actionmcp 0.71.0 → 0.72.0

data/lib/action_mcp/client/streamable_http_transport.rb

@@ -13,12 +13,16 @@ module ActionMCP
       SSE_TIMEOUT = 10
       ENDPOINT_TIMEOUT = 5
 
-      attr_reader :session_id, :last_event_id
+      attr_reader :session_id, :last_event_id, :protocol_version
 
-      def initialize(url, session_store:, session_id: nil, oauth_provider: nil, **options)
+      def initialize(url, session_store:, session_id: nil, oauth_provider: nil, jwt_provider: nil,
+                     protocol_version: nil, **options)
         super(url, session_store: session_store, **options)
         @session_id = session_id
         @oauth_provider = oauth_provider
+        @jwt_provider = jwt_provider
+        @protocol_version = protocol_version || ActionMCP::DEFAULT_PROTOCOL_VERSION
+        @negotiated_protocol_version = nil
         @last_event_id = nil
         @buffer = +""
         @current_event = nil
@@ -38,8 +42,9 @@ module ActionMCP
         # Start SSE stream if server supports it
         start_sse_stream
 
-        set_connected(true)
+        # Set ready first, then connected (so transport is ready when on_connect fires)
         set_ready(true)
+        set_connected(true)
         log_debug("StreamableHTTP connection established")
         true
       rescue StandardError => e
@@ -62,9 +67,7 @@ module ActionMCP
       end
 
       def send_message(message)
-        unless ready?
-          raise ConnectionError, "Transport not ready"
-        end
+        raise ConnectionError, "Transport not ready" unless ready?
 
         headers = build_post_headers
         json_data = message.is_a?(String) ? message : message.to_json
@@ -98,7 +101,13 @@ module ActionMCP
         }
         headers["mcp-session-id"] = @session_id if @session_id
         headers["Last-Event-ID"] = @last_event_id if @last_event_id
+
+        # Add MCP-Protocol-Version header for GET requests when we have a negotiated version
+        headers["MCP-Protocol-Version"] = @negotiated_protocol_version if @negotiated_protocol_version
+
         headers.merge!(oauth_headers)
+        headers.merge!(jwt_headers)
+        log_debug("Final GET headers: #{headers}")
         headers
       end
 
@@ -108,7 +117,14 @@ module ActionMCP
           "Accept" => "application/json, text/event-stream"
         }
         headers["mcp-session-id"] = @session_id if @session_id
+
+        # Add MCP-Protocol-Version header as per 2025-06-18 spec
+        # Only include when we have a negotiated version from previous handshake
+        headers["MCP-Protocol-Version"] = @negotiated_protocol_version if @negotiated_protocol_version
+
         headers.merge!(oauth_headers)
+        headers.merge!(jwt_headers)
+        log_debug("Final POST headers: #{headers}")
         headers
       end
 
@@ -133,6 +149,7 @@ module ActionMCP
         @http_client.get(@url, nil, headers) do |req|
           req.options.on_data = proc do |chunk, _bytes|
             break if @stop_requested
+
             process_sse_chunk(chunk)
           end
         end
@@ -161,9 +178,9 @@ module ActionMCP
 
         lines.each do |line|
           if line.start_with?("id:")
-            event_id = line[3..-1].strip
+            event_id = line[3..].strip
           elsif line.start_with?("data:")
-            data_lines << line[5..-1].strip
+            data_lines << line[5..].strip
           end
         end
 
@@ -180,11 +197,9 @@ module ActionMCP
         end
       end
 
-      def handle_post_response(response, original_message)
+      def handle_post_response(response, _original_message)
         # Extract session ID from response headers
-        if response.headers["mcp-session-id"]
-          @session_id = response.headers["mcp-session-id"]
-        end
+        @session_id = response.headers["mcp-session-id"] if response.headers["mcp-session-id"]
 
         case response.status
         when 200
@@ -216,12 +231,17 @@ module ActionMCP
       end
 
       def handle_json_response(response)
-        begin
-          message = MultiJson.load(response.body)
-          handle_message(message)
-        rescue MultiJson::ParseError => e
-          log_error("Failed to parse JSON response: #{e}")
+        message = MultiJson.load(response.body)
+
+        # Check if this is an initialize response to capture negotiated protocol version
+        if message.is_a?(Hash) && message["result"] && message["result"]["protocolVersion"]
+          @negotiated_protocol_version = message["result"]["protocolVersion"]
+          log_debug("Negotiated protocol version: #{@negotiated_protocol_version}")
         end
+
+        handle_message(message)
+      rescue MultiJson::ParseError => e
+        log_error("Failed to parse JSON response: #{e}")
       end
 
       def handle_sse_response_stream(response)
@@ -232,10 +252,8 @@ module ActionMCP
       end
 
       def handle_error_response(response)
-        error_msg = "HTTP #{response.status}: #{response.reason_phrase}"
-        if response.body && !response.body.empty?
-          error_msg << " - #{response.body}"
-        end
+        error_msg = +"HTTP #{response.status}: #{response.reason_phrase}"
+        error_msg << " - #{response.body}" if response.body && !response.body.empty?
         raise ConnectionError, error_msg
       end
 
@@ -280,7 +298,7 @@ module ActionMCP
           id: @session_id,
           last_event_id: @last_event_id,
           session_data: {},
-          protocol_version: PROTOCOL_VERSION
+          protocol_version: @protocol_version
         }
 
         @session_store.save_session(@session_id, session_data)
@@ -290,21 +308,39 @@ module ActionMCP
       def oauth_headers
         return {} unless @oauth_provider&.authenticated?
 
-        @oauth_provider.authorization_headers
+        headers = @oauth_provider.authorization_headers
+        log_debug("OAuth headers: #{headers}") unless headers.empty?
+        headers
       rescue StandardError => e
         log_error("Failed to get OAuth headers: #{e.message}")
         {}
       end
 
-      def handle_authentication_error(response)
-        return unless @oauth_provider
+      def jwt_headers
+        return {} unless @jwt_provider&.authenticated?
 
+        headers = @jwt_provider.authorization_headers
+        log_debug("JWT headers: #{headers}") unless headers.empty?
+        headers
+      rescue StandardError => e
+        log_error("Failed to get JWT headers: #{e.message}")
+        {}
+      end
+
+      def handle_authentication_error(response)
         # Check for OAuth challenge in WWW-Authenticate header
         www_auth = response.headers["www-authenticate"]
-        if www_auth&.include?("Bearer")
-          log_debug("Received OAuth challenge, clearing tokens")
+        return unless www_auth&.include?("Bearer")
+
+        if @oauth_provider
+          log_debug("Received OAuth challenge, clearing OAuth tokens")
           @oauth_provider.clear_tokens!
         end
+
+        return unless @jwt_provider
+
+        log_debug("Received Bearer challenge, clearing JWT tokens")
+        @jwt_provider.clear_tokens!
       end
 
       def user_agent

data/lib/action_mcp/client.rb

@@ -4,6 +4,7 @@ require_relative "client/transport"
 require_relative "client/session_store"
 require_relative "client/streamable_http_transport"
 require_relative "client/oauth_client_provider"
+require_relative "client/jwt_client_provider"
 
 module ActionMCP
   # Creates a client appropriate for the given endpoint.
@@ -13,6 +14,8 @@ module ActionMCP
   # @param session_store [Symbol] The session store type (:memory, :active_record)
   # @param session_id [String] Optional session ID for resuming connections
   # @param oauth_provider [ActionMCP::Client::OauthClientProvider] Optional OAuth provider for authentication
+  # @param jwt_provider [ActionMCP::Client::JwtClientProvider] Optional JWT provider for authentication
+  # @param protocol_version [String] The MCP protocol version to use (defaults to ActionMCP::DEFAULT_PROTOCOL_VERSION)
   # @param logger [Logger] The logger to use. Default is Logger.new($stdout).
   # @param options [Hash] Additional options to pass to the client constructor.
   #
@@ -46,7 +49,17 @@ module ActionMCP
   #     "http://127.0.0.1:3001/action_mcp",
   #     oauth_provider: oauth_provider
   #   )
-  def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil, oauth_provider: nil, logger: Logger.new($stdout), **options)
+  #
+  # @example With JWT authentication
+  #   jwt_provider = ActionMCP::Client::JwtClientProvider.new(
+  #     token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
+  #   )
+  #   client = ActionMCP.create_client(
+  #     "http://127.0.0.1:3001/action_mcp",
+  #     jwt_provider: jwt_provider
+  #   )
+  def self.create_client(endpoint, transport: :streamable_http, session_store: nil, session_id: nil,
+                         oauth_provider: nil, jwt_provider: nil, protocol_version: nil, logger: Logger.new($stdout), **options)
     unless endpoint =~ %r{\Ahttps?://}
       raise ArgumentError, "Only HTTP(S) endpoints are supported. STDIO and other transports are not supported."
     end
@@ -55,11 +68,13 @@ module ActionMCP
     store = Client::SessionStoreFactory.create(session_store, **options)
 
     # Create transport
-    transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id, oauth_provider: oauth_provider, logger: logger, **options)
+    transport_instance = create_transport(transport, endpoint, session_store: store, session_id: session_id,
+                                                               oauth_provider: oauth_provider, jwt_provider: jwt_provider, protocol_version: protocol_version, logger: logger, **options)
 
     logger.info("Creating #{transport} client for endpoint: #{endpoint}")
-    # Pass session_id to the client
-    Client::Base.new(transport: transport_instance, logger: logger, session_id: session_id, **options)
+    # Pass session_id and protocol_version to the client
+    Client::Base.new(transport: transport_instance, logger: logger, session_id: session_id,
+                     protocol_version: protocol_version, **options)
   end
 
   private_class_method def self.create_transport(type, endpoint, **options)

data/lib/action_mcp/configuration.rb

@@ -53,7 +53,7 @@ module ActionMCP
 
     def initialize
       @logging_enabled = true
-      @list_changed = false
+      @list_changed = true
       @logging_level = :info
       @resources_subscribe = false
       @elicitation_enabled = false
@@ -67,7 +67,7 @@ module ActionMCP
 
       @sse_heartbeat_interval = 30
       @post_response_preference = :json
-      @protocol_version = "2025-03-26"  # Default to legacy for backwards compatibility
+      @protocol_version = "2025-03-26" # Default to legacy for backwards compatibility
 
       # Resumability defaults
       @sse_event_retention_period = 15.minutes
@@ -93,8 +93,8 @@ module ActionMCP
 
     def gateway_class
       if @gateway_class_name
-        klass = @gateway_class_name.constantize
-        klass
+        @gateway_class_name.constantize
+
       else
         @gateway_class
       end
@@ -117,22 +117,16 @@ module ActionMCP
         raise "Invalid MCP config file" unless app_config.is_a?(Hash)
 
         # Extract authentication configuration if present
-        if app_config["authentication"]
-          @authentication_methods = Array(app_config["authentication"])
-        end
+        @authentication_methods = Array(app_config["authentication"]) if app_config["authentication"]
 
         # Extract OAuth configuration if present
-        if app_config["oauth"]
-          @oauth_config = HashWithIndifferentAccess.new(app_config["oauth"])
-        end
+        @oauth_config = HashWithIndifferentAccess.new(app_config["oauth"]) if app_config["oauth"]
 
         # Extract other top-level configuration settings
         extract_top_level_settings(app_config)
 
         # Extract profiles configuration
-        if app_config["profiles"]
-          @profiles = app_config["profiles"]
-        end
+        @profiles = app_config["profiles"] if app_config["profiles"]
       rescue StandardError => e
         # If the config file doesn't exist in the Rails app, just use the defaults
         Rails.logger.warn "[Configuration] Failed to load MCP config: #{e.class} - #{e.message}"
@@ -192,20 +186,16 @@ module ActionMCP
 
       # Check profile configuration instead of registry contents
       # If profile includes tools (either "all" or specific tools), advertise tools capability
-      if profile && profile[:tools] && profile[:tools].any?
-        capabilities[:tools] = { listChanged: @list_changed }
-      end
+      capabilities[:tools] = { listChanged: @list_changed } if profile && profile[:tools]&.any?
 
       # If profile includes prompts, advertise prompts capability
-      if profile && profile[:prompts] && profile[:prompts].any?
-        capabilities[:prompts] = { listChanged: @list_changed }
-      end
+      capabilities[:prompts] = { listChanged: @list_changed } if profile && profile[:prompts]&.any?
 
       capabilities[:logging] = {} if @logging_enabled
 
       # If profile includes resources, advertise resources capability
-      if profile && profile[:resources] && profile[:resources].any?
-        capabilities[:resources] = { subscribe: @resources_subscribe }
+      if profile && profile[:resources]&.any?
+        capabilities[:resources] = { subscribe: @resources_subscribe, listChanged: @list_changed }
       end
 
       capabilities[:elicitation] = {} if @elicitation_enabled
@@ -240,12 +230,12 @@ module ActionMCP
 
       # Check if any component type includes "all"
       needs_eager_load = profile[:tools]&.include?("all") ||
-                        profile[:prompts]&.include?("all") ||
-                        profile[:resources]&.include?("all")
+                         profile[:prompts]&.include?("all") ||
+                         profile[:resources]&.include?("all")
 
-      if needs_eager_load
-        ensure_mcp_components_loaded
-      end
+      return unless needs_eager_load
+
+      ensure_mcp_components_loaded
     end
 
     private
@@ -285,51 +275,35 @@ module ActionMCP
       end
 
       # Extract thread pool settings
-      if app_config["min_threads"]
-        @min_threads = app_config["min_threads"]
-      end
+      @min_threads = app_config["min_threads"] if app_config["min_threads"]
 
-      if app_config["max_threads"]
-        @max_threads = app_config["max_threads"]
-      end
+      @max_threads = app_config["max_threads"] if app_config["max_threads"]
 
-      if app_config["max_queue"]
-        @max_queue = app_config["max_queue"]
-      end
+      @max_queue = app_config["max_queue"] if app_config["max_queue"]
 
       # Extract polling interval for solid_cable
-      if app_config["polling_interval"]
-        @polling_interval = app_config["polling_interval"]
-      end
+      @polling_interval = app_config["polling_interval"] if app_config["polling_interval"]
 
       # Extract connects_to setting
-      if app_config["connects_to"]
-        @connects_to = app_config["connects_to"]
-      end
+      @connects_to = app_config["connects_to"] if app_config["connects_to"]
 
       # Extract verbose logging setting
-      if app_config.key?("verbose_logging")
-        @verbose_logging = app_config["verbose_logging"]
-      end
+      @verbose_logging = app_config["verbose_logging"] if app_config.key?("verbose_logging")
 
       # Extract gateway class configuration
-      if app_config["gateway_class"]
-        @gateway_class_name = app_config["gateway_class"]
-      end
+      @gateway_class_name = app_config["gateway_class"] if app_config["gateway_class"]
 
       # Extract session store configuration
-      if app_config["session_store_type"]
-        @session_store_type = app_config["session_store_type"].to_sym
-      end
+      @session_store_type = app_config["session_store_type"].to_sym if app_config["session_store_type"]
 
       # Extract client and server session store types
       if app_config["client_session_store_type"]
         @client_session_store_type = app_config["client_session_store_type"].to_sym
       end
 
-      if app_config["server_session_store_type"]
-        @server_session_store_type = app_config["server_session_store_type"].to_sym
-      end
+      return unless app_config["server_session_store_type"]
+
+      @server_session_store_type = app_config["server_session_store_type"].to_sym
     end
 
     def should_include_all?(type)
@@ -377,6 +351,7 @@ module ActionMCP
         Dir.glob(mcp_path.join("**/*.rb")).sort.each do |file|
           # Skip base classes we already loaded
           next if base_files.any? { |base| file == base.to_s }
+
           require_dependency file
         end
       end

data/lib/action_mcp/engine.rb

@@ -61,9 +61,10 @@ module ActionMCP
       end
     end
 
-    # Configure autoloading for the mcp/tools directory
+    # Configure autoloading for the mcp/tools directory and identifiers
     initializer "action_mcp.autoloading", before: :set_autoload_paths do |app|
       mcp_path = app.root.join("app/mcp")
+      identifiers_path = app.root.join("app/identifiers")
 
       if mcp_path.exist?
         # First add the parent mcp directory
@@ -74,6 +75,9 @@ module ActionMCP
           app.autoloaders.main.collapse(dir)
         end
       end
+
+      # Add identifiers directory for gateway identifiers
+      app.autoloaders.main.push_dir(identifiers_path, namespace: Object) if identifiers_path.exist?
     end
 
     # Initialize the ActionMCP logger.

data/lib/action_mcp/filtered_logger.rb

@@ -16,7 +16,7 @@ module ActionMCP
 
     def add(severity, message = nil, progname = nil, &block)
       # Filter out repetitive OAuth metadata requests
-      if message && message.is_a?(String)
+      if message.is_a?(String)
         return if FILTERED_PATHS.any? { |path| message.include?(path) && message.include?("200 OK") }
 
         # Filter out repetitive MCP notifications

data/lib/action_mcp/gateway.rb

@@ -5,170 +5,80 @@ module ActionMCP
 
   class Gateway
     class << self
-      def identified_by(*attrs)
-        @identifiers ||= []
-        @identifiers.concat(attrs.map(&:to_sym)).uniq!
-        attr_accessor(*attrs)
+      # pluck in one or many GatewayIdentifier classes
+      def identified_by(*klasses)
+        @identifier_classes = klasses.flatten
       end
 
-      def identifiers
-        @identifiers ||= []
+      def identifier_classes
+        @identifier_classes || []
       end
     end
 
-    identified_by :user
-
-    attr_reader :request
-
-    def call(request)
+    def initialize(request)
       @request = request
-      connect
-      self
     end
 
-    def connect
+    # called by your rack/websocket layer
+    def call
       identities = authenticate!
-      reject_unauthorized_connection unless identities.is_a?(Hash)
-
-      # Assign all identities (e.g., :user, :account)
-      self.class.identifiers.each do |id|
-        value = identities[id]
-        reject_unauthorized_connection unless value
-
-        public_send("#{id}=", value)
-
-        # Set to ActionMCP::Current
-        ActionMCP::Current.public_send("#{id}=", value)
-      end
-
-      # Also set the gateway instance itself
-      ActionMCP::Current.gateway = self
+      assign_identities(identities)
+      self
     end
 
-
     protected
 
     def authenticate!
-      auth_methods = ActionMCP.configuration.authentication_methods || [ "jwt" ]
-
-      auth_methods.each do |method|
-        case method
-        when "none"
-          return default_user_identity
-        when "jwt"
-          result = jwt_authenticate
-          return result if result
-        when "oauth"
-          result = oauth_authenticate
-          return result if result
-        end
+      active_identifiers = filter_active_identifiers
+
+      raise ActionMCP::UnauthorizedError, "No authentication methods available" if active_identifiers.empty?
+
+      # Try identifiers in order, use the first one that succeeds
+      last_error = nil
+      active_identifiers.each do |klass|
+        result = klass.new(@request).resolve
+        return { klass.identifier_name => result }
+      rescue ActionMCP::GatewayIdentifier::Unauthorized => e
+        last_error = e
+        # Try next identifier
+        next
       end
 
-      raise UnauthorizedError, "No valid authentication found"
-    end
-
-    def extract_bearer_token
-      header = request.headers["Authorization"] || request.headers["authorization"]
-      return nil unless header&.start_with?("Bearer ")
-      header.split(" ", 2).last
+      # If we get here, all identifiers failed
+      # Use the last specific error message if available, otherwise generic message
+      error_message = last_error&.message || "Authentication failed"
+      raise ActionMCP::UnauthorizedError, error_message
     end
 
-    def resolve_user(payload)
-      return nil unless payload.is_a?(Hash)
-      user_id = payload["user_id"] || payload["sub"]
-      return nil unless user_id
-      user = User.find_by(id: user_id)
-      return nil unless user
-
-      # Return a hash with all identified_by attributes
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        hash[identifier] = user if identifier == :user
-        # Add support for other identifiers as needed
-      end
-    end
-
-    def reject_unauthorized_connection
-      raise UnauthorizedError, "Unauthorized"
-    end
-
-    # Default user identity for "none" authentication
-    def default_user_identity
-      # Return a hash with all identified_by attributes set to a default user
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        if identifier == :user
-          # Create or find a default user for development
-          hash[identifier] = find_or_create_default_user
-        end
-        # Add support for other identifiers as needed
-      end
-    end
-
-    # JWT authentication (existing implementation)
-    def jwt_authenticate
-      token = extract_bearer_token
-      unless token
-        raise UnauthorizedError, "Missing token" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        return nil
-      end
-
-      payload = ActionMCP::JwtDecoder.decode(token)
-      result = resolve_user(payload)
-      unless result
-        raise UnauthorizedError, "Unauthorized" if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        return nil
-      end
-      result
-    rescue ActionMCP::JwtDecoder::DecodeError => e
-      if ActionMCP.configuration.authentication_methods == [ "jwt" ]
-        raise UnauthorizedError, "Invalid token"
-      else
-        nil # Let it try other authentication methods
-      end
-    end
-
-    # OAuth authentication via middleware
-    def oauth_authenticate
-      return nil unless oauth_enabled?
-
-      # Check if OAuth middleware has already validated the token
-      token_info = request.env["action_mcp.oauth_token_info"]
-      return nil unless token_info && token_info["active"]
-
-      resolve_user_from_oauth(token_info)
-    rescue ActionMCP::OAuth::Error
-      nil # Let it try other authentication methods
-    end
-
-    def oauth_enabled?
-      ActionMCP.configuration.authentication_methods&.include?("oauth") &&
-        ActionMCP.configuration.oauth_config.present?
-    end
+    private
 
-    def resolve_user_from_oauth(token_info)
-      return nil unless token_info.is_a?(Hash)
+    def filter_active_identifiers
+      configured_methods = ActionMCP.configuration.authentication_methods || []
 
-      user_id = token_info["sub"] || token_info["user_id"]
-      return nil unless user_id
+      # If no authentication methods configured, use all identifiers
+      return self.class.identifier_classes if configured_methods.empty?
 
-      user = User.find_by(id: user_id) || User.find_by(oauth_subject: user_id)
-      return nil unless user
+      # Normalize configured methods to strings for consistent comparison
+      normalized_methods = configured_methods.map(&:to_s)
 
-      # Return a hash with all identified_by attributes
-      self.class.identifiers.each_with_object({}) do |identifier, hash|
-        hash[identifier] = user if identifier == :user
-        # Add support for other identifiers as needed
+      # Filter identifiers to only those matching configured authentication methods
+      self.class.identifier_classes.select do |klass|
+        normalized_methods.include?(klass.auth_method.to_s)
       end
     end
 
-    def find_or_create_default_user
-      # Only for development/testing with "none" authentication
-      return nil unless Rails.env.development? || Rails.env.test?
+    def assign_identities(identities)
+      identities.each do |name, value|
+        # define accessor on the fly
+        self.class.attr_reader name unless respond_to?(name)
+        instance_variable_set("@#{name}", value)
 
-      if defined?(User)
-        User.find_or_create_by(email: "dev@localhost") do |user|
-          user.name = "Development User" if user.respond_to?(:name=)
-        end
+        # also set current context if you have one
+        ActionMCP::Current.public_send("#{name}=", value) if
+          ActionMCP::Current.respond_to?("#{name}=")
       end
+      ActionMCP::Current.gateway = self if
+        ActionMCP::Current.respond_to?(:gateway=)
     end
   end
 end