Pull Requests

Volume

Open PRs

↑ 5.56%

114

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

272

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

194

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

12d

Median

↑ 7.74%

17h

P90

—

29d

P95

—

64d

Merge Time

Average

—

15d

Median

—

18h

PRs Needing Maintainer Review

Open PRs with no maintainer review (excludes drafts from counts)

No Maintainer Review

↑ 13.11%

>24 hours

No Maintainer Review

—

>7 days

PRs Awaiting Maintainer Review

Sorted by longest wait time first

PR	Title	Author	Size	Reviews	Waiting
#678	Remove references to enumNames	stickeegreg	+0 -9	0	350d
#813	fix: deduplicate title definition in tools	connor4312	+0 -9	0	339d
#1336	SEP-1336: User Agent Guidance for Client Implementations	LucaButBoring	+184 -0	1	285d
#1515	docs: add STDIO, SSE, and Streamable HTTP columns to clients matrix	theailanguage	+86 -83	0	245d
#1695	Recommend 128 bits of entropy	loganaden	+1 -1	0	215d
#1803	SEP-1803: Event Subscriptions	caseychow-oai	+184 -0	0	194d
#1822	SEP-1821: Add dynamic tool search support	truehazker	+66 -4	1	189d
#1831	chore: Add BizContext, extensions, and context support for task	He-Pin	+30 -3	2	188d
#1834	chore: Add pending status to task	He-Pin	+6 -3	0	188d
#1862	SEP-1862: Tool Resolution	SamMorrowDrums	+1723 -0	0	185d
#1904	SEP-1904 : Add filtering support for tasks/list	He-Pin	+153 -2	0	180d
#1905 (draft)	SEP-1905: Task Result Streaming and Immediate Result Acceptance	He-Pin	+709 -2	0	180d
#1913	SEP-1913: Trust and Sensitivity Annotations	SamMorrowDrums	+2347 -0	16	179d
#1921	SEP-1921: Add Context Headers (Tool, Prompt, Resources) to MCP Requests for Fine-Grained Rate Limiting	Rajesh-Narayanappa87	+75 -0	0	174d
#1975	SEP-1975: Conversation Event Subscriptions	varun29ankuS	+172 -0	0	163d
#1984	SEP-1984: Comprehensive Tool Annotations for Enhanced Governance and UX	sambhav	+488 -0	0	160d
#2001	SEP-2001: Optional High Availability Patterns for Stateful Streaming in MCP Deployments	jizhuozhi	+138 -0	0	155d
#2007	SEP-2007: Add MCP Payment Support Specification	shivankgoel	+1969 -0	43	153d
#2028	SEP-2028: Automatic _meta to HTTP header forwarding for distributed tracing	monahk	+861 -0	12	146d
#2053	SEP-2053: Server Variants extension	sambhav	+1613 -0	0	139d
#2061 (draft)	SEP-2061: Action Security Metadata for MCP Tools	rreichel3	+292 -0	0	138d
#2072	SEP-2072: Memory Portals	comradenala	+601 -0	0	133d
#2166	SEP-2166: Out-of-Band Resource Access via HTTPS URLs	abrookins	+595 -0	1	117d
#2188	SEP-2188: Add elicitation timeout coordination via notifications/elicitation/pe…	ArsalanShakil	+463 -0	0	112d
#2268 (draft)	SEP-2268: Subtasks	LucaButBoring	+317 -0	0	96d
#2282	SEP-2282: Server-Declared Behavioural Hooks	heyhayes	+871 -2	0	93d
#2317	SEP-2290: Content Negotiation Extension	schlpbch	+104 -0	0	87d
#2325	SEP-2325: SSH Custom Transport	tobert	+1017 -0	0	84d
#2357	SEP-2357: Dedicated structured media type for MCP HTTP transport	rvmillett	+365 -0	0	81d
#2355	docs(spec): add internationalization guidance for Streamable HTTP	SamMorrowDrums	+25 -0	0	81d
#2385	SEP-2385: Tool Auth Manifest	lececo	+167 -0	0	74d
#2391 (draft)	[WIP] Add spec annotator plugin to Claude Code marketplace	LucaButBoring	+3061 -3	0	73d
#2417	SEP-2417: Model Preferences for Tools	ProductOfAmerica	+3043 -1	0	69d
#2419	SEP-2419: cache_hint well-known key in CallToolResult._meta	clouatre	+454 -0	0	68d
#2433	SEP-2433: Transfer Descriptors — Out-of-Band Data Transfer Negotiation	bhanquier	+1172 -47	0	64d
#2448	SEP-2448: MCP server execution telemetry	savula15	+564 -16	5	62d
#2487 (draft)	SEP-2487: Add execution.requirements field to Tool for preconditions	ZachGerman	+127 -4	0	58d
#2495	SEP: Event-Driven Tool Invocation (Server-Push to LLM Re-entry)	hf75	+119 -0	2	57d
#2528	docs: Add deployment guidelines for proxying MCP servers	jeffyaw	+153 -1	0	49d
#2532	SEP-2532: Resource Streaming for Binary Content Delivery	patrick-rodgers	+1249 -0	0	48d
#2564	SEP-2564: Server-Side Filtering for List Methods	anagh96	+385 -0	0	41d
#2571	SEP: Resource Submission — client-to-server resource creation for agent coordination	cswelker	+193 -0	0	41d
#2601	docs: define uriTemplate as unique identifier for resource templates	rohitg00	+13 -1	0	37d
#2602	docs: add server instructions guide	rohitg00	+146 -0	0	37d
#2614	SEP-2614: Add optional keywords field to Implementation for server routing	Vijaynw	+595 -6	0	35d
#2607	docs(clients): add Burnish (explorer-first MCP client)	danfking	+24 -0	0	35d
#2618	docs: add AgentOne to the MCP clients list	The-Best-Codes	+22 -0	1	34d
#2626	docs(community): Add Enterprise Interest Group charter	raghu-chandra-mcp	+102 -0	1	33d
#2624	SEP-2624: Interceptors for the Model Context Protocol	Degiorgio	+3536 -1	0	33d
#2636	SEP-2636: Progressive Tool Disclosure	SylonZero	+759 -0	0	32d
#2637	docs: add Microsoft 365 Copilot to extension support matrix and MCP Apps client list	SuryaMSFT	+12 -11	0	32d
#2631 (draft)	SEP-2631: File Objects and Transfer	caseychow-oai	+2584 -88	0	32d
#2632	SEP-2632: Structured Content for Progress Notifications	stevehaertel	+477 -5	0	32d
#2643	SEP-2643: Structured Authorization Denials	monmohan	+743 -2	41	31d
#2657	Add HiveMind OS to list of clients supporting MCP Apps	danielgerlag	+1 -0	0	28d
#2665	docs: add `filter` URL parameter to `/clients` page to pre-filter clients with specific capabilities	jancurn	+20 -1	0	26d
#2669	SEP-2669: Task Interaction Methods (steer, pause, resume)	prezaei	+624 -0	0	25d
#2667	Add Ontheia as MCP client	Ontheia	+19 -0	0	25d
#2672	SEP-2672: Per-Call Passkey Verified Approval for MCP Tool Calls	pinialt	+1475 -0	0	23d
#2678	SEP-2678: Introduce additional error codes to protocol	MatthewKhouzam	+582 -0	0	21d
#2679	SEP-2679: Task streaming partial results	morozow	+775 -0	0	21d
#2684	docs: clarify HTTP log stream routing	EfeDurmaz16	+14 -0	0	19d
#2690 (draft)	Change error response status from 400 to 404 for invalid sessions	tmshkr	+1 -1	0	19d
#2694	SEP-2694: Resumable Task Event Streams	rynowak	+816 -2	0	18d
#2697	docs: clarify server description and instructions	looooown2006	+24 -0	0	17d
#2702	SEP: MCP Client Silent Refresh on 401 Invalid Token	waddah12alhajar	+152 -0	0	17d
#2707	docs: add Archestra.AI to MCP Apps and Enterprise Auth client matrix	Matvey-Kuk	+2 -1	0	14d
#2710	fix: NumberSchema min/max/default should be number, not integer	gsdv	+24 -6	0	14d
#2732	Clarify initialize version header precedence	AIandI0x1	+10 -0	0	9d
#2737	build(deps-dev): bump eslint from 10.3.0 to 10.4.0	dependabot	+9 -9	0	7d
#2747	Fix typos and clarify error handling for missing ttlMs	spacewander	+4 -2	2	6d
#2752	SEP: HTTP Message Signing for MCP Client Authentication	njdawn	+813 -2	0	5d
#2756	fix(SEP-2663): specify -32003 error for missing client capability	LucaButBoring	+16 -12	1	4d
#2781	docs: add deployment guide for proxying MCP servers	founder-OmniPA	+265 -0	0	2d
#2773	fix(SEP-2322): Explicitly support extending ResultType	LucaButBoring	+49 -50	0	2d
#2778	SEP-XXX: Adding constraints to thr MCP	schlpbch	+260 -18	0	2d
#2787	SEP-2787: Tool call attestation	soup-oss	+953 -2	0	0d
#2786	build(deps-dev): bump typescript-eslint from 8.59.3 to 8.59.4	dependabot	+66 -66	0	0d
#2785	build(deps-dev): bump tsx from 4.22.1 to 4.22.3	dependabot	+5 -5	0	0d
#2784	build(deps-dev): bump typescript-json-schema from 0.67.1 to 0.67.4	dependabot	+87 -241	0	0d

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Actionable vs target

↑ 9.70%

147

Auth

—

Actioned (7d)

↓ 66.67%

80 in last 30d

Merged (7d)

—

17 in last 30d

Hours to clear

↑ 9.59%

~48.0

1st review > 7d

—

of 92 eligible

Re-review > 24h

—

of 11 eligible

Maintainer > 24h

—

of 18 eligible

Stats — volume, timing, size distribution

Volume

Open PRs

↑ 15.82%

205

Draft PRs

—

Opened

—

last 7 days

Opened

—

155

last 30 days

Opened

—

467

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

129

last 90 days

Closed Unmerged

—

257

last 90 days

Time to First Review

Average

—

15d

Median

↑ 9.69%

P90

—

50d

P95

—

70d

Merge Time

Average

—

17d

Median

↑ 8.57%

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Breakdown by tier

Tier	Count	Auth	Maint.	~Time
1 — We're blocking someone	26	4	16	8.5h
2 — High leverage	26	7	2	3.9h
3 — Intake	69	7	0	34.2h
4 — Hygiene	23	4	3	1.2h
5 — Close candidates	3	0	0	3m
total actionable	147	22	21	48.0h
not our move	26	—	—	—

We're blocking someone (26) ⊕ ⊖

Author did what we asked and is waiting on us. Longest-waiting first.

1 SLA author-pinged-after-procedural (1) — Author addressed maintainer feedback and pinged — awaiting response.

#1861

ravyg

re-reviewmcp: convert tool/prompt schemas eagerly at registration time

author pinged @felixweinberger 35d ago

+362-7

48d

9 SLA1 auth needs-re-review (9) — Author pushed changes after review feedback — needs re-review.

#1521	LucaButBoring	re-reviewfix(client): retry SSE stream after receiving session ID	author pushed after CHANGES_REQUESTED (42d waiting)	+417-0	104d
#1563	gogakoreli	re-reviewfix: inline local $ref in tool inputSchema for LLM consumption	author pushed after CHANGES_REQUESTED (35d waiting)	+654-1	94d
#1627	nielskaspers	re-reviewdocs(server): add unit testing guide using InMemoryTransport	author pushed after CHANGES_REQUESTED (53d waiting)	+110-3	82d
#1657	rechedev9	re-reviewauthfix: accumulate OAuth scopes on 401/403 instead of overwriting	author pushed after CHANGES_REQUESTED (53d waiting)	+618-50	76d
#1712	travisbreaks	re-reviewfeat(server): add host process watchdog to StdioServerTransport	author pushed after CHANGES_REQUESTED (25d waiting)	+57-1	67d
#1726	rcdailey	re-reviewfeat(server): add keepAliveInterval for standalone GET SSE stream	author pushed after CHANGES_REQUESTED (3d waiting)	+211-19	65d
#1814	MayCXC	re-reviewfix: async onclose, stdin EOF detection, SIGTERM in examples	author pushed after CHANGES_REQUESTED (38d waiting)	+210-40	57d
#1830	claygeo	re-reviewfix(server): sanitize internal error details in tool error responses	author pushed after CHANGES_REQUESTED (41d waiting)	+192-5	55d
#1862	sid293	re-reviewfix:close transport on connection failure	author pushed after CHANGES_REQUESTED (1d waiting)	+37-10	47d

15 SLA3 auth maintainer-intake (16) — Maintainer-authored PR awaiting review from another maintainer.

#1764	felixweinberger	maintainer[v2] Make ToolTaskHandler.getTask/getTaskResult optional and actually invoke them	61d, no maintainer has looked yet	+340-315	61d
#1785	felixweinberger	maintainerfix: UriTemplate.match() handles optional, out-of-order, and encoded query parameters	59d, community reviewed (mgyarmathy)	+162-7	59d
#1828	felixweinberger	maintainerfix(client): allow transport restart after close()	55d, no maintainer has looked yet	+113-5	55d
#1893	KKonstantinov	maintainerfeat: add class decorators example	40d, no maintainer has looked yet	+564-15	40d
#1902	felixweinberger	maintainerfeat(compat): add deprecated flat ctx.* fields + RequestHandlerExtra type alias	40d, no maintainer has looked yet	+147-6	40d
#1903	felixweinberger	maintainerauthfeat(compat): McpError/ErrorCode/JSONRPCError/StreamableHTTPError + OAuth subclass aliases	40d, no maintainer has looked yet	+319-21	40d
#1908	felixweinberger	maintainerauthfeat(server-auth-legacy): add frozen v1 Authorization-Server package	40d, no maintainer has looked yet	+4976-13	40d
#1909	felixweinberger	maintainerfeat(node): restore SSEServerTransport under /node/sse, @deprecated	40d, no maintainer has looked yet	+387-11	40d
#1910	felixweinberger	maintainerdocs: reframe migration guide as 'most servers: just bump' + 21 doc gaps	40d, no maintainer has looked yet	+142-2	40d
#1939	pcarleton	maintainerbuild: exclude src/examples from published dist (v1.x)	34d, no maintainer has looked yet	+2-2	34d
#2088	mattzcarey	maintainerBundle automatic validator defaults in client/server shims	11d, no maintainer has looked yet	+384-297	11d
#2095	mattzcarey	maintainerchore: switch to module ESNext + moduleResolution bundler	10d, no maintainer has looked yet	+506-681	10d
#2125	dsp-ant	maintainerfix(client): treat HTTP 404 with session ID as session expiry	5d, no maintainer has looked yet	+202-19	5d
#2128	felixweinberger	maintainer[SEP-2663] refactor!: remove 2025-11 experimental tasks	5d, no maintainer has looked yet	+272-17461	5d
#2137	KKonstantinov	maintainerauthv2: SdkError tests	5d, no maintainer has looked yet	+72-2	5d
#2156	KKonstantinov	codemod improvements	0d, no maintainer has looked yet	+435-118	0d

High leverage (26) ⊕ ⊖

One decision unblocks or closes multiple things.

13 SLA16 auth duplicate-cluster (20 clusters, 52 PRs) — Multiple PRs address the same issue — one will be picked, others closed as duplicates.

Issue #1132 — 2 PRs ⭐ #2147 (Both PRs have unknown CI status, so that criterion is a tie. PR #2147 ("feat(example): add tool list changed notification example") touches 5 files versus PR #1857's 2 files — but the nature of the fix matters more than raw file count: #1857 is documentation-only (docs label, 2 files), while #2147 ships a runnable example with 5 files, which typically includes the example code itself alongside any supporting files and is more likely to contain a test or executable demonstration of the behavior. A working code example is stronger evidence that the feature is correctly implemented than prose documentation alone, and it also serves as a regression guard. PR #1857 is older, which would normally be a tiebreaker in its favor, but the "smallest focused diff" criterion cuts the other way only when both PRs address the same concern equally — here #2147 addresses the issue more completely by providing a concrete, verifiable artifact rather than just describing behavior. On balance, #2147's runnable example provides more durable value for issue #1132.)

#1857	nielskaspers	docs: document tool list changed notifications	shares issue #1132; #2147 is the pick	+79-31	50d
#2147	Nishant-Chaudhary5338	feat(example): add tool list changed notification example	[llm pick] cluster primary for issue #1132: Both PRs have unknown CI status, so that criterion is a tie. PR #2147 ("feat(example): add tool list changed notification example") touches 5 files versus PR #1857's 2 files — but the nature of the fix matters more than raw file count: #1857 is documentation-only (docs label, 2 files), while #2147 ships a runnable example with 5 files, which typically includes the example code itself alongside any supporting files and is more likely to contain a test or executable demonstration of the behavior. A working code example is stronger evidence that the feature is correctly implemented than prose documentation alone, and it also serves as a regression guard. PR #1857 is older, which would normally be a tiebreaker in its favor, but the "smallest focused diff" criterion cuts the other way only when both PRs address the same concern equally — here #2147 addresses the issue more completely by providing a concrete, verifiable artifact rather than just describing behavior. On balance, #2147's runnable example provides more durable value for issue #1132.	+133-9	2d

Issue #1211 — 2 PRs ⭐ #2124 (CI is unknown for both PRs. Neither PR's test coverage can be confirmed from available data, so that criterion is tied. #2124 has a smaller diff (2 files vs 3 files for #1827), which is the next tiebreaker. Additionally, #2124 addresses the problem at the server layer by keeping idle GET SSE streams alive — a direct fix — whereas #1827 suppresses a client-side onerror callback during reconnect, which is a symptom-level workaround rather than a root-cause fix. Smaller diff and more direct approach both favor #2124.)

#1827	felixweinberger	fix(client): suppress onerror when SSE disconnect will be handled by reconnect	shares issue #1211; #2124 is the pick	+49-13	55d
#2124	he-yufeng	fix(server): keep idle GET SSE streams alive	[llm pick] cluster primary for issue #1211: CI is unknown for both PRs. Neither PR's test coverage can be confirmed from available data, so that criterion is tied. #2124 has a smaller diff (2 files vs 3 files for #1827), which is the next tiebreaker. Additionally, #2124 addresses the problem at the server layer by keeping idle GET SSE streams alive — a direct fix — whereas #1827 suppresses a client-side onerror callback during reconnect, which is a symptom-level workaround rather than a root-cause fix. Smaller diff and more direct approach both favor #2124.	+40-0	6d

Issue #1471 — 3 PRs ⭐ #2009 (All three PRs have unknown CI status, so that criterion is a three-way tie. The deciding factor is test coverage: #2009 touches 4 files vs. 2 files for #1509 and #1975, which is the strongest available signal that it includes a test file alongside the source fix — a 2-file PR for a handler bug could plausibly be just the source change and a type file, while a 4-file PR more likely adds a dedicated test case. The "has tests" criterion ranks above both diff size and age in the stated priority order, so #2009 is preferred on that basis. #1509 would be the fallback pick if inspection reveals that none of the three PRs include test coverage, since it is the oldest (lowest PR number) with a focused 2-file diff matching #1975, and age is the final tiebreaker.)

#1509	corvid-agent	fix: pass empty args to registerToolTask handler when no inputSchema	shares issue #1471; #2009 is the pick	+8-3	105d
#1975	nanookclaw	fix: pass both args when inputSchema omitted in task handler executor	shares linked issue #1471 with #1509	+7-5	27d
#2009	Genmin	1st-reviewfix(server): support two-arg no-schema task handlers	[llm pick] cluster primary for issue #1471: All three PRs have unknown CI status, so that criterion is a three-way tie. The deciding factor is test coverage: #2009 touches 4 files vs. 2 files for #1509 and #1975, which is the strongest available signal that it includes a test file alongside the source fix — a 2-file PR for a handler bug could plausibly be just the source change and a type file, while a 4-file PR more likely adds a dedicated test case. The "has tests" criterion ranks above both diff size and age in the stated priority order, so #2009 is preferred on that basis. #1509 would be the fallback pick if inspection reveals that none of the three PRs include test coverage, since it is the oldest (lowest PR number) with a focused 2-file diff matching #1975, and age is the final tiebreaker.	+112-7	24d

Issue #1658 — 2 PRs ⭐ #1912 (Both PRs have unknown CI status (wash). PR #1786 carries an [RFC] prefix, marking it as a proposal/discussion rather than a merge-ready implementation — landing it would still require a follow-up PR to close #1658. PR #1912 is a direct implementation with no RFC caveat; its 7-file / 535-addition diff (vs. #1786's 4-file / 268-addition diff) provides room for test coverage alongside the feature. Although #1786 wins on smallest diff and age (created 2026-03-27 vs. #1912's 2026-04-16), the RFC-vs-implementation distinction is the deciding factor: a proposal PR cannot close the issue without further work, while #1912 is scoped precisely to the capability the issue requests.)

#1786	felixweinberger	[RFC] feat(server): multi-node session hydration (C# SDK parity)	shares issue #1658; #1912 is the pick	+268-11	59d
#1912	kev-flex	1st-reviewfeat(server): add replayInitialization for stateless serverless sessions	[llm pick] cluster primary for issue #1658: Both PRs have unknown CI status (wash). PR #1786 carries an [RFC] prefix, marking it as a proposal/discussion rather than a merge-ready implementation — landing it would still require a follow-up PR to close #1658. PR #1912 is a direct implementation with no RFC caveat; its 7-file / 535-addition diff (vs. #1786's 4-file / 268-addition diff) provides room for test coverage alongside the feature. Although #1786 wins on smallest diff and age (created 2026-03-27 vs. #1912's 2026-04-16), the RFC-vs-implementation distinction is the deciding factor: a proposal PR cannot close the issue without further work, while #1912 is scoped precisely to the capability the issue requests.	+535-9	40d

Issue #1708 — 2 PRs ⭐ #1718 (CI status is unknown and files-changed count is identical (3) for both PRs, so neither of the first three criteria differentiates them. The deciding factor is age: PR #1718 appears in every tracked weekly snapshot back to 2026-03-22 (open 2+ months), while PR #2086 is absent from the 2026-05-24 snapshot even though adjacent PRs #2085 and #2088 are present, indicating it was opened after May 24 and is at most 1–2 days old. Under the stated tiebreaker chain, oldest wins.)

#1718	Maverick-666	1st-reviewfix(client): recover streamable HTTP session on 404 for session-bound requests	cluster primary for issue #1708 (2 PRs)	+238-3	67d
#2086	Christian-Sidak	fix: clear session ID on HTTP 404 per MCP spec §Session Management	shares linked issue #1708 with #1718	+107-0	11d

Issue #1864 — 5 PRs ⭐ #1879 (All five PRs have unknown CI status, so no differentiation there. Among the remaining criteria, #1879 has the smallest diff (2 files changed vs. 3–4 for the others), making it the most focused fix with the least review surface area and lowest merge-conflict risk. Its title explicitly calls out both the registerTool config side and the tools/list response side, indicating full scope coverage in fewer changes. #1873 is older but touches 3 files; #1881 shares the same title as #1873 but adds a file; #1934 uses a `feat` prefix for what is a bug fix; #1977 is the newest and largest.)

#1873	nielskaspers	fix(server): add icons field to registerTool and registerToolTask	shares issue #1864; #1879 is the pick	+21-2	46d
#1879	Yanhu007	1st-reviewfix: support icons in registerTool config and tools/list response	[llm pick] cluster primary for issue #1864: All five PRs have unknown CI status, so no differentiation there. Among the remaining criteria, #1879 has the smallest diff (2 files changed vs. 3–4 for the others), making it the most focused fix with the least review surface area and lowest merge-conflict risk. Its title explicitly calls out both the registerTool config side and the tools/list response side, indicating full scope coverage in fewer changes. #1873 is older but touches 3 files; #1881 shares the same title as #1873 but adds a file; #1934 uses a `feat` prefix for what is a bug fix; #1977 is the newest and largest.	+14-3	44d
#1881	sainathreddyb	fix(server): add icons field to registerTool and registerToolTask	shares linked issue #1864 with #1873	+168-2	44d
#1934	Jim1874	feat(server): add icons field to registerTool()	shares linked issue #1864 with #1873	+20-2	36d
#1977	Genmin	fix(server): include registered tool icons	shares linked issue #1864 with #1873	+74-2	27d

Issue #1872 — 2 PRs ⭐ #1933 (Both PRs have unknown CI status. Neither title mentions tests. Falling back to the remaining tiebreakers: #1933 touches 2 files vs #2087's 3 files (smaller, more focused diff) and #1933 is the older PR (lower number). On both "smallest focused diff" and "oldest" criteria, #1933 is preferred.)

#1933	Jim1874	1st-reviewauthfix(client): prevent duplicate Auth headers in SSE transport	cluster primary for issue #1872 (2 PRs)	+8-1	36d
#2087	Christian-Sidak	authfix: prevent duplicate Authorization header in SSEClientTransport	shares linked issue #1872 with #1933	+49-4	11d

Issue #1944 — 2 PRs ⭐ #2142 (Both PRs have unknown CI status. Based on the available metadata, PR #2142 changes 2 files versus PR #1952's 3 files. Per the stated priority (CI > tests > smallest focused diff > oldest), with CI tied and test coverage unverifiable without diff access, the smaller diff of #2142 is the deciding factor. PR #1952 is older, but "oldest" ranks below "smallest focused diff" in the priority order, so #2142 is preferred on that basis.)

#1952	Zelys-DFKH	fix(server): loosen Accept validation when enableJsonResponse is true	shares issue #1944; #2142 is the pick	+34-8	32d
#2142	adityachilka1	fix(server): allow application/json-only Accept in JSON response mode (closes #1944)	[llm pick] cluster primary for issue #1944: Both PRs have unknown CI status. Based on the available metadata, PR #2142 changes 2 files versus PR #1952's 3 files. Per the stated priority (CI > tests > smallest focused diff > oldest), with CI tied and test coverage unverifiable without diff access, the smaller diff of #2142 is the deciding factor. PR #1952 is older, but "oldest" ranks below "smallest focused diff" in the priority order, so #2142 is preferred on that basis.	+38-3	4d

Issue #1954 — 3 PRs ⭐ #1962 (All three PRs have unknown CI status. #1955 changes only 1 file, making it unlikely to include test coverage. #1962 (3 files) and #1981 (5 files) are each large enough to include test files alongside the fix. Between those two, #1962 is the smaller, more focused diff (3 vs 5 files) and is older (lower PR number). Note: this reasoning is based on file counts alone — actual diff contents were not accessible to verify test presence or approach specifics.)

#1955	daksh-goyal	auth fix(client): check token expiry in adaptOAuthProvider before returning expired tokens	shares issue #1954; #1962 is the pick	+11-1	32d
#1962	Christian-Sidak	1st-reviewauthfix: adaptOAuthProvider returns expired tokens on long-running connections	[llm pick] cluster primary for issue #1954: All three PRs have unknown CI status. #1955 changes only 1 file, making it unlikely to include test coverage. #1962 (3 files) and #1981 (5 files) are each large enough to include test files alongside the fix. Between those two, #1962 is the smaller, more focused diff (3 vs 5 files) and is older (lower PR number). Note: this reasoning is based on file counts alone — actual diff contents were not accessible to verify test presence or approach specifics.	+233-2	30d
#1981	Genmin	authfix(client): avoid expired OAuth access tokens	shares linked issue #1954 with #1955	+145-13	26d

Issue #1968 — 2 PRs ⭐ #1989 (CI status is unknown for both PRs and diff details were not retrievable, so the decision falls to the final tiebreaker: submission order. #1989 was opened before #1991 (lower PR number), giving it priority under the oldest-first rule. No other concrete technical differentiator (CI result, test presence, diff size) could be established to override this.)

#1989	Genmin	1st-reviewauthfix(client): preserve OAuth resource metadata indicator	cluster primary for issue #1968 (2 PRs)	+68-14	26d
#1991	Christian-Sidak	authfix: preserve exact resource URI from protected resource metadata	shares linked issue #1968 with #1989	+75-12	26d

Issue #2012 — 2 PRs ⭐ #2013 (Both PRs have unknown CI status and touch 4 files, so the tiebreaker falls to age: #2013 was opened earlier. Additionally, #2013's title explicitly calls out returning HTTP -32602 (JSON-RPC "Invalid params") for validation errors alongside accepting null arguments, indicating it handles the error-path contract more completely per the JSON-RPC spec. #2139's scope ("accept null tool call arguments") appears narrower — it may not cover the validation-error response path. With CI unknown and diff sizes equal, the older PR with the broader stated scope is preferred.)

#2013	blackwell-systems	1st-reviewfix: accept null arguments in tools/call and return -32602 for validation errors	cluster primary for issue #2012 (2 PRs)	+63-2	23d
#2139	2830500285	fix: accept null tool call arguments	shares linked issue #2012 with #2013	+74-1	4d

Issue #2034 — 6 PRs ⭐ #2035 (CI status is unknown for all six PRs. #2110 is eliminated because it touches 4 files versus 2 for the other five, making its diff larger and less focused. Among the five remaining 2-file PRs, no test-coverage data is available to differentiate them, so the tiebreaker is age: #2035 is the earliest submission (lowest PR number) and therefore the reference point closest to when the bug was first identified. Its title "fix(auth): propagate saveTokens errors during token refresh" is also precisely scoped to the auth subsystem, matching the fix scope.)

#2035	jbsky	1st-reviewauthfix(auth): propagate saveTokens errors during token refresh	cluster primary for issue #2034 (6 PRs)	+54-5	17d
#2053	SAY-5	authfix(client/auth): propagate saveTokens errors after refresh	shares linked issue #2034 with #2035	+83-4	14d
#2081	Jefsky	authfix(client): let saveTokens I/O errors propagate in auth()	shares linked issue #2034 with #2035	+20-6	12d
#2110	pragnyanramtha	authfix(client): propagate refreshed token save errors	shares linked issue #2034 with #2035	+157-48	9d
#2121	he-yufeng	authfix(client): surface OAuth token persistence failures	shares linked issue #2034 with #2035	+74-4	7d
#2149	he-yufeng	authfix: propagate refresh token persistence errors	shares linked issue #2034 with #2035	+76-4	1d

Issue #2115 — 2 PRs ⭐ #2138 (PR #2138 touches 2 files vs #2116's 3 files, making it the smaller, more focused diff — the only concrete differentiator available since both have unknown CI status and no other metadata distinguishes them. If the extra file in #2116 is a test, this pick should be reconsidered.)

#2116	nacim-coder	fix: handle cancelled notifications for request id zero	shares issue #2115; #2138 is the pick	+45-2	8d
#2138	he-yufeng	fix: handle cancellation for request id zero	[llm pick] cluster primary for issue #2115: PR #2138 touches 2 files vs #2116's 3 files, making it the smaller, more focused diff — the only concrete differentiator available since both have unknown CI status and no other metadata distinguishes them. If the extra file in #2116 is a test, this pick should be reconsidered.	+36-2	4d

Issue #2117 — 3 PRs ⭐ #2141 (All three PRs have unknown CI status, eliminating that criterion. #2141 has the smallest diff at 2 files versus 3 files for both #2120 and #2135, making it the most focused fix per the stated tiebreaking order. A minimal 2-file change that treats relatedRequestId 0 as present in the debounce guard carries the least risk of unintended side effects. #2141 also explicitly closes #2117 in its title. Age favors #2120, but diff size ranks above age in the criteria.)

#2120	he-yufeng	fix: keep related request id zero from debouncing	shares issue #2117; #2141 is the pick	+21-1	7d
#2135	kiranmagic7	fix(core): preserve relatedRequestId 0 in debounce guard	shares linked issue #2117 with #2120	+24-1	5d
#2141	adityachilka1	fix(core): treat relatedRequestId 0 as present in debounce guard (closes #2117)	[llm pick] cluster primary for issue #2117: All three PRs have unknown CI status, eliminating that criterion. #2141 has the smallest diff at 2 files versus 3 files for both #2120 and #2135, making it the most focused fix per the stated tiebreaking order. A minimal 2-file change that treats relatedRequestId 0 as present in the debounce guard carries the least risk of unintended side effects. #2141 also explicitly closes #2117 in its title. Age favors #2120, but diff size ranks above age in the criteria.	+20-1	4d

Issue #2126 — 2 PRs ⭐ #2127 (Both PRs have unknown CI status and change 2 files, so the tiebreaker is age: #2127 was opened first. Its title ("non-JSON metadata") also describes a slightly more precise failure condition than #2140's ("invalid JSON metadata"), suggesting a more targeted fix scope. With all other criteria equal, the older PR gets priority.)

#2127	he-yufeng	authfix: continue OAuth discovery after non-JSON metadata	cluster primary for issue #2126 (2 PRs)	+33-3	5d
#2140	he-yufeng	authfix: continue auth discovery after invalid JSON metadata	shares linked issue #2126 with #2127	+37-4	4d

Issue #2151 — 2 PRs ⭐ #2153 (Both PRs have unknown CI status, so that criterion is a tie. #2153 touches 2 files versus #2152's 3 files, making it the smaller, more focused diff — which ranks above PR age in the stated criteria. The narrower title ("request-scoped terminal response") is consistent with a more targeted fix. Without diff access to verify test coverage in either PR, diff size is the deciding factor.)

#2152	fallintoplace	fix(server): replay request SSE responses after closeSSEStream	shares issue #2151; #2153 is the pick	+180-20	1d
#2153	adityasingh2400	authfix(server): replay request-scoped terminal response after closeSSEStream	[llm pick] cluster primary for issue #2151: Both PRs have unknown CI status, so that criterion is a tie. #2153 touches 2 files versus #2152's 3 files, making it the smaller, more focused diff — which ranks above PR age in the stated criteria. The narrower title ("request-scoped terminal response") is consistent with a more targeted fix. Without diff access to verify test coverage in either PR, diff size is the deciding factor.	+107-4	1d

Issue #740 — 4 PRs ⭐ #2021 (All four PRs have unknown CI status, so that criterion does not differentiate them. #2021 touches only 2 files — the smallest diff of the four (vs. 6, 7, and 8 files for the others) — making it the most focused change. A 2-file docs addition is easier to review, less likely to introduce merge conflicts, and carries a lower risk of unintended side effects. The "docs(client)" scope label also signals intentional narrowness. No test information was available to distinguish the candidates further.)

#1691	travisbreaks	feat: add multi-server routing example	shares issue #740; #2021 is the pick	+211-1	70d
#2021	EfeDurmaz16	1st-reviewdocs(client): add multi-server chatbot example	[llm pick] cluster primary for issue #740: All four PRs have unknown CI status, so that criterion does not differentiate them. #2021 touches only 2 files — the smallest diff of the four (vs. 6, 7, and 8 files for the others) — making it the most focused change. A 2-file docs addition is easier to review, less likely to introduce merge conflicts, and carries a lower risk of unintended side effects. The "docs(client)" scope label also signals intentional narrowness. No test information was available to distinguish the candidates further.	+253-0	20d
#2103	lil-goat	docs: add multi-server chatbot quickstart example	shares linked issue #740 with #1691	+9422-9091	10d
#2148	Nishant-Chaudhary5338	feat(examples): multi-server chatbot with tool routing (closes #740)	shares linked issue #740 with #1691	+493-12	2d

Issue #943 — 2 PRs ⭐ #1978 (Both PRs report unknown CI and touch 3 files, so no advantage on the top two criteria. On diff focus, the titles hint at scope: #1984 narrows the fix to "underscored ids" specifically, while #1978's title ("use stored stream ids") describes correcting the general replay mechanism to read from stored state — the more complete framing of an event-replay bug. With all else equal, the tiebreaker in the stated preference order is oldest, and #1978 was opened first.)

#1978	Genmin	1st-reviewfix: make in-memory event replay use stored stream ids	cluster primary for issue #943 (2 PRs)	+37-10	27d
#1984	Genmin	fix: resume in-memory event streams with underscored ids	shares linked issue #943 with #1978	+47-17	26d

Semantic: Both fix the same bug on v1.x: listChanged: false set at construction time is ignored, causing list-changed notifications to fire unconditionally. Both carry identical mcp.ts changes (git object 9fe0ed549c→cf46173285) and the same getCapabilities() visibility change in server/index.ts. (2 PRs) — 2 PRs ⭐ #1948 (PR #1948 is a strict superset of #1937: it shares the identical mcp.ts fix and getCapabilities() change, and additionally guards sendResourceListChanged/sendToolListChanged/sendPromptListChanged at the base Server class level. This second layer ensures the capability check is enforced even when callers use Server directly rather than through McpServer, making the fix more complete.)

#1937	Zelys-DFKH	[v1.x backport] fix(server): respect explicit listChanged: false in McpServer	[llm] duplicates #1948: Both fix the same bug on v1.x: listChanged: false set at construction time is ignored, causing list-changed notifications to fire unconditionally. Both carry identical mcp.ts changes (git object 9fe0ed549c→cf46173285) and the same getCapabilities() visibility change in server/index.ts.	+102-4	35d
#1948	paulelliotco	1st-reviewfix: respect disabled listChanged capabilities on v1.x	[llm] cluster primary: Both fix the same bug on v1.x: listChanged: false set at construction time is ignored, causing list-changed notifications to fire unconditionally. Both carry identical mcp.ts changes (git object 9fe0ed549c→cf46173285) and the same getCapabilities() visibility change in server/index.ts. (2 PRs)	+221-9	32d

Semantic: Vite security vulnerability: both PRs pin vite to 7.3.2 to move off the vulnerable 7.3.0 release, touching the same package.json devDependency entry and the same vitest peer-dep line in pnpm-lock.yaml. (2 PRs) — 2 PRs ⭐ #2089 (PR #2089 uses an exact pin (7.3.2) rather than a caret range (^7.3.2), which is the safer approach for a security fix. It also covers additional high-severity audit findings via resolutions for defu, fast-uri, and kysely, and it includes the @hono/node-server bump from PR #1894 — making it a superset fix. PR #2050 addresses only the vite pin and would leave the other audit findings open.)

#2050	raashish1601	fix: pin vite to patched version	[llm] duplicates #2089: Vite security vulnerability: both PRs pin vite to 7.3.2 to move off the vulnerable 7.3.0 release, touching the same package.json devDependency entry and the same vitest peer-dep line in pnpm-lock.yaml.	+36-32	14d
#2089	ya-nsh	1st-reviewfix: clear high severity audit findings	[llm] cluster primary: Vite security vulnerability: both PRs pin vite to 7.3.2 to move off the vulnerable 7.3.0 release, touching the same package.json devDependency entry and the same vitest peer-dep line in pnpm-lock.yaml. (2 PRs)	+108-98	11d

3 SLA1 auth needs-decision (3) — Maintainer discussed but hasn't approved or requested changes yet.

#1826	felixweinberger	maintainerauthfix(client): remove redundant onerror in _startOrAuthSse catch	maintainer COMMENTED but took no stance	+122-59	55d
#1906	felixweinberger	maintainerfeat(compat): add /server/zod-schemas subpath re-exporting *Schema constants	maintainer COMMENTED but took no stance	+94-5	40d
#1717	travisbreaks	re-reviewfeat(core): add opt-in periodic ping for connection health monitoring	maintainer COMMENTED but took no stance	+383-1	67d

3 SLA backport-follows-primary (3) — v1.x sibling of a main-branch PR. Review together — backport diff is usually mechanical.

#1083	mgyarmathy	1st-review[v1.x] fix: Update UriTemplate implementation to handle optional/omitted, out-of-order, and encoded query parameters	follows #1785 (same issue #149, different branch)	+164-11	201d
#1520	LucaButBoring	1st-review[1.x] fix(client): retry SSE stream after receiving session ID	follows #1521	+419-0	104d
#1926	tonxxd	1st-reviewfix(sse): escape U+2028 / U+2029 in SSE data lines (V1)	follows #1925	+61-2	38d

Intake (69) ⊕ ⊖

PRs not yet reviewed by a maintainer. Oldest first.

61 SLA7 auth needs-first-review (66) — Not yet reviewed by a maintainer.

#1876	JosephDoUrden	1st-reviewfix: use getLiteralValue for Zod v3 method literal extraction	45d	+4-42	45d
#1889	app/dependabot	1st-reviewchore(deps): bump actions/upload-pages-artifact from 4 to 5	42d	+1-1	42d
#1894	app/dependabot	1st-reviewchore(deps): bump the npm_and_yarn group across 1 directory with 2 updates	40d	+27-11	40d
#1911	langverse2023	1st-reviewfix(express): add CJS exports to resolve ERR_PACKAGE_PATH_NOT_EXPORTED	40d	+7-3	40d
#1923	billyriaz	1st-reviewauthfix: accept null introspection_endpoint in OAuthMetadataSchema	38d	+1-1	38d
#1925	tonxxd	1st-reviewfix(server): escape U+2028 / U+2029 in SSE data lines (v2)	38d	+59-1	38d
#1932	ameenalkhaldi	1st-reviewfix(core): skip cancellation notification for initialize requests	36d	+79-13	36d
#1935	Jim1874	1st-reviewfix(server): handle undefined args in prompts handler	36d	+8-1	36d
#1940	harshkatakwar	1st-reviewfeat: add beforeToolCall and afterToolCall lifecycle hooks to McpServer	34d	+451-24	34d
#1945	bokelley	1st-reviewfix(client): skip outputSchema validation when result is an error	33d	+153-3	33d
#1949	Zelys-DFKH	1st-reviewfix(core): allow extra JSON Schema keywords on elicitation primitive schemas	32d	+104-25	32d
#1951	Zelys-DFKH	1st-reviewauthfix(client): preserve resource_metadata URL across non-Bearer WWW-Authenticate challenges	32d	+160-22	32d
#1953	Jim1874	1st-reviewfix(server): disable listChanged capability in V1x protocol mode (closes #1819)	32d	+47-2	32d
#1958	mhegazy	1st-reviewauthfix(client/auth): use .set() for prompt=consent instead of .append() to avoid duplicating	31d	+22-1	31d
#1961	MukundaKatta	1st-reviewfix(client/sse): release reader lock on disconnect to prevent ~50MB leak	30d	+100-27	30d
#1966	MukundaKatta	1st-reviewfix(server): return Tool Execution Errors for input validation failures (SEP-1303)	29d	+154-8	29d
#1967	MukundaKatta	1st-reviewauthdocs(examples): add external auth resource server example (closes #658)	29d	+361-0	29d
#1969	nanookclaw	1st-reviewfix: handle 404 and 406 gracefully in SSE stream initialization	28d	+5-3	28d
#1971	MukundaKatta	1st-reviewfix(server): handle ZodObject in RegisteredTool.update (#1960)	28d	+77-6	28d
#1972	MukundaKatta	1st-reviewauthfix(auth): preserve resource URI without trailing slash (#1968)	28d	+78-13	28d
#1980	AP3X-Dev	1st-reviewfix(server): accept empty {} annotations in tool() overload	26d	+59-2	26d
#1982	Genmin	1st-reviewfix: enforce monotonic progress notifications	26d	+86-7	26d
#1983	Genmin	1st-reviewfix(server): debounce list changed notifications	26d	+50-1	26d
#1985	Genmin	1st-reviewfix: align zod object schemas with stripped properties	26d	+36-1	26d
#1986	Genmin	1st-reviewfix: avoid duplicate SSE close callbacks	26d	+42-2	26d
#1990	Genmin	1st-reviewfix(server): accept structurally compatible Zod v4 schemas	26d	+57-6	26d
#1995	Genmin	1st-reviewfix(server): surface stateless transport reuse errors	25d	+75-1	25d
#1996	Genmin	1st-reviewfix(server): allow JSON Accept in JSON response mode	25d	+89-8	25d
#1997	Genmin	1st-reviewauthfix(server): validate OAuth code redirect URI	25d	+210-16	25d
#1998	Genmin	1st-reviewfix(client): release SSE reader locks	25d	+111-27	25d
#1999	Genmin	1st-reviewfix: preserve elicit string pattern constraints	25d	+24-1	25d
#2000	Genmin	1st-reviewFix invalid JSON-RPC request errors	25d	+105-9	25d
#2001	Genmin	1st-reviewfix(server): validate wrapped output schemas on v1	25d	+78-3	25d
#2014	fengfeng-zi	1st-reviewfix(core): remove duplicate zod dependency declaration	21d	+6-2	22d
#2017	ankitvirdi4	1st-reviewfix(server): preserve inputSchema for z.discriminatedUnion / z.union	21d	+179-14	21d
#2026	Zelys-DFKH	1st-reviewtest(@modelcontextprotocol/node): cover pre-read body pattern in stateless mode	19d	+60-15	19d
#2027	app/github-actions	1st-reviewchore: update spec.types.ts from upstream	19d	+383-695	19d
#2028	sfrangulov	1st-reviewfix(client): stop propagating transport AbortController to POST/DELETE	18d	+82-6	18d
#2030	cyphercodes	1st-reviewfix: add root package export barrel	18d	+19-0	18d
#2033	lppedd	1st-reviewbuild: configure tsdown to output both ESM and CJS	17d	+263-64	17d
#2039	navalerakesh	1st-reviewfix: use constant-time comparison for session ID validation	16d	+23-1	16d
#2043	ChrisJr404	1st-reviewfix(client): add missing Windows env vars to DEFAULT_INHERITED_ENV_VARS	14d	+42-2	14d
#2044	raashish1601	1st-reviewfix: replay in-memory events for underscore stream ids	14d	+37-2	14d
#2045	raashish1601	1st-reviewfix: accept omitted optional prompt and tool arguments	14d	+114-2	14d
#2046	raashish1601	1st-reviewfix: accept JSON-only Accept in streamable JSON mode	14d	+37-8	14d
#2052	app/dependabot	1st-reviewchore(deps): bump changesets/action from 1.7.0 to 1.8.0	14d	+2-2	14d
#2079	Zelys-DFKH	1st-reviewfix(test): extend cloudflare workers retry to cover full request cycle	13d	+16-15	13d
#2085	rsalus	1st-review[v1.x] fix(server): emit JSON Schema 2020-12 in tools/list (SEP-1613)	12d	+87-2	12d
#2091	RomKadria	1st-reviewfix(node): reuse getRequestListener instead of creating one per request	11d	+22-27	11d
#2092	bishnubista	1st-reviewauthfix(client,core): tighten OAuth PRM resource validation per RFC 8707 §2	11d	+147-4	11d
#2099	he-yufeng	1st-reviewfix(client): fail fast after SSE reconnect exhaustion	10d	+82-17	10d
#2102	pragnyanramtha	1st-reviewPass request context to completion callbacks	10d	+173-11	10d
#2104	pragnyanramtha	1st-reviewfix(server): allow streamable HTTP JSON without content type	10d	+49-23	10d
#2105	pragnyanramtha	1st-reviewfix: tighten request handler result types on v1.x	10d	+295-40	10d
#2106	pragnyanramtha	1st-reviewfix: validate wrapped Zod output schemas	10d	+54-2	10d
#2107	pragnyanramtha	1st-reviewfix: accept omitted prompt arguments	10d	+59-1	10d
#2109	leehpham	1st-reviewfix(server): derive standalone SSE streamId per-session to prevent EventStore collisions	9d	+76-1	9d
#2111	dparikh79	1st-reviewfix(server): reject initialize with mismatched MCP-Protocol-Version header	9d	+82-0	9d
#2113	sceran	1st-reviewdocs(README): add `@modelcontextprotocol/fastify` to middleware listing	9d	+6-2	9d
#2114	pragnyanramtha	1st-reviewfix(server): track renamed registered item keys	9d	+104-16	9d
#2119	abdulmunimj	1st-reviewfix(core): inline reused Zod subschemas in tools/list JSON Schema	7d	+124-3	7d
#2122	he-yufeng	fix(server): reject requests before initialization	7d	+90-4	7d
#2123	app/dependabot	chore(deps): bump pnpm/action-setup from 5.0.0 to 6.0.8	7d	+10-10	7d
#2136	malventano	fix: resetTimeoutOnProgress does nothing without onprogress callback	5d	+10-6	5d
#2150	he-yufeng	fix: reinitialize expired streamable sessions	1d	+160-43	1d
#2154	cyq1017	Align Streamable HTTP onclose type with Transport contract	1d	+14-3	1d

3 SLA community-reviewed (3) — Community members have reviewed, but no maintainer has engaged yet.

#1870	techtoboggan	1st-reviewfix: inject progressToken when resetTimeoutOnProgress is set (not only onprogress)	46d, reviewed by travisbreaks (SLA breach)	+4-2	46d
#2003	ElliotDrel	1st-reviewfix(server): exit when MCP client closes stdin pipe	25d, reviewed by stomde (SLA breach)	+84-0	25d
#2015	morozow	1st-reviewfeat(tasks): add task streaming with partial result notifications	21d, reviewed by stomde (SLA breach)	+3021-7	21d

Hygiene (23) ⊕ ⊖

Batchable procedural ops — pings, rebases, peer reviews.

2 auth stale-awaiting-author (13) — Changes requested over two weeks ago with no author response.

#1769	felixweinberger	fix(server): align ProtocolError re-throw with spec error classification	53d since feedback	+220-58	60d
#1776	KKonstantinov	v2 remove console warns on middleware	53d since feedback	+135-116	60d
#1283	evalstate	Fix/onprogress error handling	55d since feedback	+23-1	166d
#1493	TheodorNEngoy	hono: add maxBodyBytes guard for JSON parsing	56d since feedback	+88-3	107d
#1496	TheodorNEngoy	server: add maxBodyBytes guard to WebStandardStreamableHTTPServerTransport	56d since feedback	+132-2	107d
#1500	TheodorNEngoy	ci: retry pkg-pr-new publish on transient 5xx	56d since feedback	+30-3	107d
#1664	Vadaski	fix: surface input validation errors for task-augmented tool calls	59d since feedback	+107-0	75d
#1666	Vadaski	fix: allow registering tools/resources/prompts after connect when capabilities pre-declared (#893)	53d since feedback	+218-19	75d
#1669	Vadaski	authfix: include scope parameter in OAuth authorization code token exchange	56d since feedback	+122-6	74d
#1681	meirk-brd	fix(server): stop replay cleanly when streamable HTTP replay stream c…	59d since feedback	+131-23	72d
#1813	Aboudjem	authfix(auth): deduplicate concurrent token refresh requests	53d since feedback	+386-0	57d
#1854	haydenrear	Added default mcp tool call timeout from env	46d since feedback	+133-2	50d
#1865	pch007	fix(server): handle ZodEffects in normalizeObjectSchema and getObjectShape	46d since feedback	+246-0	47d

2 auth ci-red-silent (10) — CI failing, not yet flagged to the author.

#2129	felixweinberger	chore: sync schemas to spec @142b3c3c; segregate pre-2026 wire schemas	red CI 5d	+1266-1165	5d
#1963	MukundaKatta	feat(client): add idle timeout to SSE stream reader	red CI 29d	+192-0	29d
#1964	MukundaKatta	feat(deps): make HTTP/SSE transport deps optional for stdio-only consumers	red CI 29d	+154-13	29d
#1965	MukundaKatta	feat(client): honor Retry-After on HTTP 429 responses	red CI 29d	+383-8	29d
#2010	aayushbaluni	fix: detect plain JSON Schema objects in tool() overload resolution	red CI 24d	+335-2	24d
#2019	blackwell-systems	fix: check AbortSignal in handleAutomaticTaskPolling to stop cancelled requests	red CI 21d	+8-0	21d
#2024	JoannaaKL	fix: kill process tree on StdioClientTransport.close()	red CI 19d	+174-6	19d
#2080	Jefsky	fix(server): preserve icons in registerPrompt()	red CI 12d	+12-1	12d
#2082	Jefsky	authdocs(core): clarify resetTimeoutOnProgress requires onprogress	red CI 12d	+25-7	12d
#2118	nielskaspers	authdocs(client): clarify private_key_jwt reserved-claim behavior	red CI 8d	+7-0	8d

Close candidates (3) ⊕ ⊖

Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.

stale-ci-abandoned (3) — CI has been failing for over a month with no activity.

#1335	LucaButBoring	[v1.x] Fix registerToolTask's getTask and getTaskResult handlers not being invoked	red CI 153d, no activity	+311-167	153d
#1878	dagangtj	feat(hono): add generic Env type support to createMcpHonoApp	red CI 44d, no activity	+68-3	44d
#1884	vrv	Reject standalone GET in stateless streamable HTTP mode	red CI 43d, no activity	+11-0	43d

Not our move (26) ⊕ ⊖

Clock is on the author or blocked externally. No action owed today.

4 auth parked (12) — Maintainer draft >30d, intentionally shelved.

#1292	ochafik	feat: generate schemas from types, improve type definitions	maintainer draft, 164d	+9663-3551	164d
#1463	mattzcarey	fix: tighten setRequestHandler types for Client and Server	maintainer draft, 111d	+44-15	111d
#1492	ochafik	Add request/response compression support for HTTP transports	maintainer draft, 108d	+1253-10	108d
#1531	pcarleton	authAlternative: XAA as OAuthClientProvider with Layer 2 utilities	maintainer draft, 101d	+441-140	101d
#1597	pcarleton	examples: MRTR backwards-compatibility exploration demos	maintainer draft, 87d	+1185-0	87d
#1633	ochafik	[SEP-2356] File input support for tools and elicitation	maintainer draft, 81d	+147-4	81d
#1701	felixweinberger	examples: MRTR dual-path options for 2025-11 client compat	maintainer draft, 68d	+1727-0	68d
#1721	pcarleton	authfix(xaa): address review nits from #1593 & use discoveryState	maintainer draft, 66d	+55-153	66d
#1722	pcarleton	auth[v1.x backport] SEP-990 Cross-App Access	maintainer draft, 66d	+874-3	66d
#1913	felixweinberger	feat(sdk): @modelcontextprotocol/sdk meta-package with v1 deep-import subpaths	maintainer draft, 39d	+1152-6	39d
#1942	felixweinberger	[DO NOT MERGE] RFC reference: request-first SDK architecture	maintainer draft, 34d	+14447-5183	34d
#1957	pcarleton	authfeat(client/auth): RFC 9207 iss parameter validation (SEP-2468 reference impl)	maintainer draft, 31d	+6790-907	31d

3 auth stale-draft (8) — Draft with no activity for over a week.

#872	LucaButBoring	feat: use informative user agent in HTTP requests	draft idle 286d	+407-142	286d
#1169	domdomegg	fix: allow any JSON Schema type for outputSchema	draft idle 181d	+6-17	181d
#1416	maxisbey	ci: use conformance composite action	draft idle 124d	+68-41	124d
#1624	SamMorrowDrums	authfeat(server): OAuth scope challenge support (step-up auth)	draft idle 82d	+1243-3	82d
#1973	felixweinberger	authfeat(server): lift framework-agnostic RS-auth helpers from /express	draft idle 27d	+765-184	27d
#2094	KKonstantinov	2026-06-30 routing exp 1	draft idle 10d	+5558-18134	10d
#2096	MukundaKatta	authdocs(client): clarify private_key_jwt custom claim precedence	draft idle 10d	+37-2	10d
#2097	KKonstantinov	remove tasks	draft idle 10d	+117-17795	10d

draft-active (5) — Author is still working. Fresh draft.

#2130	felixweinberger	refactor(core): extract Dispatcher; Protocol composes it	5d old	+1942-18710	5d
#2131	felixweinberger	[SEP-2575][SEP-2322][SEP-2567] 2026-06 stateless support over StreamableHTTP	5d old	+4229-1047	5d
#2132	felixweinberger	[SEP-2575][SEP-2567] 2026-06 stateless support: stdio + InMemory transports	5d old	+884-190	5d
#2133	felixweinberger	docs: 2026-06 migration guide + examples + changeset	5d old	+153-63	5d
#2134	felixweinberger	refactor!: extract LegacyServer/LegacyClient; NEW Server/Client compose them	5d old	+2083-1561	5d

bot-release (1) — Changesets 'Version Packages' — release trigger, not for triage.

#1845

app/github-actions

Version Packages (alpha)

release bot PR

+245-9

53d

Actionable vs target

↓ 5.95%

174

Auth

—

Actioned (7d)

↑ 66.67%

201 in last 30d

Merged (7d)

—

8 in last 30d

Hours to clear

↑ 21.16%

~60.7

1st review > 7d

—

of 119 eligible

Re-review > 24h

—

of 20 eligible

Maintainer > 24h

—

of 3 eligible

Stats — volume, timing, size distribution

Volume

Open PRs

↓ 14.44%

231

Draft PRs

—

Opened

—

last 7 days

Opened

—

130

last 30 days

Opened

—

432

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

273

last 90 days

Time to First Review

Average

—

Median

↑ 22.27%

P90

—

17d

P95

—

27d

Merge Time

Average

—

Median

↑ 18.22%

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Breakdown by tier

Tier	Count	Auth	Maint.	~Time
1 — We're blocking someone	14	2	1	3.3h
2 — High leverage	26	5	2	5.2h
3 — Intake	102	21	0	51.0h
4 — Hygiene	14	2	1	51m
5 — Close candidates	18	2	2	18m
total actionable	174	32	6	60.7h
not our move	38	—	—	—

We're blocking someone (14) ⊕ ⊖

Author did what we asked and is waiting on us. Longest-waiting first.

8 SLA1 auth author-pinged-after-procedural (8) — Author addressed maintainer feedback and pinged — awaiting response.

#1440	ChenyangLi4288	re-reviewFixes protocol compliance gap described in issue #1419	author pinged @felixweinberger 182d ago	+34-1	230d
#1486	daamitt	re-reviewfeat: Add support for specifying NotificationOptions	author pinged @felixweinberger, @maxisbey 191d ago	+16-4	222d
#1697	dgenio	re-reviewdocs: clarify Streamable HTTP stateless mode semantics and usage	author pinged @felixweinberger 47d ago	+149-1	178d
#1709	dgenio	re-reviewfeat: Add LLM provider adapter documentation and examp	author pinged @felixweinberger 86d ago	+1745-0	175d
#1810	punitmahes	re-reviewauthfeat(cmid-server): Implement Server-Side Support for Client ID Metadata Documents (CIMD)	author pinged @maxisbey 82d ago	+189-1	156d
#1856	codefromthecrypt	re-reviewfix: suppress GeneratorExit during client cleanup	author pinged @Kludex 110d ago	+180-13	131d
#2099	dgenio	re-reviewfeat: expand InitializationState with explicit lifecycle state machine	author pinged @maxisbey 86d ago	+421-9	95d
#2147	akshan-main	re-reviewshutdown CPU busy-loop in HTTP/SSE transports	author pinged @maxisbey 48d ago	+156-18	89d

5 SLA1 auth needs-re-review (5) — Author pushed changes after review feedback — needs re-review.

#1436	yarnabrina	re-review[DOC] simple mcp client with sampling capability	author pushed after CHANGES_REQUESTED (150d waiting)	+1204-645	231d
#1721	BinoyOza-okta	re-reviewauthImplement SEP-990 Enterprise Managed OAuth	author pushed after CHANGES_REQUESTED (61d waiting)	+2988-3	172d
#2040	adityuhkapoor	re-reviewfix: prevent stdio_server from closing process stdio handles	author pushed after CHANGES_REQUESTED (80d waiting)	+66-10	103d
#2119	jonathanhefner	re-reviewType-check docstring code examples via companion files and unified sync script	author pushed after CHANGES_REQUESTED (90d waiting)	+1306-270	94d
#2198	Varun6578	re-reviewfix: prevent tool exceptions from leaking internal details to client	author pushed after CHANGES_REQUESTED (80d waiting)	+53-11	84d

1 SLA maintainer-intake (1) — Maintainer-authored PR awaiting review from another maintainer.

#2008

Kludex

maintainerdocs: restructure documentation with quickstart, concepts, and new nav

107d, no maintainer has looked yet

+390-135

107d

High leverage (26) ⊕ ⊖

One decision unblocks or closes multiple things.

13 SLA9 auth duplicate-cluster (16 clusters, 35 PRs) — Multiple PRs address the same issue — one will be picked, others closed as duplicates.

Issue #1401 — 3 PRs ⭐ #2122 (CI is unknown for all three, so the tiebreakers are diff size and age. #2122 has the smallest total diff (131 lines: 115 additions + 16 deletions) versus #2640 at 140 lines and #2374 at 141 lines. Its 16 deletions indicate it actually replaces problematic code rather than only appending, which is the correct shape for a propagation fix. #2374's zero deletions and title ("log exceptions … instead of silently swallowing") suggest it adds logging around the swallowed error rather than propagating it to callers, making it a weaker fix for the same root cause. #2640's scope ("transport exceptions") overlaps heavily with #2122's SSE-specific fix but arrived 86 days later with a marginally larger diff. #2122 is also the oldest open PR (93 days, labeled P1/bug by maintainers), giving it seniority on the "oldest" tiebreaker.)

#2122	heyhayes	1st-reviewfix: propagate SSE stream errors to waiting requests	cluster primary for issue #1401 (3 PRs)	+115-16	93d
#2374	Aboudjem	fix(session): log exceptions in default message_handler instead of silently swallowing	shares linked issue #1401 with #2122	+141-0	58d
#2640	rudi193-cmd	fix(client): propagate transport exceptions in default message handler	shares linked issue #1401 with #2122	+138-2	7d

Issue #1523 — 2 PRs ⭐ #1531 (CI status is unknown for both PRs and both change exactly 2 files, so the deciding criterion is age: #1531 was opened earlier than #2603. Both PRs target the same root cause (missing Accept: application/json header on the OAuth token request), but #1531's title ("Add accept json headers for token request") and #2603's title ("request json token responses") describe the same approach. With no other differentiating signals — CI results, test coverage, diff size — #1531 is preferred solely because it is the older submission.)

#1531	vincent0426	1st-reviewauthfix: Add accept json headers for token request	cluster primary for issue #1523 (2 PRs)	+10-2	209d
#2603	he-yufeng	authfix: request json token responses	shares linked issue #1523 with #1531	+10-2	10d

Issue #1656 — 2 PRs ⭐ #2503 (Both PRs have unknown CI status. Falling to diff size: #2503 changes 3 files vs. #2532's 5 files, making it the smaller, more focused fix for the same root cause. #2503 is also older (lower PR number). With CI tied, the smallest-focused-diff and oldest tiebreakers both point to #2503.)

#2503	fungi8	1st-reviewAvoid configuring logging during MCPServer initialization	cluster primary for issue #1656 (2 PRs)	+38-4	30d
#2532	Genmin	Stop FastMCP from configuring application logging	shares linked issue #1656 with #2503	+124-9	24d

Issue #2432 — 2 PRs ⭐ #2438 (PR #2438 changes 2 files (source fix + likely a test) and directly resolves the hang by consuming the response body on unexpected content-type — addressing the root cause. PR #2472 changes only 1 file and its title says "test: regression test", meaning it adds a test without the underlying fix; a regression test alone cannot close issue #2432. Both have unknown CI, so that criterion is a tie. On the "has tests > smallest focused diff > oldest" tiebreakers: #2438 is the older PR (lower number), contains the actual behavior change needed to unblock callers, and a two-file diff that fixes a real hang is more complete than a one-file diff that only asserts the (unfixed) hang does not occur.)

#2438	vishal-vanam	1st-reviewfix: consume response body on unexpected content type to prevent client hang	cluster primary for issue #2432 (2 PRs)	+19-0	42d
#2472	Christian-Sidak	test: regression test for initialize hang on unexpected content-type	shares linked issue #2432 with #2438	+29-0	36d

Issue #2578 — 3 PRs ⭐ #2590 (All three PRs report CI unknown and touch exactly 2 files, so CI status and diff size do not differentiate them, and no PR is confirmed to include tests. Falling through to the final tiebreaker — submission order — #2590 is the oldest of the three (lowest PR number, filed before #2645 and #2646). Its title "fix: omit OAuth resource on token refresh" follows conventional-commit format and names the behavior precisely. #2645 is substantively identical in title wording (adding only an `oauth` scope tag), and #2646's title is vaguer. With no concrete technical differentiator favoring either newer PR, #2590 is kept on seniority.)

#2590	he-yufeng	1st-reviewauthfix: omit OAuth resource on token refresh	cluster primary for issue #2578 (3 PRs)	+41-9	12d
#2645	Epochex	authfix(oauth): omit resource param on token refresh	shares linked issue #2578 with #2590	+27-8	6d
#2646	FU-max-boop	authFix OAuth refresh resource handling	shares linked issue #2578 with #2590	+34-9	6d

Issue #2591 — 2 PRs ⭐ #2592 (Both PRs have unknown CI status and share the same author (he-yufeng — #2669 appears to be a follow-up by the same contributor). With CI equal, the remaining tiebreakers both favor #2592: it has a materially smaller diff (22 lines changed vs. 59 in #2669), and it was opened 9 days earlier (2026-05-14 vs. 2026-05-23). #2669's third file could be a test, which would favor it on the "has tests" criterion, but that cannot be confirmed without readable diffs — and the "smallest focused diff" rule applies before "oldest," so #2592 wins on two consecutive tiebreakers. If maintainers can verify #2669 includes a test file and #2592 does not, that should override this pick.)

#2592	he-yufeng	1st-reviewfix: support PEP 604 structured output unions	cluster primary for issue #2591 (2 PRs)	+21-1	11d
#2669	he-yufeng	fix: wrap pipe union structured outputs	shares linked issue #2591 with #2592	+58-1	2d

Issue #2629 — 2 PRs ⭐ #2638 (Both PRs have unknown CI status (tie). Without diff access to verify test coverage, the deciding criterion is diff size: #2638 touches 2 files vs #2630's 5 files, making it the smaller, more focused fix. Note: if #2630's additional 3 files include test coverage that #2638 lacks, that would reverse this decision — reviewers should confirm test presence before closing #2630.)

#2630	CrypticCortex	authfix(auth): validate redirect_uri schemes at DCR registration (RFC 9700 §4.1.1, RFC 7591 §2)	shares issue #2629; #2638 is the pick	+214-3	7d
#2638	he-yufeng	1st-reviewauthfix: validate registered redirect uris	[llm pick] cluster primary for issue #2629: Both PRs have unknown CI status (tie). Without diff access to verify test coverage, the deciding criterion is diff size: #2638 touches 2 files vs #2630's 5 files, making it the smaller, more focused fix. Note: if #2630's additional 3 files include test coverage that #2638 lacks, that would reverse this decision — reviewers should confirm test presence before closing #2630.	+82-1	7d

Issue #348 — 2 PRs ⭐ #1824 (Both PRs have unknown CI status. Moving to the next tiebreakers: #1824 touches 4 files vs #2511's 5 files, giving it a smaller, more focused diff, and #1824 was opened earlier (lower PR number). Neither CI criterion nor test-coverage evidence distinguishes them from the available metadata, so the two concrete differences — diff size and age — both point to #1824.)

#1824	hanzili	1st-reviewAdd custom content support to ToolError for isError responses	cluster primary for issue #348 (2 PRs)	+269-1	142d
#2511	blackwell-systems	feat: add custom content support to ToolError	shares linked issue #348 with #1824	+155-4	28d

Semantic: Errors during streamable HTTP request handling are not communicated back to the caller, causing tool calls to hang or silently fail. All three convert error conditions into JSONRPC error responses instead of letting exceptions propagate or go unhandled. (3 PRs) — 3 PRs ⭐ #2607 (PR #2607 wraps handle_request_async at the top level, covering both POST and resumption request paths — a strict superset of PR #1578 (which only wraps _handle_post_request) and PR #2613 (which only handles HTTP 4xx/5xx status codes). The other two can be closed in favor of a follow-on to add richer HTTP-status error detail if desired.)

#1578	gyang-xai	Fix issue where client tool call hangs forever if server crashes or connection dies when using streamable-http	[llm] duplicates #2607: Errors during streamable HTTP request handling are not communicated back to the caller, causing tool calls to hang or silently fail. All three convert error conditions into JSONRPC error responses instead of letting exceptions propagate or go unhandled.	+332-44	202d
#2607	he-yufeng	1st-reviewfix: isolate streamable HTTP request errors	[llm] cluster primary: Errors during streamable HTTP request handling are not communicated back to the caller, causing tool calls to hang or silently fail. All three convert error conditions into JSONRPC error responses instead of letting exceptions propagate or go unhandled. (3 PRs)	+70-4	10d
#2613	pragnyanramtha	fix: isolate streamable HTTP POST errors	[llm] duplicates #2607: Errors during streamable HTTP request handling are not communicated back to the caller, causing tool calls to hang or silently fail. All three convert error conditions into JSONRPC error responses instead of letting exceptions propagate or go unhandled.	+163-1	10d

Semantic: Race condition in streamable HTTP: post_writer begins consuming messages before signaling readiness, so the caller can yield control before the writer is listening. Both PRs make identical changes — importing TaskStatus and calling task_status.started(None) before the async-for loop. (2 PRs) — 2 PRs ⭐ #2666 (PR #2666 contains the same post_writer/TaskStatus fix as #1674 and additionally patches stdio.py to call process.stdout.aclose() during teardown, covering a related resource-leak on process exit. Broader fix with no conflicting changes.)

#1674	AydarAkhmetzyanov	Race condition in streamable http	[llm] duplicates #2666: Race condition in streamable HTTP: post_writer begins consuming messages before signaling readiness, so the caller can yield control before the writer is listening. Both PRs make identical changes — importing TaskStatus and calling task_status.started(None) before the async-for loop.	+73-2	180d
#2666	Epochex	fix(streamable-http): wait for post_writer before yielding	[llm] cluster primary: Race condition in streamable HTTP: post_writer begins consuming messages before signaling readiness, so the caller can yield control before the writer is listening. Both PRs make identical changes — importing TaskStatus and calling task_status.started(None) before the async-for loop. (2 PRs)	+50-2	2d

Semantic: sys.stderr cannot safely be passed to subprocess in non-standard environments (Jupyter ZMQ streams, sandboxed runners). Both PRs address the same failure mode: the errlog parameter's default value breaks subprocess spawning in these contexts. (2 PRs) — 2 PRs ⭐ #2410 (#2410 fixes the root cause at the API boundary (TextIO | int type union) and works for all non-standard environments, not just Jupyter. #2020 requires an IPython import and fragile ZMQInteractiveShell class-name detection — with #2410 merged, Jupyter users can pass subprocess.DEVNULL explicitly, making the detection logic in #2020 unnecessary and the import dependency avoidable.)

#2020	BabyChrist666	feat: support stderr logging in Jupyter notebook environments	[llm] duplicates #2410: sys.stderr cannot safely be passed to subprocess in non-standard environments (Jupyter ZMQ streams, sandboxed runners). Both PRs address the same failure mode: the errlog parameter's default value breaks subprocess spawning in these contexts.	+285-10	106d
#2410	RudrenduPaul	1st-reviewfix: allow integer file descriptors for errlog in stdio_client	[llm] cluster primary: sys.stderr cannot safely be passed to subprocess in non-standard environments (Jupyter ZMQ streams, sandboxed runners). Both PRs address the same failure mode: the errlog parameter's default value breaks subprocess spawning in these contexts. (2 PRs)	+13-5	46d

Semantic: write_stream buffer size of 0 causes a deadlock when a handler tries to enqueue its final response while stdout_writer is still flushing an earlier progress notification (2 PRs) — 2 PRs ⭐ #2654 (PR #2654 directly fixes the deadlock by setting the buffer to 1 and includes a BlockingStdout test that reproduces the race condition. PR #2215 makes buffer size configurable but keeps the default at 0, so the bug remains unless callers explicitly pass write_stream_buffer_size=1 — it would need to be rebased on top of #2654's fix to be useful as a follow-on configurability feature.)

#2215	yaowubarbara	fix(stdio): allow configurable memory stream buffer size	[llm] duplicates #2654: write_stream buffer size of 0 causes a deadlock when a handler tries to enqueue its final response while stdout_writer is still flushing an earlier progress notification	+85-3	81d
#2654	2830500285	fix: buffer stdio server writes during progress notifications	[llm] cluster primary: write_stream buffer size of 0 causes a deadlock when a handler tries to enqueue its final response while stdout_writer is still flushing an earlier progress notification (2 PRs)	+43-2	4d

Semantic: get_client_metadata_scopes() overwrites existing scope state rather than preserving or accumulating it. PR #2373 fixes this in the 401 initial-auth discovery path (adds `if scope is None` guard); PR #2676 fixes it in the 403 step-up path (introduces union_scopes per SEP-2350). Both are symptoms of the same design gap: scope selection does not respect previously established scope state, causing either user-provided scopes to be silently discarded on first auth or prior grants to be dropped during step-up. (2 PRs) — 2 PRs ⭐ #2676 (PR #2676 is built on a later base commit (72309f5775 vs 25075dec3b for #2373), carries the SEP-2350 specification reference, and introduces the union_scopes accumulation utility which is the correct semantic for scope management. The simpler if-None guard from #2373 for the 401 discovery path should be folded into #2676 to give a single PR that addresses scope preservation across both the initial-auth and step-up flows.)

#2373	chasewhughes	authfix(auth): respect explicitly-set client_metadata.scope during discovery	[llm] duplicates #2676: get_client_metadata_scopes() overwrites existing scope state rather than preserving or accumulating it. PR #2373 fixes this in the 401 initial-auth discovery path (adds `if scope is None` guard); PR #2676 fixes it in the 403 step-up path (introduces union_scopes per SEP-2350). Both are symptoms of the same design gap: scope selection does not respect previously established scope state, causing either user-provided scopes to be silently discarded on first auth or prior grants to be dropped during step-up.	+143-5	58d
#2676	dogacancolak	authSEP-2350: accumulate scopes on step-up auth	[llm] cluster primary: get_client_metadata_scopes() overwrites existing scope state rather than preserving or accumulating it. PR #2373 fixes this in the 401 initial-auth discovery path (adds `if scope is None` guard); PR #2676 fixes it in the 403 step-up path (introduces union_scopes per SEP-2350). Both are symptoms of the same design gap: scope selection does not respect previously established scope state, causing either user-provided scopes to be silently discarded on first auth or prior grants to be dropped during step-up. (2 PRs)	+595-94	1d

Semantic: BrokenResourceError escapes stdout_reader when the stdio_client context is exited while the subprocess is still writing, causing an unhandled exception. Both PRs add BrokenResourceError to the exception handling in the same try/except block in stdout_reader and would conflict on merge. (2 PRs) — 2 PRs ⭐ #2450 (#2450 catches BrokenResourceError at each individual send() call site (inner try/except), which stops the reader immediately and precisely on stream closure without masking other exceptions. #2456 catches it only in the outer except clause (coarser granularity) and bundles an unrelated encoding_error_handler default change ('strict' → 'replace') that should be reviewed separately on its own merits rather than coupled to the race-condition fix.)

#2450	ddullah	1st-reviewfix(stdio): handle BrokenResourceError in stdout_reader race (#1960)	[llm] cluster primary: BrokenResourceError escapes stdout_reader when the stdio_client context is exited while the subprocess is still writing, causing an unhandled exception. Both PRs add BrokenResourceError to the exception handling in the same try/except block in stdout_reader and would conflict on merge. (2 PRs)	+54-3	40d
#2456	shaun0927	fix(stdio_client): tolerate invalid UTF-8 from child stdout	[llm] duplicates #2450: BrokenResourceError escapes stdout_reader when the stdio_client context is exited while the subprocess is still writing, causing an unhandled exception. Both PRs add BrokenResourceError to the exception handling in the same try/except block in stdout_reader and would conflict on merge.	+41-4	39d

Semantic: UrlElicitationRequiredError is not pickle-safe because Exception.__reduce_ex__ calls cls(*self.args) with (code, message, data) but the subclass constructor expects (elicitations, message=None), raising TypeError on unpickle (issue #2431). (2 PRs) — 2 PRs ⭐ #2555 (PR #2555 implements __reduce__ directly on UrlElicitationRequiredError using Python's standard pickle protocol and includes tests covering the round-trip. PR #2478 adds a _restore_mcp_error helper but never hooks it into the pickle machinery (no __reduce__ added to any class), leaving pickling broken.)

#2478	MukundaKatta	fix(shared): preserve MCPError payload on pickle	[llm] duplicates #2555: UrlElicitationRequiredError is not pickle-safe because Exception.__reduce_ex__ calls cls(*self.args) with (code, message, data) but the subclass constructor expects (elicitations, message=None), raising TypeError on unpickle (issue #2431).	+57-1	36d
#2555	MukundaKatta	1st-reviewfix(shared): make UrlElicitationRequiredError pickle-safe (refs #2431)	[llm] cluster primary: UrlElicitationRequiredError is not pickle-safe because Exception.__reduce_ex__ calls cls(*self.args) with (code, message, data) but the subclass constructor expects (elicitations, message=None), raising TypeError on unpickle (issue #2431). (2 PRs)	+70-0	18d

Semantic: RequestResponder.cancel() incorrectly sends a JSON-RPC error response for cancelled requests, violating the MCP cancellation spec. Both PRs modify the same cancel() method in src/mcp/shared/session.py and both touch the server-side _handle_request cancellation path. (2 PRs) — 2 PRs ⭐ #2514 (PR #2514 is the more complete fix: it both removes the erroneous error response from cancel() AND adds the spec-required notifications/cancelled notification (adding CancelledNotificationParams), covering request timeout and caller cancellation scenarios. PR #2493 only removes the error response without sending any notification, leaving the client silent where the spec requires a notifications/cancelled message.)

#2493	Zelys-DFKH	fix: don't send a response for cancelled requests	[llm] duplicates #2514: RequestResponder.cancel() incorrectly sends a JSON-RPC error response for cancelled requests, violating the MCP cancellation spec. Both PRs modify the same cancel() method in src/mcp/shared/session.py and both touch the server-side _handle_request cancellation path.	+30-8	33d
#2514	dragogargo	1st-reviewfix: send notifications/cancelled on request timeout and caller cancellation	[llm] cluster primary: RequestResponder.cancel() incorrectly sends a JSON-RPC error response for cancelled requests, violating the MCP cancellation spec. Both PRs modify the same cancel() method in src/mcp/shared/session.py and both touch the server-side _handle_request cancellation path. (2 PRs)	+121-2	28d

9 SLA1 auth needs-decision (9) — Maintainer discussed but hasn't approved or requested changes yet.

#2096	localden	maintainerFix the session binding logic for tasks.	maintainer COMMENTED but took no stance	+681-247	96d
#2344	pja-ant	maintainerfix(server): return -32602 for resource not found (SEP-2164)	maintainer COMMENTED but took no stance	+95-20	61d
#1397	samchenatti	re-reviewValidate metadata keys	2 maintainer comments, zero reviews	+110-1	243d
#1439	beaterblank	re-reviewEnhanced ResourceTemplate URI matching and type handling logic.	maintainer COMMENTED but took no stance	+2350-66	231d
#1517	yukuanj	re-reviewauthAdd resource_owner field to AuthorizationCode and AccessToken classes	maintainer COMMENTED but took no stance	+9-0	210d
#1825	Ilan-kayesar	re-reviewAdded descriptions for arguments taken from docstring	maintainer COMMENTED but took no stance	+253-8	142d
#2075	BabyChrist666	re-reviewReject JSON-RPC requests with null id instead of misclassifying as notifications	maintainer COMMENTED but took no stance	+60-1	97d
#2117	sreenithi	re-reviewPluggable Transport Abstractions for Client and Shared sessions	maintainer COMMENTED but took no stance	+837-83	94d
#2342	perhapzz	re-reviewtest: convert context_aware_server to in-process threads for coverage	maintainer COMMENTED but took no stance	+41-18	61d

1 SLA backport-follows-primary (1) — v1.x sibling of a main-branch PR. Review together — backport diff is usually mechanical.

#2449

ddullah

1st-review[v1.x] fix(stdio): handle BrokenResourceError in stdout_reader race (#1960)

follows #2450

+52-3

40d

Intake (102) ⊕ ⊖

PRs not yet reviewed by a maintainer. Oldest first.

85 SLA21 auth needs-first-review (102) — Not yet reviewed by a maintainer.

#1566	bjoaquinc	1st-reviewtest: update SSE tests to use StreamingASGITransport instead of uvicorn for server testing	203d	+366-367	203d
#1570	carlosemart	1st-reviewDisable logs reconfigure on startup	202d	+45-7	202d
#1582	vincent0426	1st-reviewfix: Raise resource not found error	201d	+50-10	201d
#1597	bjoaquinc	1st-reviewauthfix: validate PRM resource field per RFC 9728 Section 3.3	197d	+62-5	197d
#1608	cbcoutinho	1st-reviewfeat: propagate session_id from transport to tool context	196d	+330-1	196d
#1611	kylestratis	1st-reviewClient notification support	196d	+889-4	196d
#1647	FanisPapakonstantinou	1st-reviewImprove exception handling for ClientDisconnect errors	186d	+10-1	186d
#1666	matthew-gries	1st-reviewfix: Fix logic that determines standard resource vs. resource template to account for context param (#1635)	182d	+280-58	182d
#1807	sesajad	1st-reviewMake `errlog` optional in `stdio_client` and update default to `None`	157d	+73-2	157d
#1812	ivanbelenky	1st-reviewfix: `handle_sse_response` causing dangling client's read_stream	156d	+20-1	156d
#1817	challenger71498	1st-reviewfix: cleanup resources properly on `BaseSession::_receive_loop` cleanup	151d	+89-11	151d
#1818	jayhemnani9910	1st-reviewfix: auto-reinitialize client session on HTTP 404	146d	+671-9	146d
#1846	jayhemnani9910	1st-reviewauthfix: respect token_endpoint_auth_method=none when client_secret exists	136d	+72-3	136d
#1847	challenger71498	1st-reviewauthfeat: fully support Basic Authorization header at token request	134d	+148-58	134d
#1849	newbiehwang	1st-reviewFix: Raise RuntimeError when ClientSession is used without context manager to prevent hangs	133d	+40-0	134d
#1943	sicoyle	1st-reviewfix: prevent silent failure on GET stream so clients don't hang	122d	+185-2	122d
#2032	adityuhkapoor	1st-reviewfix: skip JSON pre-parsing for str union annotations in pre_parse_json	104d	+38-1	104d
#2041	BryceEWatson	1st-reviewfeat: expose progress_callback in ServerSession methods	103d	+144-1	103d
#2065	IT-HONGREAT	1st-reviewauthfeat: add auth parameter to ClientSessionGroup server parameters	100d	+107-1	100d
#2078	BabyChrist666	1st-reviewauthfix: restore eager OAuth discovery to avoid slow unauthenticated roundtrip	97d	+303-99	97d
#2093	aabmass	1st-reviewOpenTelemetry inject trace context propagation in `_meta`	96d	+544-102	96d
#2187	Br1an67	1st-reviewfix: preserve notification metadata when related_request_id is 0	85d	+43-1	85d
#2191	Br1an67	1st-reviewfix: reject unsupported HTTP methods early in session manager	85d	+88-0	85d
#2192	Br1an67	1st-reviewdocs: add CLI command flags reference to README	85d	+46-0	85d
#2193	harsh543	1st-reviewauthfeat(auth): add Authlib-backed OAuth adapter (related to #1240)	85d	+1011-2	85d
#2196	Varun6578	1st-reviewauthfix: only retry 403 responses for insufficient_scope error	84d	+53-5	84d
#2207	weiguangli-io	1st-reviewauthfix: pass related_request_id in Context.report_progress()	82d	+51-3	82d
#2209	shivama205	1st-reviewauthfeat: add subject and claims fields to AccessToken	82d	+127-1	82d
#2243	Varun6578	1st-reviewfix: preserve API gateway path prefix in SSE client URL resolution	79d	+134-3	80d
#2261	namabile	1st-reviewauthfix: include "none" in token_endpoint_auth_methods_supported metadata	77d	+9-5	77d
#2271	oedokumaci	1st-reviewauthfix(oauth): preserve existing refresh_token when refresh response omits it	75d	+116-1	75d
#2281	omar-y-abdi	1st-reviewAdd client callbacks for list_changed notifications	75d	+179-4	75d
#2296	ameenalkhaldi	1st-reviewdocs: add environment variables guide	71d	+124-0	71d
#2335	rgoldstein1989	1st-reviewfeat: add remove_prompt(), remove_resource(), and remove_resource_template()	64d	+242-1	64d
#2341	perhapzz	1st-reviewtest: replace subprocess servers with in-process threaded servers for coverage tracking	61d	+459-182	61d
#2343	mangelajo	1st-reviewExpose optional stdin/stdout on MCPServer stdio entrypoints	61d	+76-5	61d
#2352	perhapzz	1st-reviewrefactor: decompose func_metadata() into smaller focused helpers	60d	+153-76	60d
#2357	BlocksecPHD	1st-reviewfix(streamable-http): reduce stateless termination log noise	60d	+44-1	60d
#2361	4444J99	1st-reviewfix: accept single supported content type in SSE mode Accept header	59d	+139-13	59d
#2365	raashish1601	1st-reviewfix: make Windows stdio pywin32 optional	59d	+117-15	59d
#2377	guoyangzhen	1st-reviewfix: allow custom Content-Type header in StreamableHTTPTransport	57d	+10-2	57d
#2394	verdie-g	1st-reviewfeat: implement OTEL mcp.server.* metrics	50d	+1116-751	50d
#2395	Dharit13	1st-reviewFix infinite reconnection loop in StreamableHTTP client	50d	+62-9	50d
#2407	dgenio	1st-reviewfeat: add public setter methods for ClientSession callbacks	47d	+177-1	47d
#2411	Smeet23	1st-reviewfix(session): return INVALID_REQUEST error instead of crashing on pre-init requests	46d	+74-2	46d
#2418	manjunathgujjar	1st-reviewfix: silence respond() when concurrent cancellation already completed request	46d	+108-2	46d
#2428	KeWang0622	1st-reviewfix: remove JSON-RPC ID type coercion for spec-compliant strict matching	43d	+40-64	43d
#2437	app/dependabot	1st-reviewchore(deps-dev): bump pillow from 12.1.1 to 12.2.0 in the uv group across 1 directory	42d	+94-94	42d
#2441	atishay2	1st-reviewfix: invalidate tool schema cache on ToolListChangedNotification; paginate all pages in _validate_tool_result	42d	+121-2	42d
#2447	SAY-5	1st-reviewfix(server): allow tools with outputSchema to surface errors via unstructured content	41d	+31-10	41d
#2457	shaun0927	1st-reviewfix(streamable-http): expose session_idle_timeout and pause idle reaping during active requests	39d	+106-11	39d
#2459	yuka-with-data	1st-reviewDoc: Clarify MCP Client-Server model in What is MCP section	39d	+5-1	39d
#2465	cubaseuser123	1st-reviewdocs: add prompt client/server example to address #498	38d	+94-2	38d
#2466	kimsehwan96	1st-reviewfix: skip output schema validation when tool returns is_error=True	37d	+27-2	37d
#2467	kimsehwan96	1st-reviewfix: [v1.x backport] skip output schema validation when tool returns isError=True	37d	+27-2	37d
#2468	NeelakandanNC	1st-reviewfeat(mcpserver): add Context.assert_within_roots for server-side roots enforcement	37d	+180-0	37d
#2476	trentisiete	1st-reviewfeat(examples): add simple-sampling server and client	36d	+603-0	36d
#2484	sakenuGOD	1st-reviewfix(client/stdio): allow FIFO cleanup of multiple transports on asyncio (#577)	35d	+272-30	35d
#2490	demoray	1st-reviewfix: dispatch client request handlers concurrently (#2489)	34d	+262-10	34d
#2492	mangibaud33	1st-reviewauthfeat(auth): persist oauth_metadata via TokenStorage to fix refresh after restart	33d	+294-6	33d
#2498	Zelys-DFKH	1st-reviewfeat(security): add subdomain wildcard support to allowed_hosts and allowed_origins	32d	+264-20	32d
#2500	ZLeventer	1st-reviewauthRemove dead commented-out code in register_client	32d	+0-2	32d
#2502	bobbyo	1st-review[v1.x] Drop responses/notifications when write stream is already closed	32d	+98-4	32d
#2506	GitAashishG	1st-reviewfeat(cli): support env vars in `mcp dev` (#339)	30d	+130-22	30d
#2520	GopalGB	1st-reviewfix(examples/simple-chatbot): align declared deps with actual usage	26d	+6-3	26d
#2524	Genmin	1st-reviewfix(cli): avoid Windows shell for mcp dev	25d	+147-19	25d
#2536	blackwell-systems	1st-reviewfix: resolve lost-wakeup races in InMemoryTaskStore.wait_for_update	23d	+69-7	23d
#2544	abhinavmathur-atlan	1st-reviewfix: exclude None optional fields from task result serialization	20d	+31-2	20d
#2565	blackwell-systems	1st-reviewfix: chain exceptions with `from` in 12 remaining raise sites	17d	+15-15	17d
#2573	charles-adedotun	1st-reviewfix(shared): strip envelope fields when forwarding JSONRPCRequest	14d	+59-0	14d
#2585	Choppaaahh	1st-reviewauthfix(auth): normalize URL paths before hierarchical resource check	12d	+82-3	12d
#2589	stefandevo	1st-reviewfeat: add reset_timeout_on_progress and max_total_timeout to send_request	12d	+500-13	12d
#2606	he-yufeng	1st-reviewfix: reject changed duplicate initialize	10d	+75-2	10d
#2608	MukundaKatta	1st-reviewfeat: expose schema generator for tool schemas	10d	+77-5	10d
#2609	MukundaKatta	1st-reviewdocs: list Python 3.14 in README badge	10d	+1-1	10d
#2612	pragnyanramtha	1st-reviewfix: handle Image helpers in mixed return annotations	10d	+88-3	10d
#2616	pragnyanramtha	1st-reviewauth[v1.x] fix(auth): request JSON token responses	9d	+6-0	10d
#2621	pragnyanramtha	1st-reviewfix: support context-only resources	9d	+44-14	9d
#2622	Epochex	1st-reviewfix: validate full sampling tool result history	9d	+125-22	9d
#2623	pragnyanramtha	1st-reviewfix: detect context on callable tool instances	9d	+26-1	9d
#2624	FU-max-boop	1st-reviewFix completed request cancellation cleanup	8d	+57-1	8d
#2631	Epochex	1st-reviewfix: fail fast when session is not started	7d	+60-4	7d
#2633	Epochex	1st-reviewfix(streamable-http): close SSE responses on errors	7d	+149-15	7d
#2636	app/dependabot	1st-reviewchore(deps): bump the github-actions group across 1 directory with 9 updates	7d	+26-26	7d
#2639	he-yufeng	1st-reviewfix: reject initialize protocol version conflicts	7d	+142-17	7d
#2642	siddhirajkatkar	authfix: add 'invalid_target' to AuthorizationErrorCode (RFC 8707)	7d	+1-0	7d
#2650	he-yufeng	fix: request identity encoding for streamable HTTP	5d	+5-0	5d
#2651	pragnyanramtha	authfix(auth): avoid SSE OAuth refresh deadlock	5d	+507-0	5d
#2652	STiFLeR7	feat: add protocol version override support for client session initialization	5d	+139-4	5d
#2656	devteamaegis	fix: rename `.gitattribute` to `.gitattributes` so git actually reads it	4d	+0-0	4d
#2657	truffle-dev	[v1.x] fix(streamable-http): reject duplicate JSON-RPC ids with 409	4d	+98-3	4d
#2658	adityasingh2400	Add list_all_* helpers that drain pagination on the client	4d	+383-18	4d
#2659	adityasingh2400	fix: serialize Image and Audio helpers as ImageContent/AudioContent	4d	+146-0	4d
#2661	putramkti	docs(experimental): add docstrings to default task handler functions	3d	+6-0	4d
#2662	adityasingh2400	authdocs(auth): clarify that resource_server_url must include the transport path	3d	+26-8	3d
#2664	afischh	authfix(auth): accept client credentials from Basic auth header in token endpoint (#1315)	2d	+134-3	2d
#2667	adityasingh2400	feat(client): add validate_structured_output option to ClientSession	2d	+77-0	2d
#2670	afischh	authfix: include transport path in protected resource metadata URL (RFC 9728 §3)	2d	+79-4	2d
#2671	he-yufeng	fix: exit cleanly on stdio KeyboardInterrupt	2d	+15-1	2d
#2672	scosemicolon	Clarify CLI subprocess environment comment	2d	+1-1	2d
#2674	Ar-maan05	feat(session): propagate callback exceptions to the awaiter	1d	+137-2	1d
#2675	Epochex	authfix(auth): get_access_token reflects current request in stateful sessions	1d	+138-2	1d

Hygiene (14) ⊕ ⊖

Batchable procedural ops — pings, rebases, peer reviews.

2 auth stale-awaiting-author (7) — Changes requested over two weeks ago with no author response.

#2175	Kludex	Return `CallToolResult` from `convert_result` instead of a tuple	85d since feedback	+14-27	86d
#1638	calvingiles	Add support for _meta attributes in resource contents	CI ping 186d ago, no fix	+426-4	188d
#1784	keurcien	authFix `token_expiry_time` upon context initialization for stored tokens.	author self-diagnosed CI 33d ago, never fixed	+109-0	164d
#1851	domdomegg	chore: update licensing to Apache 2.0 for new contributions	110d since feedback	+203-8	133d
#2146	BabyChrist666	feat: public API for runtime handler registration/deregistration	author self-diagnosed CI 66d ago, never fixed	+187-26	89d
#2253	weiguangli-io	fix: terminate active StreamableHTTP sessions during shutdown	author self-diagnosed CI 31d ago, never fixed	+14-0	77d
#2401	enjoykumawat	authfix: prefix auth routes with issuer_url base path for gateway deployments	author self-diagnosed CI 44d ago, never fixed	+62-6	48d

approved-rotted (1) — Was approved, now conflicting. Rebase or ask author.

#1872

DePasqualeOrg

fix: correct unknown tool/prompt/resource error handling

approved 73d ago, now conflicting

+63-35

130d

ci-red-silent (6) — CI failing, not yet flagged to the author.

#2531	HenryLee789	feat: allow overriding SSE messages endpoint	red CI 24d	+110-3	24d
#2551	namor5772	fix(client/stdio): fall back to os.devnull when sys.stderr is None	red CI 18d	+23-2	18d
#2552	Maanik23	fix: disable newline translation in stdio TextIOWrapper to prevent CRLF on Windows	red CI 18d	+60-2	18d
#2637	VrtxOmega	fix: make ClientSessionGroup streamable HTTP errors catchable	red CI 7d	+121-5	7d
#2668	adityasingh2400	fix(streamable-http): downgrade stateless 'Terminating session: None' log	red CI 2d	+42-1	2d
#2679	ZCoder20	Update README.md	red CI 0d	+6-6	0d

Close candidates (18) ⊕ ⊖

Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.

2 auth stale-ci-abandoned (18) — CI has been failing for over a month with no activity.

#2339	maxisbey	chore: enforce type annotations on all functions via ruff ANN rules	red CI 62d, no activity	+162-121	62d
#2387	Kludex	Add richer OTel MCP span attributes	red CI 53d, no activity	+196-17	53d
#1712	vemonet	Add working example to easily integrate a FastMCP endpoint to a FastAPI app (which is not trivial)	red CI 175d, no activity	+128-6	175d
#1934	williamomeara	authFix RFC 8252 Section 7.3 compliance for loopback redirect URIs	red CI 123d, no activity	+229-4	123d
#1947	skyvanguard	fix: handle ClientDisconnect gracefully instead of returning HTTP 500	red CI 121d, no activity	+245-49	121d
#2077	mrutunjay-kinagi	authfix(auth): forward user-agent to oauth flow requests	red CI 97d, no activity	+104-3	97d
#2145	wiggzz	Fix stateless HTTP task accumulation causing memory leak	red CI 89d, no activity	+296-20	89d
#2180	dgenio	fix: add SSRF redirect protection to httpx client factory	red CI 86d, no activity	+266-2	86d
#2199	Varun6578	fix: handle HTTP 4xx/5xx gracefully in StreamableHTTP transport	red CI 84d, no activity	+133-5	84d
#2245	Varun6578	fix: collapse single-exception ExceptionGroups from task groups	red CI 79d, no activity	+333-23	79d
#2252	BabyChrist666	refactor: consistent raise-based error handling in MCPServer handlers	red CI 78d, no activity	+227-25	78d
#2327	mrutunjay-kinagi	feat(client): add explicit session_id support for Streamable HTTP resumption	red CI 65d, no activity	+244-7	65d
#2369	raashish1601	Add stdio regression test for raw invalid UTF-8 tool arguments	red CI 58d, no activity	+127-0	58d
#2372	raashish1601	Return METHOD_NOT_FOUND for invalid request methods	red CI 58d, no activity	+70-2	58d
#2415	mplemay	refactor: make tool registration object-based	red CI 46d, no activity	+199-148	46d
#2448	MukundaKatta	feat(tools): inline local $ref in tool inputSchema (#2384)	red CI 41d, no activity	+328-4	40d
#2483	fede-kamel	fix(client): propagate HTTP transport errors to caller (#2110)	red CI 35d, no activity	+327-15	35d
#2499	Zelys-DFKH	fix(mcpserver): advertise capabilities only for registered primitives	red CI 32d, no activity	+117-2	32d

Not our move (38) ⊕ ⊖

Clock is on the author or blocked externally. No action owed today.

6 auth parked (20) — Maintainer draft >30d, intentionally shelved.

#1855	pcarleton	authAdd conformance auth server for OAuth server authentication testing	maintainer draft, 131d	+302-0	131d
#1921	maxisbey	ci: use conformance repo's composite GitHub Action	maintainer draft, 124d	+25-40	124d
#1938	maxisbey	authfix: strip trailing slashes from OAuth metadata URL fields	maintainer draft, 122d	+28-10	122d
#1999	pcarleton	authfix: pass new conformance auth scenarios, bump to 0.1.13	maintainer draft, 109d	+137-4	109d
#2217	ochafik	[SEP-2356] File input support for tools and elicitation	maintainer draft, 81d	+110-0	81d
#2238	maxisbey	Truncate untrusted peer-controlled values before logging/raising	maintainer draft, 80d	+41-38	80d
#2263	maxisbey	fix: eliminate test port allocation race by running uvicorn in-thread	maintainer draft, 76d	+152-279	76d
#2264	maxisbey	tests: eliminate port-allocation races in SSE/StreamableHTTP tests	maintainer draft, 76d	+647-1119	76d
#2301	maxisbey	authfix: remove scope registration check from authorize handler	maintainer draft, 69d	+37-56	69d
#2320	maxisbey	Extract JSON-RPC wrapping into a Dispatcher component	maintainer draft, 66d	+523-223	66d
#2322	maxisbey	draft: MRTR (SEP-2322) lowlevel plumbing + handler-shape comparison	maintainer draft, 66d	+2609-14	66d
#2336	maxisbey	authfeat(auth): add BearerAuth for minimal bearer-token authentication	maintainer draft, 62d	+829-10	62d
#2340	maxisbey	fix: propagate pre-endpoint errors in sse_client instead of deadlocking	maintainer draft, 62d	+119-9	62d
#2346	maxisbey	authfeat: add MCP_HIDE_INPUT_IN_ERRORS env var to redact payloads from validation errors	maintainer draft, 61d	+75-3	61d
#2356	maxisbey	feat: RFC 6570 URI templates with operator-aware security	maintainer draft, 60d	+3093-38	60d
#2388	Kludex	Add MCP proxy helper	maintainer draft, 52d	+699-12	52d
#2452	maxisbey	feat: add Dispatcher Protocol and DirectDispatcher	maintainer draft, 39d	+623-1	39d
#2458	maxisbey	feat: JSONRPCDispatcher	maintainer draft, 39d	+1227-67	39d
#2460	maxisbey	feat: PeerMixin, BaseContext, Connection, server Context	maintainer draft, 39d	+1230-0	39d
#2491	maxisbey	feat: ServerRunner — per-connection orchestrator	maintainer draft, 34d	+753-6	34d

1 auth stale-draft (12) — Draft with no activity for over a week.

#1800	the-ayyi	Add propagate_through_tool_handlers attribute to McpError for protocol flow control	draft idle 158d	+194-8	158d
#1838	jayhemnani9910	fix: send error on SSE disconnect without resumption token	draft idle 139d	+83-1	139d
#1998	bgaidioz	authFix: Refresh auth context per Streamable HTTP request	draft idle 109d	+196-0	109d
#2130	jonathanhefner	Import "Build an LLM-powered chatbot" quickstart guide	draft idle 91d	+2024-268	91d
#2132	aabmass	OpenTelemetry MCP client spans	draft idle 91d	+1612-118	91d
#2133	aabmass	OpenTelemetry extract trace context from `_meta` in incoming requests	draft idle 91d	+814-114	91d
#2138	jonathanhefner	Import "Build a weather server" quickstart guide	draft idle 90d	+2600-268	90d
#2139	jonathanhefner	Replace Claude for Desktop with VS Code + Copilot in server quickstart	draft idle 90d	+2514-268	90d
#2509	faridun-ag2	fix(server): return 405 on GET/DELETE in stateless HTTP mode	draft idle 29d	+136-0	29d
#2562	maxisbey	[v2] Server registry + per-connection state; ServerRunner consumes Server[L] directly	draft idle 17d	+460-194	17d
#2596	MukundaKatta	refactor(client): rename message handler callback	draft idle 11d	+58-59	11d
#2598	MukundaKatta	docs: add server instructions example	draft idle 10d	+58-0	10d

stale-draft-pinged (4) — Draft; maintainer pinged for status over a week ago with no response.

#946	agronholm	Improved Trio support	pinged 241d ago	+125-138	347d
#1222	wenxuwan	fix: Handle SSE Disconnects Properly When use starlette middleware	pinged 237d ago	+26-20	298d
#1395	Bumshakalaka	fix: update response status code for invalid session ID in HTTPSessionManger	pinged 237d ago	+2-1	243d
#2029	Ashutosh0x	fix: use ASGI callable for SSE endpoint to avoid BaseHTTPMiddleware AssertionError (#883)	pinged 103d ago	+108-8	104d

1 auth draft-active (1) — Author is still working. Fresh draft.

#2660

peisuke

authfix(oauth): narrow context.lock scope in async_auth_flow

3d old

+259-17

bot-release (1) — Changesets 'Version Packages' — release trigger, not for triage.

#2451

app/github-actions

chore: weekly dependency update

release bot PR

+1140-1001

40d

Volume

Open PRs

↑ 18.75%

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

143

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

Median

↑ 218.92%

12h

P90

—

14d

P95

—

21d

Merge Time

Average

—

Median

↑ 125.33%

PRs Needing Maintainer Review

Open PRs with no maintainer review (excludes drafts from counts)

No Maintainer Review

↑ 35.29%

>24 hours

No Maintainer Review

—

>7 days

PRs Awaiting Maintainer Review

Sorted by longest wait time first

PR	Title	Author	Size	Reviews	Waiting
#1120 (draft)	WIP: Reduce copies, eliminate a lot of UTF-16 transcoding	Tyler-IN	+2145 -425	1	152d
#1238	ClientOAuthProvider.Scopes have priority again (#1236)	halllo	+45 -3	0	111d
#1367	Mcp.core.distributed	xiangyan99	+4033 -1	2	90d
#1393 (draft)	ProtectedMcpServer: enforce per-user concurrent tool-call limit with `PartitionedRateLimiter` in call-tool filter	copilot-swe-agent	+35 -1	0	88d
#1423	Augment conceptual docs with Docker-based MCP server deployment guidance	john-mckillip	+224 -94	0	75d
#1444	fix: propagate auth errors (401/403) immediately instead of falling b…	xue-cai	+72 -1	0	70d
#1474	Implement authorization server binding and credential isolation (MCP SEP-2352)	copilot-swe-agent	+376 -3	0	57d
#1496	feature: Added configurable token endpoint auth method selection	RobotechUSA	+26 -1	0	53d
#1495	Fix flaky DiagnosticTests.Session_TracksActivities by waiting for full server activity predicate	copilot-swe-agent	+28 -13	0	53d
#1501	Add HTTP call completion logging for exceptions and non-success status codes	copilot-swe-agent	+86 -8	0	52d
#1499 (draft)	Fix McpTask double-wrapping when tool returns its own task	copilot-swe-agent	+150 -1	0	52d
#1517	Fix: Relax resource URI validation to accept base URL	JBallan	+64 -11	2	40d
#1519	Release SSE response stream reference when GET request ends	joelmforsyth	+94 -23	0	38d
#1532	feat(server): support external description sources on McpServerTool attribute	MukundaKatta	+263 -4	0	28d
#1531	perf(server): skip IdleTrackingBackgroundService timer in stateless mode	MukundaKatta	+61 -0	0	28d
#1530	fix(client): preserve underlying status code in AutoDetect probe	MukundaKatta	+140 -8	0	28d
#1569	Bump danielpalme/ReportGenerator-GitHub-Action from 5.5.5 to 5.5.10	dependabot	+1 -1	0	14d
#1579 (draft)	[WIP] Implement SEP-2663 Tasks Extension	PranavSenthilnathan	+3848 -11858	0	9d
#1583	Bump JsonSchema.Net and System.Linq.AsyncEnumerable	dependabot	+2 -2	0	7d
#1582	Bump coverlet.collector from 10.0.0 to 10.0.1	dependabot	+1 -1	0	7d
#1586	Bump Microsoft.Extensions.AI.Abstractions from 10.5.2 to 10.6.0	dependabot	+1 -1	0	7d
#1585	Bump Microsoft.Extensions.AI from 10.5.2 to 10.6.0	dependabot	+1 -1	0	7d
#1584	Bump Anthropic from 12.17.0 to 12.21.0	dependabot	+1 -1	0	7d
#1597	Bump qs from 6.14.2 to 6.15.2 in the npm_and_yarn group across 1 directory	dependabot	+3 -3	0	2d
#1600	Require Tool inputSchema during deserialization	DragonFSKY	+9 -0	0	1d
#1599	Add McpClientOptions.InitializeMeta to set _meta on the initialize request	adityasingh2400	+61 -0	0	1d
#1598	Remove explicit SSE content encoding	DragonFSKY	+2 -3	0	1d

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Actionable vs target

↓ 3.85%

Auth

—

Actioned (7d)

—

18 in last 30d

Merged (7d)

—

33 in last 30d

Hours to clear

↑ 4.55%

~9.2

1st review > 7d

—

of 17 eligible

Re-review > 24h

—

of 0 eligible

Maintainer > 24h

—

of 4 eligible

Stats — volume, timing, size distribution

Volume

Open PRs

↓ 6.67%

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

115

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

11d

Median

↓ 5.65%

P90

—

29d

P95

—

38d

Merge Time

Average

—

Median

↓ 67.83%

21h

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Breakdown by tier

Tier	Count	Auth	Maint.	~Time
0 — Press a button	1	1	0	1m
1 — We're blocking someone	4	2	4	1.3h
3 — Intake	16	5	0	7.8h
4 — Hygiene	1	1	0	5m
5 — Close candidates	3	2	0	3m
total actionable	25	11	4	9.2h
not our move	3	—	—	—

Press a button (1) ⊕ ⊖

Already approved or already decided — ready for action.

1 SLA1 auth needs-merge (1) — Approved and CI-green — ready to merge.

#227

tnorimat

1st-reviewauthfeat: scenario option for authorization server test

approved 34d ago, green

+216-3

40d

We're blocking someone (4) ⊕ ⊖

Author did what we asked and is waiting on us. Longest-waiting first.

4 SLA2 auth maintainer-intake (4) — Maintainer-authored PR awaiting review from another maintainer.

#73	pcarleton	maintainerAdd SSE polling Phase 2 and Phase 3 tests (SEP-1699)	174d, no maintainer has looked yet	+691-1	174d
#106	pcarleton	maintainerauthfeat: add step-up auth scenario for server auth testing	131d, no maintainer has looked yet	+346-1	131d
#203	pcarleton	maintainerauthfix: rename routePrefix to issuerPath and add issuer-mismatch scenario	56d, no maintainer has looked yet	+150-20	56d
#241	pja-ant	maintainerfeat: conformance scenario for MCP-Protocol-Version header 400	33d, no maintainer has looked yet	+461-0	33d

Intake (16) ⊕ ⊖

PRs not yet reviewed by a maintainer. Oldest first.

9 SLA4 auth needs-first-review (13) — Not yet reviewed by a maintainer.

#222	codefromthecrypt	1st-reviewAdd stateless server conformance test	45d	+609-1	45d
#224	alexdoroshevich	1st-reviewfeat: add version negotiation conformance tests (closes #102)	43d	+1210-0	43d
#228	Michito-Okai	1st-reviewauthfeat: add JSON-based setup option to authorization server conformance…	40d	+63-5	40d
#235	tnorimat	1st-reviewauthfeat: check for CIMD of authorization server metadata	39d	+138-17	39d
#236	jeffhandley	1st-reviewAdd partial-run support and fix implicit skip handling in tier audit	39d	+573-138	38d
#257	malladinagarjuna2	1st-reviewfeat: Add multi-stage Docker build and GHCR publishing workflow	29d	+86-0	29d
#263	blackwell-systems	1st-reviewfix(tier-check): swap server/client scenario lists in conformance reconciliation	20d	+7-7	20d
#264	app/dependabot	1st-reviewchore(deps): bump the npm_and_yarn group across 2 directories with 1 update	19d	+14-14	19d
#268	coding-bobo	1st-reviewauthfeat(auth): client conformance for Workload Identity Federation (SEP-1933)	13d	+1216-4	13d
#298	adityachilka1	fix: avoid bash backslash mangling of github.action_path on Windows (fixes #150)	4d	+2-2	4d
#310	panyam	feat(sep-2549): add absence-assert and explicit-zero wire-distinction checks	2d	+220-0	2d
#314	panyam	authfix(docs): correct two specReferences[].url strings that 404	2d	+2-2	2d
#316	pugsatoshi	fix: send HTTP DELETE to terminate server sessions after each scenario	1d	+115-8	1d

2 SLA1 auth community-reviewed (3) — Community members have reviewed, but no maintainer has engaged yet.

#262	panyam	1st-reviewFeat/tasks mrtr extension	20d, reviewed by LucaButBoring (SLA breach)	+4520-2	20d
#267	Michito-Okai	1st-reviewauthfeat: add positive tests for the Authorization Code Grant	14d, reviewed by tnorimat (SLA breach)	+733-23	14d
#299	adityachilka1	fix(initialize scenario): return 202 No Content for notifications (closes #274)	4d, reviewed by nbarbettini	+6-0	4d

Hygiene (1) ⊕ ⊖

Batchable procedural ops — pings, rebases, peer reviews.

1 auth stale-awaiting-author (1) — Changes requested over two weeks ago with no author response.

#139

jdmaturen

authfeat: add token refresh and rotation conformance scenarios

101d since feedback

+612-47

106d

Close candidates (3) ⊕ ⊖

Likely to be closed — inactive, stale, or needing more context. Reviewed before closing.

2 auth pre-ci-ghost (3) — Over 90 days old and CI never ran.

#64	tobinsouth	authAdd server OAuth protection conformance tests	CI never ran, 180d old	+4101-9	180d
#155	wdawson	authImprovements to the Draft Server Auth Conformance tests	CI never ran, 95d old	+8122-2049	95d
#165	lux999	fix: tools-call-simple-text now fails when tool returns isError: true	CI never ran, 91d old	+10-2	91d

Not our move (3) ⊕ ⊖

Clock is on the author or blocked externally. No action owed today.

1 auth parked (2) — Maintainer draft >30d, intentionally shelved.

#105	pcarleton	authfeat: Add server auth conformance tests	maintainer draft, 131d	+1756-55	131d
#137	pcarleton	feat: add notification isolation tests for GHSA-345p-7cg4-v4c7	maintainer draft, 109d	+1607-19	109d

draft-active (1) — Author is still working. Fresh draft.

#308

olaservo

feat: add SEP-2106 structuredContent wire-shape scenario (complements #295)

3d old

+679-0

Volume

Open PRs

↑ 11.76%

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

15d

Median

—

11d

P90

—

20d

P95

—

49d

Merge Time

Average

—

19d

Median

—

18d

PRs Needing Maintainer Review

Open PRs with no maintainer review (excludes drafts from counts)

No Maintainer Review

↑ 18.18%

>24 hours

No Maintainer Review

—

>7 days

PRs Awaiting Maintainer Review

Sorted by longest wait time first

PR	Title	Author	Size	Reviews	Waiting
#88	feat: add Microsoft Edge AppleScript example for macOS	ntindle	+952 -1	0	283d
#103	Add Python package MCP server example with bundling support	stephaneberle9	+256 -6	0	252d
#134	chore(lint): upgrade ESLint prettier rule to error	loc	+2 -3	3	209d
#170	build(deps): bump tar from 7.5.1 to 7.5.2 in the npm_and_yarn group across 1 directory	dependabot	+3 -3	0	172d
#181	fix(Validation): Make "mcp_config" optional when using uv	daemuth	+122 -52	0	127d
#195	Fix PKCS#7 signature verification	vcolin7	+190 -61	0	93d
#213	Add tests for CLI init helpers and improve parameter naming for testability	coding-creed-technologies	+1132 -17	1	66d
#222	feat: add prepare-for-signing and apply-signature for enterprise HSM signing	bryan-anthropic	+519 -1	1	59d
#227	fix: validate version field is valid semver	bryan-anthropic	+112 -0	1	41d
#237	Fix `approrpiate` -> `appropriate` typo in MANIFEST.md	pikammmmm	+1 -1	1	23d
#242	fix: add field descriptions to v0.4 manifest schema	pl4nty	+108 -44	1	15d
#249	fix: narrow over-broad default pack exclude patterns	adityasingh2400	+106 -2	1	1d
#248	fix(validate): only recommend 512x512 icon size when the icon isn't already 512x512	adityasingh2400	+118 -7	1	1d

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines

Volume

Open PRs

↑ 2.94%

Draft PRs

—

Opened

—

last 7 days

Opened

—

last 30 days

Opened

—

119

last 90 days

Merged

—

last 7 days

Merged

—

last 30 days

Merged

—

last 90 days

Closed Unmerged

—

last 90 days

Time to First Review

Average

—

12d

Median

↑ 82.12%

P90

—

37d

P95

—

49d

Merge Time

Average

—

Median

↓ 50.00%

PRs Needing Maintainer Review

Open PRs with no maintainer review (excludes drafts from counts)

No Maintainer Review

↑ 3.57%

>24 hours

No Maintainer Review

—

>7 days

PRs Awaiting Maintainer Review

Sorted by longest wait time first

PR	Title	Author	Size	Reviews	Waiting
#189	fix: defer initial size measurement to ResizeObserver	nidhiyashwanth	+1 -2	0	156d
#214	Examples: D3 graph and Recharts chart	iamfiscus	+3265 -18	0	137d
#273	Enforce correct UI resource. Remove backwards compatibility in `getToolUiResourceUri`.	matteo8p	+6 -25	0	130d
#291	chore: :lock: npm audit fix	james-lafferty	+24 -3	0	129d
#296	Add Resource Template support to basic-host	rinormaloku	+23 -6	0	127d
#378	Create initial proposal for apps declaring trusted types	connor4312	+124 -3	0	117d
#377	build(deps): bump hono from 4.11.6 to 4.11.7 in the npm_and_yarn group across 1 directory	dependabot	+3 -387	0	117d
#384	fix: update Playwright snapshots for ShaderToy and Wiki Explorer	yaniv-golan	+0 -0	0	117d
#390	Add a pattern for a deferred tool resulting using UI interaction	connor4312	+213 -1	0	116d
#405	New example MCP App: DICOM Viewer	ThalesMMS	+1707 -1	6	115d
#425 (draft)	Fetch That Works in MCP Apps	MiguelsPizza	+9835 -630	0	111d
#424	Add cross-host portability guide for MCP Apps	hatgit	+75 -0	0	111d
#432	fix(examples): resolve CSP 'unsafe-eval' violation in threejs-server	Robloncz	+32 -10	2	109d
#453	feat: Add basic-server-angular example	Avcharov	+17874 -6785	0	101d
#468	Add Stitch Design server example	jayeshvpatil	+3512 -0	0	96d
#473	Rename apps.mdx to ext-apps.mdx	jabidahscreationssystems	+0 -0	0	95d
#531	Feat/create elicitation UI	Avcharov	+377 -24	0	80d
#552 (draft)	feat: implement subscribe/unsubscribe methods for multiple event handlers	Avcharov	+399 -35	0	72d
#553	feat(spec): add renderTiming to McpUiToolMeta for deferred View rendering	netanelavr	+113 -0	0	71d
#596	Add tananchadevelopment.link file	Bang2985	+0 -0	0	53d
#609	--- name: create-mcp-app description: This skill should be used when …	akonjet5	+185 -0	0	45d
#608	Rename tsconfig.json to tsconfig.json	akonjet5	+0 -0	0	45d
#610	example dotnet angular host	halllo	+10826 -1	0	43d
#636	feat: add angular basic example	dalenguyen	+2319 -3	0	33d
#641	feat(transport): add forHostIframe helper and improve init timeout message	netanelavr	+168 -0	0	28d
#645	Add MseeP.ai badge	mseep-ai	+2 -0	0	27d
#650	docs: add mcp-use inspector badge to supported clients	khandrew1	+1 -0	0	20d
#653	spec(draft): add missing HostCapabilities fields (updateModelContext and message)	hydrosquall	+31 -8	2	19d
#656	feat(types,spec): add tools field to McpUiHostCapabilities	saaage	+17 -0	0	18d
#657	Fix broken documentation links	aqilaziz	+2 -2	0	17d
#663	Allows passing input as a query param like other options from the demo app	katerberg	+13 -6	0	4d

PR Size Distribution

Open PRs by lines changed

Small

—

<100 lines

Medium

—

100-500 lines

Large

—

>500 lines