Documentation
¶
Overview ¶
Package mcpmw provides MCP-specific HTTP middleware: JSON-RPC envelope rewriting, Origin allowlist, and (in later versions) audit emitter wrapping.
Each middleware is a standard `func(http.Handler) http.Handler` so it composes with any HTTP framework that can wrap handlers.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Envelope ¶
Envelope rewrites plain-text HTTP error responses on the MCP transport into canonical JSON-RPC 2.0 error envelopes.
The Streamable HTTP handler from the upstream Go MCP SDK uses http.Error for protocol-level rejections (parse errors, unknown methods, missing params). Those escape the SDK as text/plain bodies that strict MCP clients (Inspector, Claude Code) misreport as transport-level failures rather than the actual JSON-RPC -326xx errors they really are.
Behaviour:
- Only intercepts POST. Other methods pass through untouched.
- Buffers the response in memory until the first byte (or end of handler). If the SDK starts streaming an SSE response (Content-Type: text/event-stream) or returns a non-error status (< 400), the buffered state is flushed verbatim and the writer falls back to pass-through — so successful streaming responses are unaffected.
- For 4xx text/plain responses with a known SDK error prefix, rewrites them as a canonical JSON-RPC envelope with HTTP 200.
- 401 / 403 / 404 / 415 / other transport-level codes pass through untouched so WWW-Authenticate, Origin enforcement, etc. survive.
The original SDK error message is preserved in the envelope's `error.data` field so callers can debug. Per MCP transport guidance, JSON-RPC error responses use HTTP 200; the JSON `error` object is the truth.
Originally extracted from vorrent/internal/mcpserver/jsonrpc_envelope.go.
Types ¶
type OriginConfig ¶
type OriginConfig struct {
// Allowed is the set of permitted Origin header values (exact match).
// Empty means no browser clients are allowed (loopback may still be
// permitted via AllowLoopback).
Allowed []string
// AllowLoopback permits Origin values that resolve to a loopback host
// (127.0.0.0/8, ::1, or the literal "localhost"). Set true in dev.
AllowLoopback bool
// OnDeny, if set, is called instead of writing the default 403 response.
// Use this to integrate with the consumer's error-envelope conventions.
OnDeny func(w http.ResponseWriter, r *http.Request, origin string)
}
OriginConfig configures the Origin allowlist middleware.