (Both PRs have unknown CI status and the same file count (2). Unable to verify test coverage or diff size from available data. Falling back to the final tiebreaker: oldest PR. #2127 predates #2140 by PR number, meaning it was opened first and has had more time for review. No concrete technical advantage was found to favor the newer #2140 over it.)

#2127	he-yufeng	authfix: continue OAuth discovery after non-JSON metadata	cluster primary for issue #2126 (2 PRs)	+33-3	5d
#2140	he-yufeng	authfix: continue auth discovery after invalid JSON metadata	shares linked issue #2126 with #2127	+37-4	4d

Issue #2151 — 2 PRs ⭐ #2153 (Both PRs have unknown CI status, so that criterion is a tie. Neither PR's test coverage is confirmed from available metadata. Applying the next tiebreaker — smallest focused diff — PR #2153 touches 2 files versus PR #2152's 3 files, making #2153 the more minimal, targeted change. The title of #2153 ("replay request-scoped terminal response") is also more precise about the scope of the fix than #2152's broader "replay request SSE responses," suggesting a tighter change. On the final tiebreaker (oldest), #2152 has the lower PR number and was likely opened first, but diff size takes precedence in the stated criteria, so #2153 is selected.)

#2152	fallintoplace	fix(server): replay request SSE responses after closeSSEStream	shares issue #2151; #2153 is the pick	+180-20	1d
#2153	adityasingh2400	authfix(server): replay request-scoped terminal response after closeSSEStream	[llm pick] cluster primary for issue #2151: Both PRs have unknown CI status, so that criterion is a tie. Neither PR's test coverage is confirmed from available metadata. Applying the next tiebreaker — smallest focused diff — PR #2153 touches 2 files versus PR #2152's 3 files, making #2153 the more minimal, targeted change. The title of #2153 ("replay request-scoped terminal response") is also more precise about the scope of the fix than #2152's broader "replay request SSE responses," suggesting a tighter change. On the final tiebreaker (oldest), #2152 has the lower PR number and was likely opened first, but diff size takes precedence in the stated criteria, so #2153 is selected.	+107-4	1d

Issue #740 — 4 PRs ⭐ #2021 (CI is unknown for all four PRs. With no test signal distinguishable from titles, the next criterion is smallest focused diff: #2021 touches 2 files versus 6–8 for the others, indicating a tighter, more targeted change. The docs(client) scope prefix also signals intentional minimal footprint. #1691 is older but its 8-file diff is the largest of the group, so the oldest tiebreaker is not reached.)

#1691	travisbreaks	feat: add multi-server routing example	shares issue #740; #2021 is the pick	+211-1	70d
#2021	EfeDurmaz16	1st-reviewdocs(client): add multi-server chatbot example	[llm pick] cluster primary for issue #740: CI is unknown for all four PRs. With no test signal distinguishable from titles, the next criterion is smallest focused diff: #2021 touches 2 files versus 6–8 for the others, indicating a tighter, more targeted change. The docs(client) scope prefix also signals intentional minimal footprint. #1691 is older but its 8-file diff is the largest of the group, so the oldest tiebreaker is not reached.	+253-0	20d
#2103	lil-goat	docs: add multi-server chatbot quickstart example	shares linked issue #740 with #1691	+9422-9091	10d
#2148	Nishant-Chaudhary5338	feat(examples): multi-server chatbot with tool routing (closes #740)	shares linked issue #740 with #1691	+493-12	2d

Issue #943 — 2 PRs ⭐ #1978 (Both PRs have unknown CI status and touch the same number of files (3). The title of #1978 ("make in-memory event replay use stored stream ids") describes the fix in terms of the underlying mechanism (storing and reusing stream ids), while #1984 ("resume in-memory event streams with underscored ids") scopes the fix narrowly to underscore-formatted ids, which may be a subset of the problem. With all other criteria equal, #1978 is the older PR and gets the tiebreaker on the "oldest" preference. I was unable to fetch diff content or CI details due to sandbox permission restrictions; if those become available, the decision should be revisited against actual test coverage and diff size.)

#1978	Genmin	1st-reviewfix: make in-memory event replay use stored stream ids	cluster primary for issue #943 (2 PRs)	+37-10	27d
#1984	Genmin	fix: resume in-memory event streams with underscored ids	shares linked issue #943 with #1978	+47-17	26d

Semantic: Both PRs fix the same bug: explicit `listChanged: false` capability settings being ignored, causing unwanted list-change notifications to be sent. Both share an identical `getCapabilities()` visibility change in `src/server/index.ts` and both modify `src/server/mcp.ts`. (2 PRs) — 2 PRs ⭐ #1948 (PR #1948 adds explicit capability guards directly on `sendResourceListChanged`, `sendToolListChanged`, and `sendPromptListChanged` in `index.ts`, making the `Server` class self-enforcing regardless of how capabilities are set upstream. PR #1937's `index.ts` change is identical but its fix relies solely on `mcp.ts` behavior; #1948 includes the same `mcp.ts` changes plus the additional notification-layer guards, making #1937 a strict subset.)

#1937	Zelys-DFKH	[v1.x backport] fix(server): respect explicit listChanged: false in McpServer	[llm] duplicates #1948: Both PRs fix the same bug: explicit `listChanged: false` capability settings being ignored, causing unwanted list-change notifications to be sent. Both share an identical `getCapabilities()` visibility change in `src/server/index.ts` and both modify `src/server/mcp.ts`.	+102-4	35d
#1948	paulelliotco	1st-reviewfix: respect disabled listChanged capabilities on v1.x	[llm] cluster primary: Both PRs fix the same bug: explicit `listChanged: false` capability settings being ignored, causing unwanted list-change notifications to be sent. Both share an identical `getCapabilities()` visibility change in `src/server/index.ts` and both modify `src/server/mcp.ts`. (2 PRs)	+221-9	32d

Semantic: Both PRs add an explicit vite@7.3.2 dependency to package.json to resolve a high-severity vulnerability in vite <7.3.2. (2 PRs) — 2 PRs ⭐ #2089 (PR #2089 uses an exact pin (`7.3.2`) rather than the range (`^7.3.2`) in #2050, which is safer for a security fix since a range could resolve to a future version that reintroduces a regression. PR #2089 also covers additional audit findings via `resolutions` for `defu`, `fast-uri`, and `kysely`, making it a superset of #2050's changes.)

#2050	raashish1601	fix: pin vite to patched version	[llm] duplicates #2089: Both PRs add an explicit vite@7.3.2 dependency to package.json to resolve a high-severity vulnerability in vite <7.3.2.	+36-32	14d
#2089	ya-nsh	1st-reviewfix: clear high severity audit findings	[llm] cluster primary: Both PRs add an explicit vite@7.3.2 dependency to package.json to resolve a high-severity vulnerability in vite <7.3.2. (2 PRs)	+108-98	11d

3 SLA1 auth needs-decision (3) — Maintainer discussed but hasn't approved or requested changes yet.

#1826	felixweinberger	maintainerauthfix(client): remove redundant onerror in _startOrAuthSse catch	maintainer COMMENTED but took no stance	+122-59	55d
#1906	felixweinberger	maintainerfeat(compat): add /server/zod-schemas subpath re-exporting *Schema constants	maintainer COMMENTED but took no stance	+94-5	40d
#1717	travisbreaks	re-reviewfeat(core): add opt-in periodic ping for connection health monitoring	maintainer COMMENTED but took no stance	+383-1	67d

3 SLA backport-follows-primary (3) — v1.x sibling of a main-branch PR. Review together — backport diff is usually mechanical.

#1083	mgyarmathy	1st-review[v1.x] fix: Update UriTemplate implementation to handle optional/omitted, out-of-order, and encoded query parameters	follows #1785 (same issue #149, different branch)	+164-11	201d
#1520	LucaButBoring	1st-review[1.x] fix(client): retry SSE stream after receiving session ID	follows #1521	+419-0	104d
#1926	tonxxd	1st-reviewfix(sse): escape U+2028 / U+2029 in SSE data lines (V1)	follows #1925	+61-2	38d

Intake (69) ⊕ ⊖

PRs not yet reviewed by a maintainer. Oldest first.

61 SLA7 auth needs-first-review (66) — Not yet reviewed by a maintainer.

#1876	JosephDoUrden	1st-reviewfix: use getLiteralValue for Zod v3 method literal extraction	45d	+4-42	45d
#1889	app/dependabot	1st-reviewchore(deps): bump actions/upload-pages-artifact from 4 to 5	42d	+1-1	42d
#1894	app/dependabot	1st-reviewchore(deps): bump the npm_and_yarn group across 1 directory with 2 updates	40d	+27-11	40d
#1911	langverse2023	1st-reviewfix(express): add CJS exports to resolve ERR_PACKAGE_PATH_NOT_EXPORTED	40d	+7-3	40d
#1923	billyriaz	1st-reviewauthfix: accept null introspection_endpoint in OAuthMetadataSchema	38d	+1-1	38d
#1925	tonxxd	1st-reviewfix(server): escape U+2028 / U+2029 in SSE data lines (v2)	38d	+59-1	38d
#1932	ameenalkhaldi	1st-reviewfix(core): skip cancellation notification for initialize requests	36d	+79-13	36d
#1935	Jim1874	1st-reviewfix(server): handle undefined args in prompts handler	36d	+8-1	36d
#1940	harshkatakwar	1st-reviewfeat: add beforeToolCall and afterToolCall lifecycle hooks to McpServer	34d	+451-24	34d
#1945	bokelley	1st-reviewfix(client): skip outputSchema validation when result is an error	33d	+153-3	33d
#1949	Zelys-DFKH	1st-reviewfix(core): allow extra JSON Schema keywords on elicitation primitive schemas	32d	+104-25	32d
#1951	Zelys-DFKH	1st-reviewauthfix(client): preserve resource_metadata URL across non-Bearer WWW-Authenticate challenges	32d	+160-22	32d
#1953	Jim1874	1st-reviewfix(server): disable listChanged capability in V1x protocol mode (closes #1819)	32d	+47-2	32d
#1958	mhegazy	1st-reviewauthfix(client/auth): use .set() for prompt=consent instead of .append() to avoid duplicating	31d	+22-1	31d
#1961	MukundaKatta	1st-reviewfix(client/sse): release reader lock on disconnect to prevent ~50MB leak	30d	+100-27	30d
#1966	MukundaKatta	1st-reviewfix(server): return Tool Execution Errors for input validation failures (SEP-1303)	29d	+154-8	29d
#1967	MukundaKatta	1st-reviewauthdocs(examples): add external auth resource server example (closes #658)	29d	+361-0	29d
#1969	nanookclaw	1st-reviewfix: handle 404 and 406 gracefully in SSE stream initialization	28d	+5-3	28d
#1971	MukundaKatta	1st-reviewfix(server): handle ZodObject in RegisteredTool.update (#1960)	28d	+77-6	28d
#1972	MukundaKatta	1st-reviewauthfix(auth): preserve resource URI without trailing slash (#1968)	28d	+78-13	28d
#1980	AP3X-Dev	1st-reviewfix(server): accept empty {} annotations in tool() overload	26d	+59-2	26d
#1982	Genmin	1st-reviewfix: enforce monotonic progress notifications	26d	+86-7	26d
#1983	Genmin	1st-reviewfix(server): debounce list changed notifications	26d	+50-1	26d
#1985	Genmin	1st-reviewfix: align zod object schemas with stripped properties	26d	+36-1	26d
#1986	Genmin	1st-reviewfix: avoid duplicate SSE close callbacks	26d	+42-2	26d
#1990	Genmin	1st-reviewfix(server): accept structurally compatible Zod v4 schemas	25d	+57-6	26d
#1995	Genmin	1st-reviewfix(server): surface stateless transport reuse errors	25d	+75-1	25d
#1996	Genmin	1st-reviewfix(server): allow JSON Accept in JSON response mode	25d	+89-8	25d
#1997	Genmin	1st-reviewauthfix(server): validate OAuth code redirect URI	25d	+210-16	25d
#1998	Genmin	1st-reviewfix(client): release SSE reader locks	25d	+111-27	25d
#1999	Genmin	1st-reviewfix: preserve elicit string pattern constraints	25d	+24-1	25d
#2000	Genmin	1st-reviewFix invalid JSON-RPC request errors	25d	+105-9	25d
#2001	Genmin	1st-reviewfix(server): validate wrapped output schemas on v1	25d	+78-3	25d
#2014	fengfeng-zi	1st-reviewfix(core): remove duplicate zod dependency declaration	21d	+6-2	21d
#2017	ankitvirdi4	1st-reviewfix(server): preserve inputSchema for z.discriminatedUnion / z.union	21d	+179-14	21d
#2026	Zelys-DFKH	1st-reviewtest(@modelcontextprotocol/node): cover pre-read body pattern in stateless mode	19d	+60-15	19d
#2027	app/github-actions	1st-reviewchore: update spec.types.ts from upstream	18d	+383-695	18d
#2028	sfrangulov	1st-reviewfix(client): stop propagating transport AbortController to POST/DELETE	18d	+82-6	18d
#2030	cyphercodes	1st-reviewfix: add root package export barrel	18d	+19-0	18d
#2033	lppedd	1st-reviewbuild: configure tsdown to output both ESM and CJS	17d	+263-64	17d
#2039	navalerakesh	1st-reviewfix: use constant-time comparison for session ID validation	16d	+23-1	16d
#2043	ChrisJr404	1st-reviewfix(client): add missing Windows env vars to DEFAULT_INHERITED_ENV_VARS	14d	+42-2	14d
#2044	raashish1601	1st-reviewfix: replay in-memory events for underscore stream ids	14d	+37-2	14d
#2045	raashish1601	1st-reviewfix: accept omitted optional prompt and tool arguments	14d	+114-2	14d
#2046	raashish1601	1st-reviewfix: accept JSON-only Accept in streamable JSON mode	14d	+37-8	14d
#2052	app/dependabot	1st-reviewchore(deps): bump changesets/action from 1.7.0 to 1.8.0	14d	+2-2	14d
#2079	Zelys-DFKH	1st-reviewfix(test): extend cloudflare workers retry to cover full request cycle	13d	+16-15	13d
#2085	rsalus	1st-review[v1.x] fix(server): emit JSON Schema 2020-12 in tools/list (SEP-1613)	11d	+87-2	12d
#2091	RomKadria	1st-reviewfix(node): reuse getRequestListener instead of creating one per request	11d	+22-27	11d
#2092	bishnubista	1st-reviewauthfix(client,core): tighten OAuth PRM resource validation per RFC 8707 §2	11d	+147-4	10d
#2099	he-yufeng	1st-reviewfix(client): fail fast after SSE reconnect exhaustion	10d	+82-17	10d
#2102	pragnyanramtha	1st-reviewPass request context to completion callbacks	10d	+173-11	10d
#2104	pragnyanramtha	1st-reviewfix(server): allow streamable HTTP JSON without content type	10d	+49-23	10d
#2105	pragnyanramtha	1st-reviewfix: tighten request handler result types on v1.x	10d	+295-40	10d
#2106	pragnyanramtha	1st-reviewfix: validate wrapped Zod output schemas	9d	+54-2	9d
#2107	pragnyanramtha	1st-reviewfix: accept omitted prompt arguments	9d	+59-1	9d
#2109	leehpham	1st-reviewfix(server): derive standalone SSE streamId per-session to prevent EventStore collisions	9d	+76-1	9d
#2111	dparikh79	1st-reviewfix(server): reject initialize with mismatched MCP-Protocol-Version header	9d	+82-0	9d
#2113	sceran	1st-reviewdocs(README): add `@modelcontextprotocol/fastify` to middleware listing	9d	+6-2	9d
#2114	pragnyanramtha	1st-reviewfix(server): track renamed registered item keys	9d	+104-16	9d
#2119	abdulmunimj	1st-reviewfix(core): inline reused Zod subschemas in tools/list JSON Schema	7d	+124-3	7d
#2122	he-yufeng	fix(server): reject requests before initialization	7d	+90-4	7d
#2123	app/dependabot	chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.8	7d	+10-10	6d
#2136	malventano	fix: resetTimeoutOnProgress does nothing without onprogress callback	5d	+10-6	5d
#2150	he-yufeng	fix: reinitialize expired streamable sessions	1d	+160-43	1d
#2154	cyq1017	Align Streamable HTTP onclose type with Transport contract	1d	+14-3	1d

3 SLA community-reviewed (3) — Community members have reviewed, but no maintainer has engaged yet.

#1870	techtoboggan	1st-reviewfix: inject progressToken when resetTimeoutOnProgress is set (not only onprogress)	46d, reviewed by travisbreaks (SLA breach)	+4-2	46d
#2003	ElliotDrel	1st-reviewfix(server): exit when MCP client closes stdin pipe	25d, reviewed by stomde (SLA breach)	+84-0	25d
#2015	morozow	1st-reviewfeat(tasks): add task streaming with partial result notifications	21d, reviewed by stomde (SLA breach)	+3021-7	21d

Hygiene (23) ⊕ ⊖

Batchable procedural ops — pings, rebases, peer reviews.

2 auth stale-awaiting-author (13) — Changes requested over two weeks ago with no author response.

#1769	felixweinberger	fix(server): align ProtocolError re-throw with spec error classification	53d since feedback	+220-58	60d
#1776	KKonstantinov	v2 remove console warns on middleware	53d since feedback	+135-116	60d
#1283	evalstate	Fix/onprogress error handling	55d since feedback	+23-1	166d
#1493	TheodorNEngoy	hono: add maxBodyBytes guard for JSON parsing	56d since feedback	+88-3	107d
#1496	TheodorNEngoy	server: add maxBodyBytes guard to WebStandardStreamableHTTPServerTransport	56d since feedback	+132-2	107d
#1500	TheodorNEngoy	ci: retry pkg-pr-new publish on transient 5xx	56d since feedback	+30-3	107d
#1664	Vadaski	fix: surface input validation errors for task-augmented tool calls	59d since feedback	+107-0	74d
#1666	Vadaski	fix: allow registering tools/resources/prompts after connect when capabilities pre-declared (#893)	53d since feedback	+218-19	74d
#1669	Vadaski	authfix: include scope parameter in OAuth authorization code token exchange	56d since feedback	+122-6	74d
#1681	meirk-brd	fix(server): stop replay cleanly when streamable HTTP replay stream c…	59d since feedback	+131-23	71d
#1813	Aboudjem	authfix(auth): deduplicate concurrent token refresh requests	53d since feedback	+386-0	57d
#1854	haydenrear	Added default mcp tool call timeout from env	46d since feedback	+133-2	50d
#1865	pch007	fix(server): handle ZodEffects in normalizeObjectSchema and getObjectShape	45d since feedback	+246-0	47d

2 auth ci-red-silent (10) — CI failing, not yet flagged to the author.

#2129	felixweinberger	chore: sync schemas to spec @142b3c3c; segregate pre-2026 wire schemas	red CI 5d	+1266-1165	5d
#1963	MukundaKatta	feat(client): add idle timeout to SSE stream reader	red CI 29d	+192-0	29d
#1964	MukundaKatta	feat(deps): make HTTP/SSE transport deps optional for stdio-only consumers	red CI 29d	+154-13	29d
#1965	MukundaKatta	feat(client): honor Retry-After on HTTP 429 responses	red CI 29d	+383-8	29d
#2010	aayushbaluni	fix: detect plain JSON Schema objects in tool() overload resolution	red CI 24d	+335-2	24d
#2019	blackwell-systems	fix: check AbortSignal in handleAutomaticTaskPolling to stop cancelled requests	red CI 20d	+8-0	20d
#2024	JoannaaKL	fix: kill process tree on StdioClientTransport.close()	red CI 19d	+174-6	19d
#2080	Jefsky	fix(server): preserve icons in registerPrompt()	red CI 12d	+12-1	12d
#2082	Jefsky	authdocs(core): clarify resetTimeoutOnProgress requires onprogress	red CI 12d	+25-7	12d
#2118	nielskaspers	authdocs(client): clarify private_key_jwt reserved-claim behavior	red CI 7d	+7-0	7d

Close candidates (3) ⊕ ⊖

Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.

stale-ci-abandoned (3) — CI has been failing for over a month with no activity.

#1335	LucaButBoring	[v1.x] Fix registerToolTask's getTask and getTaskResult handlers not being invoked	red CI 153d, no activity	+311-167	153d
#1878	dagangtj	feat(hono): add generic Env type support to createMcpHonoApp	red CI 44d, no activity	+68-3	44d
#1884	vrv	Reject standalone GET in stateless streamable HTTP mode	red CI 43d, no activity	+11-0	43d

Not our move (26) ⊕ ⊖

Clock is on the author or blocked externally. No action owed today.

4 auth parked (12) — Maintainer draft >30d, intentionally shelved.

#1292	ochafik	feat: generate schemas from types, improve type definitions	maintainer draft, 164d	+9663-3551	164d
#1463	mattzcarey	fix: tighten setRequestHandler types for Client and Server	maintainer draft, 111d	+44-15	111d
#1492	ochafik	Add request/response compression support for HTTP transports	maintainer draft, 108d	+1253-10	108d
#1531	pcarleton	authAlternative: XAA as OAuthClientProvider with Layer 2 utilities	maintainer draft, 101d	+441-140	101d
#1597	pcarleton	examples: MRTR backwards-compatibility exploration demos	maintainer draft, 87d	+1185-0	87d
#1633	ochafik	[SEP-2356] File input support for tools and elicitation	maintainer draft, 81d	+147-4	81d
#1701	felixweinberger	examples: MRTR dual-path options for 2025-11 client compat	maintainer draft, 68d	+1727-0	68d
#1721	pcarleton	authfix(xaa): address review nits from #1593 & use discoveryState	maintainer draft, 66d	+55-153	66d
#1722	pcarleton	auth[v1.x backport] SEP-990 Cross-App Access	maintainer draft, 66d	+874-3	66d
#1913	felixweinberger	feat(sdk): @modelcontextprotocol/sdk meta-package with v1 deep-import subpaths	maintainer draft, 39d	+1152-6	39d
#1942	felixweinberger	[DO NOT MERGE] RFC reference: request-first SDK architecture	maintainer draft, 34d	+14447-5183	34d
#1957	pcarleton	authfeat(client/auth): RFC 9207 iss parameter validation (SEP-2468 reference impl)	maintainer draft, 31d	+6790-907	31d

3 auth stale-draft (8) — Draft with no activity for over a week.

#872	LucaButBoring	feat: use informative user agent in HTTP requests	draft idle 286d	+407-142	286d
#1169	domdomegg	fix: allow any JSON Schema type for outputSchema	draft idle 181d	+6-17	181d
#1416	maxisbey	ci: use conformance composite action	draft idle 124d	+68-41	124d
#1624	SamMorrowDrums	authfeat(server): OAuth scope challenge support (step-up auth)	draft idle 82d	+1243-3	82d
#1973	felixweinberger	authfeat(server): lift framework-agnostic RS-auth helpers from /express	draft idle 27d	+765-184	27d
#2094	KKonstantinov	2026-06-30 routing exp 1	draft idle 10d	+5558-18134	10d
#2096	MukundaKatta	authdocs(client): clarify private_key_jwt custom claim precedence	draft idle 10d	+37-2	10d
#2097	KKonstantinov	remove tasks	draft idle 10d	+117-17795	10d

draft-active (5) — Author is still working. Fresh draft.

#2130	felixweinberger	refactor(core): extract Dispatcher; Protocol composes it	5d old	+1942-18710	5d
#2131	felixweinberger	[SEP-2575][SEP-2322][SEP-2567] 2026-06 stateless support over StreamableHTTP	5d old	+4229-1047	5d
#2132	felixweinberger	[SEP-2575][SEP-2567] 2026-06 stateless support: stdio + InMemory transports	5d old	+884-190	5d
#2133	felixweinberger	docs: 2026-06 migration guide + examples + changeset	5d old	+153-63	5d
#2134	felixweinberger	refactor!: extract LegacyServer/LegacyClient; NEW Server/Client compose them	5d old	+2083-1561	5d

bot-release (1) — Changesets 'Version Packages' — release trigger, not for triage.

#1845

app/github-actions

Version Packages (alpha)

release bot PR

+245-9

53d

Actionable vs target

↓ 5.95%

174

Auth

—

Actioned (7d)

—

199 in last 30d

Merged (7d)

—

8 in last 30d

Hours to clear

↑ 21.96%

~61.1

1st review > 7d

—

of 119 eligible

Re-review > 24h

—

of 20 eligible

Maintainer > 24h

—

of 3 eligible

Stats — volume, timing, size distribution

Volume

Open PRs

↓ 14.81%

230

Draft PRs

—

Opened

—

last 7 days

Opened

—

129

last 30 days

Opened

—

431

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

273

last 90 days

Time to First Review

Average

—

Median

↑ 22.27%

P90

—

17d

P95

—

27d

Merge Time

Average

—

Median

↑ 18.22%

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Breakdown by tier

Tier	Count	Auth	Maint.	~Time
1 — We're blocking someone	14	2	1	3.3h
2 — High leverage	25	4	2	5.1h
3 — Intake	103	22	0	51.5h
4 — Hygiene	13	2	1	54m
5 — Close candidates	19	3	2	19m
total actionable	174	33	6	61.1h
not our move	38	—	—	—

We're blocking someone (14) ⊕ ⊖

Author did what we asked and is waiting on us. Longest-waiting first.

8 SLA1 auth author-pinged-after-procedural (8) — Author addressed maintainer feedback and pinged — awaiting response.

#1440	ChenyangLi4288	re-reviewFixes protocol compliance gap described in issue #1419	author pinged @felixweinberger 182d ago	+34-1	230d
#1486	daamitt	re-reviewfeat: Add support for specifying NotificationOptions	author pinged @felixweinberger, @maxisbey 190d ago	+16-4	222d
#1697	dgenio	re-reviewdocs: clarify Streamable HTTP stateless mode semantics and usage	author pinged @felixweinberger 46d ago	+149-1	178d
#1709	dgenio	re-reviewfeat: Add LLM provider adapter documentation and examp	author pinged @felixweinberger 86d ago	+1745-0	175d
#1810	punitmahes	re-reviewauthfeat(cmid-server): Implement Server-Side Support for Client ID Metadata Documents (CIMD)	author pinged @maxisbey 82d ago	+189-1	156d
#1856	codefromthecrypt	re-reviewfix: suppress GeneratorExit during client cleanup	author pinged @Kludex 110d ago	+180-13	131d
#2099	dgenio	re-reviewfeat: expand InitializationState with explicit lifecycle state machine	author pinged @maxisbey 86d ago	+421-9	95d
#2147	akshan-main	re-reviewshutdown CPU busy-loop in HTTP/SSE transports	author pinged @maxisbey 48d ago	+156-18	89d

5 SLA1 auth needs-re-review (5) — Author pushed changes after review feedback — needs re-review.

#1436	yarnabrina	re-review[DOC] simple mcp client with sampling capability	author pushed after CHANGES_REQUESTED (150d waiting)	+1204-645	231d
#1721	BinoyOza-okta	re-reviewauthImplement SEP-990 Enterprise Managed OAuth	author pushed after CHANGES_REQUESTED (60d waiting)	+2988-3	172d
#2040	adityuhkapoor	re-reviewfix: prevent stdio_server from closing process stdio handles	author pushed after CHANGES_REQUESTED (80d waiting)	+66-10	103d
#2119	jonathanhefner	re-reviewType-check docstring code examples via companion files and unified sync script	author pushed after CHANGES_REQUESTED (90d waiting)	+1306-270	94d
#2198	Varun6578	re-reviewfix: prevent tool exceptions from leaking internal details to client	author pushed after CHANGES_REQUESTED (79d waiting)	+53-11	84d

1 SLA maintainer-intake (1) — Maintainer-authored PR awaiting review from another maintainer.

#2008

Kludex

maintainerdocs: restructure documentation with quickstart, concepts, and new nav

107d, no maintainer has looked yet

+390-135

107d

High leverage (25) ⊕ ⊖

One decision unblocks or closes multiple things.

13 SLA7 auth duplicate-cluster (15 clusters, 33 PRs) — Multiple PRs address the same issue — one will be picked, others closed as duplicates.

Issue #1401 — 3 PRs ⭐ #2122 (All three PRs have unknown CI status, so that criterion doesn't differentiate. For approach: #2374 (2 files) only logs the exception instead of propagating it — "log instead of silently swallowing" is a weaker fix for an issue about errors not reaching callers, and smaller diff size does not outweigh an incomplete fix. #2122 and #2640 both propagate the error (the correct fix) and both touch 3 files, so diff size is tied. With CI, tests, and diff size all tied between #2122 and #2640, the oldest tiebreaker favors #2122 (PR number 2122 vs 2640). Caveat: if the actual diffs show #2640 includes tests and #2122 does not, that criterion would override and #2640 should be preferred instead.)

#2122	heyhayes	1st-reviewfix: propagate SSE stream errors to waiting requests	cluster primary for issue #1401 (3 PRs)	+115-16	93d
#2374	Aboudjem	fix(session): log exceptions in default message_handler instead of silently swallowing	shares linked issue #1401 with #2122	+141-0	58d
#2640	rudi193-cmd	fix(client): propagate transport exceptions in default message handler	shares linked issue #1401 with #2122	+138-2	7d

Issue #1523 — 2 PRs ⭐ #1531 (Both PRs have unknown CI status, touch 2 files, and produce an identical diff footprint (+10/-2 lines). Neither includes tests. With no difference in CI, test coverage, or diff scope, the tiebreaker is age: #1531 was submitted ~208 days ago vs. ~10 days for #2603. Additionally, #1531's title explicitly names the mechanism ("Add accept json headers for token request"), making the approach immediately auditable, whereas #2603's title ("request json token responses") describes the desired outcome rather than the change made.)

#1531	vincent0426	1st-reviewauthfix: Add accept json headers for token request	cluster primary for issue #1523 (2 PRs)	+10-2	208d
#2603	he-yufeng	authfix: request json token responses	shares linked issue #1523 with #1531	+10-2	10d

Issue #1656 — 2 PRs ⭐ #2503 (Both PRs have unknown CI status. With that tiebreaker exhausted, the preference criteria favor #2503 on two remaining dimensions: diff size (3 files vs. 5 files — a smaller, more focused change carries lower regression risk) and age (lower PR number means it was opened first, giving it priority under the "oldest" rule). Both PRs target the same root issue — logging being configured at framework-initialization time rather than left to the application — but #2503's narrower 3-file scope suggests it confines the fix to the MCPServer initialization path without touching additional call sites that #2532's 5-file diff reaches. No merge-conflict or test-coverage data was retrievable to override these two signals.)

#2503	fungi8	1st-reviewAvoid configuring logging during MCPServer initialization	cluster primary for issue #1656 (2 PRs)	+38-4	30d
#2532	Genmin	Stop FastMCP from configuring application logging	shares linked issue #1656 with #2503	+124-9	24d

Issue #2432 — 2 PRs ⭐ #2438 (PR #2438 contains the actual fix (consuming the response body to prevent the hang), while #2472 is a test-only PR — its "test:" prefix and single changed file confirm it adds a regression test but no fix code. A test-only PR cannot close issue #2432 on its own; merged in isolation, the test would demonstrate an unfixed bug rather than resolve it. With CI unknown for both, the next tiebreaker is "has tests": #2438 changes 2 files, consistent with a fix file plus a test file, whereas #2472 changes only 1 file. #2438 is also the older PR. On every applicable criterion — substantive fix, likely test coverage, and age — #2438 is the correct choice to keep.)

#2438	vishal-vanam	1st-reviewfix: consume response body on unexpected content type to prevent client hang	cluster primary for issue #2432 (2 PRs)	+19-0	42d
#2472	Christian-Sidak	test: regression test for initialize hang on unexpected content-type	shares linked issue #2432 with #2438	+29-0	36d

Issue #2578 — 3 PRs ⭐ #2590 (All three PRs report identical surface metrics: CI status unknown and 2 files changed. With no observable difference in CI results, test coverage, or diff size, the tiebreaker is age — PR #2590 was opened first (lowest PR number). Its title "fix: omit OAuth resource on token refresh" is also the most precise description of the exact parameter being omitted, matching the fix directly. PRs #2645 and #2646 were opened later with no verified technical advantage over #2590.)

#2590	he-yufeng	1st-reviewauthfix: omit OAuth resource on token refresh	cluster primary for issue #2578 (3 PRs)	+41-9	12d
#2645	Epochex	authfix(oauth): omit resource param on token refresh	shares linked issue #2578 with #2590	+27-8	6d
#2646	FU-max-boop	authFix OAuth refresh resource handling	shares linked issue #2578 with #2590	+34-9	6d

Issue #2591 — 2 PRs ⭐ #2592 (Both PRs have unknown CI status. With CI equal, the tiebreakers favor #2592: it has a smaller diff (2 files vs 3) and was opened earlier (lower PR number). #2669's extra file could be a test, but without confirmed CI results or readable diffs, the "smallest focused diff" and "oldest" criteria — applied in the specified order — point to #2592.)

#2592	he-yufeng	1st-reviewfix: support PEP 604 structured output unions	cluster primary for issue #2591 (2 PRs)	+21-1	11d
#2669	he-yufeng	fix: wrap pipe union structured outputs	shares linked issue #2591 with #2592	+58-1	2d

Issue #2629 — 2 PRs ⭐ #2638 (Both PRs have unknown CI status (tie on criterion 1). Test coverage cannot be verified without diff access, so criterion 2 cannot be resolved. Falling through to criterion 3 — smallest focused diff — #2638 changes 2 files vs. #2630's 5 files, making it the more targeted fix. #2630's broader 5-file scope and explicit RFC annotation in the title suggest it may address additional edge cases, but without confirmed CI passage or verified test coverage, the smaller, more contained change is preferred per the stated tiebreaker order.)

#2630	CrypticCortex	authfix(auth): validate redirect_uri schemes at DCR registration (RFC 9700 §4.1.1, RFC 7591 §2)	shares issue #2629; #2638 is the pick	+214-3	7d
#2638	he-yufeng	authfix: validate registered redirect uris	[llm pick] cluster primary for issue #2629: Both PRs have unknown CI status (tie on criterion 1). Test coverage cannot be verified without diff access, so criterion 2 cannot be resolved. Falling through to criterion 3 — smallest focused diff — #2638 changes 2 files vs. #2630's 5 files, making it the more targeted fix. #2630's broader 5-file scope and explicit RFC annotation in the title suggest it may address additional edge cases, but without confirmed CI passage or verified test coverage, the smaller, more contained change is preferred per the stated tiebreaker order.	+82-1	7d

Issue #348 — 2 PRs ⭐ #1824 (Both PRs have unknown CI status, so that criterion is a tie. PR #2511 has 5 changed files vs #1824's 4 — without confirmed test coverage in that extra file, the smaller, more focused diff favors #1824. Applying the stated tiebreaker order (smallest focused diff → oldest), #1824 also wins on age (lower PR number). If a full diff review confirms that #2511's fifth file is a test and #1824 has none, that finding would flip the decision to #2511 under the "has tests" criterion.)

#1824	hanzili	1st-reviewAdd custom content support to ToolError for isError responses	cluster primary for issue #348 (2 PRs)	+269-1	142d
#2511	blackwell-systems	feat: add custom content support to ToolError	shares linked issue #348 with #1824	+155-4	28d

Semantic: Exceptions raised during streamable HTTP request handling (connection drop, server crash, network error) propagate out of the per-request coroutine uncaught, leaving the calling tool in a permanent await with no error response. Both PRs fix this by wrapping the request coroutine in try/except and sending a JSONRPCError back through read_stream_writer. (2 PRs) — 2 PRs ⭐ #2607 (PR #2607 wraps handle_request_async — the common dispatch point for both _handle_post_request and _handle_resumption_request — so the catch covers reconnection/SSE paths as well as plain POST. PR #1578 only wraps _handle_post_request and introduces a separate _send_error_response helper that #2607 renders unnecessary.)

#1578	gyang-xai	Fix issue where client tool call hangs forever if server crashes or connection dies when using streamable-http	[llm] duplicates #2607: Exceptions raised during streamable HTTP request handling (connection drop, server crash, network error) propagate out of the per-request coroutine uncaught, leaving the calling tool in a permanent await with no error response. Both PRs fix this by wrapping the request coroutine in try/except and sending a JSONRPCError back through read_stream_writer.	+332-44	202d
#2607	he-yufeng	1st-reviewfix: isolate streamable HTTP request errors	[llm] cluster primary: Exceptions raised during streamable HTTP request handling (connection drop, server crash, network error) propagate out of the per-request coroutine uncaught, leaving the calling tool in a permanent await with no error response. Both PRs fix this by wrapping the request coroutine in try/except and sending a JSONRPCError back through read_stream_writer. (2 PRs)	+70-4	10d

Semantic: Race condition in streamable HTTP post_writer startup: messages can be dispatched before post_writer is ready to receive them. Both PRs fix this identically — importing TaskStatus from anyio.abc and adding a task_status: TaskStatus[None] = anyio.TASK_STATUS_IGNORED parameter to post_writer, with task_status.started(None) called before the async-for loop to signal readiness. (2 PRs) — 2 PRs ⭐ #2666 (PR #2666 contains the identical post_writer/TaskStatus fix from #1674 and additionally closes a resource leak in stdio.py (process.stdout.aclose() after process exit). Picking #2666 avoids a follow-up PR for the stdio cleanup.)

#1674	AydarAkhmetzyanov	Race condition in streamable http	[llm] duplicates #2666: Race condition in streamable HTTP post_writer startup: messages can be dispatched before post_writer is ready to receive them. Both PRs fix this identically — importing TaskStatus from anyio.abc and adding a task_status: TaskStatus[None] = anyio.TASK_STATUS_IGNORED parameter to post_writer, with task_status.started(None) called before the async-for loop to signal readiness.	+73-2	180d
#2666	Epochex	fix(streamable-http): wait for post_writer before yielding	[llm] cluster primary: Race condition in streamable HTTP post_writer startup: messages can be dispatched before post_writer is ready to receive them. Both PRs fix this identically — importing TaskStatus from anyio.abc and adding a task_status: TaskStatus[None] = anyio.TASK_STATUS_IGNORED parameter to post_writer, with task_status.started(None) called before the async-for loop to signal readiness. (2 PRs)	+50-2	2d

Semantic: write_stream buffer size of 0 blocks a handler from queuing its response while stdout_writer is flushing a concurrent write (e.g., a progress notification), causing a deadlock. Both PRs modify the same `create_context_streams[SessionMessage](N)` call for write_stream. (2 PRs) — 2 PRs ⭐ #2215 (PR #2215 is the more general fix: it adds `write_stream_buffer_size` as an explicit parameter, which can subsume #2654's specific fix by changing the default from 0 to 1. PR #2654 hardcodes the value to 1 with no way for callers to override it, while #2215 exposes configurability and includes test coverage. The two PRs conflict on the same line; merging #2215 with its default updated to 1 renders #2654 redundant.)

#2215	yaowubarbara	1st-reviewfix(stdio): allow configurable memory stream buffer size	[llm] cluster primary: write_stream buffer size of 0 blocks a handler from queuing its response while stdout_writer is flushing a concurrent write (e.g., a progress notification), causing a deadlock. Both PRs modify the same `create_context_streams[SessionMessage](N)` call for write_stream. (2 PRs)	+85-3	81d
#2654	2830500285	fix: buffer stdio server writes during progress notifications	[llm] duplicates #2215: write_stream buffer size of 0 blocks a handler from queuing its response while stdout_writer is flushing a concurrent write (e.g., a progress notification), causing a deadlock. Both PRs modify the same `create_context_streams[SessionMessage](N)` call for write_stream.	+43-2	4d

Semantic: SSE client uses urljoin to resolve the server-advertised messages endpoint, which drops any path prefix added by a reverse proxy or API gateway (e.g. /gateway), producing a broken URL. (2 PRs) — 2 PRs ⭐ #2243 (PR #2243 fixes the bug automatically for all callers by detecting and reattaching the gateway prefix; no API surface change is required. PR #2531 adds a messages_url override parameter but leaves the original urljoin bug in place for any caller that does not pass it, making it a partial workaround rather than a fix. The two PRs define _resolve_endpoint_url with incompatible signatures and cannot both land as-is.)

#2243	Varun6578	1st-reviewfix: preserve API gateway path prefix in SSE client URL resolution	[llm] cluster primary: SSE client uses urljoin to resolve the server-advertised messages endpoint, which drops any path prefix added by a reverse proxy or API gateway (e.g. /gateway), producing a broken URL. (2 PRs)	+134-3	79d
#2531	HenryLee789	feat: allow overriding SSE messages endpoint	[llm] duplicates #2243: SSE client uses urljoin to resolve the server-advertised messages endpoint, which drops any path prefix added by a reverse proxy or API gateway (e.g. /gateway), producing a broken URL.	+110-3	24d

Semantic: BrokenResourceError (and ConnectionResetError) escaping stdout_reader when the client closes the stream while the reader is still running. PR #2450 guards the inner send() calls with try/except; PR #2456 guards the outer iteration boundary — both are plugging the same hole at different levels of the same function and would produce merge conflicts. (2 PRs) — 2 PRs ⭐ #2450 (PR #2450 fixes the race at the precise point of failure — the inner send() calls — which is where BrokenResourceError actually originates in the race scenario (issue #1960). PR #2456 bundles two unrelated changes (outer error handling + changing encoding_error_handler default from strict→replace), making it harder to review and merge cleanly; the encoding default change should travel as its own PR.)

#2450	ddullah	1st-reviewfix(stdio): handle BrokenResourceError in stdout_reader race (#1960)	[llm] cluster primary: BrokenResourceError (and ConnectionResetError) escaping stdout_reader when the client closes the stream while the reader is still running. PR #2450 guards the inner send() calls with try/except; PR #2456 guards the outer iteration boundary — both are plugging the same hole at different levels of the same function and would produce merge conflicts. (2 PRs)	+54-3	40d
#2456	shaun0927	fix(stdio_client): tolerate invalid UTF-8 from child stdout	[llm] duplicates #2450: BrokenResourceError (and ConnectionResetError) escaping stdout_reader when the client closes the stream while the reader is still running. PR #2450 guards the inner send() calls with try/except; PR #2456 guards the outer iteration boundary — both are plugging the same hole at different levels of the same function and would produce merge conflicts.	+41-4	39d

Semantic: UrlElicitationRequiredError pickle round-trip fails because the default Exception.__reduce_ex__ reconstructs via cls(*self.args) = cls(code, message, data), which mismatches the subclass constructor signature cls(elicitations, message=None), raising TypeError on unpickle (issue #2431). (2 PRs) — 2 PRs ⭐ #2555 (PR #2555 is complete and self-contained: it adds __reduce__ directly on UrlElicitationRequiredError using the standard Python pickle protocol, references the tracked issue (#2431), and includes tests. PR #2478 defines a _restore_mcp_error helper but the diff never hooks it into any __reduce__ method, leaving the fix incomplete as written.)

#2478	MukundaKatta	fix(shared): preserve MCPError payload on pickle	[llm] duplicates #2555: UrlElicitationRequiredError pickle round-trip fails because the default Exception.__reduce_ex__ reconstructs via cls(*self.args) = cls(code, message, data), which mismatches the subclass constructor signature cls(elicitations, message=None), raising TypeError on unpickle (issue #2431).	+57-1	35d
#2555	MukundaKatta	1st-reviewfix(shared): make UrlElicitationRequiredError pickle-safe (refs #2431)	[llm] cluster primary: UrlElicitationRequiredError pickle round-trip fails because the default Exception.__reduce_ex__ reconstructs via cls(*self.args) = cls(code, message, data), which mismatches the subclass constructor signature cls(elicitations, message=None), raising TypeError on unpickle (issue #2431). (2 PRs)	+70-0	18d

Semantic: RequestResponder.cancel() doesn't comply with the MCP cancellation spec: it was sending an error response it must not send (#2493), not sending the notifications/cancelled it must send (#2514), and the resulting broken scope state caused a CancelledError to escape __exit__ when _completed=True (#2624). All three are symptoms of the same mis-implemented cancel() flow. (3 PRs) — 3 PRs ⭐ #2514 (PR #2514 is the affirmative fix: it imports CancelledNotificationParams and sends the spec-required notifications/cancelled on both timeout and caller cancellation, covering the widest set of cancellation scenarios. #2493 only removes the wrong behavior (error response) without adding the required notification, and #2624 is a downstream cleanup patch. A consolidated fix naturally starts from implementing the correct notification, then drops the error response and handles scope cleanup from there.)

#2493	Zelys-DFKH	fix: don't send a response for cancelled requests	[llm] duplicates #2514: RequestResponder.cancel() doesn't comply with the MCP cancellation spec: it was sending an error response it must not send (#2493), not sending the notifications/cancelled it must send (#2514), and the resulting broken scope state caused a CancelledError to escape __exit__ when _completed=True (#2624). All three are symptoms of the same mis-implemented cancel() flow.	+30-8	33d
#2514	dragogargo	1st-reviewfix: send notifications/cancelled on request timeout and caller cancellation	[llm] cluster primary: RequestResponder.cancel() doesn't comply with the MCP cancellation spec: it was sending an error response it must not send (#2493), not sending the notifications/cancelled it must send (#2514), and the resulting broken scope state caused a CancelledError to escape __exit__ when _completed=True (#2624). All three are symptoms of the same mis-implemented cancel() flow. (3 PRs)	+121-2	28d
#2624	FU-max-boop	Fix completed request cancellation cleanup	[llm] duplicates #2514: RequestResponder.cancel() doesn't comply with the MCP cancellation spec: it was sending an error response it must not send (#2493), not sending the notifications/cancelled it must send (#2514), and the resulting broken scope state caused a CancelledError to escape __exit__ when _completed=True (#2624). All three are symptoms of the same mis-implemented cancel() flow.	+57-1	8d

9 SLA1 auth needs-decision (9) — Maintainer discussed but hasn't approved or requested changes yet.

#2096	localden	maintainerFix the session binding logic for tasks.	maintainer COMMENTED but took no stance	+681-247	96d
#2344	pja-ant	maintainerfix(server): return -32602 for resource not found (SEP-2164)	maintainer COMMENTED but took no stance	+95-20	61d
#1397	samchenatti	re-reviewValidate metadata keys	2 maintainer comments, zero reviews	+110-1	243d
#1439	beaterblank	re-reviewEnhanced ResourceTemplate URI matching and type handling logic.	maintainer COMMENTED but took no stance	+2350-66	230d
#1517	yukuanj	re-reviewauthAdd resource_owner field to AuthorizationCode and AccessToken classes	maintainer COMMENTED but took no stance	+9-0	210d
#1825	Ilan-kayesar	re-reviewAdded descriptions for arguments taken from docstring	maintainer COMMENTED but took no stance	+253-8	141d
#2075	BabyChrist666	re-reviewReject JSON-RPC requests with null id instead of misclassifying as notifications	maintainer COMMENTED but took no stance	+60-1	97d
#2117	sreenithi	re-reviewPluggable Transport Abstractions for Client and Shared sessions	maintainer COMMENTED but took no stance	+837-83	94d
#2342	perhapzz	re-reviewtest: convert context_aware_server to in-process threads for coverage	maintainer COMMENTED but took no stance	+41-18	61d

1 SLA backport-follows-primary (1) — v1.x sibling of a main-branch PR. Review together — backport diff is usually mechanical.

#2449

ddullah

1st-review[v1.x] fix(stdio): handle BrokenResourceError in stdout_reader race (#1960)

follows #2450

+52-3

40d

Intake (103) ⊕ ⊖

PRs not yet reviewed by a maintainer. Oldest first.

84 SLA22 auth needs-first-review (103) — Not yet reviewed by a maintainer.

#1566	bjoaquinc	1st-reviewtest: update SSE tests to use StreamingASGITransport instead of uvicorn for server testing	203d	+366-367	203d
#1570	carlosemart	1st-reviewDisable logs reconfigure on startup	202d	+45-7	202d
#1582	vincent0426	1st-reviewfix: Raise resource not found error	201d	+50-10	201d
#1597	bjoaquinc	1st-reviewauthfix: validate PRM resource field per RFC 9728 Section 3.3	197d	+62-5	197d
#1608	cbcoutinho	1st-reviewfeat: propagate session_id from transport to tool context	196d	+330-1	196d
#1611	kylestratis	1st-reviewClient notification support	196d	+889-4	196d
#1647	FanisPapakonstantinou	1st-reviewImprove exception handling for ClientDisconnect errors	186d	+10-1	186d
#1666	matthew-gries	1st-reviewfix: Fix logic that determines standard resource vs. resource template to account for context param (#1635)	182d	+280-58	182d
#1807	sesajad	1st-reviewMake `errlog` optional in `stdio_client` and update default to `None`	157d	+73-2	157d
#1812	ivanbelenky	1st-reviewfix: `handle_sse_response` causing dangling client's read_stream	155d	+20-1	156d
#1817	challenger71498	1st-reviewfix: cleanup resources properly on `BaseSession::_receive_loop` cleanup	150d	+89-11	150d
#1818	jayhemnani9910	1st-reviewfix: auto-reinitialize client session on HTTP 404	146d	+671-9	146d
#1846	jayhemnani9910	1st-reviewauthfix: respect token_endpoint_auth_method=none when client_secret exists	136d	+72-3	136d
#1847	challenger71498	1st-reviewauthfeat: fully support Basic Authorization header at token request	134d	+148-58	134d
#1849	newbiehwang	1st-reviewFix: Raise RuntimeError when ClientSession is used without context manager to prevent hangs	133d	+40-0	133d
#1943	sicoyle	1st-reviewfix: prevent silent failure on GET stream so clients don't hang	122d	+185-2	122d
#2032	adityuhkapoor	1st-reviewfix: skip JSON pre-parsing for str union annotations in pre_parse_json	104d	+38-1	104d
#2041	BryceEWatson	1st-reviewfeat: expose progress_callback in ServerSession methods	102d	+144-1	102d
#2065	IT-HONGREAT	1st-reviewauthfeat: add auth parameter to ClientSessionGroup server parameters	100d	+107-1	100d
#2078	BabyChrist666	1st-reviewauthfix: restore eager OAuth discovery to avoid slow unauthenticated roundtrip	97d	+303-99	97d
#2093	aabmass	1st-reviewOpenTelemetry inject trace context propagation in `_meta`	96d	+544-102	96d
#2187	Br1an67	1st-reviewfix: preserve notification metadata when related_request_id is 0	85d	+43-1	85d
#2191	Br1an67	1st-reviewfix: reject unsupported HTTP methods early in session manager	85d	+88-0	85d
#2192	Br1an67	1st-reviewdocs: add CLI command flags reference to README	85d	+46-0	85d
#2193	harsh543	1st-reviewauthfeat(auth): add Authlib-backed OAuth adapter (related to #1240)	85d	+1011-2	85d
#2196	Varun6578	1st-reviewauthfix: only retry 403 responses for insufficient_scope error	84d	+53-5	84d
#2207	weiguangli-io	1st-reviewauthfix: pass related_request_id in Context.report_progress()	82d	+51-3	82d
#2209	shivama205	1st-reviewauthfeat: add subject and claims fields to AccessToken	82d	+127-1	82d
#2261	namabile	1st-reviewauthfix: include "none" in token_endpoint_auth_methods_supported metadata	77d	+9-5	77d
#2271	oedokumaci	1st-reviewauthfix(oauth): preserve existing refresh_token when refresh response omits it	75d	+116-1	75d
#2281	omar-y-abdi	1st-reviewAdd client callbacks for list_changed notifications	75d	+179-4	75d
#2296	ameenalkhaldi	1st-reviewdocs: add environment variables guide	71d	+124-0	71d
#2335	rgoldstein1989	1st-reviewfeat: add remove_prompt(), remove_resource(), and remove_resource_template()	64d	+242-1	64d
#2341	perhapzz	1st-reviewtest: replace subprocess servers with in-process threaded servers for coverage tracking	61d	+459-182	61d
#2343	mangelajo	1st-reviewExpose optional stdin/stdout on MCPServer stdio entrypoints	61d	+76-5	61d
#2352	perhapzz	1st-reviewrefactor: decompose func_metadata() into smaller focused helpers	60d	+153-76	60d
#2357	BlocksecPHD	1st-reviewfix(streamable-http): reduce stateless termination log noise	60d	+44-1	60d
#2361	4444J99	1st-reviewfix: accept single supported content type in SSE mode Accept header	59d	+139-13	59d
#2365	raashish1601	1st-reviewfix: make Windows stdio pywin32 optional	59d	+117-15	59d
#2377	guoyangzhen	1st-reviewfix: allow custom Content-Type header in StreamableHTTPTransport	57d	+10-2	57d
#2394	verdie-g	1st-reviewfeat: implement OTEL mcp.server.* metrics	50d	+1116-751	50d
#2395	Dharit13	1st-reviewFix infinite reconnection loop in StreamableHTTP client	50d	+62-9	50d
#2407	dgenio	1st-reviewfeat: add public setter methods for ClientSession callbacks	46d	+177-1	46d
#2410	RudrenduPaul	1st-reviewfix: allow integer file descriptors for errlog in stdio_client	46d	+13-5	46d
#2411	Smeet23	1st-reviewfix(session): return INVALID_REQUEST error instead of crashing on pre-init requests	46d	+74-2	46d
#2418	manjunathgujjar	1st-reviewfix: silence respond() when concurrent cancellation already completed request	46d	+108-2	46d
#2428	KeWang0622	1st-reviewfix: remove JSON-RPC ID type coercion for spec-compliant strict matching	43d	+40-64	43d
#2437	app/dependabot	1st-reviewchore(deps-dev): bump pillow from 12.1.1 to 12.2.0 in the uv group across 1 directory	42d	+94-94	42d
#2441	atishay2	1st-reviewfix: invalidate tool schema cache on ToolListChangedNotification; paginate all pages in _validate_tool_result	42d	+121-2	42d
#2447	SAY-5	1st-reviewfix(server): allow tools with outputSchema to surface errors via unstructured content	40d	+31-10	40d
#2457	shaun0927	1st-reviewfix(streamable-http): expose session_idle_timeout and pause idle reaping during active requests	39d	+106-11	39d
#2459	yuka-with-data	1st-reviewDoc: Clarify MCP Client-Server model in What is MCP section	39d	+5-1	39d
#2465	cubaseuser123	1st-reviewdocs: add prompt client/server example to address #498	38d	+94-2	38d
#2466	kimsehwan96	1st-reviewfix: skip output schema validation when tool returns is_error=True	37d	+27-2	37d
#2467	kimsehwan96	1st-reviewfix: [v1.x backport] skip output schema validation when tool returns isError=True	37d	+27-2	37d
#2468	NeelakandanNC	1st-reviewfeat(mcpserver): add Context.assert_within_roots for server-side roots enforcement	37d	+180-0	37d
#2476	trentisiete	1st-reviewfeat(examples): add simple-sampling server and client	36d	+603-0	36d
#2484	sakenuGOD	1st-reviewfix(client/stdio): allow FIFO cleanup of multiple transports on asyncio (#577)	35d	+272-30	35d
#2490	demoray	1st-reviewfix: dispatch client request handlers concurrently (#2489)	34d	+262-10	34d
#2492	mangibaud33	1st-reviewauthfeat(auth): persist oauth_metadata via TokenStorage to fix refresh after restart	33d	+294-6	33d
#2498	Zelys-DFKH	1st-reviewfeat(security): add subdomain wildcard support to allowed_hosts and allowed_origins	32d	+264-20	32d
#2500	ZLeventer	1st-reviewauthRemove dead commented-out code in register_client	32d	+0-2	32d
#2502	bobbyo	1st-review[v1.x] Drop responses/notifications when write stream is already closed	31d	+98-4	31d
#2506	GitAashishG	1st-reviewfeat(cli): support env vars in `mcp dev` (#339)	29d	+130-22	30d
#2520	GopalGB	1st-reviewfix(examples/simple-chatbot): align declared deps with actual usage	26d	+6-3	26d
#2524	Genmin	1st-reviewfix(cli): avoid Windows shell for mcp dev	25d	+147-19	25d
#2536	blackwell-systems	1st-reviewfix: resolve lost-wakeup races in InMemoryTaskStore.wait_for_update	23d	+69-7	23d
#2544	abhinavmathur-atlan	1st-reviewfix: exclude None optional fields from task result serialization	20d	+31-2	20d
#2565	blackwell-systems	1st-reviewfix: chain exceptions with `from` in 12 remaining raise sites	17d	+15-15	17d
#2573	charles-adedotun	1st-reviewfix(shared): strip envelope fields when forwarding JSONRPCRequest	14d	+59-0	14d
#2585	Choppaaahh	1st-reviewauthfix(auth): normalize URL paths before hierarchical resource check	12d	+82-3	12d
#2589	stefandevo	1st-reviewfeat: add reset_timeout_on_progress and max_total_timeout to send_request	12d	+500-13	12d
#2606	he-yufeng	1st-reviewfix: reject changed duplicate initialize	10d	+75-2	10d
#2608	MukundaKatta	1st-reviewfeat: expose schema generator for tool schemas	10d	+77-5	10d
#2609	MukundaKatta	1st-reviewdocs: list Python 3.14 in README badge	10d	+1-1	10d
#2612	pragnyanramtha	1st-reviewfix: handle Image helpers in mixed return annotations	10d	+88-3	10d
#2613	pragnyanramtha	1st-reviewfix: isolate streamable HTTP POST errors	10d	+163-1	10d
#2616	pragnyanramtha	1st-reviewauth[v1.x] fix(auth): request JSON token responses	9d	+6-0	9d
#2621	pragnyanramtha	1st-reviewfix: support context-only resources	9d	+44-14	9d
#2622	Epochex	1st-reviewfix: validate full sampling tool result history	9d	+125-22	9d
#2623	pragnyanramtha	1st-reviewfix: detect context on callable tool instances	9d	+26-1	8d
#2631	Epochex	1st-reviewfix: fail fast when session is not started	7d	+60-4	7d
#2633	Epochex	1st-reviewfix(streamable-http): close SSE responses on errors	7d	+149-15	7d
#2636	app/dependabot	1st-reviewchore(deps): bump the github-actions group across 1 directory with 9 updates	7d	+26-26	7d
#2639	he-yufeng	fix: reject initialize protocol version conflicts	7d	+142-17	7d
#2642	siddhirajkatkar	authfix: add 'invalid_target' to AuthorizationErrorCode (RFC 8707)	7d	+1-0	7d
#2650	he-yufeng	fix: request identity encoding for streamable HTTP	5d	+5-0	5d
#2651	pragnyanramtha	authfix(auth): avoid SSE OAuth refresh deadlock	5d	+507-0	5d
#2652	STiFLeR7	feat: add protocol version override support for client session initialization	4d	+139-4	4d
#2656	devteamaegis	fix: rename `.gitattribute` to `.gitattributes` so git actually reads it	4d	+0-0	4d
#2657	truffle-dev	[v1.x] fix(streamable-http): reject duplicate JSON-RPC ids with 409	4d	+98-3	4d
#2658	adityasingh2400	Add list_all_* helpers that drain pagination on the client	4d	+383-18	4d
#2659	adityasingh2400	fix: serialize Image and Audio helpers as ImageContent/AudioContent	4d	+146-0	4d
#2661	putramkti	docs(experimental): add docstrings to default task handler functions	3d	+6-0	3d
#2662	adityasingh2400	authdocs(auth): clarify that resource_server_url must include the transport path	3d	+26-8	3d
#2664	afischh	authfix(auth): accept client credentials from Basic auth header in token endpoint (#1315)	2d	+134-3	2d
#2667	adityasingh2400	feat(client): add validate_structured_output option to ClientSession	2d	+77-0	2d
#2670	afischh	authfix: include transport path in protected resource metadata URL (RFC 9728 §3)	2d	+79-4	2d
#2671	he-yufeng	fix: exit cleanly on stdio KeyboardInterrupt	2d	+15-1	2d
#2672	scosemicolon	Clarify CLI subprocess environment comment	2d	+1-1	2d
#2674	Ar-maan05	feat(session): propagate callback exceptions to the awaiter	1d	+137-2	1d
#2675	Epochex	authfix(auth): get_access_token reflects current request in stateful sessions	1d	+138-2	1d
#2676	dogacancolak	authSEP-2350: accumulate scopes on step-up auth	1d	+595-94	1d

Hygiene (13) ⊕ ⊖

Batchable procedural ops — pings, rebases, peer reviews.

2 auth stale-awaiting-author (8) — Changes requested over two weeks ago with no author response.

#2175	Kludex	Return `CallToolResult` from `convert_result` instead of a tuple	85d since feedback	+14-27	86d
#1638	calvingiles	Add support for _meta attributes in resource contents	CI ping 186d ago, no fix	+426-4	188d
#1784	keurcien	authFix `token_expiry_time` upon context initialization for stored tokens.	author self-diagnosed CI 33d ago, never fixed	+109-0	164d
#1851	domdomegg	chore: update licensing to Apache 2.0 for new contributions	110d since feedback	+203-8	133d
#2020	BabyChrist666	feat: support stderr logging in Jupyter notebook environments	author self-diagnosed CI 98d ago, never fixed	+285-10	106d
#2146	BabyChrist666	feat: public API for runtime handler registration/deregistration	author self-diagnosed CI 66d ago, never fixed	+187-26	89d
#2253	weiguangli-io	fix: terminate active StreamableHTTP sessions during shutdown	author self-diagnosed CI 30d ago, never fixed	+14-0	77d
#2401	enjoykumawat	authfix: prefix auth routes with issuer_url base path for gateway deployments	author self-diagnosed CI 44d ago, never fixed	+62-6	48d

approved-rotted (1) — Was approved, now conflicting. Rebase or ask author.

#1872

DePasqualeOrg

fix: correct unknown tool/prompt/resource error handling

approved 72d ago, now conflicting

+63-35

130d

ci-red-silent (4) — CI failing, not yet flagged to the author.

#2551	namor5772	fix(client/stdio): fall back to os.devnull when sys.stderr is None	red CI 18d	+23-2	18d
#2552	Maanik23	fix: disable newline translation in stdio TextIOWrapper to prevent CRLF on Windows	red CI 18d	+60-2	18d
#2637	VrtxOmega	fix: make ClientSessionGroup streamable HTTP errors catchable	red CI 7d	+121-5	7d
#2668	adityasingh2400	fix(streamable-http): downgrade stateless 'Terminating session: None' log	red CI 2d	+42-1	2d

Close candidates (19) ⊕ ⊖

Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.

3 auth stale-ci-abandoned (19) — CI has been failing for over a month with no activity.

#2339	maxisbey	chore: enforce type annotations on all functions via ruff ANN rules	red CI 62d, no activity	+162-121	62d
#2387	Kludex	Add richer OTel MCP span attributes	red CI 53d, no activity	+196-17	53d
#1712	vemonet	Add working example to easily integrate a FastMCP endpoint to a FastAPI app (which is not trivial)	red CI 175d, no activity	+128-6	175d
#1934	williamomeara	authFix RFC 8252 Section 7.3 compliance for loopback redirect URIs	red CI 123d, no activity	+229-4	123d
#1947	skyvanguard	fix: handle ClientDisconnect gracefully instead of returning HTTP 500	red CI 121d, no activity	+245-49	121d
#2077	mrutunjay-kinagi	authfix(auth): forward user-agent to oauth flow requests	red CI 97d, no activity	+104-3	97d
#2145	wiggzz	Fix stateless HTTP task accumulation causing memory leak	red CI 89d, no activity	+296-20	89d
#2180	dgenio	fix: add SSRF redirect protection to httpx client factory	red CI 86d, no activity	+266-2	86d
#2199	Varun6578	fix: handle HTTP 4xx/5xx gracefully in StreamableHTTP transport	red CI 84d, no activity	+133-5	84d
#2245	Varun6578	fix: collapse single-exception ExceptionGroups from task groups	red CI 79d, no activity	+333-23	79d
#2252	BabyChrist666	refactor: consistent raise-based error handling in MCPServer handlers	red CI 78d, no activity	+227-25	78d
#2327	mrutunjay-kinagi	feat(client): add explicit session_id support for Streamable HTTP resumption	red CI 65d, no activity	+244-7	65d
#2369	raashish1601	Add stdio regression test for raw invalid UTF-8 tool arguments	red CI 58d, no activity	+127-0	58d
#2372	raashish1601	Return METHOD_NOT_FOUND for invalid request methods	red CI 58d, no activity	+70-2	58d
#2373	chasewhughes	authfix(auth): respect explicitly-set client_metadata.scope during discovery	red CI 58d, no activity	+143-5	58d
#2415	mplemay	refactor: make tool registration object-based	red CI 46d, no activity	+199-148	46d
#2448	MukundaKatta	feat(tools): inline local $ref in tool inputSchema (#2384)	red CI 40d, no activity	+328-4	40d
#2483	fede-kamel	fix(client): propagate HTTP transport errors to caller (#2110)	red CI 35d, no activity	+327-15	35d
#2499	Zelys-DFKH	fix(mcpserver): advertise capabilities only for registered primitives	red CI 32d, no activity	+117-2	32d

Not our move (38) ⊕ ⊖

Clock is on the author or blocked externally. No action owed today.

6 auth parked (20) — Maintainer draft >30d, intentionally shelved.

#1855	pcarleton	authAdd conformance auth server for OAuth server authentication testing	maintainer draft, 131d	+302-0	131d
#1921	maxisbey	ci: use conformance repo's composite GitHub Action	maintainer draft, 124d	+25-40	124d
#1938	maxisbey	authfix: strip trailing slashes from OAuth metadata URL fields	maintainer draft, 122d	+28-10	122d
#1999	pcarleton	authfix: pass new conformance auth scenarios, bump to 0.1.13	maintainer draft, 109d	+137-4	109d
#2217	ochafik	[SEP-2356] File input support for tools and elicitation	maintainer draft, 81d	+110-0	81d
#2238	maxisbey	Truncate untrusted peer-controlled values before logging/raising	maintainer draft, 80d	+41-38	80d
#2263	maxisbey	fix: eliminate test port allocation race by running uvicorn in-thread	maintainer draft, 76d	+152-279	76d
#2264	maxisbey	tests: eliminate port-allocation races in SSE/StreamableHTTP tests	maintainer draft, 76d	+647-1119	76d
#2301	maxisbey	authfix: remove scope registration check from authorize handler	maintainer draft, 69d	+37-56	69d
#2320	maxisbey	Extract JSON-RPC wrapping into a Dispatcher component	maintainer draft, 66d	+523-223	66d
#2322	maxisbey	draft: MRTR (SEP-2322) lowlevel plumbing + handler-shape comparison	maintainer draft, 66d	+2609-14	66d
#2336	maxisbey	authfeat(auth): add BearerAuth for minimal bearer-token authentication	maintainer draft, 62d	+829-10	62d
#2340	maxisbey	fix: propagate pre-endpoint errors in sse_client instead of deadlocking	maintainer draft, 62d	+119-9	62d
#2346	maxisbey	authfeat: add MCP_HIDE_INPUT_IN_ERRORS env var to redact payloads from validation errors	maintainer draft, 61d	+75-3	61d
#2356	maxisbey	feat: RFC 6570 URI templates with operator-aware security	maintainer draft, 60d	+3093-38	60d
#2388	Kludex	Add MCP proxy helper	maintainer draft, 52d	+699-12	52d
#2452	maxisbey	feat: add Dispatcher Protocol and DirectDispatcher	maintainer draft, 39d	+623-1	39d
#2458	maxisbey	feat: JSONRPCDispatcher	maintainer draft, 39d	+1227-67	39d
#2460	maxisbey	feat: PeerMixin, BaseContext, Connection, server Context	maintainer draft, 39d	+1230-0	39d
#2491	maxisbey	feat: ServerRunner — per-connection orchestrator	maintainer draft, 34d	+753-6	34d

1 auth stale-draft (12) — Draft with no activity for over a week.

#1800	the-ayyi	Add propagate_through_tool_handlers attribute to McpError for protocol flow control	draft idle 158d	+194-8	158d
#1838	jayhemnani9910	fix: send error on SSE disconnect without resumption token	draft idle 139d	+83-1	139d
#1998	bgaidioz	authFix: Refresh auth context per Streamable HTTP request	draft idle 109d	+196-0	109d
#2130	jonathanhefner	Import "Build an LLM-powered chatbot" quickstart guide	draft idle 91d	+2024-268	91d
#2132	aabmass	OpenTelemetry MCP client spans	draft idle 90d	+1612-118	90d
#2133	aabmass	OpenTelemetry extract trace context from `_meta` in incoming requests	draft idle 90d	+814-114	90d
#2138	jonathanhefner	Import "Build a weather server" quickstart guide	draft idle 90d	+2600-268	90d
#2139	jonathanhefner	Replace Claude for Desktop with VS Code + Copilot in server quickstart	draft idle 90d	+2514-268	90d
#2509	faridun-ag2	fix(server): return 405 on GET/DELETE in stateless HTTP mode	draft idle 29d	+136-0	29d
#2562	maxisbey	[v2] Server registry + per-connection state; ServerRunner consumes Server[L] directly	draft idle 17d	+460-194	17d
#2596	MukundaKatta	refactor(client): rename message handler callback	draft idle 11d	+58-59	11d
#2598	MukundaKatta	docs: add server instructions example	draft idle 10d	+58-0	10d

stale-draft-pinged (4) — Draft; maintainer pinged for status over a week ago with no response.

#946	agronholm	Improved Trio support	pinged 241d ago	+125-138	347d
#1222	wenxuwan	fix: Handle SSE Disconnects Properly When use starlette middleware	pinged 237d ago	+26-20	298d
#1395	Bumshakalaka	fix: update response status code for invalid session ID in HTTPSessionManger	pinged 237d ago	+2-1	243d
#2029	Ashutosh0x	fix: use ASGI callable for SSE endpoint to avoid BaseHTTPMiddleware AssertionError (#883)	pinged 103d ago	+108-8	104d

1 auth draft-active (1) — Author is still working. Fresh draft.

#2660

peisuke

authfix(oauth): narrow context.lock scope in async_auth_flow

3d old

+259-17

bot-release (1) — Changesets 'Version Packages' — release trigger, not for triage.

#2451

app/github-actions

chore: weekly dependency update

release bot PR

+1140-1001

39d

Volume

Open PRs

↑ 18.75%

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

144

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

Median

↑ 218.92%

12h

P90

—

14d

P95

—

21d

Merge Time

Average

—

Median

↑ 125.33%

PRs Needing Maintainer Review

Open PRs with no maintainer review (excludes drafts from counts)

No Maintainer Review

↑ 35.29%

>24 hours

No Maintainer Review

—

>7 days

PRs Awaiting Maintainer Review

Sorted by longest wait time first

PR	Title	Author	Size	Reviews	Waiting
#1120 (draft)	WIP: Reduce copies, eliminate a lot of UTF-16 transcoding	Tyler-IN	+2145 -425	1	152d
#1238	ClientOAuthProvider.Scopes have priority again (#1236)	halllo	+45 -3	0	111d
#1367	Mcp.core.distributed	xiangyan99	+4033 -1	2	90d
#1393 (draft)	ProtectedMcpServer: enforce per-user concurrent tool-call limit with `PartitionedRateLimiter` in call-tool filter	copilot-swe-agent	+35 -1	0	87d
#1423	Augment conceptual docs with Docker-based MCP server deployment guidance	john-mckillip	+224 -94	0	75d
#1444	fix: propagate auth errors (401/403) immediately instead of falling b…	xue-cai	+72 -1	0	69d
#1474	Implement authorization server binding and credential isolation (MCP SEP-2352)	copilot-swe-agent	+376 -3	0	57d
#1496	feature: Added configurable token endpoint auth method selection	RobotechUSA	+26 -1	0	52d
#1495	Fix flaky DiagnosticTests.Session_TracksActivities by waiting for full server activity predicate	copilot-swe-agent	+28 -13	0	52d
#1501	Add HTTP call completion logging for exceptions and non-success status codes	copilot-swe-agent	+86 -8	0	52d
#1499 (draft)	Fix McpTask double-wrapping when tool returns its own task	copilot-swe-agent	+150 -1	0	52d
#1517	Fix: Relax resource URI validation to accept base URL	JBallan	+64 -11	2	40d
#1519	Release SSE response stream reference when GET request ends	joelmforsyth	+94 -23	0	38d
#1532	feat(server): support external description sources on McpServerTool attribute	MukundaKatta	+263 -4	0	28d
#1531	perf(server): skip IdleTrackingBackgroundService timer in stateless mode	MukundaKatta	+61 -0	0	28d
#1530	fix(client): preserve underlying status code in AutoDetect probe	MukundaKatta	+140 -8	0	28d
#1569	Bump danielpalme/ReportGenerator-GitHub-Action from 5.5.5 to 5.5.10	dependabot	+1 -1	0	14d
#1579 (draft)	[WIP] Implement SEP-2663 Tasks Extension	PranavSenthilnathan	+3848 -11858	0	9d
#1583	Bump JsonSchema.Net and System.Linq.AsyncEnumerable	dependabot	+2 -2	0	7d
#1582	Bump coverlet.collector from 10.0.0 to 10.0.1	dependabot	+1 -1	0	7d
#1586	Bump Microsoft.Extensions.AI.Abstractions from 10.5.2 to 10.6.0	dependabot	+1 -1	0	7d
#1585	Bump Microsoft.Extensions.AI from 10.5.2 to 10.6.0	dependabot	+1 -1	0	7d
#1584	Bump Anthropic from 12.17.0 to 12.21.0	dependabot	+1 -1	0	7d
#1597	Bump qs from 6.14.2 to 6.15.2 in the npm_and_yarn group across 1 directory	dependabot	+3 -3	0	2d
#1600	Require Tool inputSchema during deserialization	DragonFSKY	+9 -0	0	1d
#1599	Add McpClientOptions.InitializeMeta to set _meta on the initialize request	adityasingh2400	+61 -0	0	1d
#1598	Remove explicit SSE content encoding	DragonFSKY	+2 -3	0	1d

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Actionable vs target

↓ 3.85%

Auth

—

Actioned (7d)

—

18 in last 30d

Merged (7d)

—

33 in last 30d

Hours to clear

↑ 4.55%

~9.2

1st review > 7d

—

of 17 eligible

Re-review > 24h

—

of 0 eligible

Maintainer > 24h

—

of 4 eligible

Stats — volume, timing, size distribution

Volume

Open PRs

↓ 6.67%

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

115

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

11d

Median

↓ 5.65%

P90

—

29d

P95

—

38d

Merge Time

Average

—

Median

↓ 67.83%

21h

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Breakdown by tier

Tier	Count	Auth	Maint.	~Time
0 — Press a button	1	1	0	1m
1 — We're blocking someone	4	2	4	1.3h
3 — Intake	16	5	0	7.8h
4 — Hygiene	1	1	0	5m
5 — Close candidates	3	2	0	3m
total actionable	25	11	4	9.2h
not our move	3	—	—	—

Press a button (1) ⊕ ⊖

Already approved or already decided — ready for action.

1 SLA1 auth needs-merge (1) — Approved and CI-green — ready to merge.

#227

tnorimat

1st-reviewauthfeat: scenario option for authorization server test

approved 34d ago, green

+216-3

40d

We're blocking someone (4) ⊕ ⊖

Author did what we asked and is waiting on us. Longest-waiting first.

4 SLA2 auth maintainer-intake (4) — Maintainer-authored PR awaiting review from another maintainer.

#73	pcarleton	maintainerAdd SSE polling Phase 2 and Phase 3 tests (SEP-1699)	174d, no maintainer has looked yet	+691-1	174d
#106	pcarleton	maintainerauthfeat: add step-up auth scenario for server auth testing	131d, no maintainer has looked yet	+346-1	131d
#203	pcarleton	maintainerauthfix: rename routePrefix to issuerPath and add issuer-mismatch scenario	56d, no maintainer has looked yet	+150-20	56d
#241	pja-ant	maintainerfeat: conformance scenario for MCP-Protocol-Version header 400	33d, no maintainer has looked yet	+461-0	33d

Intake (16) ⊕ ⊖

PRs not yet reviewed by a maintainer. Oldest first.

9 SLA4 auth needs-first-review (13) — Not yet reviewed by a maintainer.

#222	codefromthecrypt	1st-reviewAdd stateless server conformance test	45d	+609-1	45d
#224	alexdoroshevich	1st-reviewfeat: add version negotiation conformance tests (closes #102)	42d	+1210-0	42d
#228	Michito-Okai	1st-reviewauthfeat: add JSON-based setup option to authorization server conformance…	40d	+63-5	40d
#235	tnorimat	1st-reviewauthfeat: check for CIMD of authorization server metadata	39d	+138-17	39d
#236	jeffhandley	1st-reviewAdd partial-run support and fix implicit skip handling in tier audit	38d	+573-138	38d
#257	malladinagarjuna2	1st-reviewfeat: Add multi-stage Docker build and GHCR publishing workflow	29d	+86-0	29d
#263	blackwell-systems	1st-reviewfix(tier-check): swap server/client scenario lists in conformance reconciliation	19d	+7-7	19d
#264	app/dependabot	1st-reviewchore(deps): bump the npm_and_yarn group across 2 directories with 1 update	19d	+14-14	19d
#268	coding-bobo	1st-reviewauthfeat(auth): client conformance for Workload Identity Federation (SEP-1933)	13d	+1216-4	13d
#298	adityachilka1	fix: avoid bash backslash mangling of github.action_path on Windows (fixes #150)	4d	+2-2	4d
#310	panyam	feat(sep-2549): add absence-assert and explicit-zero wire-distinction checks	2d	+220-0	2d
#314	panyam	authfix(docs): correct two specReferences[].url strings that 404	2d	+2-2	2d
#316	pugsatoshi	fix: send HTTP DELETE to terminate server sessions after each scenario	1d	+115-8	1d

2 SLA1 auth community-reviewed (3) — Community members have reviewed, but no maintainer has engaged yet.

#262	panyam	1st-reviewFeat/tasks mrtr extension	20d, reviewed by LucaButBoring (SLA breach)	+4520-2	20d
#267	Michito-Okai	1st-reviewauthfeat: add positive tests for the Authorization Code Grant	13d, reviewed by tnorimat (SLA breach)	+733-23	14d
#299	adityachilka1	fix(initialize scenario): return 202 No Content for notifications (closes #274)	4d, reviewed by nbarbettini	+6-0	4d

Hygiene (1) ⊕ ⊖

Batchable procedural ops — pings, rebases, peer reviews.

1 auth stale-awaiting-author (1) — Changes requested over two weeks ago with no author response.

#139

jdmaturen

authfeat: add token refresh and rotation conformance scenarios

101d since feedback

+612-47

105d

Close candidates (3) ⊕ ⊖

Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.

2 auth pre-ci-ghost (3) — Over 90 days old and CI never ran.

#64	tobinsouth	authAdd server OAuth protection conformance tests	CI never ran, 180d old	+4101-9	180d
#155	wdawson	authImprovements to the Draft Server Auth Conformance tests	CI never ran, 95d old	+8122-2049	95d
#165	lux999	fix: tools-call-simple-text now fails when tool returns isError: true	CI never ran, 91d old	+10-2	91d

Not our move (3) ⊕ ⊖

Clock is on the author or blocked externally. No action owed today.

1 auth parked (2) — Maintainer draft >30d, intentionally shelved.

#105	pcarleton	authfeat: Add server auth conformance tests	maintainer draft, 131d	+1756-55	131d
#137	pcarleton	feat: add notification isolation tests for GHSA-345p-7cg4-v4c7	maintainer draft, 109d	+1607-19	109d

draft-active (1) — Author is still working. Fresh draft.

#308

olaservo

feat: add SEP-2106 structuredContent wire-shape scenario (complements #295)

3d old

+679-0

Volume

Open PRs

↑ 11.76%

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

15d

Median

—

11d

P90

—

20d

P95

—

49d

Merge Time

Average

—

19d

Median

—

18d

PRs Needing Maintainer Review

Open PRs with no maintainer review (excludes drafts from counts)

No Maintainer Review

↑ 18.18%

>24 hours

No Maintainer Review

—

>7 days

PRs Awaiting Maintainer Review

Sorted by longest wait time first

PR	Title	Author	Size	Reviews	Waiting
#88	feat: add Microsoft Edge AppleScript example for macOS	ntindle	+952 -1	0	283d
#103	Add Python package MCP server example with bundling support	stephaneberle9	+256 -6	0	251d
#134	chore(lint): upgrade ESLint prettier rule to error	loc	+2 -3	3	209d
#170	build(deps): bump tar from 7.5.1 to 7.5.2 in the npm_and_yarn group across 1 directory	dependabot	+3 -3	0	172d
#181	fix(Validation): Make "mcp_config" optional when using uv	daemuth	+122 -52	0	126d
#195	Fix PKCS#7 signature verification	vcolin7	+190 -61	0	93d
#213	Add tests for CLI init helpers and improve parameter naming for testability	coding-creed-technologies	+1132 -17	1	65d
#222	feat: add prepare-for-signing and apply-signature for enterprise HSM signing	bryan-anthropic	+519 -1	1	59d
#227	fix: validate version field is valid semver	bryan-anthropic	+112 -0	1	40d
#237	Fix `approrpiate` -> `appropriate` typo in MANIFEST.md	pikammmmm	+1 -1	1	23d
#242	fix: add field descriptions to v0.4 manifest schema	pl4nty	+108 -44	1	15d
#249	fix: narrow over-broad default pack exclude patterns	adityasingh2400	+106 -2	1	1d
#248	fix(validate): only recommend 512x512 icon size when the icon isn't already 512x512	adityasingh2400	+118 -7	1	1d

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Volume

Open PRs

↑ 2.94%

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

122

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

11d

Median

↑ 121.19%

P90

—

37d

P95

—

49d

Merge Time

Average

—

Median

↓ 50.00%

PRs Needing Maintainer Review

Open PRs with no maintainer review (excludes drafts from counts)

No Maintainer Review

↑ 3.57%

>24 hours

No Maintainer Review

—

>7 days

PRs Awaiting Maintainer Review

Sorted by longest wait time first

PR	Title	Author	Size	Reviews	Waiting
#189	fix: defer initial size measurement to ResizeObserver	nidhiyashwanth	+1 -2	0	155d
#214	Examples: D3 graph and Recharts chart	iamfiscus	+3265 -18	0	137d
#273	Enforce correct UI resource. Remove backwards compatibility in `getToolUiResourceUri`.	matteo8p	+6 -25	0	130d
#291	chore: :lock: npm audit fix	james-lafferty	+24 -3	0	128d
#296	Add Resource Template support to basic-host	rinormaloku	+23 -6	0	127d
#378	Create initial proposal for apps declaring trusted types	connor4312	+124 -3	0	117d
#377	build(deps): bump hono from 4.11.6 to 4.11.7 in the npm_and_yarn group across 1 directory	dependabot	+3 -387	0	117d
#384	fix: update Playwright snapshots for ShaderToy and Wiki Explorer	yaniv-golan	+0 -0	0	117d
#390	Add a pattern for a deferred tool resulting using UI interaction	connor4312	+213 -1	0	116d
#405	New example MCP App: DICOM Viewer	ThalesMMS	+1707 -1	6	115d
#425 (draft)	Fetch That Works in MCP Apps	MiguelsPizza	+9835 -630	0	111d
#424	Add cross-host portability guide for MCP Apps	hatgit	+75 -0	0	111d
#432	fix(examples): resolve CSP 'unsafe-eval' violation in threejs-server	Robloncz	+32 -10	2	109d
#453	feat: Add basic-server-angular example	Avcharov	+17874 -6785	0	101d
#468	Add Stitch Design server example	jayeshvpatil	+3512 -0	0	96d
#473	Rename apps.mdx to ext-apps.mdx	jabidahscreationssystems	+0 -0	0	94d
#531	Feat/create elicitation UI	Avcharov	+377 -24	0	79d
#552 (draft)	feat: implement subscribe/unsubscribe methods for multiple event handlers	Avcharov	+399 -35	0	72d
#553	feat(spec): add renderTiming to McpUiToolMeta for deferred View rendering	netanelavr	+113 -0	0	70d
#596	Add tananchadevelopment.link file	Bang2985	+0 -0	0	52d
#609	--- name: create-mcp-app description: This skill should be used when …	akonjet5	+185 -0	0	44d
#608	Rename tsconfig.json to tsconfig.json	akonjet5	+0 -0	0	44d
#610	example dotnet angular host	halllo	+10826 -1	0	43d
#636	feat: add angular basic example	dalenguyen	+2319 -3	0	32d
#641	feat(transport): add forHostIframe helper and improve init timeout message	netanelavr	+168 -0	0	28d
#645	Add MseeP.ai badge	mseep-ai	+2 -0	0	27d
#650	docs: add mcp-use inspector badge to supported clients	khandrew1	+1 -0	0	20d
#653	spec(draft): add missing HostCapabilities fields (updateModelContext and message)	hydrosquall	+31 -8	2	19d
#656	feat(types,spec): add tools field to McpUiHostCapabilities	saaage	+17 -0	0	18d
#657	Fix broken documentation links	aqilaziz	+2 -2	0	17d
#663	Allows passing input as a query param like other options from the demo app	katerberg	+13 -6	0	3d

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines