Merge branch 'main' into feat/auth-test-server

Resolved conflicts:
- Moved auth-test-server.ts to test/conformance/src/authTestServer.ts
  (following the src/conformance -> test/conformance restructure)
- Updated imports to use NodeStreamableHTTPServerTransport from
  @modelcontextprotocol/node and isInitializeRequest from
  @modelcontextprotocol/server
- Inlined bearer auth middleware since requireBearerAuth was moved
  to examples-shared (demo-only code)
- Updated inputSchema to use z.object() wrapper for zod/v4
- Updated README paths

Author: felixweinberger

.changeset/add-hono-peer-dep.md

@@ -0,0 +1,5 @@
+---
+'@modelcontextprotocol/node': patch
+---
+
+Add missing `hono` peer dependency to `@modelcontextprotocol/node`. The package already depends on `@hono/node-server` which requires `hono` at runtime, but `hono` was only listed in the workspace root, not as a peer dependency of the package itself.

.changeset/config.json

@@ -7,5 +7,11 @@
     "access": "public",
     "baseBranch": "main",
     "updateInternalDependencies": "patch",
-    "ignore": ["@modelcontextprotocol/examples-client", "@modelcontextprotocol/examples-server", "@modelcontextprotocol/examples-shared"]
+    "ignore": [
+        "@modelcontextprotocol/examples-client",
+        "@modelcontextprotocol/examples-client-quickstart",
+        "@modelcontextprotocol/examples-server",
+        "@modelcontextprotocol/examples-server-quickstart",
+        "@modelcontextprotocol/examples-shared"
+    ]
 }

.changeset/expose-auth-server-discovery.md

@@ -0,0 +1,10 @@
+---
+'@modelcontextprotocol/client': minor
+---
+
+Add `discoverOAuthServerInfo()` function and unified discovery state caching for OAuth
+
+- New `discoverOAuthServerInfo(serverUrl)` export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server URL outside of `auth()`.
+- New `OAuthDiscoveryState` type and optional `OAuthClientProvider` methods `saveDiscoveryState()` / `discoveryState()` allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost.
+- New `'discovery'` scope for `invalidateCredentials()` to clear cached discovery state.
+- New `OAuthServerInfo` type exported for the return value of `discoverOAuthServerInfo()`.

.changeset/fix-task-session-isolation.md

@@ -0,0 +1,5 @@
+---
+'@modelcontextprotocol/core': patch
+---
+
+Fix InMemoryTaskStore to enforce session isolation. Previously, sessionId was accepted but ignored on all TaskStore methods, allowing any session to enumerate, read, and mutate tasks created by other sessions. The store now persists sessionId at creation time and enforces ownership on all reads and writes.

.changeset/fix-unknown-tool-protocol-error.md

@@ -0,0 +1,15 @@
+---
+"@modelcontextprotocol/core": minor
+"@modelcontextprotocol/server": major
+---
+
+Fix error handling for unknown tools and resources per MCP spec.
+
+**Tools:** Unknown or disabled tool calls now return JSON-RPC protocol errors with
+code `-32602` (InvalidParams) instead of `CallToolResult` with `isError: true`.
+Callers who checked `result.isError` for unknown tools should catch rejected promises instead.
+
+**Resources:** Unknown resource reads now return error code `-32002` (ResourceNotFound)
+instead of `-32602` (InvalidParams).
+
+Added `ProtocolErrorCode.ResourceNotFound`.

.changeset/oauth-error-http200.md

@@ -0,0 +1,7 @@
+---
+'@modelcontextprotocol/client': patch
+---
+
+Fix OAuth error handling for servers returning errors with HTTP 200 status
+
+Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an `error` field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages.

.changeset/quick-islands-occur.md

@@ -0,0 +1,10 @@
+---
+'@modelcontextprotocol/express': patch
+'@modelcontextprotocol/hono': patch
+'@modelcontextprotocol/node': patch
+'@modelcontextprotocol/client': patch
+'@modelcontextprotocol/server': patch
+'@modelcontextprotocol/core': patch
+---
+
+remove npm references, use pnpm

.changeset/respect-capability-negotiation.md

@@ -0,0 +1,14 @@
+---
+'@modelcontextprotocol/client': patch
+---
+
+Respect capability negotiation in list methods by returning empty lists when server lacks capability
+
+The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability:
+
+- `listPrompts()` returns `{ prompts: [] }` if server lacks prompts capability
+- `listResources()` returns `{ resources: [] }` if server lacks resources capability
+- `listResourceTemplates()` returns `{ resourceTemplates: [] }` if server lacks resources capability
+- `listTools()` returns `{ tools: [] }` if server lacks tools capability
+
+This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing `enforceStrictCapabilities` option continues to throw errors when set to `true`.

.changeset/rich-hounds-report.md

@@ -0,0 +1,10 @@
+---
+'@modelcontextprotocol/express': patch
+'@modelcontextprotocol/hono': patch
+'@modelcontextprotocol/node': patch
+'@modelcontextprotocol/client': patch
+'@modelcontextprotocol/server': patch
+'@modelcontextprotocol/core': patch
+---
+
+clean up package manager usage, all pnpm

.changeset/support-standard-json-schema.md

@@ -0,0 +1,34 @@
+---
+'@modelcontextprotocol/core': minor
+'@modelcontextprotocol/server': minor
+'@modelcontextprotocol/client': minor
+---
+
+Support Standard Schema for tool and prompt schemas
+
+Tool and prompt registration now accepts any schema library that implements the [Standard Schema spec](https://standardschema.dev/): Zod v4, Valibot, ArkType, and others. `RegisteredTool.inputSchema`, `RegisteredTool.outputSchema`, and `RegisteredPrompt.argsSchema` now use `StandardSchemaWithJSON` (requires both `~standard.validate` and `~standard.jsonSchema`) instead of the Zod-specific `AnySchema` type.
+
+**Zod v4 schemas continue to work unchanged** — Zod v4 implements the required interfaces natively.
+
+```typescript
+import { type } from 'arktype';
+
+server.registerTool('greet', {
+  inputSchema: type({ name: 'string' })
+}, async ({ name }) => ({ content: [{ type: 'text', text: `Hello, ${name}!` }] }));
+```
+
+For raw JSON Schema (e.g. TypeBox output), use the new `fromJsonSchema` adapter:
+
+```typescript
+import { fromJsonSchema, AjvJsonSchemaValidator } from '@modelcontextprotocol/core';
+
+server.registerTool('greet', {
+  inputSchema: fromJsonSchema({ type: 'object', properties: { name: { type: 'string' } } }, new AjvJsonSchemaValidator())
+}, handler);
+```
+
+**Breaking changes:**
+- `experimental.tasks.getTaskResult()` no longer accepts a `resultSchema` parameter. Returns `GetTaskPayloadResult` (a loose `Result`); cast to the expected type at the call site.
+- Removed unused exports from `@modelcontextprotocol/core`: `SchemaInput`, `schemaToJson`, `parseSchemaAsync`, `getSchemaShape`, `getSchemaDescription`, `isOptionalSchema`, `unwrapOptionalSchema`. Use the new `standardSchemaToJsonSchema` and `validateStandardSchema` instead.
+- `completable()` remains Zod-specific (it relies on Zod's `.shape` introspection).