Merge branch 'main' into localden/tasks-session

Author: localden

.github/workflows/shared.yml

@@ -70,6 +70,7 @@ jobs:
       - name: Run pytest with coverage
         shell: bash
         run: |
+          uv run --frozen --no-sync coverage erase
           uv run --frozen --no-sync coverage run -m pytest -n auto
           uv run --frozen --no-sync coverage combine
           uv run --frozen --no-sync coverage report

.github/workflows/weekly-lockfile-update.yml

@@ -32,6 +32,7 @@ jobs:
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
         with:
           commit-message: "chore: update uv.lock with latest dependencies"
+          sign-commits: true
           title: "chore: weekly dependency update"
           body-path: pr_body.md
           branch: weekly-lockfile-update

CLAUDE.md

@@ -28,9 +28,19 @@ This document contains critical information about working with this codebase. Fo
    - Bug fixes require regression tests
    - IMPORTANT: The `tests/client/test_client.py` is the most well designed test file. Follow its patterns.
    - IMPORTANT: Be minimal, and focus on E2E tests: Use the `mcp.client.Client` whenever possible.
-   - IMPORTANT: Before pushing, verify 100% branch coverage on changed files by running
-     `uv run --frozen pytest -x` (coverage is configured in `pyproject.toml` with `fail_under = 100`
-     and `branch = true`). If any branch is uncovered, add a test for it before pushing.
+   - Coverage: CI requires 100% (`fail_under = 100`, `branch = true`).
+     - Full check: `./scripts/test` (~20s, matches CI exactly)
+     - Targeted check while iterating:
+
+       ```bash
+       uv run --frozen coverage erase
+       uv run --frozen coverage run -m pytest tests/path/test_foo.py
+       uv run --frozen coverage combine
+       uv run --frozen coverage report --include='src/mcp/path/foo.py' --fail-under=0
+       ```
+
+       Partial runs can't hit 100% (coverage tracks `tests/` too), so `--fail-under=0`
+       and `--include` scope the report to what you actually changed.
    - Avoid `anyio.sleep()` with a fixed duration to wait for async operations. Instead:
      - Use `anyio.Event` — set it in the callback/handler, `await event.wait()` in the test
      - For stream messages, use `await stream.receive()` instead of `sleep()` + `receive_nowait()`

docs/migration.md

@@ -288,6 +288,37 @@ app = Starlette(routes=[Mount("/", app=mcp.streamable_http_app(json_response=Tru
 
 **Note:** DNS rebinding protection is automatically enabled when `host` is `127.0.0.1`, `localhost`, or `::1`. This now happens in `sse_app()` and `streamable_http_app()` instead of the constructor.
 
+### `MCPServer.get_context()` removed
+
+`MCPServer.get_context()` has been removed. Context is now injected by the framework and passed explicitly — there is no ambient ContextVar to read from.
+
+**If you were calling `get_context()` from inside a tool/resource/prompt:** use the `ctx: Context` parameter injection instead.
+
+**Before (v1):**
+
+```python
+@mcp.tool()
+async def my_tool(x: int) -> str:
+    ctx = mcp.get_context()
+    await ctx.info("Processing...")
+    return str(x)
+```
+
+**After (v2):**
+
+```python
+@mcp.tool()
+async def my_tool(x: int, ctx: Context) -> str:
+    await ctx.info("Processing...")
+    return str(x)
+```
+
+### `MCPServer.call_tool()`, `read_resource()`, `get_prompt()` now accept a `context` parameter
+
+`MCPServer.call_tool()`, `MCPServer.read_resource()`, and `MCPServer.get_prompt()` now accept an optional `context: Context | None = None` parameter. The framework passes this automatically during normal request handling. If you call these methods directly and omit `context`, a Context with no active request is constructed for you — tools that don't use `ctx` work normally, but any attempt to use `ctx.session`, `ctx.request_id`, etc. will raise.
+
+The internal layers (`ToolManager.call_tool`, `Tool.run`, `Prompt.render`, `ResourceTemplate.create_resource`, etc.) now require `context` as a positional argument.
+
 ### Replace `RootModel` by union types with `TypeAdapter` validation
 
 The following union types are no longer `RootModel` subclasses:
@@ -694,7 +725,7 @@ If you prefer the convenience of automatic wrapping, use `MCPServer` which still
 
 ### Lowlevel `Server`: `request_context` property removed
 
-The `server.request_context` property has been removed. Request context is now passed directly to handlers as the first argument (`ctx`). The `request_ctx` module-level contextvar is now an internal implementation detail and should not be relied upon.
+The `server.request_context` property has been removed. Request context is now passed directly to handlers as the first argument (`ctx`). The `request_ctx` module-level contextvar has been removed entirely.
 
 **Before (v1):**
 

scripts/test

@@ -2,6 +2,7 @@
 
 set -ex
 
+uv run --frozen coverage erase
 uv run --frozen coverage run -m pytest -n auto $@
 uv run --frozen coverage combine
 uv run --frozen coverage report

src/mcp/client/auth/oauth2.py

@@ -205,8 +205,9 @@ def prepare_token_auth(
             headers["Authorization"] = f"Basic {encoded_credentials}"
             # Don't include client_secret in body for basic auth
             data = {k: v for k, v in data.items() if k != "client_secret"}
-        elif auth_method == "client_secret_post" and self.client_info.client_secret:
-            # Include client_secret in request body
+        elif auth_method == "client_secret_post" and self.client_info.client_id and self.client_info.client_secret:
+            # Include client_id and client_secret in request body (RFC 6749 §2.3.1)
+            data["client_id"] = self.client_info.client_id
             data["client_secret"] = self.client_info.client_secret
         # For auth_method == "none", don't add any client_secret
 

src/mcp/server/lowlevel/server.py

@@ -36,7 +36,6 @@ async def main():
 
 from __future__ import annotations
 
-import contextvars
 import logging
 import warnings
 from collections.abc import AsyncIterator, Awaitable, Callable
@@ -74,8 +73,6 @@ async def main():
 
 LifespanResultT = TypeVar("LifespanResultT", default=Any)
 
-request_ctx: contextvars.ContextVar[ServerRequestContext[Any]] = contextvars.ContextVar("request_ctx")
-
 
 class NotificationOptions:
     def __init__(self, prompts_changed: bool = False, resources_changed: bool = False, tools_changed: bool = False):
@@ -476,11 +473,7 @@ async def _handle_request(
                     close_sse_stream=close_sse_stream_cb,
                     close_standalone_sse_stream=close_standalone_sse_stream_cb,
                 )
-                token = request_ctx.set(ctx)
-                try:
-                    response = await handler(ctx, req.params)
-                finally:
-                    request_ctx.reset(token)
+                response = await handler(ctx, req.params)
             except MCPError as err:
                 response = err.error
             except anyio.get_cancelled_exc_class():

src/mcp/server/mcpserver/__init__.py

@@ -2,7 +2,8 @@
 
 from mcp.types import Icon
 
-from .server import Context, MCPServer
+from .context import Context
+from .server import MCPServer
 from .utilities.types import Audio, Image
 
 __all__ = ["MCPServer", "Context", "Image", "Audio", "Icon"]