feat(codemod): close v1-to-v2 mechanical gaps — outputSchema wrap, importMap entries; drop dead expressMiddleware transform #2361
Changeset detected. Latest commit: 693d091. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
@modelcontextprotocol/client
@modelcontextprotocol/codemod
@modelcontextprotocol/server
@modelcontextprotocol/server-legacy
@modelcontextprotocol/express
@modelcontextprotocol/fastify
@modelcontextprotocol/hono
@modelcontextprotocol/node
…leware transform
- registerTool: also wrap raw outputSchema with z.object() (already did inputSchema/argsSchema/uriSchema)
- importMap: + sdk/server/express.js, + sdk/server/middleware/hostHeaderValidation.js, + sdk/client/auth-extensions.js
- delete expressMiddlewareTransform: it rewrote hostHeaderValidation({allowedHosts:[...]}) -> hostHeaderValidation([...]),
but hostHeaderValidation was (string[]) in every released v1.x. The allowedHosts *option* on createMcpExpressApp /
SSEServerTransport is unchanged v1->v2 (only the import path moved); the transform targeted the wrong API.
- docs/migration/upgrade-to-v2.md: HANDLED/NOT-HANDLED lists updated to match
LGTM — codemod-only mechanical gap-closing; prior review feedback (changeset, README coverage prose, extra importMap entries) is addressed in this revision and the docs now match the shipped transforms.
Overview
This PR is confined to the @modelcontextprotocol/codemod package plus migration/README docs: it adds an outputSchema z.object() wrap to mcpServerApiTransform, adds importMap entries (client/auth-extensions.js, server/express.js, server/middleware/hostHeaderValidation.js, client/middleware.js, shared/auth-utils.js), deletes the dead expressMiddlewareTransform, updates the migration guide/README coverage lists, and adds a patch changeset. No SDK runtime code is touched.
Security risks
None — the change affects a developer-run codemod tool and prose documentation only; no auth, transport, or protocol code paths are modified.
Level of scrutiny
Moderate-low. The codemod is a userland migration aid published as alpha; the worst failure mode is an import left unrewritten (surfaced by the documented tsc --noEmit step), not a runtime defect for SDK consumers. I verified the riskier earlier finding is not present in this revision: schemaParamRemoval.ts is unchanged (TARGET_METHODS is still request/callTool), so the previously flagged custom-method schema-stripping regression does not exist; the new sendRequest test is a negative guard consistent with that. The expressMiddleware deletion is backed by the existing migration-guide statement (from #2360) that every released v1.x already used the string[] signature, and the integration tests were updated to assert the call is left untouched while the import is still rewritten.
Other factors
All prior review threads are addressed: the changeset (codemod-v1-to-v2-gaps.md) now exists, the README no longer lists outputSchema wrapping as manual while correctly keeping the ctx.mcpReq.send() schema-arg drop manual (matching the unchanged transform), and the suggested client/middleware.js / shared/auth-utils.js importMap entries were added. New behavior has direct vitest fixtures (outputSchema wrap, no double-wrap, new import-path rewrites), the doc cross-link anchors (#probe-policy, #per-era-wire-codecs) resolve in support-2026-07-28.md, and the bug-hunting system found no bugs in this revision.
Close 4 mechanical gaps in the v1→v2 codemod and delete a dead transform.
Motivation and Context
The migration-doc audit (#2360) found the codemod handles inputSchema/argsSchema/uriSchema z.object() wrap but not outputSchema; drops the schema arg from client.request()/callTool() but not ctx.mcpReq.send(); and importMap is missing sdk/server/express.js + client/auth-extensions.js. The expressMiddlewareTransform allowedHosts rewrite is dead (every released v1.x already had string[]).
How Has This Been Tested?
codemod suite 348/348 (+7 new fixtures, 3 negative tests correctly inverted), typecheck, lint, docs:check.
Breaking Changes
None — codemod only.
Additional context
Transform count 10→9.
docs/migration/upgrade-to-v2.md HANDLED/NOT-HANDLED lists updated to match.
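
A post-codemod check for the gaps this PR closes, as an added example that is not part of the PR or the codemod: it flags v1 import subpaths still present after migration and outputSchema shapes left as raw object literals. The `@modelcontextprotocol/sdk/` prefix, the regex heuristics, the name `findMigrationGaps` and the sample source are assumptions made for illustration.

```javascript
// Added example, not the project's code. The v1 subpaths below are the ones
// the PR discussion says were added to importMap.
const V1_PREFIX = '@modelcontextprotocol/sdk/'; // assumed v1 package prefix
const NEWLY_MAPPED = [
  'server/express.js',
  'server/middleware/hostHeaderValidation.js',
  'client/auth-extensions.js',
  'client/middleware.js',
  'shared/auth-utils.js',
];

// Static import, dynamic import() or require() of any v1 subpath.
const IMPORT_RE = /(?:from\s*|import\s*\(\s*|require\s*\(\s*)['"]@modelcontextprotocol\/sdk\/([^'"]+)['"]/;
// Raw shape literal `outputSchema: {`; a wrapped one reads `outputSchema: z.object({`.
// Heuristic only: a shape passed through a variable is not detected.
const RAW_OUTPUT_RE = /\boutputSchema\s*:\s*\{/;

function findMigrationGaps(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    const imp = IMPORT_RE.exec(text);
    if (imp) {
      // Paths the codemod now maps should never survive a run; others need manual review.
      const kind = NEWLY_MAPPED.includes(imp[1]) ? 'unrewritten-import' : 'other-v1-import';
      findings.push({ line, kind, detail: V1_PREFIX + imp[1] });
    }
    if (RAW_OUTPUT_RE.test(text)) {
      findings.push({ line, kind: 'raw-outputSchema', detail: text.trim() });
    }
  });
  return findings;
}

// Constructed sample input (not taken from the repository).
const SAMPLE = [
  "import { hostHeaderValidation } from '@modelcontextprotocol/sdk/server/middleware/hostHeaderValidation.js';",
  "import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';",
  "app.use(hostHeaderValidation(['localhost', '127.0.0.1']));",
  "server.registerTool('sum', { inputSchema: z.object({ a: z.number() }), outputSchema: { total: z.number() } }, handler);",
  "server.registerTool('ok', { outputSchema: z.object({ done: z.boolean() }) }, handler);",
].join('\n');

console.log(findMigrationGaps(SAMPLE));
```

The hostHeaderValidation call on line 3 of the sample is deliberately not flagged: per the discussion above, its string[] argument is unchanged and only the import path moves.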