dependabot[bot] opened a new pull request, #3209: URL: https://github.com/apache/cxf/pull/3209
Bumps [org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) from 3.1.0 to 4.0.51. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/releases";>org.atmosphere:atmosphere-runtime's releases</a>.</em></p> <blockquote> <h2>Atmosphere 4.0.51</h2> <h3>Added</h3> <ul> <li><strong>MCP <code>2026-07-28</code> release candidate</strong> — the largest MCP revision since launch, implemented as a <strong>stateless dialect that coexists</strong> with the session-based protocol (<code>2024-11-05</code> through <code>2025-11-25</code>). The dialect is selected per request (the client carries the protocol version in <code>params._meta</code> or calls <code>server/discover</code>), so existing clients are unaffected. Stateless core has no <code>Mcp-Session-Id</code> and no <code>initialize</code> handshake, so the server runs behind a plain round-robin load balancer with no session affinity.</li> <li><strong>MCP operability</strong> — <code>Mcp-Method</code> / <code>Mcp-Name</code> routing headers (validated against the body), <code>ttlMs</code> + <code>cacheScope</code> cache metadata on <code>tools/list</code> / <code>resources/list</code> / <code>resources/read</code>, and W3C Trace Context (<code>traceparent</code> / <code>tracestate</code> / <code>baggage</code>) read from <code>_meta</code> and bridged into the OpenTelemetry span.</li> <li><strong>MCP Tasks extension</strong> (<code>io.modelcontextprotocol/tasks</code>) and multi-round-trip input — <code>@McpTool(longRunning = true)</code> returns a task handle polled via <code>tasks/get</code>, and the stateless dialect can return <code>InputRequiredResult</code> with a base64 <code>requestState</code> to request more input mid-call and resume on any instance.</li> <li><strong>JSON Schema 2020-12</strong> dialect (<code>$schema</code>) on generated tool input schemas, and a standardized resource-not-found error (<code>-32602</code>) on the stateless dialect.</li> <li><strong>MCP Apps (SEP-1865)</strong> — <code>@McpTool(uiResource = "ui://…")</code> plus a <code>text/html;profile=mcp-app</code> resource makes a tool an MCP App. The Atmosphere console is a working host: it renders the app in a sandboxed iframe, runs a <strong>bidirectional App Bridge</strong> (apps call server tools through the host under the policy gateway; the host lists and calls the app's own <code>appCapabilities.tools</code>), and uses a <strong>separate-origin sandbox proxy</strong> for isolation (<code>atmosphere.mcp-sandbox-origin</code>, with a <code>localhost</code>↔ <code>127.0.0.1</code> dev fallback, otherwise an opaque-origin direct sandbox).</li> <li><strong>MCP authorization</strong> — the server acts as an OAuth 2.0 Resource Server: RFC 9728 protected-resource metadata at <code>/.well-known/oauth-protected-resource</code> and a <code>401</code> + <code>WWW-Authenticate</code> challenge for unauthenticated requests. Token validation is delegated to the host framework (Spring Security resource server / <code>quarkus-oidc</code>); opt in via the <code>org.atmosphere.mcp.auth.*</code> init parameters.</li> </ul> <h2>Atmosphere 4.0.50</h2> <h3>Removed</h3> <ul> <li>Pruned dead/unwired internal classes found during a release-readiness audit — none was documented, advertised, or reachable from a user code path: <code>McpWebSocketHandler</code> (superseded by <code>McpHandler</code>'s direct WebSocket-frame handling), <code>AgUiSession</code> (superseded by <code>ResourceAgUiStreamingSession</code>), <code>AiCoalescingBroadcasterCache</code> (a delegate-only <code>BroadcasterCache</code> that the no-arg reflective cache-wiring path cannot instantiate), <code>AdkArtifactBridge</code>, <code>AdkCompactionBridge</code>, <code>AtmosphereRequestBridge</code>, <code>AtmosphereResponseBridge</code>, the channels <code>AuditLoggingFilter</code> (never registered as a bean, so it never reached the filter chain), the unwired <code>GrpcProtocolBridge</code>, and the A2A <code>ListTaskPushNotificationConfigsResponse</code> DTO (the <code>ListTaskPushNotificationConfigs</code> method returns <code>ERROR_PUSH_NOT_SUPPORTED</code>, so the response type was never constructed).</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md";>org.atmosphere:atmosphere-runtime's changelog</a>.</em></p> <blockquote> <h2>[4.0.51] - 2026-06-06</h2> <h3>Added</h3> <ul> <li><strong>MCP <code>2026-07-28</code> release candidate</strong> — the largest MCP revision since launch, implemented as a <strong>stateless dialect that coexists</strong> with the session-based protocol (<code>2024-11-05</code> through <code>2025-11-25</code>). The dialect is selected per request (the client carries the protocol version in <code>params._meta</code> or calls <code>server/discover</code>), so existing clients are unaffected. Stateless core has no <code>Mcp-Session-Id</code> and no <code>initialize</code> handshake, so the server runs behind a plain round-robin load balancer with no session affinity.</li> <li><strong>MCP operability</strong> — <code>Mcp-Method</code> / <code>Mcp-Name</code> routing headers (validated against the body), <code>ttlMs</code> + <code>cacheScope</code> cache metadata on <code>tools/list</code> / <code>resources/list</code> / <code>resources/read</code>, and W3C Trace Context (<code>traceparent</code> / <code>tracestate</code> / <code>baggage</code>) read from <code>_meta</code> and bridged into the OpenTelemetry span.</li> <li><strong>MCP Tasks extension</strong> (<code>io.modelcontextprotocol/tasks</code>) and multi-round-trip input — <code>@McpTool(longRunning = true)</code> returns a task handle polled via <code>tasks/get</code>, and the stateless dialect can return <code>InputRequiredResult</code> with a base64 <code>requestState</code> to request more input mid-call and resume on any instance.</li> <li><strong>JSON Schema 2020-12</strong> dialect (<code>$schema</code>) on generated tool input schemas, and a standardized resource-not-found error (<code>-32602</code>) on the stateless dialect.</li> <li><strong>MCP Apps (SEP-1865)</strong> — <code>@McpTool(uiResource = "ui://…")</code> plus a <code>text/html;profile=mcp-app</code> resource makes a tool an MCP App. The Atmosphere console is a working host: it renders the app in a sandboxed iframe, runs a <strong>bidirectional App Bridge</strong> (apps call server tools through the host under the policy gateway; the host lists and calls the app's own <code>appCapabilities.tools</code>), and uses a <strong>separate-origin sandbox proxy</strong> for isolation (<code>atmosphere.mcp-sandbox-origin</code>, with a <code>localhost</code>↔ <code>127.0.0.1</code> dev fallback, otherwise an opaque-origin direct sandbox).</li> <li><strong>MCP authorization (protocol glue)</strong> — the server acts as an OAuth 2.0 Resource Server: RFC 9728 protected-resource metadata at <code>/.well-known/oauth-protected-resource</code> and a <code>401</code> + <code>WWW-Authenticate</code> challenge for unauthenticated requests; opt in via the <code>org.atmosphere.mcp.auth.*</code> init parameters. This release shipped the protocol glue only; bearer-token validation was wired end-to-end in 4.0.52 (see Unreleased).</li> </ul> <h2>[4.0.50] - 2026-06-05</h2> <h3>Removed</h3> <ul> <li>Pruned dead/unwired internal classes found during a release-readiness audit — none was documented, advertised, or reachable from a user code path: <code>McpWebSocketHandler</code> (superseded by <code>McpHandler</code>'s direct WebSocket-frame handling), <code>AgUiSession</code> (superseded by <code>ResourceAgUiStreamingSession</code>), <code>AiCoalescingBroadcasterCache</code> (a delegate-only <code>BroadcasterCache</code> that the no-arg reflective cache-wiring path cannot instantiate), <code>AdkArtifactBridge</code>, <code>AdkCompactionBridge</code>, <code>AtmosphereRequestBridge</code>, <code>AtmosphereResponseBridge</code>, the channels <code>AuditLoggingFilter</code> (never registered as a bean, so it never reached the filter chain), the unwired <code>GrpcProtocolBridge</code>, and the A2A <code>ListTaskPushNotificationConfigsResponse</code> DTO (the <code>ListTaskPushNotificationConfigs</code> method returns <code>ERROR_PUSH_NOT_SUPPORTED</code>, so the response type was never constructed).</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Atmosphere/atmosphere/commit/401382847818ed53c9e52f218ccf362a55344dc4";><code>4013828</code></a> release: Atmosphere 4.0.51</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/d9fda32454fa587de5e5624347370071e2cf6e21";><code>d9fda32</code></a> docs(mcp): advertise the 2026-07-28 RC support across README, module docs, CH...</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/49fad335c8e91468670ecc3e44f1cadabdb7e6e4";><code>49fad33</code></a> feat(mcp): render MCP Apps through a separate-origin sandbox proxy</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/d30c98b8f9531e8ed19b6a30e409874396252dbc";><code>d30c98b</code></a> feat(mcp): let the console host list and call app-registered tools (Host->App)</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/4f8af53c232b28dc0ba34928a97679423af00377";><code>4f8af53</code></a> feat(mcp): add MCP Apps App Bridge so apps call server tools via the console ...</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/972e9053c2cfccbcb4a60ad99f4dbc833dcdb8a5";><code>972e905</code></a> feat(mcp): add MCP Apps (SEP-1865) with a sandboxed-iframe console host</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/185d43d917b2fd62819adb27019dc433027a7535";><code>185d43d</code></a> feat(mcp): add OAuth resource-server glue (RFC 9728 metadata + WWW-Authenticate)</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/4b51fd7799559156e2926660a1428f5431b5e36e";><code>4b51fd7</code></a> feat(mcp): declare JSON Schema 2020-12 dialect and standardize resource-not-f...</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/e6c4f1b8ff9619534a1908c3bd0564c11d094f69";><code>e6c4f1b</code></a> feat(mcp): resume input_required tasks via tasks/update on the stateless dialect</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/c03863e78f46abdbc77bd4ab83d816c1309ad791";><code>c03863e</code></a> feat(mcp): add SEP-2322 multi-round-trip input to stateless tool calls</li> <li>Additional commits viewable in <a href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-project-3.1.0...atmosphere-4.0.51";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
