More strictly enforce `Accept` MCP by jviotti · Pull Request #1025 · sourcemeta/one

jviotti · 2026-06-06T21:04:54Z

Signed-off-by: Juan Cruz Viotti jv@jviotti.com

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

augmentcode · 2026-06-06T21:09:13Z

🤖 Augment PR Summary

Summary: This PR tightens MCP HTTP request/response expectations by enforcing specific request headers and updating the E2E Hurl suite accordingly.

Changes:

Require clients to send Accept: application/json, text/event-stream for MCP requests and return a 406 JSON-RPC error (-32006) when missing/insufficient.
Enforce Content-Type to be JSON (allowing application/json and application/json; charset=utf-8) and return a 415 JSON-RPC error (-32008) otherwise.
Update MCP error schema (src/self/v1/schemas/mcp/error.json) to whitelist the new error codes/messages.
Update a large set of enterprise/path/community Hurl tests to include the new Accept header for MCP POSTs.
Add new E2E coverage asserting 406/415 behavior for missing/partial Accept and missing/wrong Content-Type.
Adjust resource size assertions for the MCP error schema to reflect the schema change.

Technical Notes: Header names are already expected lowercase due to the underlying HTTP server implementation, and the new behavior is validated via schema evaluation in the E2E suite.

_{🤖 Was this summary useful? React with 👍 or 👎}

augmentcode

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

augmentcode · 2026-06-06T21:09:14Z

+    // type catches integration bugs before SSE lands.
+    // https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#sending-messages-to-the-server
+    const auto accept{request.header("accept")};
+    if (accept.find("application/json") == std::string_view::npos ||


src/actions/action_mcp_v1.h:107: The Accept check uses case-sensitive substring matching on the raw header value; since media types are case-insensitive and clients may vary formatting/whitespace, this can incorrectly reject valid Accept headers.

Severity: medium

Other Locations

enterprise/server/include/sourcemeta/one/enterprise_server_actions.h:119

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

augmentcode · 2026-06-06T21:09:14Z

+    // error). The MUST is implicit in MCP's wire spec. Real-world clients
+    // send one of two forms.
+    const auto content_type{request.header("content-type")};
+    if (content_type != "application/json" &&


src/actions/action_mcp_v1.h:123: The Content-Type validation only accepts two exact strings, but header values aren’t normalized here (e.g., application/json;charset=utf-8 without the space, or charset=UTF-8), so valid JSON requests may get a 415 unexpectedly.

Severity: medium

Other Locations

enterprise/server/include/sourcemeta/one/enterprise_server_actions.h:135

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

cubic-dev-ai

3 issues found across 62 files

_{Reply with feedback, questions, or to request a fix.

Re-trigger cubic}

github-actions

Benchmark Index (community)

Details

Benchmark suite	Current: `c1d4e29`	Previous: `34152d0`	Ratio
`Add one schema (0 existing)`	`413` ms	`333` ms	`1.24`
`Add one schema (100 existing)`	`28` ms	`21` ms	`1.33`
`Add one schema (1000 existing)`	`85` ms	`66` ms	`1.29`
`Add one schema (10000 existing)`	`694` ms	`548` ms	`1.27`
`Update one schema (1 existing)`	`21` ms	`15` ms	`1.40`
`Update one schema (101 existing)`	`29` ms	`22` ms	`1.32`
`Update one schema (1001 existing)`	`87` ms	`67` ms	`1.30`
`Update one schema (10001 existing)`	`712` ms	`554` ms	`1.29`
`Cached rebuild (1 existing)`	`6` ms	`4` ms	`1.50`
`Cached rebuild (101 existing)`	`9` ms	`5` ms	`1.80`
`Cached rebuild (1001 existing)`	`29` ms	`18` ms	`1.61`
`Cached rebuild (10001 existing)`	`248` ms	`157` ms	`1.58`
`Index 100 schemas`	`620` ms	`591` ms	`1.05`
`Index 1000 schemas`	`1543` ms	`1237` ms	`1.25`
`Index 10000 schemas`	`13991` ms	`10932` ms	`1.28`
`Index 10000 schemas (custom meta-schema)`	`145083` ms	`134807` ms	`1.08`

This comment was automatically generated by workflow using github-action-benchmark.

github-actions

Benchmark Index (enterprise)

Details

Benchmark suite	Current: `c1d4e29`	Previous: `34152d0`	Ratio
`Add one schema (0 existing)`	`383` ms	`383` ms	`1`
`Add one schema (100 existing)`	`33` ms	`34` ms	`0.97`
`Add one schema (1000 existing)`	`94` ms	`95` ms	`0.99`
`Add one schema (10000 existing)`	`751` ms	`771` ms	`0.97`
`Update one schema (1 existing)`	`25` ms	`25` ms	`1`
`Update one schema (101 existing)`	`33` ms	`33` ms	`1`
`Update one schema (1001 existing)`	`96` ms	`94` ms	`1.02`
`Update one schema (10001 existing)`	`763` ms	`782` ms	`0.98`
`Cached rebuild (1 existing)`	`8` ms	`8` ms	`1`
`Cached rebuild (101 existing)`	`10` ms	`11` ms	`0.91`
`Cached rebuild (1001 existing)`	`34` ms	`33` ms	`1.03`
`Cached rebuild (10001 existing)`	`275` ms	`282` ms	`0.98`
`Index 100 schemas`	`524` ms	`661` ms	`0.79`
`Index 1000 schemas`	`1623` ms	`1628` ms	`1.00`
`Index 10000 schemas`	`13632` ms	`13558` ms	`1.01`
`Index 10000 schemas (custom meta-schema)`	`134788` ms	`134478` ms	`1.00`

This comment was automatically generated by workflow using github-action-benchmark.

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

cubic-dev-ai

1 issue found across 4 files (changes from recent commits).

_{Reply with feedback, questions, or to request a fix.

Re-trigger cubic}

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

Revise HTTP headers on MCP

263bacc

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

augmentcode Bot reviewed Jun 6, 2026

View reviewed changes

cubic-dev-ai Bot reviewed Jun 6, 2026

View reviewed changes

Comment thread src/actions/action_mcp_v1.h Outdated

Comment thread enterprise/server/include/sourcemeta/one/enterprise_server_actions.h Outdated

Comment thread enterprise/server/include/sourcemeta/one/enterprise_server_actions.h Outdated

github-actions Bot reviewed Jun 6, 2026

View reviewed changes

More

00bd86e

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

cubic-dev-ai Bot reviewed Jun 6, 2026

View reviewed changes

Comment thread src/http/include/sourcemeta/one/http_helpers.h Outdated

Core

c1d4e29

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

jviotti changed the title ~~Revise HTTP headers on MCP~~ More strictly enforce Accept MCP Jun 7, 2026

jviotti merged commit 8a6f1cf into main Jun 7, 2026
5 checks passed

jviotti deleted the mcp-headers branch June 7, 2026 00:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

More strictly enforce `Accept` MCP#1025

More strictly enforce `Accept` MCP#1025
jviotti merged 3 commits into
mainfrom
mcp-headers

jviotti commented Jun 6, 2026

Uh oh!

augmentcode Bot commented Jun 6, 2026

Uh oh!

augmentcode Bot left a comment

Uh oh!

augmentcode Bot Jun 6, 2026 •

edited

Loading

Uh oh!

augmentcode Bot Jun 6, 2026 •

edited

Loading

Uh oh!

cubic-dev-ai Bot left a comment •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions Bot left a comment •

edited

Loading

Uh oh!

github-actions Bot left a comment •

edited

Loading

Uh oh!

cubic-dev-ai Bot left a comment •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

jviotti commented Jun 6, 2026

Uh oh!

augmentcode Bot commented Jun 6, 2026

Uh oh!

augmentcode Bot left a comment

Choose a reason for hiding this comment

Uh oh!

augmentcode Bot Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

augmentcode Bot Jun 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

cubic-dev-ai Bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions Bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Benchmark Index (community)

Uh oh!

github-actions Bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Benchmark Index (enterprise)

Uh oh!

cubic-dev-ai Bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

augmentcode Bot Jun 6, 2026 •

edited

Loading

augmentcode Bot Jun 6, 2026 •

edited

Loading

cubic-dev-ai Bot left a comment •

edited

Loading

github-actions Bot left a comment •

edited

Loading

github-actions Bot left a comment •

edited

Loading

cubic-dev-ai Bot left a comment •

edited

Loading