[go-fan] Go Module Review: modelcontextprotocol/go-sdk

[github-actions]

🐹 Go Fan Report: modelcontextprotocol/go-sdk

Module Overview

The official Go SDK for Model Context Protocol (MCP) servers and clients, maintained in collaboration with Google. This is the core dependency that enables gh-aw-mcpg to function as an MCP gateway, providing protocol implementation for stdio, HTTP, SSE, and streamable transports.

Repository: https://github.com/modelcontextprotocol/go-sdk
Stars: 3,745+ ⭐
Last Updated: 2026-02-02T07:05:15Z (Updated TODAY! 🎉)

Current Usage in gh-aw-mcpg

Version: v1.1.0 (from go.mod)
Files Using Module: 20 files across the codebase
Key APIs Used:

• Client creation: sdk.NewClient(), sdk.ClientSession
• Transports: CommandTransport, StreamableClientTransport, SSEClientTransport
• Server: NewStreamableHTTPHandler(), StreamableHTTPOptions
• Session operations: ListTools(), CallTool(), ListResources(), ReadResource(), ListPrompts(), GetPrompt()

Usage Breakdown

• Core Connection (internal/mcp/connection.go): Client, session, transport management
• Server Transport (internal/server/transport.go): Streamable HTTP handler for MCP protocol
• Server Logic (internal/server/routed.go, unified.go): Server initialization
• Middleware (internal/middleware/jqschema.go): Tool result processing
• Testing (15 files): Comprehensive test coverage using SDK types

Research Findings

Recent Updates (Repository Updated TODAY!)

v1.2.0 (Latest Stable - 2025-12-22)

Major Features:

• ✅ Support for MCP Spec 2025-11-25 (icons, metadata, tool name validation)
• ✅ Common error codes via jsonrpc.Error sentinel values
• ✅ OAuth 2.0 Protected Resource Metadata support
• ✅ Security: UserID in TokenInfo for session hijacking prevention
• ✅ Streamable transport improvements (SSE, context cancellation, transient errors)
• ✅ Windows CRLF handling, connection reuse improvements

v1.3.0-pre.1 (Latest Pre-release - 2026-01-27)

Performance Breakthrough 🚀:

• Schema Caching: 132x faster tool registration (161µs → 1.2µs per tool)
• 51x fewer allocations, 32x less memory per tool registration
• Critical for stateless server deployments with many tools

New Features:

• DisableListening option for StreamableClientTransport (reduce resource usage)
• Exported GetError and SetError methods for error manipulation
• Fixed race condition in logging
• HTTP 405 responses now include Allow header per RFC 9110

Best Practices from Maintainers

1. Logging: Use ServerOptions.Logger and ClientOptions.Logger for integrated logging
2. Timeouts: Configure StreamableHTTPOptions.SessionTimeout to prevent resource leaks
3. Resource Optimization: Use DisableListening: true if server notifications aren't needed
4. Error Handling: Use standardized jsonrpc.Error codes for interoperability
5. Version Tracking: Set meaningful Implementation.Version for debugging
6. Security: Set UserID in TokenInfo to prevent session hijacking (v1.2.0+)

Improvement Opportunities

🏃 Quick Wins

1. Upgrade to v1.2.0 (Stable Release) ⚡

Location: go.mod
Benefit: Security fixes, bug fixes, MCP spec 2025-11-25 support
Risk: Low (mostly additive changes, well-tested in production)
Action: go get -u github.com/modelcontextprotocol/go-sdk@v1.2.0
Impact: HIGH - Security and stability improvements

Why Now: v1.2.0 includes session hijacking prevention, streamable transport bug fixes, and better error handling - all critical for a production gateway.

2. Add Logger to StreamableHTTPOptions ⚡

Location: internal/server/transport.go:99
Current:

&sdk.StreamableHTTPOptions{
    Stateless: false,
}

Suggested:

&sdk.StreamableHTTPOptions{
    Stateless: false,
    Logger:    logTransport, // Use existing logger
}

Benefit: Integrate SDK logging with project's logger framework for better debugging
Impact: MEDIUM - Improved observability and debugging

3. Add SessionTimeout to StreamableHTTPOptions ⚡

Location: internal/server/transport.go:99
Suggested:

&sdk.StreamableHTTPOptions{
    Stateless: false,
    Logger:    logTransport,
    SessionTimeout: 30 * time.Minute, // Configurable timeout
}

Benefit: Prevent resource leaks from idle connections
Impact: MEDIUM - Resource management and stability

4. Add DisableListening to StreamableClientTransport 💡

Location: internal/mcp/connection.go:362
Suggested:

&sdk.StreamableClientTransport{
    URL:              url,
    HTTPClient:       httpClient,
    DisableListening: true, // Optional: disable if not needed
}

Benefit: Reduce resource usage if server notifications aren't needed
Impact: LOW-MEDIUM - Depends on usage pattern, but eliminates unnecessary SSE connections

✨ Feature Opportunities

1. Add Client-Side Logging

Location: internal/mcp/connection.go:76-80
Suggested:

func newMCPClient() *sdk.Client {
    return sdk.NewClient(&sdk.Implementation{
        Name:    "awmg",
        Version: GetVersion(), // Use actual project version
    }, &sdk.ClientOptions{
        Logger: logger.New("sdk:client"),
    })
}

Benefit: Integrated client-side SDK logging for better debugging
Impact: MEDIUM - Better client-side diagnostics

2. Use Standardized jsonrpc.Error Codes (v1.2.0+)

Location: Error handling throughout codebase
Benefit: Better interoperability with other MCP implementations
Action: Review and migrate custom error codes to jsonrpc.Error sentinel values
Impact: MEDIUM - Improved compatibility and standards compliance

3. Consider v1.3.0-pre.1 for Performance (When Stable)

Benefit: Schema caching provides 132x speedup for tool registration
Use Case: Particularly valuable if moving to stateless server architecture
Action: Monitor for v1.3.0 stable release (expected soon, pre-release from 2026-01-27)
Impact: HIGH (for stateless scenarios) / LOW (for current stateful architecture)

📐 Best Practice Alignment

1. Update Implementation Version to Use Project Version

Location: internal/mcp/connection.go:79
Current: Hardcoded "1.0.0"
Suggested: Read from version.go or build-time variable
Benefit: Accurate version reporting for debugging and monitoring
Impact: LOW - Better diagnostics

2. Review MCP Spec 2025-11-25 Features (v1.2.0)

Available Features:

• Icons and metadata support
• Tool name validation
• Elicitation improvements (defaults, URL mode, enum improvements)

Action: Determine if any features would enhance the gateway
Impact: MEDIUM - Potential UX improvements

🔧 General Improvements

1. Monitor for v1.3.0 Stable Release

   • Schema caching performance boost (132x faster)
   • Logging race condition fix
   • Better error handling exports
   • Timeline: Pre-release published 2026-01-27, stable expected soon

2. Consider OAuth 2.0 Support (v1.2.0)

   • Available in auth and oauthex packages
   • Current: Simple API key authentication
   • Potential for enterprise use cases

3. Leverage New Capability Configuration (v1.2.0)

   • Capabilities fields in ServerOptions/ClientOptions
   • Simplifies capability configuration vs manual setup

Recommendations

Priority 1 (Immediate) ⚡

1. Upgrade to v1.2.0 - Security fixes, bug fixes, MCP spec compliance
2. Add Logger to StreamableHTTPOptions - Better debugging and monitoring

Priority 2 (Short-term) 💡

3. Add SessionTimeout - Prevent resource leaks
4. Update Implementation.Version - Use actual project version
5. Add Client Logger - Client-side debugging

Priority 3 (Medium-term) 🔍

6. Consider DisableListening - Optimize resource usage
7. Review jsonrpc.Error Migration - Better interoperability
8. Evaluate MCP Spec 2025-11-25 Features - Potential UX enhancements

Future Monitoring 📡

• Watch for v1.3.0 stable (schema caching performance boost)
• Consider OAuth 2.0 support for enterprise scenarios
• Stay current with MCP specification updates

Next Steps

1. Upgrade Path: v1.1.0 → v1.2.0 (stable, well-tested, low risk)
2. Configuration Enhancement: Add logging and timeout options to StreamableHTTPOptions
3. Version Tracking: Use dynamic project version in SDK client initialization
4. Future Planning: Monitor v1.3.0 for performance improvements

Summary

Overall Assessment: The project uses modelcontextprotocol/go-sdk effectively but conservatively. The current usage (v1.1.0) is solid and functional, but upgrading to v1.2.0 and adding a few configuration options would provide immediate benefits with minimal risk.

Key Insights:

• ✅ Core dependency that powers the entire MCP gateway
• ✅ Well-maintained by official MCP team + Google (updated today!)
• ✅ Stable foundation with correct API usage patterns
• ⚠️ Version lag - v1.1.0 vs v1.2.0 stable (missing security fixes)
• ⚠️ Minimal configuration - not leveraging logging, timeouts, or resource optimization

Low Risk, High Value: All suggested improvements are backward-compatible additions that enhance observability, security, and reliability without breaking existing functionality.

---

Generated by Go Fan 🐹
Module summary saved to: /tmp/gh-aw/cache-memory/go-fan-go-sdk-summary.md
Reviewed: 2026-02-02
Repository Status: Active development, updated today!

AI generated by Go Fan