Skip to content

Upstream 20260501#19

Merged
andylim-duo merged 15 commits intomainfrom
upstream-20260501
May 4, 2026
Merged

Upstream 20260501#19
andylim-duo merged 15 commits intomainfrom
upstream-20260501

Conversation

@andylim-duo
Copy link
Copy Markdown
Owner

@andylim-duo andylim-duo commented May 4, 2026
edited
Loading

Summary

Merge upstream modelcontextprotocol/python-sdk main (as of 2026-05-01) into our fork, preserving multi-tenant isolation features.

Upstream changes included

Merge conflict resolutions

Four files had conflicts between upstream's structural changes and our tenant-scoped storage model:

File Resolution
src/mcp/server/lowlevel/server.py Kept upstream's OTel span structure; grafted tenant_id_var propagation into the new _handle_request; removed duplicate handler block from conflict
src/mcp/server/mcpserver/resources/resource_manager.py Kept tenant-scoped dict[str | None, dict[str, Resource]] type; added upstream's resources= constructor parameter with bulk init
src/mcp/server/mcpserver/tools/tool_manager.py Same pattern — kept tenant-scoped dict, adopted upstream's tools= constructor kwarg
tests/server/mcpserver/resources/test_resource_manager.py Replaced class-method tests with upstream's top-level functions; ported tenant template-duplicate tests; fixed _templates direct write to use add_template()

Context merging fix

Upstream's context-aware streams propagate the sender's (client-side) contextvars.Context to server handlers for OTel trace correlation. This shadowed our tenant_id_var (set server-side) in the in-memory transport.

Fix: Added merge_contexts(sender, server) in src/mcp/shared/_context.py — creates a new context using the sender as base with server-side vars overlaid. Server wins on conflict, preventing clients from spoofing tenant_id_var.

Documentation updates

  • docs/multi-tenancy.md — added Context Merging architecture section, security notes on ctx.meta being client-controlled, documented decorator/constructor global-scope limitations
  • docs/migration.md — added bug fix entry for context propagation with link to multi-tenancy guide

Test plan

  • All 9 multi-tenancy E2E tests pass (6 were previously broken by context propagation change)
  • 7 new merge_contexts unit tests (sender-only, server-only, both, conflict, tenant spoof, empty cases)
  • New integration test: test_sender_context_and_tenant_id_coexist verifies both client contextvar and server tenant_id_var visible in handler
  • Upstream test_context_propagation still passes
  • Full suite: 1282 passed, 98 skipped, 1 xfailed, 0 failed
  • pyright: 0 errors
  • ruff: all checks passed
  • markdownlint: passed

Kludex and others added 14 commits March 31, 2026 12:49
@Kludex
Propagate contextvars.Context through anyio streams without modifying…
e6235d1 
… SessionMessage (modelcontextprotocol#2298)
@maxisbey
Don't block the event loop on sync resource and prompt functions (mod…
3ce0f76 
…elcontextprotocol#2380)
@Kludex
Add basic OpenTelemetry tracing for client and server requests (model…
37891f4 
…contextprotocol#2381)
@dependabot
chore(deps): bump requests from 2.32.5 to 2.33.0 in the uv group acro…
d5b9155 
…ss 1 directory (modelcontextprotocol#2350)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@Kludex
Use shared is_async_callable instead of `inspect.iscoroutinefunctio…
cf4e435 
…n` (modelcontextprotocol#2389)
@maxisbey
docs: fill migration guide gaps surfaced by automated upgrade eval (m…
f27d2aa 
…odelcontextprotocol#2412)
@mplemay @Kludex
Add resources parameter to MCPServer (modelcontextprotocol#2414)
c5f12ec 
Co-authored-by: Marcelo Trylesinski <marcelotryle@gmail.com>
@dependabot
chore(deps): bump cryptography from 46.0.5 to 46.0.7 in the uv group …
8f806da 
…across 1 directory (modelcontextprotocol#2406)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@maxisbey
docs: modernize development guidelines and rename to AGENTS.md (model…
941089e 
…contextprotocol#2413)
@felixweinberger
fix(auth): coerce empty-string optional URL fields to None in OAuthCl…
2dfb51a 
…ientMetadata (modelcontextprotocol#2404)
@maxisbey
fix: catch PydanticUserError when generating output schema (pydantic …
5cbd259 
…2.13 compat) (modelcontextprotocol#2434)
@wdawson
SEP-2207: Refresh token guidance (modelcontextprotocol#2039)
437d15a
@paikend @claude @maxisbey
fix: align Context logging methods with MCP spec data type (modelcont…
3d7b311 
…extprotocol#2366)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Max Isbey <224885523+maxisbey@users.noreply.github.com>
@andylim-duo
Merge remote-tracking branch 'upstream/main' into upstream-20260501
b87f7b1
@andylim-duo andylim-duo self-assigned this May 4, 2026
@andylim-duo @claude
fix: formatting and coverage for CI
2fb900d 
- Add missing blank line after merge_contexts (pre-commit)
- Remove try/finally in test to fix branch coverage gap

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@andylim-duo andylim-duo merged commit bfe7e53 into main May 4, 2026
25 checks passed
@andylim-duo andylim-duo deleted the upstream-20260501 branch May 4, 2026 20:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@andylim-duo andylim-duo

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@andylim-duo @Kludex @maxisbey @mplemay @felixweinberger @wdawson @paikend