[MCP] v1 CLI + E2E + PR-1 follow-ups (consolidated: #621, #623)

[kylebernhardy]

Summary

PR-2 of the consolidated MCP v1 rollout (sequel to PR #856). Closes #621 and #623 and folds in the three non-blocking medium follow-ups @kriszyp flagged on PR #856's approval review.

• harper mcp stdio CLI ([MCP] Stdio CLI (harper mcp) with UDS-first, network fallback #621): bridge / print-config / doctor subcommands. UDS-first connect (no creds, filesystem-perm-gated) with HTTPS fallback. Full Streamable HTTP MCP client over stdin/stdout including SSE-response parsing, Mcp-Session-Id persistence, and a long-lived GET stream for notifications/*.
• SDK-driven E2E suite ([MCP] E2E tests, docs, and migration from external addon #623): integrationTests/mcp/sdk.test.ts runs against a real Harper boot via @modelcontextprotocol/sdk@^1.29 (added as devDep). Validates spec conformance from the reference client.
• PR-1 follow-ups carried forward ([MCP] v1 tools surface + listChanged + audit/rate-limit (consolidated: #617, #618, #619, #620, #622) #856 review):
  • sessionRegistry: idle-prune sweep + SSE on-close hook so dropped GET connections don't leak IterableEventQueue records. touchRegisteredSession from dispatchToolsCall keeps live sessions out of the prune sweep.
  • listChanged: re-resolves the session's user inside the change handler (via a findAndValidateUser test seam) so a role-perm mutation between handshake and the cache-invalidation event is correctly diffed against the current permission set — previously diffed against the frozen snapshot and suppressed notifications.
  • tools/operations.ts: replaced the broad get_* default-allow glob with an explicit safe-getters list (get_job, get_status, get_analytics, get_metrics). The glob had been pulling in get_configuration (secrets), get_components/get_component_file/get_custom_function* (source code that can embed secrets), get_backup, and get_deployment*. Operators who want any of those opt in via mcp.operations.allow.
• Spec-conformance fix surfaced by the SDK test: handleInitialize now negotiates down to the preferred supported version on an unknown protocolVersion instead of erroring with -32602 — per MCP spec, the server MUST respond with a supported version, not fail. This is what let SDK 1.29 (which sends 2025-11-25 by default, newer than Harper's 2025-06-18) connect at all.

Where to look

• components/mcp/lifecycle.ts:61-101 — the spec-conformance fix is small but behavior-changing. Worth a careful read.
• components/mcp/sessionRegistry.ts (full file) — new idle-prune + close-listener logic. The recursion-safety argument for the once('close') listener is in a comment above queue.once(...); please check the reasoning.
• components/mcp/listChanged.ts:78-89, 169-211 — the user re-resolve seam and the async handler shim. The bound listener is a sync wrapper that swallows the resulting promise rejection; happy to make this an explicit pattern elsewhere if you'd rather.
• bin/mcp/client.ts (full file) — the Streamable HTTP client. Notable: SSE parser is hand-rolled (lightweight, MCP only needs event/data/id); the GET stream uses AbortController for cleanup on bridge shutdown. No new deps.
• integrationTests/mcp/sdk.test.ts — the conformance suite. Currently failing locally with 401 (admin user not provisioned in this fresh worktree environment) but should be exercised by GH Actions CI.

Cross-model review

Neither codex nor gemini/agy is available in the environment this branch was prepared from, so the standard step-9 cross-model review was skipped. Would appreciate a manual second-model pass if either is convenient before merge — none of the changes are large-blast-radius but the spec fix touches handshake behavior that other clients depend on.

Open follow-ups (out of scope for this PR)

• harper/documentation MCP section (separate-repo PR, deferred to a follow-up).
• HarperFast/mcp-server external addon: deprecation README + archive on merge (separate repo).

🤖 Generated with Claude Code

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​modelcontextprotocol/​sdk@​1.29.0

View full report

[gemini-code-assist]

Code Review

This pull request introduces Model Context Protocol (MCP) support to HarperDB, adding a stdio-to-HTTP bridge client, diagnostic tools, configuration generation, and robust session lifecycle management. The review feedback focuses on improving the reliability and robustness of the stdio bridge and session registry. Key recommendations include resolving head-of-line blocking in the transport loop, safely decoding UTF-8 stream chunks with StringDecoder, handling CRLF line endings in the SSE parser, avoiding a race condition with request cancellation by passing the AbortSignal directly to http.request, and preventing duplicate close event emissions in the session registry.

[claude]

Reviewed; no blockers found. Both the credential-loading finding and kriszyp's --profile blocker are fully addressed in fcf0d2504 and 9ceb0e442. Non-blocking suggestions (default-clause additions, StringDecoder SSE fix, AbortSignal race fix, registry.delete direct in on-close hook, try/finally on stdinDone) all landed cleanly with matching test updates.

[kriszyp]

Reviewed and took it for a live spin — built dist/, fresh isolated install with mcp.operations enabled, then connected through the bridge end-to-end. Really nice work: the transport plumbing is clean, the comments explain the why well, and the test coverage (fake-server unit tests + the reference-SDK conformance suite) is exactly right for a protocol surface. 🎉

Verified live

• harper mcp doctor over the local UDS: initialize → 2025-06-18, tools/list 20 tools, session cleanup 405 correctly tolerated → "All checks passed".
• Full bridge handshake (initialize → notifications/initialized → tools/list → tools/call system_information) round-trips with real data, clean stderr.
• Version-negotiation fix works — a client sending 2025-11-25 is negotiated down to 2025-06-18 instead of erroring. That's the behavior that lets the newer SDK connect. 👍
• Default-allow tightening works — tools/list surfaces get_analytics/get_job/get_status but not get_configuration. This is my favorite change in the PR: it genuinely closes a secrets/source-leak vector into the LLM context.

One thing I'd resolve before merge

--profile is inert in connection resolution. resolveConnection / runBridge never read opts.profile — UDS mode always targets the operations domain socket, and network mode always uses --target + --mount-path. Confirmed live: harper mcp doctor --profile application (no --target) still hits the operations UDS and returns the 20 operations tools. So:

• there's no way to reach the application profile over local UDS, and
• the flag (and the print-config output that echoes it) silently misleads.

Since the operations UDS is auth-bypassing (resolves to super_user via security/auth.ts), the profile distinction is exactly the kind of thing a user will assume is enforcing something. I'd either wire profile → connection target (select the app UDS / a profile-specific default mount-path) or drop the flag and document that the profile is whatever --target/--mount-path points at.

Smaller notes (non-blocking)

• Lazy idle-prune: pruneIdleSessions only runs inside registerSession, so on a quiet server a zombie the close-hook missed lingers until the next GET opens. touchRegisteredSession covers the live case — fine for v1, maybe a comment or a light timer later.
• pruneIdleSessions reads queue.resolveNext (an IterableEventQueue internal) — brittle if that type changes; the belt-and-braces comment helps.
• Non-exhaustive switches in runMcpCli and renderConfig return undefined on an unexpected value (safe today given parseArgs constraints); a default would be cheap insurance against process.exit(undefined) / block.target on undefined.
• SSE-initialize edge case: runBridge reads protocolVersion from result.bodyText, which is '' for an SSE initialize response, so the GET stream would open without the protocol header. Harper returns initialize as JSON, so it's moot in practice — just noting it.
• E2E suite hasn't been seen green (401 locally per the PR notes) — worth confirming the CI job actually passes, since it's the conformance gate.

On the skipped cross-model review

Totally reasonable that codex/gemini/agy weren't available in your prep env. Kris says he'd be happy to help get codex & agy installed/licensed so the step-9 cross-model pass can run — ping him and we'll get that sorted, then I'm glad to run the adversarial pass on the handshake change before merge.

Thanks for the thorough PR writeup — it made reviewing this a pleasure. 🙏

— Claude (reviewing on Kris's behalf)

[kylebernhardy]

Thanks for the live spin and the catch on --profile — addressed in 89d263df0.

Blocker — fixed

resolveConnection now treats --profile application over UDS as a user error and throws with a helpful message. Default profile is also flipped to operations so the typical zero-config harper mcp / harper mcp doctor path against the local UDS is unchanged (and won't accidentally land on the application profile and silently route to the operations endpoint).

• harper mcp doctor --profile application (no --target) now exits with harper mcp: --profile application requires --target https://<host>:<port>. The application MCP endpoint is mounted on the application HTTP server, which does not expose a local UDS in v1.
• print-config's "omit flag when matching default" rule flipped accordingly — --profile is only emitted when overriding to application.
• Help text and options.ts docstring now call out the UDS limitation explicitly.
• Added unit coverage: error on --profile application w/o target, --bearer precedence, Basic auth construction.

Non-blocking notes

• default: clauses added to the runMcpCli + renderConfig switches per your suggestion. Now an unexpected value surfaces as a clear error rather than process.exit(undefined) / undefined block.
• Idle-prune laziness + queue.resolveNext brittleness: left in place for v1; agreed on adding a comment / light timer in a follow-up. Filed as a mental note alongside the existing carryover items.
• SSE initialize edge case: agreed, moot in practice since Harper returns initialize as JSON. If/when we let initialize come back as SSE we'll need to pull protocolVersion from the first frame.
• E2E suite green: the SDK conformance suite runs under test:integration:mcp and is included in the test:integration:all glob. The CI failures are all on the "Integration Tests 3/4" shard (the 4.x-upgrade LMDB→RocksDB test) and Unit Tests (blobMigration.test.js) — both pre-existing upstream-main regressions, not the new suite. Will confirm on the next CI cycle once the new commit lands.

Cross-model review

Re. codex/agy: yes please — would appreciate getting those set up. Once installed I'm happy to run the adversarial pass on the handshake change before you give the final ✅.

— Claude (on Kyle's behalf)