Pull Requests
Volume
Time to First Review
Merge Time
PRs Needing Maintainer Review
Open PRs with no maintainer review (excludes drafts from counts)
PRs Awaiting Maintainer Review
Sorted by longest wait time first
| PR | Title | Author | Size | Reviews | Waiting |
|---|---|---|---|---|---|
| #813 | fix: deduplicate title definition in tools | connor4312 | +0 -9 | 0 | 389d |
| #1803 | SEP-1803: Event Subscriptions | caseychow-oai | +184 -0 | 0 | 244d |
| #1862 | SEP-1862: Tool Resolution | SamMorrowDrums | +1723 -0 | 0 | 236d |
| #1913 | SEP-1913: Trust and Sensitivity Annotations | SamMorrowDrums | +2347 -0 | 16 | 229d |
| #1984 | SEP-1984: Comprehensive Tool Annotations for Enhanced Governance and UX | sambhav | +488 -0 | 0 | 211d |
| #2028 | SEP-2028: Automatic _meta to HTTP header forwarding for distributed tracing | monahk | +861 -0 | 13 | 197d |
| #2053 | SEP-2053: Server Variants extension | sambhav | +1613 -0 | 0 | 190d |
| #2166 | SEP-2166: Out-of-Band Resource Access via HTTPS URLs | abrookins | +595 -0 | 1 | 167d |
| #2282 | SEP-2282: Server-Declared Behavioural Hooks | heyhayes | +871 -2 | 0 | 143d |
| #2357 | SEP-2357: Dedicated structured media type for MCP HTTP transport | rvmillett | +365 -0 | 0 | 131d |
| #2385 | SEP-2385: Tool Auth Manifest | lececo | +167 -0 | 0 | 125d |
| #2391 (draft) | [WIP] Add spec annotator plugin to Claude Code marketplace | LucaButBoring | +3061 -3 | 0 | 124d |
| #2417 | SEP-2417: Model Preferences for Tools | ProductOfAmerica | +3043 -1 | 0 | 119d |
| #2419 | SEP-2419: cache_hint well-known key in CallToolResult._meta | clouatre | +454 -0 | 0 | 119d |
| #2487 (draft) | SEP-2487: Add execution.requirements field to Tool for preconditions | ZachGerman | +127 -4 | 0 | 109d |
| #2495 | SEP: Event-Driven Tool Invocation (Server-Push to LLM Re-entry) | hf75 | +119 -0 | 2 | 108d |
| #2528 | docs: Add deployment guidelines for proxying MCP servers | jeffyaw | +153 -1 | 0 | 99d |
| #2532 | SEP-2532: Resource Streaming for Binary Content Delivery | patrick-rodgers | +1249 -0 | 0 | 98d |
| #2564 | SEP-2564: Server-Side Filtering for List Methods | anagh96 | +385 -0 | 0 | 92d |
| #2571 | SEP: Resource Submission — client-to-server resource creation for agent coordination | cswelker | +193 -0 | 0 | 91d |
| #2601 | docs: define uriTemplate as unique identifier for resource templates | rohitg00 | +13 -1 | 0 | 87d |
| #2602 | docs: add server instructions guide | rohitg00 | +146 -0 | 0 | 87d |
| #2614 | SEP-2614: Add optional keywords field to Implementation for server routing | Vijaynw | +595 -6 | 0 | 86d |
| #2624 | SEP-2624: Interceptors for the Model Context Protocol | Degiorgio | +3536 -1 | 0 | 84d |
| #2631 (draft) | SEP-2631: File Objects and Transfer | caseychow-oai | +2839 -45 | 0 | 83d |
| #2626 | docs(community): Add Enterprise Interest Group charter | raghu-chandra-mcp | +109 -0 | 15 | 83d |
| #2632 | SEP-2632: Structured Content for Progress Notifications | stevehaertel | +477 -5 | 0 | 83d |
| #2636 | SEP-2636: Progressive Tool Disclosure | SylonZero | +759 -0 | 0 | 83d |
| #2643 | SEP-2643: Structured Authorization Denials | monmohan | +756 -0 | 44 | 82d |
| #2672 | SEP-2672: Per-Call Passkey Verified Approval for MCP Tool Calls | pinialt | +1475 -0 | 0 | 73d |
| #2690 (draft) | Change error response status from 400 to 404 for invalid sessions | tmshkr | +1 -1 | 0 | 70d |
| #2694 | SEP-2694: Resumable Task Event Streams | rynowak | +816 -2 | 0 | 69d |
| #2747 | Fix typos and clarify error handling for missing ttlMs | spacewander | +4 -2 | 2 | 57d |
| #2752 | SEP: HTTP Message Signing for MCP Client Authentication | njdawn | +913 -2 | 0 | 56d |
| #2778 | SEP-2778 Adding type constraints to the MCP | schlpbch | +276 -20 | 0 | 53d |
| #2781 | docs: add deployment guide for proxying MCP servers | founder-OmniPA | +265 -0 | 1 | 53d |
| #2787 | SEP-2787: Tool call attestation | soup-oss | +1138 -445 | 0 | 50d |
| #2793 | SEP: Tool Risk Metadata | walbis | +227 -0 | 0 | 49d |
| #2809 | SEP: Attested Tool-Server Admission (ATSA) | metereconsulting | +1002 -0 | 0 | 47d |
| #2817 | SEP-2817: AI Invocation Audit Context in Request _meta | hangum | +788 -0 | 0 | 46d |
| #2828 | SEP: Server-Side Signed Execution Record for MCP Tool Calls | vaaraio | +1330 -43 | 0 | 45d |
| #2848 | Asynchronous Approval for Tool Calls (Extensions Track SEP) | mcguinness | +1399 -2 | 0 | 42d |
| #2992 | docs: clarify SEP-2243 HeaderMismatch error code | DaleSeo | +22 -22 | 0 | 15d |
| #2998 | Add SEP-2998: Partial Tool Results (streaming tool call output) | kuwatly | +300 -0 | 0 | 13d |
| #3004 | SEP: Tamper-Evident Audit Record Contract | scottrhodes | +1371 -0 | 0 | 12d |
| #3006 | schema(draft): align subscriptions/listen with envelope and _meta naming conventions | JaynouOliver | +61 -8 | 0 | 12d |
| #3062 | Delegate duplicated OAuth material in the authorization spec to RFC citations | claude | +1443 -1001 | 0 | 5d |
| #3068 | docs: document subscriptions/listen and CacheableResult in draft learn and client pages | claude | +87 -12 | 0 | 5d |
| #3069 | docs: reflect the stateless protocol, server/discover, and session removal | claude | +241 -88 | 0 | 5d |
| #3066 | docs: update code examples to the v2 SDKs | claude | +96 -45 | 0 | 5d |
| #3064 | docs: reflect feature lifecycle deprecations and the Tasks recategorization | claude | +18 -20 | 0 | 5d |
| #3092 (draft) | docs: align SEP-2575 error codes | DaleSeo | +4 -4 | 0 | 1d |
| #3090 | docs: repoint the SEP feature-matrix citation at the archived matrix | himanshu-commits | +4 -4 | 0 | 1d |
PR Size Distribution
Open PRs by lines changed
Stats — volume, timing, size distribution
Volume
Time to First Review
Merge Time
PR Size Distribution
Open PRs by lines changed
Breakdown by tier
| Tier | Count | Auth | Maint. | ~Time |
|---|---|---|---|---|
| 1 — We're blocking someone | 20 | 4 | 10 | 6.2h |
| 2 — High leverage | 25 | 8 | 1 | 3.5h |
| 3 — Intake | 91 | 10 | 0 | 45.3h |
| 4 — Hygiene | 12 | 2 | 2 | 56m |
| 5 — Close candidates | 13 | 3 | 0 | 13m |
| untriaged | 1 | 0 | 0 | 15m |
| total actionable | 162 | 27 | 13 | 56.4h |
| not our move | 17 | — | — | — |
We're blocking someone (20) ⊕ ⊖
Author did what we asked and is waiting on us. Longest-waiting first.
3 SLA author-pinged-after-procedural (3) — Author addressed maintainer feedback and pinged — awaiting response.
| #1861 | ravyg | re-reviewmcp: convert tool/prompt schemas eagerly at registration time | author pinged @felixweinberger 86d ago | +362-7 | 98d |
| #2003 | ElliotDrel | re-reviewfix(server): exit when MCP client closes stdin pipe | author pinged @KKonstantinov, @felixweinberger 69d ago | +84-0 | 76d |
| #2204 | aicayzer | re-reviewfix: treat parsedBody = null as no pre-parsed body (v1.x) | author pinged @felixweinberger 37d ago | +47-1 | 47d |
7 SLA1 auth needs-re-review (7) — Author pushed changes after review feedback — needs re-review.
| #1521 | LucaButBoring | re-reviewfix(client): retry SSE stream after receiving session ID | author pushed after CHANGES_REQUESTED (93d waiting) | +417-0 | 155d |
| #1563 | gogakoreli | re-reviewfix: inline local $ref in tool inputSchema for LLM consumption | author pushed after CHANGES_REQUESTED (86d waiting) | +654-1 | 145d |
| #1657 | rechedev9 | re-reviewauthfix: accumulate OAuth scopes on 401/403 instead of overwriting | author pushed after CHANGES_REQUESTED (104d waiting) | +618-50 | 127d |
| #1712 | travisbreaks | re-reviewfeat(server): add host process watchdog to StdioServerTransport | author pushed after CHANGES_REQUESTED (75d waiting) | +57-1 | 118d |
| #1726 | rcdailey | re-reviewfeat(server): add keepAliveInterval for standalone GET SSE stream | author pushed after CHANGES_REQUESTED (54d waiting) | +211-19 | 116d |
| #1814 | MayCXC | re-reviewfix: async onclose, stdin EOF detection, SIGTERM in examples | author pushed after CHANGES_REQUESTED (88d waiting) | +210-40 | 108d |
| #1862 | sid293 | re-reviewfix:close transport on connection failure | author pushed after CHANGES_REQUESTED (31d waiting) | +37-10 | 98d |
9 SLA3 auth maintainer-intake (10) — Maintainer-authored PR awaiting review from another maintainer.
| #1893 | KKonstantinov | maintainerfeat: add class decorators example | 91d, no maintainer has looked yet | +564-15 | 91d |
| #1939 | pcarleton | maintainerbuild: exclude src/examples from published dist (v1.x) | 85d, no maintainer has looked yet | +2-2 | 85d |
| #2125 | dsp-ant | maintainerfix(client): treat HTTP 404 with session ID as session expiry | 56d, no maintainer has looked yet | +191-19 | 56d |
| #2370 | mattzcarey | maintainerfeat: add injectable SDK logger | 20d, no maintainer has looked yet | +300-36 | 20d |
| #2440 | felixweinberger | maintainerfeat(server): SDK-owned resource subscription tracking on McpServer | 9d, no maintainer has looked yet | +514-60 | 9d |
| #2450 | mattzcarey | maintainerauthfix(client): detect authorization-server migration from fresh PRM | 8d, no maintainer has looked yet | +1570-55 | 8d |
| #2449 | mattzcarey | maintainerfix: complete SEP-2106 output typing and schema safety | 8d, no maintainer has looked yet | +343-30 | 8d |
| #2465 | felixweinberger | maintainerauthfix(client): scope transport headers to MCP requests and handle redirects explicitly | 7d, no maintainer has looked yet | +1305-80 | 7d |
| #2485 | felixweinberger | maintainerauthfix(client): scope corrupt-cache-entry deletion to the probed partition | 2d, no maintainer has looked yet | +66-9 | 2d |
| #2501 | felixweinberger | Export Protocol and mergeCapabilities from client/server package roots | 0d, no maintainer has looked yet | +284-74 | 0d |
High leverage (25) ⊕ ⊖
One decision unblocks or closes multiple things.
18 SLA16 auth duplicate-cluster (19 clusters, 53 PRs) — Multiple PRs address the same issue — one will be picked, others closed as duplicates.
Issue #1132 — 2 PRs
| #1857 | nielskaspers | 1st-reviewdocs: document tool list changed notifications | cluster primary for issue #1132 (2 PRs) | +79-31 | 100d |
| #2147 | Nishant-Chaudhary5338 | feat(example): add tool list changed notification example | shares linked issue #1132 with #1857 | +137-9 | 53d |
Issue #1471 — 3 PRs
| #1509 | corvid-agent | 1st-reviewfix: pass empty args to registerToolTask handler when no inputSchema | cluster primary for issue #1471 (3 PRs) | +8-3 | 156d |
| #1975 | nanookclaw | fix: pass both args when inputSchema omitted in task handler executor | shares linked issue #1471 with #1509 | +47-3 | 78d |
| #2009 | Genmin | fix(server): support two-arg no-schema task handlers | shares linked issue #1471 with #1509 | +112-7 | 75d |
Issue #1864 — 5 PRs
| #1873 | nielskaspers | 1st-reviewfix(server): add icons field to registerTool and registerToolTask | cluster primary for issue #1864 (5 PRs) | +21-2 | 96d |
| #1879 | Yanhu007 | fix: support icons in registerTool config and tools/list response | shares linked issue #1864 with #1873 | +14-3 | 95d |
| #1881 | sainathreddyb | fix(server): add icons field to registerTool and registerToolTask | shares linked issue #1864 with #1873 | +168-2 | 94d |
| #1934 | Jim1874 | feat(server): add icons field to registerTool() | shares linked issue #1864 with #1873 | +20-2 | 86d |
| #1977 | Genmin | fix(server): include registered tool icons | shares linked issue #1864 with #1873 | +74-2 | 78d |
Issue #1872 — 2 PRs
| #1933 | Jim1874 | 1st-reviewauthfix(client): prevent duplicate Auth headers in SSE transport | cluster primary for issue #1872 (2 PRs) | +8-1 | 86d |
| #2087 | Christian-Sidak | authfix: prevent duplicate Authorization header in SSEClientTransport | shares linked issue #1872 with #1933 | +49-4 | 62d |
Issue #1944 — 2 PRs
| #1952 | Zelys-DFKH | 1st-reviewfix(server): loosen Accept validation when enableJsonResponse is true | cluster primary for issue #1944 (2 PRs) | +34-8 | 83d |
| #2142 | adityachilka1 | fix(server): allow application/json-only Accept in JSON response mode (closes #1944) | shares linked issue #1944 with #1952 | +38-3 | 55d |
Issue #1954 — 3 PRs
| #1955 | daksh-goyal | 1st-reviewauth fix(client): check token expiry in adaptOAuthProvider before returning expired tokens | cluster primary for issue #1954 (3 PRs) | +11-1 | 82d |
| #1962 | Christian-Sidak | authfix: adaptOAuthProvider returns expired tokens on long-running connections | shares linked issue #1954 with #1955 | +233-2 | 80d |
| #1981 | Genmin | authfix(client): avoid expired OAuth access tokens | shares linked issue #1954 with #1955 | +145-13 | 77d |
Issue #1968 — 2 PRs
| #1989 | Genmin | 1st-reviewauthfix(client): preserve OAuth resource metadata indicator | cluster primary for issue #1968 (2 PRs) | +68-14 | 76d |
| #1991 | Christian-Sidak | authfix: preserve exact resource URI from protected resource metadata | shares linked issue #1968 with #1989 | +75-12 | 76d |
Issue #2002 — 2 PRs
| #2473 | harshmathurx | fix(server): close stdio transport on stdin close | cluster primary for issue #2002 (2 PRs) | +52-4 | 6d |
| #2494 | app/claude | fix(server): close StdioServerTransport when stdin ends or closes | shares linked issue #2002 with #2473 | +193-4 | 1d |
Issue #2012 — 2 PRs
| #2013 | blackwell-systems | 1st-reviewfix: accept null arguments in tools/call and return -32602 for validation errors | cluster primary for issue #2012 (2 PRs) | +63-2 | 74d |
| #2139 | 2830500285 | fix: accept null tool call arguments | shares linked issue #2012 with #2013 | +74-1 | 55d |
Issue #2034 — 5 PRs
| #2035 | jbsky | 1st-reviewauthfix(auth): propagate saveTokens errors during token refresh | cluster primary for issue #2034 (5 PRs) | +54-5 | 68d |
| #2053 | SAY-5 | authfix(client/auth): propagate saveTokens errors after refresh | shares linked issue #2034 with #2035 | +83-4 | 64d |
| #2081 | Jefsky | authfix(client): let saveTokens I/O errors propagate in auth() | shares linked issue #2034 with #2035 | +20-6 | 63d |
| #2110 | pragnyanramtha | authfix(client): propagate refreshed token save errors | shares linked issue #2034 with #2035 | +157-48 | 60d |
| #2210 | he-yufeng | authfix(client): preserve token persistence errors | shares linked issue #2034 with #2035 | +75-4 | 46d |
Issue #2076 — 2 PRs
| #2082 | Jefsky | 1st-reviewauthdocs(core): clarify resetTimeoutOnProgress requires onprogress | cluster primary for issue #2076 (2 PRs) | +25-7 | 63d |
| #2224 | minglong51 | fix(core): reset request timeout on progress without an onprogress handler | shares linked issue #2076 with #2082 | +66-5 | 44d |
Issue #2112 — 2 PRs
| #2113 | sceran | 1st-reviewdocs(README): add `@modelcontextprotocol/fastify` to middleware listing | cluster primary for issue #2112 (2 PRs) | +6-2 | 60d |
| #2497 | Joosboy | docs: add fastify middleware to top-level README listing | shares linked issue #2112 with #2113 | +6-2 | 1d |
Issue #2117 — 4 PRs
| #2135 | kiranmagic7 | 1st-reviewfix(core): preserve relatedRequestId 0 in debounce guard | cluster primary for issue #2117 (4 PRs) | +22-1 | 56d |
| #2141 | adityachilka1 | fix(core): treat relatedRequestId 0 as present in debounce guard (closes #2117) | shares linked issue #2117 with #2135 | +20-1 | 55d |
| #2496 | Herrtian | Fix notification debouncing for request ID zero | shares linked issue #2117 with #2135 | +25-1 | 1d |
| #2498 | harshitj183 | fix(core): prevent debouncing notifications when relatedRequestId is 0 | shares linked issue #2117 with #2135 | +18-1 | 1d |
Issue #2162 — 3 PRs
| #2163 | he-yufeng | 1st-reviewfix: return protocol errors for invalid tool args | cluster primary for issue #2162 (3 PRs) | +286-208 | 48d |
| #2169 | FU-max-boop | Return protocol errors for invalid tool arguments | shares linked issue #2162 with #2163 | +219-152 | 48d |
| #2221 | koriyoshi2041 | Return protocol errors for invalid tool input | shares linked issue #2162 with #2163 | +116-182 | 45d |
Issue #2166 — 3 PRs
| #2170 | NishchayMahor | 1st-reviewfix(core): match multi-variable URI templates like `{a,b}` (#2166) | cluster primary for issue #2166 (3 PRs) | +59-0 | 48d |
| #2216 | he-yufeng | fix(core): match multi-variable URI template path expressions | shares linked issue #2166 with #2170 | +20-0 | 46d |
| #2218 | koriyoshi2041 | Fix URI template matching for multi-variable simple expressions | shares linked issue #2166 with #2170 | +17-0 | 46d |
Issue #2208 — 3 PRs
| #2222 | he-yufeng | 1st-reviewauthfix(client): let auth headers override request headers | cluster primary for issue #2208 (3 PRs) | +78-5 | 45d |
| #2223 | tarunag10 | authLet auth provider headers override requestInit Authorization | shares linked issue #2208 with #2222 | +56-4 | 45d |
| #2475 | sanjibani | authfix(client): let OAuth-derived Authorization override caller-supplied header | shares linked issue #2208 with #2222 | +57-4 | 5d |
Issue #2433 — 2 PRs
| #2434 | Sammy-Dabbas | 1st-reviewfix(server): reject duplicate in-flight request ids in streamable HTTP | cluster primary for issue #2433 (2 PRs) | +222-0 | 11d |
| #2435 | JSap0914 | fix(server): reject duplicate in-flight request ids | shares linked issue #2433 with #2434 | +66-1 | 11d |
Issue #740 — 4 PRs
| #1691 | travisbreaks | 1st-reviewfeat: add multi-server routing example | cluster primary for issue #740 (4 PRs) | +211-1 | 120d |
| #2021 | EfeDurmaz16 | docs(client): add multi-server chatbot example | shares linked issue #740 with #1691 | +253-0 | 71d |
| #2103 | lil-goat | docs: add multi-server tool routing example | shares linked issue #740 with #1691 | +219-0 | 60d |
| #2148 | Nishant-Chaudhary5338 | feat(examples): multi-server chatbot with tool routing (closes #740) | shares linked issue #740 with #1691 | +518-12 | 53d |
2 SLA1 auth needs-decision (2) — Maintainer discussed but hasn't approved or requested changes yet.
| #2448 | mattzcarey | maintainerauthfix(client): preserve scopes across authorization retries | maintainer COMMENTED but took no stance | +437-37 | 8d |
| #1717 | travisbreaks | re-reviewfeat(core): add opt-in periodic ping for connection health monitoring | maintainer COMMENTED but took no stance | +383-1 | 118d |
4 SLA1 auth backport-follows-primary (4) — v1.x sibling of a main-branch PR. Review together — backport diff is usually mechanical.
| #1083 | mgyarmathy | 1st-review[v1.x] fix: Update UriTemplate implementation to handle optional/omitted, out-of-order, and encoded query parameters | follows #2429 (same issue #1079, different branch) | +164-11 | 252d |
| #1520 | LucaButBoring | 1st-review[1.x] fix(client): retry SSE stream after receiving session ID | follows #1521 | +419-0 | 155d |
| #1926 | tonxxd | 1st-reviewfix(sse): escape U+2028 / U+2029 in SSE data lines (V1) | follows #1925 | +61-2 | 89d |
| #2461 | app/claude | 1st-reviewauthfix(auth): treat null optional fields in token responses as absent | follows #2462 | +261-6 | 8d |
Intake (91) ⊕ ⊖
PRs not yet reviewed by a maintainer. Oldest first.
82 SLA10 auth needs-first-review (89) — Not yet reviewed by a maintainer.
| #1876 | JosephDoUrden | 1st-reviewfix: use getLiteralValue for Zod v3 method literal extraction | 96d | +4-42 | 96d |
| #1889 | app/dependabot | 1st-reviewchore(deps): bump actions/upload-pages-artifact from 4 to 5 | 93d | +1-1 | 93d |
| #1894 | app/dependabot | 1st-reviewchore(deps): bump the npm_and_yarn group across 1 directory with 2 updates | 91d | +27-11 | 91d |
| #1911 | langverse2023 | 1st-reviewfix(express): add CJS exports to resolve ERR_PACKAGE_PATH_NOT_EXPORTED | 90d | +7-3 | 90d |
| #1923 | billyriaz | 1st-reviewauthfix: accept null introspection_endpoint in OAuthMetadataSchema | 89d | +1-1 | 89d |
| #1925 | tonxxd | 1st-reviewfix(server): escape U+2028 / U+2029 in SSE data lines (v2) | 89d | +59-1 | 89d |
| #1932 | ameenalkhaldi | 1st-reviewfix(core): skip cancellation notification for initialize requests | 87d | +79-13 | 87d |
| #1935 | Jim1874 | 1st-reviewfix(server): handle undefined args in prompts handler | 86d | +8-1 | 86d |
| #1937 | Zelys-DFKH | 1st-review[v1.x backport] fix(server): respect explicit listChanged: false in McpServer | 86d | +102-4 | 86d |
| #1940 | harshkatakwar | 1st-reviewfeat: add beforeToolCall and afterToolCall lifecycle hooks to McpServer | 85d | +451-24 | 85d |
| #1945 | bokelley | 1st-reviewfix(client): skip outputSchema validation when result is an error | 84d | +153-3 | 84d |
| #1949 | Zelys-DFKH | 1st-reviewfix(core): allow extra JSON Schema keywords on elicitation primitive schemas | 83d | +104-25 | 83d |
| #1951 | Zelys-DFKH | 1st-reviewauthfix(client): preserve resource_metadata URL across non-Bearer WWW-Authenticate challenges | 83d | +160-22 | 83d |
| #1953 | Jim1874 | 1st-reviewfix(server): disable listChanged capability in V1x protocol mode (closes #1819) | 82d | +47-2 | 82d |
| #1958 | mhegazy | 1st-reviewauthfix(client/auth): use .set() for prompt=consent instead of .append() to avoid duplicating | 82d | +22-1 | 82d |
| #1961 | MukundaKatta | 1st-reviewfix(client/sse): release reader lock on disconnect to prevent ~50MB leak | 81d | +100-27 | 81d |
| #1966 | MukundaKatta | 1st-reviewfix(server): return Tool Execution Errors for input validation failures (SEP-1303) | 80d | +154-8 | 80d |
| #1967 | MukundaKatta | 1st-reviewauthdocs(examples): add external auth resource server example (closes #658) | 80d | +361-0 | 80d |
| #1969 | nanookclaw | 1st-reviewfix: handle 404 and 406 gracefully in SSE stream initialization | 79d | +5-3 | 79d |
| #1971 | MukundaKatta | 1st-reviewfix(server): handle ZodObject in RegisteredTool.update (#1960) | 78d | +77-6 | 78d |
| #1972 | MukundaKatta | 1st-reviewauthfix(auth): preserve resource URI without trailing slash (#1968) | 78d | +78-13 | 78d |
| #1980 | AP3X-Dev | 1st-reviewfix(server): accept empty {} annotations in tool() overload | 77d | +59-2 | 77d |
| #1982 | Genmin | 1st-reviewfix: enforce monotonic progress notifications | 77d | +86-7 | 77d |
| #1983 | Genmin | 1st-reviewfix(server): debounce list changed notifications | 77d | +50-1 | 77d |
| #1985 | Genmin | 1st-reviewfix: align zod object schemas with stripped properties | 77d | +36-1 | 77d |
| #1986 | Genmin | 1st-reviewfix: avoid duplicate SSE close callbacks | 77d | +42-2 | 77d |
| #1990 | Genmin | 1st-reviewfix(server): accept structurally compatible Zod v4 schemas | 76d | +57-6 | 76d |
| #1995 | Genmin | 1st-reviewfix(server): surface stateless transport reuse errors | 76d | +75-1 | 76d |
| #1996 | Genmin | 1st-reviewfix(server): allow JSON Accept in JSON response mode | 76d | +89-8 | 76d |
| #1997 | Genmin | 1st-reviewauthfix(server): validate OAuth code redirect URI | 76d | +210-16 | 76d |
| #1998 | Genmin | 1st-reviewfix(client): release SSE reader locks | 76d | +111-27 | 76d |
| #1999 | Genmin | 1st-reviewfix: preserve elicit string pattern constraints | 76d | +24-1 | 76d |
| #2000 | Genmin | 1st-reviewFix invalid JSON-RPC request errors | 76d | +105-9 | 76d |
| #2001 | Genmin | 1st-reviewfix(server): validate wrapped output schemas on v1 | 76d | +78-3 | 76d |
| #2010 | aayushbaluni | 1st-reviewfix: detect plain JSON Schema objects in tool() overload resolution | 75d | +335-2 | 75d |
| #2014 | fengfeng-zi | 1st-reviewfix(core): remove duplicate zod dependency declaration | 72d | +6-2 | 72d |
| #2015 | morozow | 1st-reviewfeat(tasks): add task streaming with partial result notifications | 72d | +3021-7 | 72d |
| #2017 | ankitvirdi4 | 1st-reviewfix(server): preserve inputSchema for z.discriminatedUnion / z.union | 72d | +179-14 | 72d |
| #2026 | Zelys-DFKH | 1st-reviewtest(@modelcontextprotocol/node): cover pre-read body pattern in stateless mode | 70d | +71-8 | 70d |
| #2027 | app/github-actions | 1st-reviewchore: update spec.types.ts from upstream | 69d | +11-5 | 69d |
| #2030 | cyphercodes | 1st-reviewfix: add root package export barrel | 68d | +19-0 | 68d |
| #2033 | lppedd | 1st-reviewbuild: configure tsdown to output both ESM and CJS | 68d | +263-64 | 68d |
| #2039 | navalerakesh | 1st-reviewfix: use constant-time comparison for session ID validation | 67d | +23-1 | 67d |
| #2043 | ChrisJr404 | 1st-reviewfix(client): add missing Windows env vars to DEFAULT_INHERITED_ENV_VARS | 65d | +42-2 | 65d |
| #2044 | raashish1601 | 1st-reviewfix: replay in-memory events for underscore stream ids | 65d | +37-2 | 65d |
| #2045 | raashish1601 | 1st-reviewfix: accept omitted optional prompt and tool arguments | 65d | +114-2 | 65d |
| #2046 | raashish1601 | 1st-reviewfix: accept JSON-only Accept in streamable JSON mode | 65d | +37-8 | 65d |
| #2050 | raashish1601 | 1st-reviewfix: pin vite to patched version | 65d | +36-32 | 65d |
| #2079 | Zelys-DFKH | 1st-reviewfix(test): extend cloudflare workers retry to cover full request cycle | 64d | +27-8 | 64d |
| #2080 | Jefsky | 1st-reviewfix(server): preserve icons in registerPrompt() | 63d | +12-1 | 63d |
| #2085 | rsalus | 1st-review[v1.x] fix(server): emit JSON Schema 2020-12 in tools/list (SEP-1613) | 62d | +87-2 | 62d |
| #2086 | Christian-Sidak | 1st-reviewfix: clear session ID on HTTP 404 per MCP spec §Session Management | 62d | +107-0 | 62d |
| #2089 | ya-nsh | 1st-reviewfix: clear high severity audit findings | 62d | +108-98 | 62d |
| #2091 | RomKadria | 1st-reviewfix(node): reuse getRequestListener instead of creating one per request | 62d | +22-27 | 62d |
| #2092 | bishnubista | 1st-reviewauthfix(client,core): tighten OAuth PRM resource validation per RFC 8707 §2 | 61d | +147-4 | 61d |
| #2102 | pragnyanramtha | 1st-reviewPass request context to completion callbacks | 61d | +173-11 | 61d |
| #2104 | pragnyanramtha | 1st-reviewfix(server): allow streamable HTTP JSON without content type | 60d | +49-23 | 60d |
| #2105 | pragnyanramtha | 1st-reviewfix: tighten request handler result types on v1.x | 60d | +295-40 | 60d |
| #2106 | pragnyanramtha | 1st-reviewfix: validate wrapped Zod output schemas | 60d | +54-2 | 60d |
| #2107 | pragnyanramtha | 1st-reviewfix: accept omitted prompt arguments | 60d | +59-1 | 60d |
| #2109 | leehpham | 1st-reviewfix(server): derive standalone SSE streamId per-session to prevent EventStore collisions | 60d | +76-1 | 60d |
| #2111 | dparikh79 | 1st-reviewfix(server): reject initialize with mismatched MCP-Protocol-Version header | 60d | +82-0 | 60d |
| #2114 | pragnyanramtha | 1st-reviewfix(server): track renamed registered item keys | 60d | +104-16 | 60d |
| #2116 | nacim-coder | 1st-reviewfix: handle cancelled notifications for request id zero | 59d | +45-2 | 59d |
| #2122 | he-yufeng | 1st-reviewfix(server): reject requests before initialization | 57d | +87-2 | 57d |
| #2124 | he-yufeng | 1st-reviewfix(server): keep idle GET SSE streams alive | 56d | +45-0 | 56d |
| #2136 | malventano | 1st-reviewfix: resetTimeoutOnProgress does nothing without onprogress callback | 55d | +10-6 | 55d |
| #2150 | he-yufeng | 1st-reviewfix: reinitialize expired streamable sessions | 52d | +169-50 | 52d |
| #2152 | fallintoplace | 1st-reviewfix(server): replay request SSE responses after closeSSEStream | 52d | +180-20 | 52d |
| #2154 | cyq1017 | 1st-reviewAlign Streamable HTTP onclose type with Transport contract | 52d | +14-3 | 52d |
| #2159 | cogeor | 1st-reviewfix(server): emit object schema for wrapped Zod inputs in tools/list | 49d | +149-13 | 49d |
| #2168 | jstar0 | 1st-reviewfix(server): guard no-schema tool handler signatures | 48d | +19-0 | 48d |
| #2171 | FU-max-boop | 1st-reviewauthContinue OAuth discovery on non-JSON metadata responses | 48d | +26-3 | 48d |
| #2174 | FU-max-boop | 1st-reviewAllow streamable HTTP transport restart after close | 47d | +19-1 | 48d |
| #2177 | sakthiveltofficial | 1st-reviewfix(protocol): add RequestAborted error code for AbortSignal cancellation | 47d | +28-1 | 47d |
| #2207 | he-yufeng | 1st-reviewfix: replay request SSE responses after disconnect | 47d | +111-7 | 47d |
| #2215 | raashish1601 | 1st-reviewauthfix(client): avoid redundant fallback on root-like discovery paths | 46d | +67-12 | 46d |
| #2301 | app/dependabot | 1st-reviewchore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.9 | 30d | +12-12 | 30d |
| #2418 | pablopupo | 1st-reviewfix(client): fire onerror only once when the standalone GET stream fails | 13d | +188-96 | 13d |
| #2429 | vivekjm | 1st-reviewfix: match optional URI template query params | 12d | +59-9 | 12d |
| #2436 | KlyneChrysler | 1st-reviewauthfix(client): decompress gzip token response bodies in oauth flows | 10d | +134-2 | 10d |
| #2438 | Grmiade | 1st-reviewfix: type registerTool output from outputSchema | 9d | +107-37 | 9d |
| #2467 | chakshu-dhannawat | fix(server): honor Zod v4 toJSONSchema output semantics to match raw structuredContent | 7d | +102-2 | 6d |
| #2479 | chenlichao | fix: handle cancelled request id zero | 4d | +47-1 | 4d |
| #2481 | SnowSky1 | fix(server): parse Accept media types exactly | 2d | +102-5 | 2d |
| #2488 | utkarshsharma19 | fix(server): reply to invalid stdio JSON-RPC frames | 2d | +146-14 | 2d |
| #2490 | morluto | fix(server): reject userinfo in Origin and Host headers | 2d | +63-6 | 2d |
| #2492 | earfman | Answer -32602 Invalid params for schema-invalid spec-method requests | 1d | +65-13 | 1d |
| #2500 | rohitjio4g3540-arch | Add SLSA generic generator workflow | 1d | +66-0 | 0d |
2 SLA community-reviewed (2) — Community members have reviewed, but no maintainer has engaged yet.
| #1870 | techtoboggan | 1st-reviewfix: inject progressToken when resetTimeoutOnProgress is set (not only onprogress) | 97d, reviewed by travisbreaks (SLA breach) | +4-2 | 97d |
| #2028 | sfrangulov | 1st-reviewfix(client): stop propagating transport AbortController to POST/DELETE | 69d, reviewed by StantonMatt (SLA breach) | +82-6 | 69d |
Hygiene (12) ⊕ ⊖
Batchable procedural ops — pings, rebases, peer reviews.
2 auth stale-awaiting-author (11) — Changes requested over two weeks ago with no author response.
| #1776 | KKonstantinov | v2 remove console warns on middleware | 104d since feedback | +135-116 | 111d |
| #1283 | evalstate | Fix/onprogress error handling | 106d since feedback | +23-1 | 217d |
| #1493 | TheodorNEngoy | hono: add maxBodyBytes guard for JSON parsing | 107d since feedback | +88-3 | 158d |
| #1496 | TheodorNEngoy | server: add maxBodyBytes guard to WebStandardStreamableHTTPServerTransport | 107d since feedback | +132-2 | 158d |
| #1500 | TheodorNEngoy | ci: retry pkg-pr-new publish on transient 5xx | 107d since feedback | +30-3 | 158d |
| #1664 | Vadaski | fix: surface input validation errors for task-augmented tool calls | 110d since feedback | +107-0 | 125d |
| #1666 | Vadaski | fix: allow registering tools/resources/prompts after connect when capabilities pre-declared (#893) | 104d since feedback | +218-19 | 125d |
| #1669 | Vadaski | authfix: include scope parameter in OAuth authorization code token exchange | 107d since feedback | +122-6 | 125d |
| #1681 | meirk-brd | fix(server): stop replay cleanly when streamable HTTP replay stream c… | 110d since feedback | +131-23 | 122d |
| #1813 | Aboudjem | authfix(auth): deduplicate concurrent token refresh requests | 104d since feedback | +386-0 | 108d |
| #1865 | pch007 | fix(server): handle ZodEffects in normalizeObjectSchema and getObjectShape | 96d since feedback | +246-0 | 98d |
ci-red-silent (1) — CI failing, not yet flagged to the author.
| #2421 | felixweinberger | fix(server): restore v1 transport lifecycle parity: single-use stateless transports, fail-fast on double connect | red CI 13d | +1479-260 | 13d |
Close candidates (13) ⊕ ⊖
Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.
2 auth stale-ci-abandoned (11) — CI has been failing for over a month with no activity.
| #1335 | LucaButBoring | [v1.x] Fix registerToolTask's getTask and getTaskResult handlers not being invoked | red CI 204d, no activity | +311-167 | 204d |
| #1878 | dagangtj | feat(hono): add generic Env type support to createMcpHonoApp | red CI 95d, no activity | +68-3 | 95d |
| #1884 | vrv | Reject standalone GET in stateless streamable HTTP mode | red CI 94d, no activity | +11-0 | 94d |
| #1948 | paulelliotco | fix: respect disabled listChanged capabilities on v1.x | red CI 83d, no activity | +221-9 | 83d |
| #1963 | MukundaKatta | feat(client): add idle timeout to SSE stream reader | red CI 80d, no activity | +192-0 | 80d |
| #1964 | MukundaKatta | feat(deps): make HTTP/SSE transport deps optional for stdio-only consumers | red CI 80d, no activity | +154-13 | 80d |
| #1965 | MukundaKatta | feat(client): honor Retry-After on HTTP 429 responses | red CI 80d, no activity | +383-8 | 80d |
| #2019 | blackwell-systems | fix: check AbortSignal in handleAutomaticTaskPolling to stop cancelled requests | red CI 71d, no activity | +8-0 | 71d |
| #2118 | nielskaspers | authdocs(client): clarify private_key_jwt reserved-claim behavior | red CI 58d, no activity | +7-0 | 58d |
| #2178 | he-yufeng | fix(client): send MCP standard POST headers | red CI 47d, no activity | +135-0 | 47d |
| #2214 | raashish1601 | authchore(client): normalize trailing slashes in discovery paths | red CI 46d, no activity | +31-9 | 46d |
Unclassified (1) ⊕ ⊖
Classifier couldn't determine a state — needs manual triage.
unknown (1) — Classifier couldn't decide. Investigate.
| #1854 | haydenrear | Added default mcp tool call timeout from env | fetch failed: Ignoring 1 permissions.allow entry from .claude/settings.json: this workspace has not been trusted. | +133-2 | 101d |
Not our move (17) ⊕ ⊖
Clock is on the author or blocked externally. No action owed today.
3 auth stale-draft (7) — Draft with no activity for over a week.
| #872 | LucaButBoring | feat: use informative user agent in HTTP requests | draft idle 337d | +407-142 | 337d |
| #1169 | domdomegg | fix: allow any JSON Schema type for outputSchema | draft idle 232d | +6-17 | 232d |
| #1416 | maxisbey | ci: use conformance composite action | draft idle 175d | +68-41 | 175d |
| #2096 | MukundaKatta | authdocs(client): clarify private_key_jwt custom claim precedence | draft idle 61d | +37-2 | 61d |
| #2157 | SamMorrowDrums | authfeat(server): scope challenges for resources, prompts, completions (stacked on #1624) | draft idle 50d | +2107-18 | 50d |
| #2158 | SamMorrowDrums | SEP-2792: Reference implementation for per-request language negotiation | draft idle 50d | +1230-11 | 50d |
| #2462 | app/claude | authfix(auth): treat null optional fields in token responses as absent | draft idle 8d | +299-8 | 8d |
3 auth parked (7) — Maintainer draft >30d, intentionally shelved.
| #1292 | ochafik | feat: generate schemas from types, improve type definitions | maintainer draft, 215d | +9663-3551 | 215d |
| #1492 | ochafik | Add request/response compression support for HTTP transports | maintainer draft, 159d | +1253-10 | 159d |
| #1597 | pcarleton | examples: MRTR backwards-compatibility exploration demos | maintainer draft, 138d | +1185-0 | 138d |
| #1633 | ochafik | [SEP-2356] File input support for tools and elicitation | maintainer draft, 132d | +147-4 | 132d |
| #1721 | pcarleton | authfix(xaa): address review nits from #1593 & use discoveryState | maintainer draft, 117d | +55-153 | 117d |
| #1722 | pcarleton | auth[v1.x backport] SEP-990 Cross-App Access | maintainer draft, 117d | +874-3 | 117d |
| #1957 | pcarleton | authfeat(client/auth): RFC 9207 iss parameter validation (SEP-2468 reference impl) | maintainer draft, 82d | +6790-907 | 82d |
1 auth draft-active (3) — Author is still working. Fresh draft.
| #2470 | felixweinberger | authrefactor(core): extract connection-scoped state into a private Connection owner | 6d old | +1220-222 | 6d |
| #2474 | Sammy-Dabbas | fix(server): reject duplicate in-flight request ids, v1.x backport of #2434 | 6d old | +254-0 | 6d |
| #2495 | app/claude | fix: stop shipping declaration source maps that reference unshipped src/ | 1d old | +154-9 | 1d |
Stats — volume, timing, size distribution
Volume
Time to First Review
Merge Time
PR Size Distribution
Open PRs by lines changed
Breakdown by tier
| Tier | Count | Auth | Maint. | ~Time |
|---|---|---|---|---|
| 0 — Press a button | 1 | 0 | 1 | 1m |
| 1 — We're blocking someone | 21 | 3 | 5 | 5.0h |
| 2 — High leverage | 30 | 4 | 4 | 5.8h |
| 3 — Intake | 143 | 33 | 0 | 69.1h |
| 4 — Hygiene | 10 | 2 | 1 | 55m |
| 5 — Close candidates | 22 | 3 | 2 | 22m |
| total actionable | 227 | 45 | 13 | 81.1h |
| not our move | 33 | — | — | — |
Press a button (1) ⊕ ⊖
Already approved or already decided — ready for action.
needs-merge (1) — Approved and CI-green — ready to merge.
| #3095 | Kludex | Add Streamable HTTP request body limits | approved 0d ago, green | +280-19 | 1d |
We're blocking someone (21) ⊕ ⊖
Author did what we asked and is waiting on us. Longest-waiting first.
12 SLA1 auth author-pinged-after-procedural (12) — Author addressed maintainer feedback and pinged — awaiting response.
| #1440 | ChenyangLi4288 | re-reviewFixes protocol compliance gap described in issue #1419 | author pinged @felixweinberger 233d ago | +34-1 | 281d |
| #1486 | daamitt | re-reviewfeat: Add support for specifying NotificationOptions | author pinged @maxisbey, @felixweinberger 241d ago | +16-4 | 272d |
| #1578 | gyang-xai | re-reviewFix issue where client tool call hangs forever if server crashes or connection dies when using streamable-http | author pinged @maxisbey 204d ago | +332-44 | 252d |
| #1697 | dgenio | re-reviewdocs: clarify Streamable HTTP stateless mode semantics and usage | author pinged @felixweinberger 97d ago | +149-1 | 229d |
| #1709 | dgenio | re-reviewfeat: Add LLM provider adapter documentation and examp | author pinged @felixweinberger 137d ago | +1745-0 | 226d |
| #1810 | punitmahes | re-reviewauthfeat(cmid-server): Implement Server-Side Support for Client ID Metadata Documents (CIMD) | author pinged @maxisbey 133d ago | +189-1 | 207d |
| #1856 | codefromthecrypt | re-reviewfix: suppress GeneratorExit during client cleanup | author pinged @Kludex 161d ago | +180-13 | 182d |
| #2099 | dgenio | re-reviewfeat: expand InitializationState with explicit lifecycle state machine | author pinged @maxisbey 137d ago | +421-9 | 146d |
| #2147 | akshan-main | re-reviewshutdown CPU busy-loop in HTTP/SSE transports | author pinged @maxisbey 99d ago | +156-18 | 140d |
| #2327 | mrutunjay-kinagi | re-reviewfeat(client): add explicit session_id support for Streamable HTTP resumption | author pinged @maxisbey 92d ago | +244-7 | 116d |
| #2657 | truffle-dev | re-review[v1.x] fix(streamable-http): reject duplicate JSON-RPC ids with 409 | author pinged @maxisbey 44d ago | +100-2 | 55d |
| #2666 | Epochex | re-reviewfix(streamable-http): wait for post_writer before yielding | author pinged @maxisbey 53d ago | +45-2 | 53d |
4 SLA1 auth needs-re-review (4) — Author pushed changes after review feedback — needs re-review.
| #1436 | yarnabrina | re-review[DOC] simple mcp client with sampling capability | author pushed after CHANGES_REQUESTED (201d waiting) | +1204-645 | 282d |
| #1721 | BinoyOza-okta | re-reviewauthImplement SEP-990 Enterprise Managed OAuth | author pushed after CHANGES_REQUESTED (111d waiting) | +2988-3 | 223d |
| #2119 | jonathanhefner | re-reviewType-check docstring code examples via companion files and unified sync script | author pushed after CHANGES_REQUESTED (141d waiting) | +1306-270 | 145d |
| #2198 | Varun6578 | re-reviewfix: prevent tool exceptions from leaking internal details to client | author pushed after CHANGES_REQUESTED (43d waiting) | +53-11 | 135d |
5 SLA1 auth maintainer-intake (5) — Maintainer-authored PR awaiting review from another maintainer.
| #3018 | maxisbey | maintainerExtend the interaction suite to the 2026-07-28 spec | 16d, community reviewed (cubic-dev-ai) | +8721-368 | 16d |
| #3048 | maxisbey | maintainerAdd the todos-server reference example | 14d, community reviewed (cubic-dev-ai) | +922-0 | 14d |
| #3075 | maxisbey | maintainerauthScope HTTP client redirect following to the request's origin | 7d, community reviewed (cubic-dev-ai) | +878-57 | 7d |
| #3082 | maxisbey | maintainer[v1.x] ci: pick the docs toolchain per worktree in build-docs.sh | 6d, community reviewed (cubic-dev-ai) | +29-7 | 6d |
| #3086 | maxisbey | maintainer[v1.x] fix: reject trailing newline in tool-name validation | 5d, community reviewed (cubic-dev-ai) | +6-1 | 5d |
High leverage (30) ⊕ ⊖
One decision unblocks or closes multiple things.
20 SLA9 auth duplicate-cluster (20 clusters, 49 PRs) — Multiple PRs address the same issue — one will be picked, others closed as duplicates.
Issue #1265 — 2 PRs
| #1938 | maxisbey | maintainerauthfix: strip trailing slashes from OAuth metadata URL fields | cluster primary for issue #1265 (2 PRs) | +28-10 | 173d |
| #3013 | piyushbag | authfix(auth): strip trailing slashes from OAuth metadata URLs | shares linked issue #1265 with #1938 | +51-39 | 17d |
Issue #1401 — 3 PRs
| #2122 | heyhayes | 1st-reviewfix: propagate SSE stream errors to waiting requests | cluster primary for issue #1401 (3 PRs) | +115-16 | 144d |
| #2374 | Aboudjem | fix(session): log exceptions in default message_handler instead of silently swallowing | shares linked issue #1401 with #2122 | +141-0 | 109d |
| #2940 | KartavyaDikshit | Fix for issue #1401 | shares linked issue #1401 with #2122 | +14-1 | 24d |
Issue #156 — 2 PRs
| #2020 | BabyChrist666 | 1st-reviewfeat: support stderr logging in Jupyter notebook environments | cluster primary for issue #156 (2 PRs) | +285-10 | 156d |
| #2915 | jordansilly77-stack | fix: forward stdio server stderr through errlog | shares linked issue #156 with #2020 | +82-2 | 25d |
Issue #1656 — 3 PRs
| #2503 | fungi8 | 1st-reviewAvoid configuring logging during MCPServer initialization | cluster primary for issue #1656 (3 PRs) | +38-4 | 81d |
| #2532 | Genmin | Stop FastMCP from configuring application logging | shares linked issue #1656 with #2503 | +124-9 | 75d |
| #3071 | gee-46 | Add configure_logging opt-out to MCPServer (#1656) | shares linked issue #1656 with #2503 | +42-3 | 8d |
Issue #1933 — 6 PRs
| #2040 | adityuhkapoor | 1st-reviewfix: prevent stdio_server from closing process stdio handles | cluster primary for issue #1933 (6 PRs) | +66-10 | 154d |
| #2722 | TheChyeahhh | Fix stdio transport closing sys.stdin.buffer/sys.stdout.buffer on exit | shares linked issue #1933 with #2040 | +13-2 | 47d |
| #2734 | pranjalbhatia710 | fix: preserve stdio streams in server transport | shares linked issue #1933 with #2040 | +112-29 | 45d |
| #2737 | xlyoung | fix: use os.dup to avoid closing real stdin/stdout in stdio_server | shares linked issue #1933 with #2040 | +1363-1331 | 45d |
| #2866 | superShen0916 | fix(server): duplicate stdio fds to prevent closing real stdio | shares linked issue #1933 with #2040 | +18-7 | 31d |
| #3090 | steps-re | Don't close real process stdio in stdio_server (#1933) | shares linked issue #1933 with #2040 | +119-10 | 2d |
Issue #2432 — 2 PRs
| #2438 | vishal-vanam | 1st-reviewfix: consume response body on unexpected content type to prevent client hang | cluster primary for issue #2432 (2 PRs) | +19-0 | 93d |
| #2472 | Christian-Sidak | test: regression test for initialize hang on unexpected content-type | shares linked issue #2432 with #2438 | +29-0 | 87d |
Issue #2454 — 2 PRs
| #2456 | shaun0927 | 1st-reviewfix(stdio_client): tolerate invalid UTF-8 from child stdout | cluster primary for issue #2454 (2 PRs) | +41-4 | 90d |
| #2907 | sarvesh1327 | fix(client/stdio): default encoding_error_handler to 'replace' for resilient UTF-8 decoding | shares linked issue #2454 with #2456 | +25-1 | 27d |
Issue #2556 — 3 PRs
| #2658 | adityasingh2400 | 1st-reviewAdd list_all_* helpers that drain pagination on the client | cluster primary for issue #2556 (3 PRs) | +383-18 | 55d |
| #3021 | CJGjr | Add list_all_* helpers that drain pagination on the client | shares linked issue #2556 with #2658 | +565-20 | 16d |
| #3083 | sanjibani | feat(client): add list_all_* helpers that drain pagination | shares linked issue #2556 with #2658 | +350-0 | 6d |
Issue #2605 — 2 PRs
| #2606 | he-yufeng | 1st-reviewfix: reject changed duplicate initialize | cluster primary for issue #2605 (2 PRs) | +25-1 | 61d |
| #2999 | maxisbey | authWork through the spec-conformance gaps recorded by the interaction suite | shares linked issue #2605 with #2606 | +3804-1033 | 19d |
Issue #2629 — 2 PRs
| #2630 | CrypticCortex | 1st-reviewauthfix(auth): validate redirect_uri schemes at DCR registration (RFC 9700 §4.1.1, RFC 7591 §2) | cluster primary for issue #2629 (2 PRs) | +214-3 | 58d |
| #2860 | KirtiRamchandani | authValidate DCR redirect_uris with HTTPS-or-loopback policy | shares linked issue #2629 with #2630 | +94-43 | 32d |
Issue #2663 — 2 PRs
| #2778 | koriyoshi2041 | 1st-reviewSuppress KeyboardInterrupt tracebacks from MCPServer.run | cluster primary for issue #2663 (2 PRs) | +38-10 | 42d |
| #3027 | devansh-dek | fix(server): exit cleanly on KeyboardInterrupt in MCPServer.run | shares linked issue #2663 with #2778 | +31-7 | 15d |
Issue #2678 — 2 PRs
| #2680 | Epochex | 1st-reviewfix(stdio): drain responses after stdin EOF | cluster primary for issue #2678 (2 PRs) | +435-45 | 51d |
| #3026 | matthewchen94 | fix: drain accepted JSON-RPC requests after read EOF | shares linked issue #2678 with #2680 | +129-7 | 16d |
Issue #2687 — 2 PRs
| #2808 | he-yufeng | 1st-reviewauthfix(auth): normalize redirect URI URL subclasses | cluster primary for issue #2687 (2 PRs) | +38-3 | 38d |
| #2825 | sarvesh1327 | authfix: compare OAuth redirect URI strings | shares linked issue #2687 with #2808 | +33-4 | 35d |
Issue #2689 — 3 PRs
| #2698 | Epochex | 1st-reviewfix(client): respect negotiated capabilities in ClientSessionGroup | cluster primary for issue #2689 (3 PRs) | +109-26 | 50d |
| #2753 | mr-brobot | fix(clientsessiongroup): only query negotiated capabilities | shares linked issue #2689 with #2698 | +77-25 | 44d |
| #2861 | he-yufeng | fix(client): respect session group capabilities | shares linked issue #2689 with #2698 | +83-25 | 32d |
Issue #2935 — 2 PRs
| #2939 | anneheartrecord | 1st-reviewfix(mcpserver): preserve Annotated/Field metadata for dict[str, T] return types | cluster primary for issue #2935 (2 PRs) | +30-3 | 24d |
| #3042 | Whning0513 | Preserve dict output Field metadata | shares linked issue #2935 with #2939 | +14-3 | 14d |
Issue #2960 — 2 PRs
| #2962 | Bartok9 | 1st-reviewfix(server): don't raise when tool_use is not followed by tool_result | cluster primary for issue #2960 (2 PRs) | +25-1 | 20d |
| #2981 | syf2211 | fix(validation): only match tool_use/tool_result IDs when last message has tool_result | shares linked issue #2960 with #2962 | +18-1 | 19d |
Issue #2965 — 2 PRs
| #2979 | syf2211 | 1st-reviewfix(server): validate elicitation form/url sub-capabilities in check_capability | cluster primary for issue #2965 (2 PRs) | +39-2 | 20d |
| #3061 | Rodrigo-Palma | Validate elicitation sub-capabilities in check_capability | shares linked issue #2965 with #2979 | +56-2 | 12d |
Issue #3009 — 2 PRs
| #3041 | Whning0513 | 1st-reviewauthFix substring matches in WWW-Authenticate parsing | cluster primary for issue #3009 (2 PRs) | +109-6 | 14d |
| #3050 | pradeep-ramola | authfix: match complete www-authenticate auth params | shares linked issue #3009 with #3041 | +29-2 | 14d |
Issue #348 — 3 PRs
| #1824 | hanzili | 1st-reviewAdd custom content support to ToolError for isError responses | cluster primary for issue #348 (3 PRs) | +269-1 | 192d |
| #2841 | cognis-digital | test: lock in CallToolResult(is_error=True) with non-text content (#348) | shares linked issue #348 with #1824 | +33-0 | 33d |
| #2984 | RaidLZ | feat(mcpserver): let ToolError carry content for is_error results | shares linked issue #348 with #1824 | +58-3 | 19d |
9 SLA needs-decision (9) — Maintainer discussed but hasn't approved or requested changes yet.
| #2344 | pja-ant | maintainerfix(server): return -32602 for resource not found (SEP-2164) | maintainer COMMENTED but took no stance | +95-20 | 112d |
| #2696 | dsp-ant | maintainerAdd experimental Server Cards support (SEP-2127) | 2 maintainer comments, zero reviews | +1760-0 | 50d |
| #3005 | Kludex | maintainerAdd the SEP-2663 Tasks extension (core) | maintainer COMMENTED but took no stance | +3204-73 | 19d |
| #1439 | beaterblank | re-reviewEnhanced ResourceTemplate URI matching and type handling logic. | maintainer COMMENTED but took no stance | +2350-66 | 281d |
| #1825 | Ilan-kayesar | re-reviewAdded descriptions for arguments taken from docstring | maintainer COMMENTED but took no stance | +253-8 | 192d |
| #2075 | BabyChrist666 | re-reviewReject JSON-RPC requests with null id instead of misclassifying as notifications | maintainer COMMENTED but took no stance | +60-1 | 148d |
| #2117 | sreenithi | re-reviewPluggable Transport Abstractions for Client and Shared sessions | maintainer COMMENTED but took no stance | +837-83 | 145d |
| #2342 | perhapzz | re-reviewtest: convert context_aware_server to in-process threads for coverage | maintainer COMMENTED but took no stance | +41-18 | 112d |
| #2693 | dsfaccini | re-reviewDeprecate `httpx` in favor of `httpx2` | maintainer COMMENTED but took no stance | +114-19 | 50d |
1 SLA backport-follows-primary (1) — v1.x sibling of a main-branch PR. Review together — backport diff is usually mechanical.
| #2449 | ddullah | 1st-review[v1.x] fix(stdio): handle BrokenResourceError in stdout_reader race (#1960) | follows #2450 | +52-3 | 91d |
Intake (143) ⊕ ⊖
PRs not yet reviewed by a maintainer. Oldest first.
113 SLA28 auth needs-first-review (114) — Not yet reviewed by a maintainer.
| #1531 | vincent0426 | 1st-reviewauthfix: Add accept json headers for token request | 259d | +10-2 | 259d |
| #1566 | bjoaquinc | 1st-reviewtest: update SSE tests to use StreamingASGITransport instead of uvicorn for server testing | 254d | +366-367 | 254d |
| #1570 | carlosemart | 1st-reviewDisable logs reconfigure on startup | 253d | +45-7 | 253d |
| #1582 | vincent0426 | 1st-reviewfix: Raise resource not found error | 252d | +50-10 | 252d |
| #1597 | bjoaquinc | 1st-reviewauthfix: validate PRM resource field per RFC 9728 Section 3.3 | 248d | +62-5 | 248d |
| #1608 | cbcoutinho | 1st-reviewfeat: propagate session_id from transport to tool context | 247d | +330-1 | 247d |
| #1611 | kylestratis | 1st-reviewClient notification support | 247d | +889-4 | 247d |
| #1647 | FanisPapakonstantinou | 1st-reviewImprove exception handling for ClientDisconnect errors | 237d | +10-1 | 237d |
| #1666 | matthew-gries | 1st-reviewfix: Fix logic that determines standard resource vs. resource template to account for context param (#1635) | 232d | +280-58 | 232d |
| #1674 | AydarAkhmetzyanov | 1st-reviewRace condition in streamable http | 231d | +73-2 | 231d |
| #1807 | sesajad | 1st-reviewMake `errlog` optional in `stdio_client` and update default to `None` | 208d | +73-2 | 208d |
| #1812 | ivanbelenky | 1st-reviewfix: `handle_sse_response` causing dangling client's read_stream | 206d | +20-1 | 206d |
| #1817 | challenger71498 | 1st-reviewfix: cleanup resources properly on `BaseSession::_receive_loop` cleanup | 201d | +89-11 | 201d |
| #1818 | jayhemnani9910 | 1st-reviewfix: auto-reinitialize client session on HTTP 404 | 196d | +671-9 | 196d |
| #1846 | jayhemnani9910 | 1st-reviewauthfix: respect token_endpoint_auth_method=none when client_secret exists | 187d | +72-3 | 187d |
| #1847 | challenger71498 | 1st-reviewauthfeat: fully support Basic Authorization header at token request | 185d | +148-58 | 185d |
| #1849 | newbiehwang | 1st-reviewFix: Raise RuntimeError when ClientSession is used without context manager to prevent hangs | 184d | +40-0 | 184d |
| #1943 | sicoyle | 1st-reviewfix: prevent silent failure on GET stream so clients don't hang | 173d | +185-2 | 173d |
| #2032 | adityuhkapoor | 1st-reviewfix: skip JSON pre-parsing for str union annotations in pre_parse_json | 154d | +38-1 | 154d |
| #2041 | BryceEWatson | 1st-reviewfeat: expose progress_callback in ServerSession methods | 153d | +148-1 | 153d |
| #2065 | IT-HONGREAT | 1st-reviewauthfeat: add auth parameter to ClientSessionGroup server parameters | 151d | +107-1 | 151d |
| #2078 | BabyChrist666 | 1st-reviewauthfix: restore eager OAuth discovery to avoid slow unauthenticated roundtrip | 148d | +303-99 | 148d |
| #2093 | aabmass | 1st-reviewOpenTelemetry inject trace context propagation in `_meta` | 147d | +544-102 | 147d |
| #2187 | Br1an67 | 1st-reviewfix: preserve notification metadata when related_request_id is 0 | 136d | +43-1 | 136d |
| #2191 | Br1an67 | 1st-reviewfix: reject unsupported HTTP methods early in session manager | 136d | +88-0 | 136d |
| #2192 | Br1an67 | 1st-reviewdocs: add CLI command flags reference to README | 136d | +46-0 | 136d |
| #2193 | harsh543 | 1st-reviewauthfeat(auth): add Authlib-backed OAuth adapter (related to #1240) | 136d | +1011-2 | 136d |
| #2196 | Varun6578 | 1st-reviewauthfix: only retry 403 responses for insufficient_scope error | 135d | +53-5 | 135d |
| #2207 | weiguangli-io | 1st-reviewauthfix: pass related_request_id in Context.report_progress() | 133d | +51-3 | 133d |
| #2261 | namabile | 1st-reviewauthfix: include "none" in token_endpoint_auth_methods_supported metadata | 128d | +9-5 | 128d |
| #2271 | oedokumaci | 1st-reviewauthfix(oauth): preserve existing refresh_token when refresh response omits it | 126d | +116-1 | 126d |
| #2281 | omar-y-abdi | 1st-reviewAdd client callbacks for list_changed notifications | 126d | +179-4 | 126d |
| #2296 | ameenalkhaldi | 1st-reviewdocs: add environment variables guide | 122d | +124-0 | 122d |
| #2335 | rgoldstein1989 | 1st-reviewfeat: add remove_prompt(), remove_resource(), and remove_resource_template() | 115d | +242-1 | 115d |
| #2341 | perhapzz | 1st-reviewtest: replace subprocess servers with in-process threaded servers for coverage tracking | 112d | +459-182 | 112d |
| #2343 | mangelajo | 1st-reviewExpose optional stdin/stdout on MCPServer stdio entrypoints | 112d | +76-5 | 112d |
| #2352 | perhapzz | 1st-reviewrefactor: decompose func_metadata() into smaller focused helpers | 111d | +153-76 | 111d |
| #2357 | BlocksecPHD | 1st-reviewfix(streamable-http): reduce stateless termination log noise | 111d | +44-1 | 111d |
| #2361 | 4444J99 | 1st-reviewfix: accept single supported content type in SSE mode Accept header | 110d | +139-13 | 110d |
| #2365 | raashish1601 | 1st-reviewfix: make Windows stdio pywin32 optional | 110d | +117-15 | 110d |
| #2377 | guoyangzhen | 1st-reviewfix: allow custom Content-Type header in StreamableHTTPTransport | 108d | +10-2 | 108d |
| #2394 | verdie-g | 1st-reviewfeat: implement OTEL mcp.server.* metrics | 101d | +1116-751 | 101d |
| #2395 | Dharit13 | 1st-reviewFix infinite reconnection loop in StreamableHTTP client | 101d | +62-9 | 101d |
| #2407 | dgenio | 1st-reviewfeat: add public setter methods for ClientSession callbacks | 97d | +177-1 | 97d |
| #2410 | RudrenduPaul | 1st-reviewfix: allow integer file descriptors for errlog in stdio_client | 97d | +13-5 | 97d |
| #2411 | Smeet23 | 1st-reviewfix(session): return INVALID_REQUEST error instead of crashing on pre-init requests | 97d | +74-2 | 97d |
| #2418 | manjunathgujjar | 1st-reviewfix: silence respond() when concurrent cancellation already completed request | 96d | +108-2 | 96d |
| #2428 | KeWang0622 | 1st-reviewfix: remove JSON-RPC ID type coercion for spec-compliant strict matching | 94d | +40-64 | 94d |
| #2437 | app/dependabot | 1st-reviewchore(deps-dev): bump pillow from 12.1.1 to 12.2.0 in the uv group across 1 directory | 93d | +94-94 | 93d |
| #2441 | atishay2 | 1st-reviewfix: invalidate tool schema cache on ToolListChangedNotification; paginate all pages in _validate_tool_result | 92d | +121-2 | 92d |
| #2447 | SAY-5 | 1st-reviewfix(server): allow tools with outputSchema to surface errors via unstructured content | 91d | +31-10 | 91d |
| #2457 | shaun0927 | 1st-reviewfix(streamable-http): expose session_idle_timeout and pause idle reaping during active requests | 90d | +106-11 | 90d |
| #2465 | cubaseuser123 | 1st-reviewdocs: add prompt client/server example to address #498 | 89d | +94-2 | 89d |
| #2466 | kimsehwan96 | 1st-reviewfix: skip output schema validation when tool returns is_error=True | 88d | +27-2 | 88d |
| #2467 | kimsehwan96 | 1st-reviewfix: [v1.x backport] skip output schema validation when tool returns isError=True | 88d | +27-2 | 88d |
| #2468 | NeelakandanNC | 1st-reviewfeat(mcpserver): add Context.assert_within_roots for server-side roots enforcement | 88d | +180-0 | 88d |
| #2476 | trentisiete | 1st-reviewfeat(examples): add simple-sampling server and client | 87d | +603-0 | 87d |
| #2478 | MukundaKatta | 1st-reviewfix(shared): preserve MCPError payload on pickle | 86d | +57-1 | 86d |
| #2484 | sakenuGOD | 1st-reviewfix(client/stdio): allow FIFO cleanup of multiple transports on asyncio (#577) | 86d | +272-30 | 86d |
| #2492 | mangibaud33 | 1st-reviewauthfeat(auth): persist oauth_metadata via TokenStorage to fix refresh after restart | 84d | +294-6 | 84d |
| #2493 | Zelys-DFKH | 1st-reviewfix: don't send a response for cancelled requests | 84d | +30-8 | 84d |
| #2498 | Zelys-DFKH | 1st-reviewfeat(security): add subdomain wildcard support to allowed_hosts and allowed_origins | 83d | +264-20 | 83d |
| #2502 | bobbyo | 1st-review[v1.x] Drop responses/notifications when write stream is already closed | 82d | +98-4 | 82d |
| #2506 | GitAashishG | 1st-reviewfeat(cli): support env vars in `mcp dev` (#339) | 80d | +130-22 | 80d |
| #2520 | GopalGB | 1st-reviewfix(examples/simple-chatbot): align declared deps with actual usage | 76d | +6-3 | 76d |
| #2524 | Genmin | 1st-reviewfix(cli): avoid Windows shell for mcp dev | 76d | +147-19 | 76d |
| #2555 | MukundaKatta | 1st-reviewfix(shared): make UrlElicitationRequiredError pickle-safe (refs #2431) | 69d | +70-0 | 69d |
| #2565 | blackwell-systems | 1st-reviewfix: chain exceptions with `from` in 12 remaining raise sites | 68d | +15-15 | 68d |
| #2573 | charles-adedotun | 1st-reviewfix(shared): strip envelope fields when forwarding JSONRPCRequest | 65d | +59-0 | 65d |
| #2585 | Choppaaahh | 1st-reviewauthfix(auth): normalize URL paths before hierarchical resource check | 63d | +82-3 | 63d |
| #2589 | stefandevo | 1st-reviewfeat: add reset_timeout_on_progress and max_total_timeout to send_request | 63d | +500-13 | 63d |
| #2608 | MukundaKatta | 1st-reviewfeat: expose schema generator for tool schemas | 61d | +77-5 | 61d |
| #2612 | pragnyanramtha | 1st-reviewfix: handle Image helpers in mixed return annotations | 61d | +88-3 | 61d |
| #2616 | pragnyanramtha | 1st-reviewauth[v1.x] fix(auth): request JSON token responses | 60d | +6-0 | 60d |
| #2621 | pragnyanramtha | 1st-reviewfix: support context-only resources | 60d | +44-14 | 60d |
| #2622 | Epochex | 1st-reviewfix: validate full sampling tool result history | 60d | +223-25 | 60d |
| #2623 | pragnyanramtha | 1st-reviewfix: detect context on callable tool instances | 59d | +26-1 | 59d |
| #2631 | Epochex | 1st-reviewfix: fail fast when session is not started | 58d | +51-4 | 58d |
| #2633 | Epochex | 1st-reviewfix(streamable-http): close SSE responses on errors | 58d | +148-14 | 58d |
| #2651 | pragnyanramtha | 1st-reviewauthfix(auth): avoid SSE OAuth refresh deadlock | 56d | +507-0 | 56d |
| #2654 | 2830500285 | 1st-reviewfix: buffer stdio server writes during progress notifications | 55d | +43-2 | 55d |
| #2659 | adityasingh2400 | 1st-reviewfix: serialize Image and Audio helpers as ImageContent/AudioContent | 55d | +146-0 | 55d |
| #2662 | adityasingh2400 | 1st-reviewauthdocs(auth): clarify that resource_server_url must include the transport path | 54d | +26-8 | 54d |
| #2667 | adityasingh2400 | 1st-reviewfeat(client): add validate_structured_output option to ClientSession | 53d | +77-0 | 53d |
| #2675 | Epochex | 1st-reviewauthfix(auth): get_access_token reflects current request in stateful sessions | 52d | +130-1 | 52d |
| #2676 | dogacancolak | 1st-reviewauthSEP-2350: accumulate scopes on step-up auth | 52d | +595-94 | 52d |
| #2681 | golevishal | 1st-reviewauthAdd client example demonstrating pre-execution authorization check | 51d | +160-0 | 51d |
| #2697 | SHAI-Akshay-Tripathi | 1st-reviewFIX Remove duplicate VBLoRAConfig entry from peft.__all__ | 50d | +10-11 | 50d |
| #2706 | anhtnt90dev | 1st-reviewdocs: clarify client tool cancellation guidance | 48d | +32-0 | 48d |
| #2709 | haoxuw | 1st-reviewauthauth: improve ClientAuthenticator error messaging | 48d | +59-0 | 48d |
| #2728 | TheChyeahhh | 1st-reviewauthFix typos: requestor -> requester, Implementors -> Implementers | 46d | +9-9 | 46d |
| #2729 | Bartok9 | 1st-reviewfix(client): send same-origin Origin header from streamable HTTP client | 46d | +43-2 | 46d |
| #2745 | he-yufeng | 1st-reviewfix: exit stdio server cleanly on interrupt | 45d | +41-12 | 45d |
| #2774 | mplemay | 1st-reviewfeat: add_resource_template to mcpserver and resource manager | 42d | +154-10 | 42d |
| #2775 | pranjalbhatia710 | 1st-reviewdocs: add transport security troubleshooting guide | 42d | +78-0 | 42d |
| #2789 | He-wei-gui | 1st-reviewdocs: explain client-side sampling callbacks | 39d | +134-0 | 39d |
| #2812 | VIVAAN-DHAWAN | 1st-reviewfix: validate wildcard port allowlist suffixes | 38d | +8-4 | 38d |
| #2824 | MicroYui | 1st-reviewfeat(types): add SEP-2549 cache hints to result models | 36d | +199-5 | 36d |
| #2827 | sohammmmm10 | 1st-reviewExpose sampling capabilities on high-level clients | 35d | +198-16 | 35d |
| #2846 | nikodemas | 1st-reviewauthFix/simple auth example | 33d | +5-6 | 33d |
| #2852 | anneheartrecord | 1st-reviewfix: correlate invalid JSON-RPC envelope errors with the original request id | 33d | +153-9 | 33d |
| #2853 | fede-kamel | 1st-reviewauthfix: omit RFC 8707 resource param on refresh_token grants and strip root trailing slash from PRM resource | 33d | +76-12 | 33d |
| #2858 | Bartok9 | 1st-reviewauthfix(oauth): narrow context.lock scope in async_auth_flow (rebase of #2660 by @peisuke, closes #2847) | 32d | +355-18 | 32d |
| #2859 | Bartok9 | 1st-reviewauthfeat(auth): proactive OAuth token refresh with jitter to reduce concurrent refresh spikes | 32d | +343-4 | 32d |
| #2869 | agaonker | 1st-reviewDeprecate the SSE transport | 31d | +52-0 | 31d |
| #2875 | beraterkanelcelik | 1st-reviewauthfix(client/auth): use stored refresh_token on 401 instead of full re-authorization | 30d | +175-2 | 30d |
| #2876 | Gaurangwad | 1st-reviewExtract tool parameter descriptions from docstrings | 30d | +214-1 | 30d |
| #2882 | LiJzd | 1st-reviewauthdocs: add bearer auth server example | 29d | +77-2 | 29d |
| #2888 | Epochex | 1st-reviewauthfix(auth): keep root PRM resource URL canonical | 29d | +28-2 | 29d |
| #2906 | Bartok9 | 1st-reviewtest(mcpserver): cover PEP 604 union return annotations (#2591) | 27d | +36-0 | 27d |
| #2916 | ly-wang19 | 1st-reviewfix(server): match Content-Type case-insensitively in StreamableHTTP | 25d | +27-1 | 25d |
| #2918 | ly-wang19 | 1st-reviewfix(server): treat text/* mime types case-insensitively for FileResource | 25d | +43-2 | 25d |
| #2938 | KartavyaDikshit | 1st-reviewFix for issue #1205 | 25d | +67-0 | 24d |
| #3085 | app/dependabot | chore(deps): bump the github-actions group across 1 directory with 4 updates | 5d | +15-15 | 5d |
23 SLA5 auth community-reviewed (29) — Community members have reviewed, but no maintainer has engaged yet.
| #2652 | STiFLeR7 | 1st-reviewfeat: add protocol version override support for client session initialization | 55d, reviewed by cubic-dev-ai (SLA breach) | +170-13 | 55d |
| #2732 | Epochex | 1st-reviewfix(streamable-http): fail request when resumable SSE stream can't complete | 46d, reviewed by cubic-dev-ai (SLA breach) | +229-8 | 46d |
| #2747 | kaushik701 | 1st-reviewtest: add regression test for issue #2001 (progress related_request_id) | 45d, reviewed by StantonMatt (SLA breach) | +103-0 | 44d |
| #2749 | vidigoat | 1st-reviewfix(resources): escape literal regex metacharacters in ResourceTemplate.matches | 44d, reviewed by Robin1987China, StantonMatt (SLA breach) | +41-0 | 44d |
| #2766 | he-yufeng | 1st-reviewfix(server): return stdio parse errors | 43d, reviewed by StantonMatt (SLA breach) | +136-19 | 43d |
| #2772 | mengyunxie | 1st-reviewfix: propagate McpError from tool handlers as JSON-RPC error | 43d, reviewed by StantonMatt (SLA breach) | +37-16 | 43d |
| #2779 | Bartok9 | 1st-reviewauthfix(client): preserve existing query params on OAuth authorization_endpoint | 41d, reviewed by STiFLeR7, cubic-dev-ai (SLA breach) | +121-3 | 41d |
| #2854 | etserend | 1st-reviewAdd GenAI semconv attributes to native OTel spans | 33d, reviewed by adityamehra (SLA breach) | +165-10 | 33d |
| #2982 | tarunag10 | 1st-reviewfix: clean up StreamableHTTP SSE disconnects | 19d, reviewed by cubic-dev-ai (SLA breach) | +56-3 | 19d |
| #2983 | Bartok9 | 1st-reviewfix(server): guard error-path send into closed session stream | 19d, reviewed by cubic-dev-ai (SLA breach) | +64-1 | 19d |
| #3008 | CodingFeng101 | 1st-reviewauthPreserve userinfo case in resource URLs | 18d, reviewed by cubic-dev-ai (SLA breach) | +28-1 | 18d |
| #3010 | Rifa-111 | 1st-reviewOffload sync function calls to a thread | 18d, reviewed by cubic-dev-ai (SLA breach) | +5-1 | 18d |
| #3012 | tarunag10 | 1st-reviewauthfix(auth): match complete WWW-Authenticate parameters | 17d, reviewed by cubic-dev-ai, fede-kamel (SLA breach) | +196-7 | 17d |
| #3025 | devansh-dek | 1st-reviewfix(client): catch httpx transport errors in streamable HTTP post_writer | 15d, reviewed by cubic-dev-ai (SLA breach) | +48-4 | 16d |
| #3051 | Sehlani042 | 1st-reviewfix(client): surface streamable HTTP 401 as JSON-RPC error | 13d, reviewed by cubic-dev-ai (SLA breach) | +29-0 | 13d |
| #3053 | HarperZ9 | 1st-reviewClarify missing tool_result validation error | 13d, reviewed by cubic-dev-ai (SLA breach) | +19-0 | 13d |
| #3056 | vientooscuro | 1st-reviewFix pre_parse_json corrupting str | None values that look like JSON | 13d, reviewed by akminx, cubic-dev-ai (SLA breach) | +79-1 | 13d |
| #3059 | raphaelOhana | 1st-reviewfix: prevent session + task leak on GET/DELETE without session-id | 12d, reviewed by cubic-dev-ai (SLA breach) | +225-1 | 12d |
| #3063 | Sammy-Dabbas | 1st-reviewfix(streamable-http): reject duplicate in-flight request ids | 11d, reviewed by cubic-dev-ai (SLA breach) | +258-10 | 11d |
| #3064 | akminx | 1st-reviewfix(dispatcher): reject duplicate in-flight request ids | 10d, reviewed by cubic-dev-ai (SLA breach) | +110-85 | 10d |
| #3066 | mayankbohradev | 1st-reviewauthPreserve query components in PRM resource URLs | 9d, reviewed by cubic-dev-ai (SLA breach) | +82-11 | 9d |
| #3068 | elbachir-salik | 1st-reviewfix: forbid extra arguments in FastMCP tool arg models (#3067) | 9d, reviewed by cubic-dev-ai (SLA breach) | +41-14 | 9d |
| #3069 | isheng-eqi | 1st-reviewauthfix(server): guard GET SSE response with CancelScope to prevent Windows deadlock (#2653) | 9d, reviewed by cubic-dev-ai (SLA breach) | +25-4 | 9d |
| #3077 | Joosboy | docs: clarify OpenTelemetry spans for resources and prompts | 7d, reviewed by cubic-dev-ai | +50-4 | 7d |
| #3078 | ychampion | fix(server): reject changed duplicate initialize | 7d, reviewed by cubic-dev-ai | +129-17 | 7d |
| #3079 | AndreKalberer | docs: document Windows stdio subprocess stdin handling | 7d, reviewed by cubic-dev-ai | +59-0 | 7d |
| #3088 | shivamsingh-007 | [v1.x] fix: guard respond() and cancel() against concurrent cancellation race (#2416) | 4d, reviewed by cubic-dev-ai | +32-2 | 4d |
| #3092 | himanshu-commits | fix(client): surface non-2xx HTTP responses to the waiting caller | 2d, reviewed by afterrburn, cubic-dev-ai | +275-17 | 2d |
| #3093 | zsxh1990 | test: add tests for non-2xx HTTP status handling (fixes #3091) | 1d, reviewed by cubic-dev-ai | +133-0 | 1d |
Hygiene (10) ⊕ ⊖
Batchable procedural ops — pings, rebases, peer reviews.
2 auth stale-awaiting-author (9) — Changes requested over two weeks ago with no author response.
| #2175 | Kludex | Return `CallToolResult` from `convert_result` instead of a tuple | 136d since feedback | +14-27 | 137d |
| #1638 | calvingiles | Add support for _meta attributes in resource contents | CI ping 237d ago, no fix | +426-4 | 239d |
| #1784 | keurcien | authFix `token_expiry_time` upon context initialization for stored tokens. | author self-diagnosed CI 84d ago, never fixed | +109-0 | 215d |
| #2146 | BabyChrist666 | feat: public API for runtime handler registration/deregistration | author self-diagnosed CI 116d ago, never fixed | +187-26 | 140d |
| #2253 | weiguangli-io | fix: terminate active StreamableHTTP sessions during shutdown | author self-diagnosed CI 81d ago, never fixed | +14-0 | 128d |
| #2401 | enjoykumawat | authfix: prefix auth routes with issuer_url base path for gateway deployments | author self-diagnosed CI 95d ago, never fixed | +62-6 | 99d |
| #2450 | ddullah | fix(stdio): handle BrokenResourceError in stdout_reader race (#1960) | 90d since feedback | +54-3 | 91d |
| #2514 | dragogargo | fix: send notifications/cancelled on request timeout and caller cancellation | author self-diagnosed CI 78d ago, never fixed | +121-2 | 79d |
| #2624 | FU-max-boop | Fix completed request cancellation cleanup | author self-diagnosed CI 47d ago, never fixed | +57-1 | 59d |
approved-rotted (1) — Was approved, now conflicting. Rebase or ask author.
| #1872 | DePasqualeOrg | fix: correct unknown tool/prompt/resource error handling | approved 123d ago, now conflicting | +63-35 | 181d |
Close candidates (22) ⊕ ⊖
Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.
3 auth stale-ci-abandoned (22) — CI has been failing for over a month with no activity.
| #2339 | maxisbey | chore: enforce type annotations on all functions via ruff ANN rules | red CI 113d, no activity | +162-121 | 113d |
| #2387 | Kludex | Add richer OTel MCP span attributes | red CI 104d, no activity | +196-17 | 104d |
| #1712 | vemonet | Add working example to easily integrate a FastMCP endpoint to a FastAPI app (which is not trivial) | red CI 226d, no activity | +128-6 | 226d |
| #1934 | williamomeara | authFix RFC 8252 Section 7.3 compliance for loopback redirect URIs | red CI 174d, no activity | +229-4 | 174d |
| #2077 | mrutunjay-kinagi | authfix(auth): forward user-agent to oauth flow requests | red CI 148d, no activity | +104-3 | 148d |
| #2145 | wiggzz | Fix stateless HTTP task accumulation causing memory leak | red CI 140d, no activity | +296-20 | 140d |
| #2180 | dgenio | fix: add SSRF redirect protection to httpx client factory | red CI 137d, no activity | +266-2 | 137d |
| #2215 | yaowubarbara | fix(stdio): allow configurable memory stream buffer size | red CI 132d, no activity | +85-3 | 132d |
| #2245 | Varun6578 | fix: collapse single-exception ExceptionGroups from task groups | red CI 130d, no activity | +333-23 | 130d |
| #2252 | BabyChrist666 | refactor: consistent raise-based error handling in MCPServer handlers | red CI 128d, no activity | +227-25 | 128d |
| #2369 | raashish1601 | Add stdio regression test for raw invalid UTF-8 tool arguments | red CI 109d, no activity | +127-0 | 109d |
| #2372 | raashish1601 | Return METHOD_NOT_FOUND for invalid request methods | red CI 109d, no activity | +70-2 | 109d |
| #2373 | chasewhughes | authfix(auth): respect explicitly-set client_metadata.scope during discovery | red CI 109d, no activity | +143-5 | 109d |
| #2415 | mplemay | refactor: make tool registration object-based | red CI 97d, no activity | +199-148 | 97d |
| #2448 | MukundaKatta | feat(tools): inline local $ref in tool inputSchema (#2384) | red CI 91d, no activity | +328-4 | 91d |
| #2499 | Zelys-DFKH | fix(mcpserver): advertise capabilities only for registered primitives | red CI 83d, no activity | +117-2 | 83d |
| #2531 | HenryLee789 | feat: allow overriding SSE messages endpoint | red CI 75d, no activity | +110-3 | 75d |
| #2551 | namor5772 | fix(client/stdio): fall back to os.devnull when sys.stderr is None | red CI 69d, no activity | +23-2 | 69d |
| #2552 | Maanik23 | fix: disable newline translation in stdio TextIOWrapper to prevent CRLF on Windows | red CI 69d, no activity | +60-2 | 69d |
| #2712 | whocareyw | fix(streamable-http): drain SSE response to EOF instead of closing early | red CI 47d, no activity | +24-12 | 48d |
| #2726 | he-yufeng | fix: explain transport host rejections | red CI 46d, no activity | +53-7 | 46d |
| #2777 | kiankhooban | fix: add raise ... from e in all except handlers | red CI 42d, no activity | +11-11 | 42d |
Not our move (33) ⊕ ⊖
Clock is on the author or blocked externally. No action owed today.
2 auth stale-draft (15) — Draft with no activity for over a week.
| #1800 | the-ayyi | Add propagate_through_tool_handlers attribute to McpError for protocol flow control | draft idle 209d | +194-8 | 209d |
| #1838 | jayhemnani9910 | fix: send error on SSE disconnect without resumption token | draft idle 190d | +83-1 | 190d |
| #1998 | bgaidioz | authFix: Refresh auth context per Streamable HTTP request | draft idle 160d | +196-0 | 160d |
| #2130 | jonathanhefner | Import "Build an LLM-powered chatbot" quickstart guide | draft idle 142d | +2024-268 | 142d |
| #2132 | aabmass | OpenTelemetry MCP client spans | draft idle 141d | +1612-118 | 141d |
| #2138 | jonathanhefner | Import "Build a weather server" quickstart guide | draft idle 141d | +2600-268 | 141d |
| #2139 | jonathanhefner | Replace Claude for Desktop with VS Code + Copilot in server quickstart | draft idle 141d | +2514-268 | 141d |
| #2509 | faridun-ag2 | fix(server): return 405 on GET/DELETE in stateless HTTP mode | draft idle 80d | +136-0 | 80d |
| #2596 | MukundaKatta | refactor(client): rename message handler callback | draft idle 61d | +58-59 | 62d |
| #2598 | MukundaKatta | docs: add server instructions example | draft idle 61d | +58-0 | 61d |
| #2862 | maxpetrusenkoagent | authAdd OIDC fallback for legacy OAuth discovery | draft idle 31d | +96-8 | 32d |
| #2951 | SamMorrowDrums | Add experimental Server Cards support (SEP-2127) | draft idle 23d | +1700-0 | 23d |
| #3011 | maxisbey | [do not merge] Add mcp-codemod, an automated v1 to v2 migration tool | draft idle 18d | +6753-10 | 18d |
| #3022 | maxisbey | Tighten comments and docstrings repo-wide | draft idle 16d | +3860-13549 | 16d |
| #3052 | Sehlani042 | fix(client): unblock streamable HTTP calls on early SSE close | draft idle 13d | +48-1 | 13d |
3 auth parked (12) — Maintainer draft >30d, intentionally shelved.
| #2217 | ochafik | [SEP-2356] File input support for tools and elicitation | maintainer draft, 132d | +110-0 | 132d |
| #2238 | maxisbey | Truncate untrusted peer-controlled values before logging/raising | maintainer draft, 131d | +41-38 | 131d |
| #2263 | maxisbey | fix: eliminate test port allocation race by running uvicorn in-thread | maintainer draft, 127d | +152-279 | 127d |
| #2264 | maxisbey | tests: eliminate port-allocation races in SSE/StreamableHTTP tests | maintainer draft, 127d | +647-1119 | 127d |
| #2301 | maxisbey | authfix: remove scope registration check from authorize handler | maintainer draft, 120d | +37-56 | 120d |
| #2320 | maxisbey | Extract JSON-RPC wrapping into a Dispatcher component | maintainer draft, 117d | +523-223 | 117d |
| #2322 | maxisbey | draft: MRTR (SEP-2322) lowlevel plumbing + handler-shape comparison | maintainer draft, 117d | +2609-14 | 117d |
| #2336 | maxisbey | authfeat(auth): add BearerAuth for minimal bearer-token authentication | maintainer draft, 113d | +829-10 | 113d |
| #2340 | maxisbey | fix: propagate pre-endpoint errors in sse_client instead of deadlocking | maintainer draft, 113d | +119-9 | 113d |
| #2346 | maxisbey | authfeat: add MCP_HIDE_INPUT_IN_ERRORS env var to redact payloads from validation errors | maintainer draft, 112d | +75-3 | 112d |
| #2388 | Kludex | Add MCP proxy helper | maintainer draft, 103d | +699-12 | 103d |
| #2717 | maxisbey | [v1.x] tests: backport interaction-model suite from main (527 tests, src/ untouched) | maintainer draft, 47d | +17006-2605 | 47d |
stale-draft-pinged (4) — Draft; maintainer pinged for status over a week ago with no response.
| #946 | agronholm | Improved Trio support | pinged 43d ago | +125-138 | 398d |
| #1222 | wenxuwan | fix: Handle SSE Disconnects Properly When use starlette middleware | pinged 288d ago | +26-20 | 349d |
| #1395 | Bumshakalaka | fix: update response status code for invalid session ID in HTTPSessionManger | pinged 288d ago | +2-1 | 294d |
| #2029 | Ashutosh0x | fix: use ASGI callable for SSE endpoint to avoid BaseHTTPMiddleware AssertionError (#883) | pinged 154d ago | +108-8 | 155d |
Volume
Time to First Review
Merge Time
PRs Needing Maintainer Review
Open PRs with no maintainer review (excludes drafts from counts)
PRs Awaiting Maintainer Review
Sorted by longest wait time first
| PR | Title | Author | Size | Reviews | Waiting |
|---|---|---|---|---|---|
| #1120 (draft) | WIP: Reduce copies, eliminate a lot of UTF-16 transcoding | Tyler-IN | +2145 -425 | 1 | 203d |
| #1367 | Mcp.core.distributed | xiangyan99 | +4033 -1 | 2 | 141d |
| #1393 (draft) | ProtectedMcpServer: enforce per-user concurrent tool-call limit with `PartitionedRateLimiter` in call-tool filter | copilot-swe-agent | +35 -1 | 0 | 138d |
| #1423 | Augment conceptual docs with Docker-based MCP server deployment guidance | john-mckillip | +224 -94 | 0 | 126d |
| #1444 | fix: propagate auth errors (401/403) immediately instead of falling b… | xue-cai | +72 -1 | 0 | 120d |
| #1496 | feature: Added configurable token endpoint auth method selection | RobotechUSA | +26 -1 | 0 | 103d |
| #1532 | feat(server): support external description sources on McpServerTool attribute | MukundaKatta | +263 -4 | 0 | 79d |
| #1530 | fix(client): preserve underlying status code in AutoDetect probe | MukundaKatta | +140 -8 | 0 | 79d |
| #1585 | Bump Microsoft.Extensions.AI from 10.5.2 to 10.6.0 | dependabot | +1 -1 | 0 | 58d |
| #1597 | Bump qs from 6.14.2 to 6.15.2 in the npm_and_yarn group across 1 directory | dependabot | +3 -3 | 0 | 53d |
| #1615 | Allow setting token endpoint auth method on ClientOAuthOptions (#1612) | mikeholczer | +81 -2 | 0 | 43d |
| #1629 | Reply with JSON-RPC parse error for over-nested stdio requests | adityasingh2400 | +151 -1 | 0 | 39d |
| #1668 | Bump Microsoft.Extensions.AI.Abstractions from 10.5.2 to 10.7.0 | dependabot | +1 -1 | 0 | 23d |
| #1665 | Bump actions/checkout from 6 to 7 | dependabot | +11 -11 | 0 | 23d |
| #1681 | Bump OpenTelemetry and 5 others | dependabot | +6 -6 | 0 | 16d |
| #1679 | Bump coverlet.collector and Microsoft.NET.Test.Sdk | dependabot | +2 -2 | 0 | 16d |
| #1678 | Bump actions/setup-dotnet from 5.2.0 to 5.4.0 | dependabot | +8 -8 | 0 | 16d |
| #1675 | Apply default tool annotation hints from McpServerToolAttribute | goutamadwant | +12 -27 | 0 | 16d |
| #1698 | Add round-trip integration tests for MCP Apps _meta.ui serialization | yayayouyou | +100 -0 | 1 | 5d |
| #1703 | fix(stdio): handle spaces in Command path on Windows (cmd /d /s /c) | yayayouyou | +283 -4 | 1 | 1d |
PR Size Distribution
Open PRs by lines changed
Stats — volume, timing, size distribution
Volume
Time to First Review
Merge Time
PR Size Distribution
Open PRs by lines changed
Breakdown by tier
| Tier | Count | Auth | Maint. | ~Time |
|---|---|---|---|---|
| 1 — We're blocking someone | 6 | 3 | 5 | 1.8h |
| 3 — Intake | 18 | 2 | 0 | 8.9h |
| 4 — Hygiene | 1 | 0 | 0 | 5m |
| 5 — Close candidates | 5 | 2 | 0 | 5m |
| untriaged | 1 | 1 | 0 | 15m |
| total actionable | 31 | 8 | 5 | 11.2h |
| not our move | 10 | — | — | — |
We're blocking someone (6) ⊕ ⊖
Author did what we asked and is waiting on us. Longest-waiting first.
1 SLA author-pinged-after-procedural (1) — Author addressed maintainer feedback and pinged — awaiting response.
| #257 | malladinagarjuna2 | re-reviewfeat: Add multi-stage Docker build and GHCR publishing workflow | author pinged @pcarleton 64d ago | +86-0 | 80d |
5 SLA3 auth maintainer-intake (5) — Maintainer-authored PR awaiting review from another maintainer.
| #73 | pcarleton | maintainerAdd SSE polling Phase 2 and Phase 3 tests (SEP-1699) | 225d, no maintainer has looked yet | +691-1 | 225d |
| #106 | pcarleton | maintainerauthfeat: add step-up auth scenario for server auth testing | 182d, no maintainer has looked yet | +346-1 | 182d |
| #203 | pcarleton | maintainerauthfix: rename routePrefix to issuerPath and add issuer-mismatch scenario | 107d, no maintainer has looked yet | +150-20 | 107d |
| #241 | pja-ant | maintainerfeat: conformance scenario for MCP-Protocol-Version header 400 | 84d, no maintainer has looked yet | +461-0 | 84d |
| #350 | pja-ant | maintainerauthfix(sep-2243): scope Mcp-Method to requests only; add Base64 Mcp-Name checks | 27d, no maintainer has looked yet | +227-8 | 27d |
Intake (18) ⊕ ⊖
PRs not yet reviewed by a maintainer. Oldest first.
17 SLA2 auth needs-first-review (17) — Not yet reviewed by a maintainer.
| #263 | blackwell-systems | 1st-reviewfix(tier-check): swap server/client scenario lists in conformance reconciliation | 70d | +7-7 | 70d |
| #264 | app/dependabot | 1st-reviewchore(deps): bump the npm_and_yarn group across 2 directories with 1 update | 69d | +14-14 | 70d |
| #316 | pugsatoshi | 1st-reviewfix: send HTTP DELETE to terminate server sessions after each scenario | 52d | +107-7 | 52d |
| #322 | pugsatoshi | 1st-reviewfeat: add session-lifecycle conformance scenario for streamable HTTP | 48d | +391-1 | 48d |
| #325 | rinaldofesta | 1st-reviewfeat(scenarios/server): cover the two untested SEP-2243 server param-presence requirements | 44d | +248-5 | 44d |
| #326 | rinaldofesta | 1st-reviewfeat(client): add session renegotiation on HTTP 404 conformance scenario | 44d | +560-0 | 44d |
| #327 | rinaldofesta | 1st-reviewStandardize scenario setup/execution failure reporting (#248) | 44d | +157-27 | 44d |
| #335 | pugsatoshi | 1st-reviewfeat: add client-side JSON Schema 2020-12 preservation scenario | 36d | +808-38 | 36d |
| #340 | jstar0 | 1st-reviewSend initialized notification in DNS rebinding scenario | 30d | +286-4 | 30d |
| #346 | canardleteer | 1st-reviewci: smoke-test client CLI path and fix everything-client core drift | 28d | +49-100 | 28d |
| #358 | jstar0 | 1st-reviewFix custom-header schema freshness | 26d | +86-4 | 26d |
| #380 | canardleteer | 1st-reviewFix tools-name-format for spec Tool Names SHOULD rules on 2025-11-25+ | 14d | +293-33 | 14d |
| #381 | canardleteer | 1st-reviewAdd json-rpc-batch-rejection scenario for 2025-06-18+ | 14d | +494-0 | 14d |
| #383 | logiscapedev | 1st-reviewfix(server-stateless): declare the elicitation capability on the streaming-probe request | 13d | +139-1 | 13d |
| #392 | howardjohn | 1st-reviewtest_streaming_elicitation: use proper SSE instead of NDJSON | 9d | +53-56 | 9d |
| #395 | PieterKas | 1st-reviewauthServer Auth: DPoP Proof Validation (SEP-1932) | 8d | +4517-5 | 8d |
| #396 | PieterKas | 1st-reviewauthAuthorization Server: DPoP Support (SEP-1932) | 8d | +3770-5 | 8d |
1 SLA community-reviewed (1) — Community members have reviewed, but no maintainer has engaged yet.
| #299 | adityachilka1 | 1st-reviewfix(initialize scenario): return 202 No Content for notifications (closes #274) | 55d, reviewed by nbarbettini (SLA breach) | +6-0 | 55d |
Hygiene (1) ⊕ ⊖
Batchable procedural ops — pings, rebases, peer reviews.
stale-awaiting-author (1) — Changes requested over two weeks ago with no author response.
| #375 | maxisbey | fix(sse-retry): gate retry timing only on the early side | author self-diagnosed CI 15d ago, never fixed | +11-36 | 15d |
Close candidates (5) ⊕ ⊖
Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.
2 auth pre-ci-ghost (5) — Over 90 days old and CI never ran.
| #64 | tobinsouth | authAdd server OAuth protection conformance tests | CI never ran, 231d old | +4101-9 | 231d |
| #155 | wdawson | authImprovements to the Draft Server Auth Conformance tests | CI never ran, 146d old | +8122-2049 | 146d |
| #165 | lux999 | fix: tools-call-simple-text now fails when tool returns isError: true | CI never ran, 142d old | +10-2 | 142d |
| #222 | codefromthecrypt | Add stateless server conformance test | CI never ran, 96d old | +609-1 | 96d |
| #224 | alexdoroshevich | feat: add version negotiation conformance tests (closes #102) | CI never ran, 93d old | +1210-0 | 93d |
Unclassified (1) ⊕ ⊖
Classifier couldn't determine a state — needs manual triage.
1 auth unknown (1) — Classifier couldn't decide. Investigate.
| #139 | jdmaturen | authfeat: add token refresh and rotation conformance scenarios | fetch failed: Ignoring 1 permissions.allow entry from .claude/settings.json: this workspace has not been trusted. | +612-47 | 156d |
Not our move (10) ⊕ ⊖
Clock is on the author or blocked externally. No action owed today.
1 auth stale-draft (5) — Draft with no activity for over a week.
| #308 | olaservo | feat: add SEP-2106 structuredContent wire-shape scenario (complements #295) | draft idle 53d | +679-0 | 54d |
| #330 | panyam | chore: add SEP-2640 requirement-traceability YAML (Skills Extension) | draft idle 41d | +393-1 | 41d |
| #351 | pja-ant | feat: SEP-2575 subscriptionId value assertion + server-sent cancelled restriction | draft idle 27d | +184-22 | 27d |
| #352 | pja-ant | feat(sep-2243): add x-mcp-header static-reachability checks | draft idle 27d | +331-6 | 27d |
| #393 | app/claude | authAdd client check: preserve query params in protected resource metadata discovery URL | draft idle 9d | +286-15 | 9d |
1 auth draft-active (3) — Author is still working. Fresh draft.
| #399 | app/claude | Validate all wire messages against the per-version spec JSON schema | 7d old | +13934-120 | 7d |
| #400 | app/claude | authclient/dpop: follow-ups from review (stacked on #394) | 6d old | +520-123 | 6d |
| #402 | rinaldofesta | feat(tier-check): validate the submitted SDK release against the target spec version | 0d old | +1124-52 | 0d |
Volume
Time to First Review
Merge Time
PRs Needing Maintainer Review
Open PRs with no maintainer review (excludes drafts from counts)
PRs Awaiting Maintainer Review
Sorted by longest wait time first
| PR | Title | Author | Size | Reviews | Waiting |
|---|---|---|---|---|---|
| #88 | feat: add Microsoft Edge AppleScript example for macOS | ntindle | +952 -1 | 0 | 334d |
| #103 | Add Python package MCP server example with bundling support | stephaneberle9 | +256 -6 | 0 | 303d |
| #134 | chore(lint): upgrade ESLint prettier rule to error | loc | +2 -3 | 3 | 260d |
| #170 | build(deps): bump tar from 7.5.1 to 7.5.2 in the npm_and_yarn group across 1 directory | dependabot | +3 -3 | 0 | 223d |
| #181 | fix(Validation): Make "mcp_config" optional when using uv | daemuth | +122 -52 | 0 | 177d |
| #195 | Fix PKCS#7 signature verification | vcolin7 | +190 -61 | 0 | 144d |
| #213 | Add tests for CLI init helpers and improve parameter naming for testability | coding-creed-technologies | +1132 -17 | 1 | 117d |
| #222 | feat: add prepare-for-signing and apply-signature for enterprise HSM signing | bryan-anthropic | +519 -1 | 1 | 110d |
| #227 | fix: validate version field is valid semver | bryan-anthropic | +112 -0 | 1 | 91d |
| #237 | Fix `approrpiate` -> `appropriate` typo in MANIFEST.md | pikammmmm | +1 -1 | 1 | 74d |
| #242 | fix: add field descriptions to v0.4 manifest schema | pl4nty | +108 -44 | 1 | 66d |
| #254 | fix: preserve zip modes when packing on Windows | he-yufeng | +100 -16 | 0 | 45d |
| #253 | fix: keep runtime files in mcpb packages | he-yufeng | +33 -2 | 0 | 45d |
| #252 | fix: resolve user config placeholders | he-yufeng | +74 -8 | 0 | 45d |
| #255 | fix: make `mcpb verify`/`info` actually verify PKCS#7 signatures | andy-liner | +141 -44 | 0 | 44d |
| #257 | Add npm source and issue metadata | wowsofine | +8 -0 | 1 | 37d |
| #259 | Fix $-pattern corruption of user_config values in replaceVariables | aosmcleod | +14 -1 | 2 | 36d |
| #274 | Redact secrets from substitution warning; fix manifest version precedence | aosmcleod | +74 -14 | 0 | 36d |
| #273 | Bound mcpb unpack against decompression bombs and malformed central directories | aosmcleod | +149 -36 | 0 | 36d |
| #272 | Drop platform_overrides from resolved mcp_config; honour empty-string overrides | aosmcleod | +75 -2 | 0 | 36d |
| #271 | Preserve unknown nested manifest keys in loose schemas (mcpb clean) | aosmcleod | +266 -169 | 0 | 36d |
| #270 | Make server.mcp_config optional for uv server type (strict 0.4 schema) | aosmcleod | +53 -6 | 0 | 36d |
| #269 | Escape regex metacharacters in the variable key during substitution | aosmcleod | +26 -1 | 0 | 36d |
| #268 | Skip directory entries when unpacking (fixes mcpb unpack on standard ZIP archives) | aosmcleod | +49 -0 | 0 | 36d |
| #286 | Verify signed MCPB bundles | jstar0 | +179 -109 | 0 | 26d |
| #293 | fix: skip symlink cycles during pack instead of failing with ELOOP | gagan-53 | +154 -2 | 0 | 1d |
PR Size Distribution
Open PRs by lines changed
Volume
Time to First Review
Merge Time
PRs Needing Maintainer Review
Open PRs with no maintainer review (excludes drafts from counts)
PRs Awaiting Maintainer Review
Sorted by longest wait time first
| PR | Title | Author | Size | Reviews | Waiting |
|---|---|---|---|---|---|
| #189 | fix: defer initial size measurement to ResizeObserver | nidhiyashwanth | +1 -2 | 0 | 206d |
| #214 | Examples: D3 graph and Recharts chart | iamfiscus | +3265 -18 | 0 | 188d |
| #273 | Enforce correct UI resource. Remove backwards compatibility in `getToolUiResourceUri`. | matteo8p | +6 -25 | 0 | 181d |
| #291 | chore: :lock: npm audit fix | james-lafferty | +24 -3 | 0 | 179d |
| #296 | Add Resource Template support to basic-host | rinormaloku | +23 -6 | 0 | 178d |
| #378 | Create initial proposal for apps declaring trusted types | connor4312 | +124 -3 | 0 | 168d |
| #377 | build(deps): bump hono from 4.11.6 to 4.11.7 in the npm_and_yarn group across 1 directory | dependabot | +3 -387 | 0 | 168d |
| #384 | fix: update Playwright snapshots for ShaderToy and Wiki Explorer | yaniv-golan | +0 -0 | 0 | 168d |
| #390 | Add a pattern for a deferred tool resulting using UI interaction | connor4312 | +213 -1 | 0 | 167d |
| #405 | New example MCP App: DICOM Viewer | ThalesMMS | +1707 -1 | 6 | 166d |
| #425 (draft) | Fetch That Works in MCP Apps | MiguelsPizza | +9835 -630 | 0 | 162d |
| #424 | Add cross-host portability guide for MCP Apps | hatgit | +75 -0 | 0 | 162d |
| #432 | fix(examples): resolve CSP 'unsafe-eval' violation in threejs-server | Robloncz | +32 -10 | 2 | 160d |
| #453 | feat: Add basic-server-angular example | Avcharov | +17874 -6785 | 0 | 152d |
| #468 | Add Stitch Design server example | jayeshvpatil | +3512 -0 | 0 | 147d |
| #473 | Rename apps.mdx to ext-apps.mdx | jabidahscreationssystems | +0 -0 | 0 | 145d |
| #531 | Feat/create elicitation UI | Avcharov | +377 -24 | 0 | 130d |
| #552 (draft) | feat: implement subscribe/unsubscribe methods for multiple event handlers | Avcharov | +399 -35 | 0 | 123d |
| #553 | feat(spec): add renderTiming to McpUiToolMeta for deferred View rendering | netanelavr | +113 -0 | 0 | 121d |
| #596 | Add tananchadevelopment.link file | Bang2985 | +0 -0 | 0 | 103d |
| #608 | Rename tsconfig.json to tsconfig.json | akonjet5 | +0 -0 | 0 | 95d |
| #609 | --- name: create-mcp-app description: This skill should be used when … | akonjet5 | +185 -0 | 0 | 95d |
| #610 | example dotnet angular host | halllo | +10826 -1 | 0 | 94d |
| #636 | feat: add angular basic example | dalenguyen | +2319 -3 | 0 | 84d |
| #641 | feat(transport): add forHostIframe helper and improve init timeout message | netanelavr | +168 -0 | 0 | 79d |
| #656 | feat(types,spec): add tools field to McpUiHostCapabilities | saaage | +17 -0 | 1 | 69d |
| #663 | Allows passing input as a query param like other options from the demo app | katerberg | +13 -6 | 0 | 54d |
| #690 | Add linkTrustedDomains view property | fredericbarthelet | +182 -27 | 3 | 27d |
| #691 | feat: add support for 'tools' permission | beaufortfrancois | +63 -1 | 0 | 27d |
| #693 | Add conformance-server: host conformance test harness (addresses #674) | qchuchu | +2294 -389 | 1 | 16d |
| #695 | fix: don't fail install when running npm install in an example workspace (#687) | d-turley | +159 -11 | 0 | 12d |
| #705 | fix: add explicit .js extensions to relative imports so declarations resolve under NodeNext/Node16 | ken-jo | +35 -35 | 0 | 4d |
| #709 (draft) | spec: align capability negotiation with SEP-2133 | khandrew1 | +115 -70 | 0 | 1d |
| #710 | Migrate ext-apps to @modelcontextprotocol/server v2 SDK | khandrew1 | +2225 -1451 | 0 | 0d |
PR Size Distribution
Open PRs by lines changed